Hi Brian, On 30/12/2020 19:17, Brian Pond wrote:
Dear Netfilter Team,

I would like to propose a correction to the following Wiki page:
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority

After the code block, the following sentence reads: "If priority of the 'input chain' above would be changed to -1, all packets would be dropped."

This sentence is incorrect. All packets will be dropped regardless of the priority, because within the same hook a "drop" action always takes precedence over "accept", even if the "drop" is in a chain with a later priority.

* I have attached an example illustrating this. If you load this ruleset with nft, browsing the web is impossible, regardless of whatever priority value you choose.

* I have previously submitted a bug report about this behavior. I don't believe Netfilter was intended to work this way.

Either way, I feel the wiki should be updated for accuracy, so that readers understand how Netfilter is currently working with regard to drop and priority.

Please let me know if you have any questions. I would be happy to discuss further, meet online, etc.
See the following edit:
https://wiki.nftables.org/wiki-nftables/index.php?title=Configuring_chains&diff=610&oldid=534

-- 
Kerin Millar
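The behaviour Brian describes, as an added example that is not the ruleset he attached (which is not reproduced on this page) and not the wiki's own code. Table and chain names are arbitrary. The first table has two base chains on the input hook: every packet is evaluated by both, so the drop in the second chain wins whichever priority numbers are used. The second table shows the corrected form, where accept and drop live in a single base chain.

```nft
# Added example: demonstrates that base chain priority only orders chains
# on the same hook; it does not let an 'accept' in one chain override a
# 'drop' in another. Names below are arbitrary.
flush ruleset

table inet demo_broken {
    chain allow {
        # 'accept' here only ends evaluation of *this* chain. The packet
        # then continues to the next base chain on the input hook.
        type filter hook input priority -1; policy accept;
        iif "lo" accept
        ct state established,related accept
    }
    chain block {
        # Reached by every packet, including those the chain above accepted.
        # 'drop' is final, so changing the priority above to -100 or 100
        # makes no difference. The counter lets you watch it happen.
        type filter hook input priority 0; policy accept;
        counter drop
    }
}

# Corrected form: keep accept and drop in one base chain. An 'accept' rule
# settles the packet for this chain, and the chain policy drops whatever
# no rule accepted.
table inet demo_fixed {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept   # assumed: keep remote administration reachable
    }
}
```

Try this on a console or a throwaway VM, not over SSH, because loading the whole file (`nft -f <file>`) cuts off all inbound traffic exactly as Brian reports, and `nft list ruleset` will show the counter in `demo_broken`'s `block` chain climbing. Then `nft delete table inet demo_broken`: connectivity returns, because `demo_fixed` alone only drops what its single chain did not accept. This matches the verdict semantics in nft(8): accept terminates evaluation of the current base chain, but the packet can still be dropped by another base chain on the same hook that has a higher priority number, or by a later hook. Priority decides the order in which chains see a packet, never which verdict wins.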