Thank you! I think that edit will be extremely helpful for wiki readers.

A special thanks for everyone's contributions to Netfilter and nftables. I've been working a lot on firewall tooling this past year. It's been much easier (and better) using nftables versus the legacy iptables system.

Happy New Year!

Brian Pond

On Wed, 2020-12-30 at 22:37 +0000, kfm@xxxxxxxxxxxxx wrote:
> Hi Brian,
>
> On 30/12/2020 19:17, Brian Pond wrote:
> > Dear Netfilter Team,
> >
> > I would like to propose a correction to the following Wiki page.
> > https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority
> >
> > After the code block, the following sentence reads:
> >
> > "If priority of the 'input chain' above would be changed to -1, all
> > packets would be dropped. "
> >
> > This sentence is incorrect. All packets will be dropped, regardless of
> > the priority. Because within the same hook, a "drop" action always
> > takes precedence over "accept". Even if the "drop" is in a chain with
> > a later priority.
> >
> > * I have attached an example illustrating this. If you load this
> >   ruleset with nft, browsing the web is impossible. Regardless of
> >   whatever priority value you choose.
> > * I have previously submitted a bug report about this behavior. I
> >   don't believe Netfilter was intended to work this way.
> >
> > Either way, I feel the wiki should be updated for accuracy. That way
> > readers understand how Netfilter is currently working, with regard to
> > drop and priority.
> >
> > Please let me know if you have any questions. I would be happy to
> > discuss further, meet online, etc.
>
> See the following edit.
>
> https://wiki.nftables.org/wiki-nftables/index.php?title=Configuring_chains&diff=610&oldid=534
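The behaviour discussed in this thread, as an added example that is not part of the e-mails, the attachment they mention, or Netfilter's code: a simplified Python model of how verdicts from several base chains on one hook combine. The chain names, `build_ruleset`, `merged_chain` and the sample packet are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

ACCEPT, DROP = "accept", "drop"
Rule = Tuple[Callable[[dict], bool], str]  # (match predicate, verdict)

@dataclass
class BaseChain:
    name: str
    priority: int                 # lower value is evaluated earlier on the hook
    policy: str = ACCEPT          # verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: dict) -> str:
        for match, verdict in self.rules:
            if match(pkt):
                return verdict
        return self.policy

def traverse_hook(chains: List[BaseChain], pkt: dict):
    """Return (final verdict, names of the chains the packet visited)."""
    visited = []
    for chain in sorted(chains, key=lambda c: c.priority):
        visited.append(chain.name)
        if chain.evaluate(pkt) == DROP:
            return DROP, visited  # drop is final: no later chain is consulted
        # accept only ends evaluation of this chain; the next chain still runs
    return ACCEPT, visited

def is_web(pkt: dict) -> bool:
    return pkt["proto"] == "tcp" and pkt["dport"] in (80, 443)

def build_ruleset(accept_priority: int, drop_priority: int = 0):
    """Two base chains on the same hook: one accepts web, one has policy drop."""
    return [BaseChain("allow_web", accept_priority, ACCEPT, [(is_web, ACCEPT)]),
            BaseChain("deny_all", drop_priority, DROP)]

def merged_chain():
    """One base chain holding both the accept rule and the drop policy."""
    return [BaseChain("input", 0, DROP, [(is_web, ACCEPT)])]

WEB_PACKET = {"proto": "tcp", "dport": 443}  # constructed sample packet

if __name__ == "__main__":
    for prio in (-1, 1, 100):
        print(prio, traverse_hook(build_ruleset(prio), WEB_PACKET))
    print("merged", traverse_hook(merged_chain(), WEB_PACKET))
```

In this model the packet is dropped for every priority of the accepting chain; it passes only when the accept rule and the drop policy live in the same chain.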