Hi Florian,

On 2021/04/19 17:51, Florian Westphal wrote:
> Frank Myhr <fmyhr@xxxxxxxxxxx> wrote:
> > Nitpick: just in my personal opinion, better not to use a table name that is an
> > nftables keyword ("filter"). I know the wiki does it in lots of places. And
> > it's not technically wrong. But:
>
> "filter" is not a reserved keyword.

Yes, I almost didn't say anything... maybe like vi vs. emacs it's better
to keep my opinion to myself. Actually when looking at a whole ruleset I
don't much care one way or another. My problem comes when using the
command line; when I see something like:
nft add rule inet filter prerouting iifname wan0 tcp dport 12345 count
... there's a pretty good chance I'll mistake that for a filter chain.
(Whereas in the OP ruleset it's a nat chain.) Even checking the ruleset
I might miss the nat/filter chain distinction unless I'm careful. For
me, naming things as above is error-prone and forces a mental load I
could allocate more productively elsewhere.
Since (from a user's perspective) the only purpose of tables is to group
objects with same family, I've taken to calling them something like
"t_inet". And throwing all inet objects in there so that sets & maps can
be shared most widely among them.
> > You're filtering in a nat chain, generally not a good idea. My understanding
> > is that, since nat is based on connection tracking, this chain will see only
> > the FIRST packet of each connection.
>
> Correct.

Thanks for confirming. :-)

Best Wishes,
Frank
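
As an added illustration of the two points in this exchange (it is not part of the thread or of anyone's posted ruleset), the fragment below uses a family-based table name of the kind Frank describes and keeps the counting rule in a filter-type chain, with a separate nat-type chain beside it. The table name "t_inet", the chain names, the interface name "wan0" and the 192.0.2.10 address are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Table name states the family it groups,
# chain names state hook and type, so "filter" vs "nat" cannot be misread.
flush ruleset

table inet t_inet {
    # Filter-type chain: every packet of every flow traverses it, so a
    # counter here counts packets.
    chain filter_prerouting {
        type filter hook prerouting priority 0; policy accept;
        iifname "wan0" tcp dport 12345 counter
    }

    # Nat-type chain: conntrack hands it only the first packet of each
    # connection, so a rule here would count or filter per connection,
    # not per packet. Keep only NAT actions in it.
    chain nat_prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "wan0" tcp dport 12345 dnat ip to 192.0.2.10
    }
}
```

Loading this with `nft -f` and then listing the ruleset makes the type line of each chain visible, which is the check to apply before assuming a rule sees all packets of a flow.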