cristian: one interesting side-effect... after having two chains with the same hook and priority in the same table (as above), the `iptables` cmd line tool reports the respective table as incompatible...

# /usr/sbin/iptables -t filter -S --wait
iptables v1.8.5 (nf_tables): table `filter' is incompatible, use 'nft' tool.
# iptables -L
iptables v1.8.5 (nf_tables): table `filter' is incompatible, use 'nft' tool.

On Wed, Sep 15, 2021 at 11:38 AM Cristian Constantin <const.crist@xxxxxxxxxxxxxx> wrote:
>
> hi!
>
> quote from the wiki page:
>
> https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
>
> "[...] It's possible to give two base chains the same priority, but
> there is no guaranteed evaluation order of base chains with identical
> priority that are attached to the same hook location."
>
> I have tested this on my system and it is actually allowed by `nft` / the kernel.
>
> root@firiel:/home/cco# uname -a
> Linux firiel 5.8.0-63-generic #71-Ubuntu SMP Tue Jul 13 15:59:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
> root@firiel:/home/cco# lsb_release
> LSB Version: core-11.1.0ubuntu2-noarch:printing-11.1.0ubuntu2-noarch:security-11.1.0ubuntu2-noarch
> root@firiel:/home/cco# nft -v
> nftables v0.9.6 (Capital Idea #2)
> root@firiel:/home/cco# nft -a list table filter
> table ip filter { # handle 3
>         chain INPUT { # handle 1
>                 type filter hook input priority filter; policy accept;
>         }
>         ...
>         chain TEST { # handle 579
>                 type filter hook input priority filter; policy accept;
>         }
>
> could someone please show me a use case for using multiple chains
> having the same hook and the same priority? (i.e. taking into account
> that _most of the time_ rule priority and thus evaluation order is
> important)
>
> and, in a more general sense, why is this configuration allowed (i.e.
> base chains with same hook, same priority)?
>
> thanks,
> cristian
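A check an operator could run over `nft -j list ruleset` output to catch the configuration described in this thread (two base chains on the same hook at the same priority) before relying on rule order or on iptables-nft. This is an added example, not code from the thread or from the nftables project; the embedded JSON is a constructed sample that assumes the libnftables JSON layout (`chain` objects carrying `hook` and `prio` keys, absent on regular chains).

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `nft -j list table ip filter` (assumed key names
# "chain", "hook", "prio"), reduced to the INPUT/TEST chains from the post plus a
# regular chain. "prio": 0 is what `priority filter` resolves to for the ip family.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"metainfo": {"version": "0.9.6", "release_name": "Capital Idea #2",
                  "json_schema_version": 1}},
    {"table": {"family": "ip", "name": "filter", "handle": 3}},
    {"chain": {"family": "ip", "table": "filter", "name": "INPUT", "handle": 1,
               "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
    {"chain": {"family": "ip", "table": "filter", "name": "FORWARD", "handle": 2,
               "type": "filter", "hook": "forward", "prio": 0, "policy": "accept"}},
    {"chain": {"family": "ip", "table": "filter", "name": "TEST", "handle": 579,
               "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
    {"chain": {"family": "ip", "table": "filter", "name": "regular", "handle": 600}},
]})


def find_colliding_base_chains(ruleset_json):
    """Return {(family, table, hook, prio): [chain names]} for every group of two or
    more base chains attached to the same hook at the same priority. Regular chains
    have no "hook" key and are skipped; chains in different tables are kept apart."""
    groups = defaultdict(list)
    for obj in json.loads(ruleset_json)["nftables"]:
        chain = obj.get("chain")
        if not chain or "hook" not in chain:
            continue
        key = (chain["family"], chain["table"], chain["hook"], chain["prio"])
        groups[key].append(chain["name"])
    return {key: names for key, names in groups.items() if len(names) > 1}


def report(ruleset_json):
    """One human-readable line per collision, sorted for stable output."""
    lines = []
    for (family, table, hook, prio), names in sorted(find_colliding_base_chains(ruleset_json).items()):
        lines.append(f"{family} {table}: hook {hook} priority {prio}: {', '.join(names)} "
                     "(evaluation order undefined; iptables-nft reports the table as incompatible)")
    return lines


if __name__ == "__main__":
    # Live use: feed subprocess.run(["nft", "-j", "list", "ruleset"], capture_output=True).stdout
    for line in report(SAMPLE_RULESET):
        print(line)
```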