Thank you; I appreciate the help with clarity.

The most important takeaway for me was that there are implicit return packet/replies rules that don't need to be in the opposite hook (output for input, etc.). The example was excellent to illustrate this too.

For the sake of completeness, would the 'implicit' return packet rule be 'ct state established,related ct direction reply'?

Example:

table inet legacy {
    chain root_in {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        meta l4proto ipv6-icmp accept
        tcp dport 80 fib daddr type local ct state new accept
    }

    chain root_out {
        type filter hook output priority filter; policy drop;
        ct state established,related ct direction reply accept
        iifname "lo" accept
    }
}

On Mon, Jun 6, 2022 at 11:51 AM Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
>
> On Mon, 6 Jun 2022 16:30:48 +0100
> Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
>
> > tcp dport 80 fib daddr type local ctstate new accept
>
> Please excuse the typo. Of course, I meant to write "ct state" there.
>
> --
> Kerin Millar