On Tue, 7 Jun 2022 12:08:48 -0400 Gio <gioflux@xxxxxxxxx> wrote:

> Thank you; I appreciate the help with clarity. The most important
> takeaway for me was that there are implicit return packet/replies
> rules that don't need to be in the opposite hook (output for input,
> etc).
>
> The example was excellent to illustrate this too.
>
> For the sake of completeness, would the 'implicit' return packet rule
> be 'ct state established,related ct direction reply'? Example:
>
> table inet legacy {
>     chain root_in {
>         type filter hook input priority filter; policy drop;
>         ct state established,related accept
>         iifname "lo" accept
>         meta l4proto ipv6-icmp accept
>         tcp dport 80 fib daddr type local ct state new accept
>     }
>     chain root_out {
>         type filter hook output priority filter; policy drop;
>         ct state established,related ct direction reply accept
>         iifname "lo" accept
>     }
> }

Yes, I believe it would be. Incidentally, the second rule in the root_out
chain should be using oifname, rather than iifname.

--
Kerin Millar
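A small lint, added here as an example (it is not part of the thread), that parses the ruleset quoted above and flags the mismatch Kerin points out: an `iifname` match in an output-hook chain, or an `oifname` match in an input-hook chain. The names `RULESET`, `parse_chains` and `lint` are my own; the sample text is the ruleset as Gio posted it.

```python
import re

# Constructed sample: the ruleset from the thread, including the root_out
# chain exactly as posted (iifname in an output-hook chain).
RULESET = """
table inet legacy {
    chain root_in {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        meta l4proto ipv6-icmp accept
        tcp dport 80 fib daddr type local ct state new accept
    }
    chain root_out {
        type filter hook output priority filter; policy drop;
        ct state established,related ct direction reply accept
        iifname "lo" accept
    }
}
"""

CHAIN_RE = re.compile(r"chain\s+(\w+)\s*\{")
HOOK_RE = re.compile(r"type\s+filter\s+hook\s+(\w+)")


def parse_chains(text):
    """Return {chain_name: {"hook": str|None, "rules": [str]}} for each chain."""
    chains, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:                       # "chain NAME {" opens a new chain
            name = m.group(1)
            chains[name] = {"hook": None, "rules": []}
            continue
        if line == "}":             # closing brace of the current chain (or table)
            name = None
            continue
        if name is None or not line:
            continue
        h = HOOK_RE.match(line)     # "type filter hook input ..." base-chain header
        if h:
            chains[name]["hook"] = h.group(1)
        else:
            chains[name]["rules"].append(line)
    return chains


def lint(text):
    """Flag interface matches that belong to the opposite hook direction."""
    # Input-hook chains see packets arriving on an interface (iifname); output-hook
    # chains see locally generated packets on their way out (oifname), so an
    # iifname match there does not select the loopback traffic it is meant to allow.
    wrong = {"input": "oifname", "output": "iifname"}
    findings = []
    for name, chain in parse_chains(text).items():
        bad = wrong.get(chain["hook"])
        for rule in chain["rules"]:
            if bad and re.search(rf"\b{bad}\b", rule):
                findings.append(f"{name}: '{rule}' uses {bad} in a {chain['hook']} hook")
    return findings
```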