On 07.06.23 at 13:15, Tushar Shinde wrote:
What is the use of table chains if they are not decision makers in the accept case?
We mostly know what to accept and deny everything else. Can this not
be done with nftables?
exactly the same as in iptables: for PREROUTING, for example, it doesn't matter
whether you have an ACCEPT rule or nothing matches that would DROP a packet -
the default policy is ACCEPT
but just because it passed PREROUTING/MANGLE/RAW by ACCEPT
doesn't mean you want to accept the packet in the FORWARD/INPUT chains
that's the whole point of chains at all
Chain PREROUTING (policy ACCEPT 64M packets, 4408M bytes)
num   pkts bytes target   prot opt in  out source    destination
1     799M 827G  ACCEPT   all  --  *   *   0.0.0.0/0 0.0.0.0/0   ctstate RELATED,ESTABLISHED
2     44M  2500M INBOUND  all  --  wan *   0.0.0.0/0 0.0.0.0/0   ! match-set EXCLUDES_IPV4 src
On Tue, Jun 6, 2023 at 9:29 PM <seentr@xxxxxxxxxxxx> wrote:
You can try to set a mark as well as accept them. This way you will be able to determine in the following chains that some of the previous ones had accepted it.
2023-06-06T15:40:03Z Tushar Shinde <mtk.tushar@xxxxxxxxx>:
Hi,
I have asked the same question on Super User, but it looks like I need
help from experts.
https://superuser.com/questions/1787416/nftables-how-to-stop-further-chain-traversal-after-accept-verdict
The question is: if there are multiple tables (possibly owned by multiple
teams/projects), and a rule is accepted by one of the tables in the
chain, how do I stop the lookup in the next higher-priority chain? Right
now my observation is that ACCEPT just stops processing the current chain
and jumps to the next table. If this is the last table then only ACCEPT will
work; otherwise this ACCEPT is useless.
Logs are on the SU post.
Kindly correct me if I am wrong.
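The mark-and-accept approach suggested in the thread, written out as an added nftables ruleset (this is not code from the thread or the superuser post; the table names, priorities, ports and the mark value 0x1 are constructed):

```nft
# Constructed example: two independent tables, both hooking "input".
# Base chains on the same hook run in ascending priority order, so a
# packet accepted in teamA's chain (priority 0) is still evaluated by
# teamB's chain (priority 10); only a drop verdict is final.
# Without the mark check in teamB, SSH accepted by teamA would still hit
# teamB's "policy drop" - exactly the "ACCEPT is useless" symptom.

table inet teamA {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # accept SSH and record the decision in the packet mark
        # (0x1 is a constructed value; pick one not used by other tooling)
        tcp dport 22 meta mark set 0x1 accept
    }
}

table inet teamB {
    chain input {
        type filter hook input priority 10; policy drop;
        # honour an accept verdict recorded by an earlier base chain
        meta mark 0x1 accept
        ct state established,related accept
        tcp dport 80 accept
    }
}
```

Load with `nft -f <file>` and inspect with `nft list ruleset`; `meta mark` is per packet, so use `ct mark set meta mark` in teamA if the decision should persist for the whole connection instead.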