Hello,

I am in the process of learning all the nftables knowledge needed to understand some more complex setups and to create my own configurations from scratch, without migrating/translating iptables stuff. My starting point is the diagram from Pablo, which is available in the wiki under https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks .

My questions about this diagram:

1) netdev family filter for ingress and egress, as described in the table below the diagram: Where in the diagram can I apply those filters? I attach a modified version of this diagram, where I have marked the three possible hook chain types (filter, nat, route) at the places where those hooks are tied to.

2) Traffic flow inside the machine: How is traffic flowing when Application A talks to Application B? There is no way for traffic Application A generates to reach the Prerouting hook. However, I wrote some trace rulesets hooking into every possible filter and telling me where the packets are. Here I see that those packets leave Postrouting, but do not enter egress/ingress (which could be a solution for cases when both applications are listening on the same interface). No: Those packets reappear in the Prerouting hook, have a new trace id, but the same IP id.

3) The Routing Decision after Local Process makes, by my understanding, no sense, as it has only one output.

4) In case Application B listens on a bridge device, I would expect to see a way from Output Bridge to Prerouting Bridge or Input Bridge. I have no test case for this scenario, so my question is hypothetical.

I would be glad if someone could give me some answers. Perhaps I have overlooked some details, leading me in the wrong direction.

Thanks for any helpful answer
Wolfgang
Attachment:
nf-hooks.png
Description: PNG image
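The kind of trace ruleset described in question 2, written out as an added example (not the poster's own ruleset): one accept-only chain at every hook that host-local traffic can reach, each setting nftrace so that `nft monitor trace` prints the hooks a packet from Application A to Application B passes, in order. It assumes Application B listens on TCP port 8080 and that the device is "lo"; both are placeholders to adjust for the actual test.

```nft
#!/usr/sbin/nft -f
# Added example: trace chains at every hook, all with policy accept, so the
# ruleset only observes and never blocks traffic. Load with `nft -f`, then
# watch with `nft monitor trace`. It adds two tables named "trace" and does
# not flush the existing ruleset; remove them afterwards with
# `nft delete table netdev trace` and `nft delete table inet trace`.
# Assumptions (placeholders): Application B listens on TCP port 8080, the
# device under test is "lo".

define APP_PORT = 8080

table netdev trace {
    # Device-level hooks, which sit outside the inet path of the diagram.
    # The egress hook needs a kernel with netdev egress support (5.16 or later)
    # and a matching nft; drop the chain if loading fails on an older system.
    chain ingress {
        type filter hook ingress device "lo" priority -500; policy accept;
        tcp dport $APP_PORT meta nftrace set 1
    }
    chain egress {
        type filter hook egress device "lo" priority 0; policy accept;
        tcp dport $APP_PORT meta nftrace set 1
    }
}

table inet trace {
    # priority -300 (raw) runs before conntrack at prerouting and output,
    # so the trace also covers packets conntrack would later drop as invalid.
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        tcp dport $APP_PORT meta nftrace set 1
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport $APP_PORT meta nftrace set 1
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        tcp dport $APP_PORT meta nftrace set 1
    }
    chain output {
        type filter hook output priority -300; policy accept;
        tcp dport $APP_PORT meta nftrace set 1
    }
    chain postrouting {
        type filter hook postrouting priority 0; policy accept;
        tcp dport $APP_PORT meta nftrace set 1
    }
}
```

Each chain sets nftrace again because a packet handed back through the loopback device is delivered as a fresh skb, which is why a new trace id appears in prerouting/input after output/postrouting while the IP id stays the same.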