Re: Problems understanding nftables part 2


On Fri, May 31, 2024, at 11:11, Wolfgang wrote:
>> It's not clear that you understand that the value of nftrace doesn't quietly reset itself to 0 between hooks, however.
>
> Can you explain this further? Which value of nftrace? What shall reset itself?

It appears you misunderstood the statement.

The point being made here is that once 'nftrace' has been set to '1' on a packet, it will stay '1' for the entire lifetime of that packet through the netfilter subsystem. It will go back to zero, or any other value, and there is no need to set it to '1' again in a later hook or chain. If you set it to '1' in a very early part of the netfilter lifecycle, you'll be able to use 'nft monitor' to see the handling of that packet through the remainder of the lifecycle.

Thus, if you are setting it to '1' in 'ingress', for example, there is no need to have rules to set it to '1' in any other tables or hooks or chains (unless there are different conditions applied on those rules).
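
A minimal ruleset illustrating the point above, as an added example that is not part of the original message. The table name `trace_demo`, the chain names, the ICMP match and the use of `prerouting` at an early priority (instead of `ingress`, which needs a device name) are assumptions made for illustration.

```nftables
# Hypothetical demo ruleset: load with `nft -f <file>`, then run
# `nft monitor trace` in another terminal and send an ICMP echo to the host.
table inet trace_demo {
    # Early chain: the only place where the trace flag is set.
    chain trace_early {
        type filter hook prerouting priority -350; policy accept;
        ip protocol icmp meta nftrace set 1
    }

    # Later chain in the same hook: no nftrace rule here, yet its rule
    # evaluation for the flagged packet still shows up in the trace output.
    chain pre_filter {
        type filter hook prerouting priority 0; policy accept;
        ip protocol icmp counter
    }

    # Different hook: again no nftrace rule, and the same packet is still traced.
    chain input_filter {
        type filter hook input priority 0; policy accept;
        ip protocol icmp counter accept
    }
}
```

In the `nft monitor trace` output, events for one packet share the same trace id, so the entries from `pre_filter` and `input_filter` can be matched to the packet flagged in `trace_early`.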



