RE: Understanding output from "nft list"

In the nft(8) man page, I see the following.  I have not tested this behavior myself.
accept
        Terminate ruleset evaluation and accept the packet. The packet can still be dropped later by another hook, for instance accept in the forward hook still allows to drop the packet later in the postrouting hook, or another forward base chain that has a higher priority number and is evaluated afterwards in the processing pipeline.

I was keying off "another hook".  I think another base chain with the same hook type but a different priority is considered a different hook.  It's hard to describe 'the set of chains reachable from the current base chain' with a single word.  They are all executing within the context of the current hook+priority, which is what is terminated on accept.


-----Original Message-----
From: Slavko <linux@xxxxxxxxxx>
Sent: Monday, August 26, 2024 10:53 AM
To: netfilter@xxxxxxxxxxxxxxx
Subject: RE: Understanding output from "nft list"

On 26 August 2024 at 16:32:23 UTC, user "Atkins, Brian" <Brian.Atkins@xxxxxxxxxx> wrote:


>  'Accept',  on the other hand, accepts the packet in the current hook.  No other rules reachable from the hook chain are executed.

Are you sure about that? My understanding of the "accept" verdict is that it ends processing of rules in the current chain, not in the current hook. Thus rules in other chains (with lower priority -- higher number) in the current hook are still applied.

regards


--
Slavko
https://www.slavino.sk/
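The distinction the two posters are circling (accept ends the base chain currently being evaluated, including any chain it jumped into, but not other base chains registered on the same hook) can be seen directly in a ruleset. The following is an added example, not a ruleset posted in the thread; the table name `demo`, the chain names `early`, `checks` and `late`, and the source prefix 192.0.2.0/24 (a documentation range) are chosen for illustration only.

```nft
# Added example, not from the original thread.
# Two base chains registered on the same hook (inet forward) with different
# priorities. "early" (priority 0) is evaluated before "late" (priority 10:
# a higher number, therefore evaluated later in the pipeline).
table inet demo {
    chain early {
        type filter hook forward priority 0; policy drop;
        jump checks
        # Only reached if "checks" returns without issuing a final verdict.
        counter drop
    }

    # Regular (non-base) chain reachable from "early" via jump.
    chain checks {
        # "accept" here terminates evaluation of the base chain "early" as a
        # whole; control does NOT return to the "counter drop" rule above.
        ip saddr 192.0.2.0/24 accept
        # Plain return goes back to the caller for everything else.
        return
    }

    chain late {
        type filter hook forward priority 10; policy accept;
        # A packet from 192.0.2.0/24 that was accepted in "early" still arrives
        # here, because "late" is a separate base chain on the same hook. The
        # earlier accept does not protect it from this drop.
        ip saddr 192.0.2.0/24 tcp dport 23 counter drop
    }
}
```

Load it with `nft -f <file>` and read it back with `nft list ruleset`; forwarding a few packets from 192.0.2.0/24 (some to TCP port 23) and watching the counters shows the `counter drop` in `early` staying at zero while the one in `late` increments. Chains `early` and `checks` together are the "set of chains reachable from the current base chain" that the accept verdict terminates; `late` is outside that set even though it sits on the same hook.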