RE: Understanding output from "nft list"

On 26 August 2024 at 18:12:58 UTC, user "Atkins, Brian" <Brian.Atkins@xxxxxxxxxx> wrote:
>In the nft(8) man page, I see the following.  I have not tested this behavior myself.
>accept
>        Terminate ruleset evaluation and accept the packet. The packet can still be dropped later by another hook, for instance accept in the forward hook still allows to drop the packet later in the postrouting hook, or another forward base chain that has a higher priority number and is evaluated afterwards in the processing pipeline.
>
>I was keying off "another hook".  I think another base chain with the same hook type but a different priority is considered a different hook.  It's hard to describe 'the set of chains reachable from the current base chain' with a single word.  They are all executing within the context of the current hook+priority, which is what is terminated on accept.

Perhaps it is only a terminology problem, or my English is not enough
to see the difference, but it seems that we are both talking about the same thing...

When I started to use nftables (switching from iptables) I read that, and
"another hook, for instance accept in the forward hook" I understood
exactly as the example says, e.g. accept in the output hook means go to the
postrouting hook. And it works exactly like this, if (and only if) one has
only one chain per hook.

Then I started to experiment with multiple chains in the same hook
(really it was a mix of ip/ip6 and inet tables) and I was surprised
that accept e.g. in an "ip input" chain can be not enough, as the packet can
be dropped in an "inet input" chain (both in the input hook). The same
applies to multiple chains of one table in the same hook.

Then I read somewhere (perhaps on this ML, I forgot) that accept
ends only the current chain (the one with the hook definition), which was more
understandable for me.

Perhaps one has to distinguish "hook" and "hook type" (or so),
and perhaps my "chain" suggestion is wrong, as there are also "user
chains" (without a hook definition)...

regards


-- 
Slavko
https://www.slavino.sk/
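The behaviour Slavko describes can be reproduced with a small ruleset. The following is a constructed example added here; it is not from the thread or from the nft man page. It defines two base chains on the same input hook in two different tables (table and chain names are made up), with different priorities, so that `nft list ruleset` shows both chains carrying `hook input`:

```nft
# Constructed example (not from the thread): two base chains registered on
# the same input hook. The lower priority number is evaluated first.
table ip early {
    chain input {
        # priority 0 (the "filter" priority) runs before priority 10
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        # "accept" ends evaluation of THIS base chain only; the packet
        # continues to every other base chain registered on the input hook
        tcp dport 22 accept
    }
}

table inet late {
    chain input {
        # priority 10 runs after the "early" chain on the same hook
        type filter hook input priority 10; policy accept;
        # the packet accepted above still arrives here and is dropped
        tcp dport 22 drop
    }
}
```

Loaded with `nft -f`, new TCP connections to port 22 are dropped even though the `ip early` chain accepted them: accept terminates the current base chain (and any user chains it jumped to), not the hook. To see this step by step, add `meta nftrace set 1` as the first rule of the `early` chain and watch `nft monitor trace`; the trace shows the packet leaving `early` with the `accept` verdict and then entering `late`, where the `drop` verdict is final.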