On 26 August 2024 18:12:58 UTC, user "Atkins, Brian" <Brian.Atkins@xxxxxxxxxx> wrote:

>In the nft(8) man page, I see the following. I have not tested this behavior myself.
>
>accept
>    Terminate ruleset evaluation and accept the packet. The packet can still be dropped later by another hook, for instance accept in the forward hook still allows to drop the packet later in the postrouting hook, or another forward base chain that has a higher priority number and is evaluated afterwards in the processing pipeline.
>
>I was keying off "another hook". I think another base chain with the same hook type but a different priority is considered a different hook.
>
>It's hard to describe 'the set of chains reachable from the current base chain' with a single word. They are all executing within the context of the current hook+priority, which is what is terminated on accept.

Perhaps it is only a terminology problem, or my English is not enough to see the difference, but it seems that we are both talking about the same thing...

When I started to use nftables (switching from iptables) I read that, and "another hook, for instance accept in the forward hook" I understood exactly as the example points out, e.g. accept in the output hook means go to the postrouting hook. And it works exactly like this, if (and only if) one has only one chain per hook.

Then I started to experiment with multiple chains in the same hook (really it was a mix of ip/ip6 and inet tables) and I was surprised that accept e.g. in the "ip input" chain can be not enough, as the packet can be dropped in the "inet input" chain (both in the input hook). The same applies to multiple chains of one table in the same hook.

Then I read somewhere (perhaps in this ML, I forgot) that accept ends only the current chain (the one with a hook definition), which was more understandable for me.

Perhaps one has to distinguish "hook" and "hook type" (or so), and perhaps my "chain" suggestion is wrong, as here there are "user chains" (without hook definition)...

regards

-- 
Slavko
https://www.slavino.sk/
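The situation Slavko describes, two base chains from different tables registered on the same input hook, can be reproduced with the ruleset below. It is an added example written for this page, not a ruleset from the thread or from the nftables project; the table names, chain names, priorities and the 192.0.2.10 source address are constructed for illustration. The "ip" chain has the lower priority number and runs first; its "accept" ends evaluation of that chain only, so the packet is still handed to the "inet" chain, which drops it.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Both base chains below hook into the
# IPv4 "input" hook: the ip-family chain (priority 0) is evaluated before the
# inet-family chain (priority 10). "accept" in the first chain terminates
# only that chain's evaluation; the packet continues to the second chain.

flush ruleset

table ip demo_ip {
    chain input {
        type filter hook input priority 0; policy accept;
        # Constructed test address. The packet is counted here and accepted
        # for this chain...
        ip saddr 192.0.2.10 counter accept
    }
}

table inet demo_inet {
    chain input {
        type filter hook input priority 10; policy accept;
        # ...and still arrives here, where it is counted again and dropped.
        # Without this second base chain the accept above would be final for
        # the input hook, which matches the "one chain per hook" experience.
        ip saddr 192.0.2.10 counter drop
    }
}
```

Check the syntax with `nft -c -f demo.nft`, then load it with `nft -f demo.nft` on a test host or inside a network namespace (the `flush ruleset` line removes every existing table). After sending traffic from 192.0.2.10 towards the host, `nft list ruleset` shows both counters incremented and the traffic not reaching the host: the accept in `demo_ip` did not stop `demo_inet` from seeing the packet. Swapping the two priority numbers makes the drop in `demo_inet` happen first, and the `demo_ip` counter then stays at zero, which shows that a terminating verdict really does end evaluation for every base chain with a higher priority number on that hook.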