I was thinking of non-base chains (chains without a type statement). The base chain can have rules that jump to non-base chains, which can also have rules that jump to other chains, etc. The accept ends that entire chain 'stack' (for want of a better term), including the original base chain.

If, say, you had a table of type ip, and another table of type inet, and they both had input hook chains, I don't think accept in one chain would have an impact on the other table's chain, although I don't know that for sure.

-----Original Message-----
From: Slavko <linux@xxxxxxxxxx>
Sent: Monday, August 26, 2024 12:45 PM
To: netfilter@xxxxxxxxxxxxxxx
Subject: RE: Understanding output from "nft list"

On 26 August 2024 18:12:58 UTC, "Atkins, Brian" <Brian.Atkins@xxxxxxxxxx> wrote:
>In the nft(8) man page, I see the following. I have not tested this behavior myself.
>accept
> Terminate ruleset evaluation and accept the packet. The packet can still be dropped later by another hook, for instance accept in the forward hook still allows to drop the packet later in the postrouting hook, or another forward base chain that has a higher priority number and is evaluated afterwards in the processing pipeline.
>
>I was keying off "another hook". I think another base chain with the same hook type but a different priority is considered a different hook. It's hard to describe 'the set of chains reachable from the current base chain' with a single word. They are all executing within the context of the current hook+priority, which is what is terminated on accept.

Perhaps it is only a terminology problem, or my English is not good enough to see the difference, but it seems that we are both talking about the same thing...

When I started to use nftables (switching from iptables) I read that, and "another hook, for instance accept in the forward hook" I understood exactly as the example points out, e.g. accept in the output hook means go to the postrouting hook. And it works exactly like this, if (and only if) one has only one chain per hook.

Then I started to experiment with multiple chains in the same hook (really it was a mix of ip/ip6 and inet tables) and I was surprised that accept, e.g. in the "ip input" chain, may not be enough, as the packet can be dropped in the "inet input" chain (both in the input hook). The same applies to multiple chains of one table in the same hook.

Then I read somewhere (perhaps on this ML, I forgot) that accept ends only the current chain (with hook definition), which was more understandable for me.

Perhaps one has to distinguish "hook" and "hook type" (or so), and perhaps my "chain" suggestion is wrong, as there are "user chains" (without hook definition)...

regards

--
Slavko
https://www.slavino.sk/
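The verdict behaviour discussed in this thread, as an added example that is not part of either message and is not nftables or kernel code: a small Python model in which accept unwinds the jump stack of the current base chain only, and later base chains on the same hook still run. The table and chain names, the priorities and the sample packets are constructed for illustration.

```python
# Simplified model of nftables verdict handling as described in the quoted
# nft(8) text and in the thread. Constructed for illustration only.
ACCEPT, DROP = "accept", "drop"

def run_chain(chains, name, pkt, trace):
    """Evaluate one chain. Returns ACCEPT, DROP, or None if no rule decided."""
    for match, action, target in chains[name]["rules"]:
        if not match(pkt):
            continue
        trace.append(f"{name}: {action}{' ' + target if target else ''}")
        if action in (ACCEPT, DROP):
            return action
        if action == "jump":
            verdict = run_chain(chains, target, pkt, trace)
            if verdict is not None:
                return verdict  # accept/drop unwinds the whole jump stack
    return None  # fell off the end: the caller continues with its next rule

def evaluate_hook(chains, hook, pkt):
    """Run every base chain registered on `hook`, lowest priority number first."""
    trace = []
    base = sorted((c["priority"], n) for n, c in chains.items()
                  if c.get("hook") == hook)
    for _, name in base:
        # No deciding rule: the base chain's policy applies.
        verdict = run_chain(chains, name, pkt, trace) or chains[name]["policy"]
        trace.append(f"{name}: final {verdict}")
        if verdict == DROP:
            return DROP, trace  # drop is final for the packet
        # accept ends only this base chain; the next one is still evaluated
    return ACCEPT, trace

is_ssh = lambda p: p["dport"] == 22

# Constructed ruleset: an ip table and an inet table, both on the input hook.
RULESET = {
    "ip filter input": {"hook": "input", "priority": 0, "policy": DROP,
                        "rules": [(is_ssh, "jump", "ip filter ssh")]},
    "ip filter ssh": {"rules": [(is_ssh, ACCEPT, None)]},  # non-base chain
    "inet filter input": {"hook": "input", "priority": 10, "policy": ACCEPT,
                          "rules": [(is_ssh, DROP, None)]},
}

if __name__ == "__main__":
    verdict, trace = evaluate_hook(RULESET, "input", {"dport": 22})
    print(verdict)
    print("\n".join(trace))
```

On a live system the same sequence can be observed by setting `meta nftrace set 1` on the packets of interest and watching `nft monitor trace`.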