On Tue, 8 Oct 2024, at 5:59 PM, Robin Bussell wrote:
> Hi Folks,
> I'm trying to create a regular chain with a default drop
> policy and not getting anywhere. The wiki implies this can be done, but
> when I try:
>
> nft 'add chain ip myTable myChain { policy drop ;}'
>
> I get back:
>
> Error: Could not process rule: Operation not supported
> add chain ip O365 O365WhiteList { policy drop ;}
>                                   ^^^^^^^^^^^
>
> ( those carets line up with the "policy drop" on my terminal. A table
> called myTable of the ip family exists already )
>
> So are policies actually supported on regular chains? If so, can you
> tell me what might be wrong with my nft invocation?

There can be no policy for a chain bearing no hook.

> What I want to do is make a whitelist setup by having a base chain
> hooked to forward with a rule that jumps to my whitelist chain for
> packets coming in from one particular interface.
> Then have the whitelist chain with a default drop policy and a set of
> rules defining which hosts and networks to accept for further
> forwarding.

If the base chain already has "policy drop" then simply use goto instead of jump. Alternatively, conclude your whitelist chain with an explicit "drop" rule.

-- 
Kerin Millar
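The two alternatives Kerin describes, written out as one complete nftables ruleset. This is an added example and not part of the thread: the interface names (eth1, eth2), the chain names and the accepted networks (RFC 5737 documentation ranges) are placeholders. The only chain with a policy is the base chain, because only a hooked chain may carry one; the regular chains get their default-drop behaviour either from falling through to the base chain's policy (goto) or from an explicit terminal drop rule (jump).

```nft
# Added example, not from the thread. Interface and chain names and the
# accepted networks are placeholders; adjust them to the real topology.
table ip myTable {
    # Regular chain (no hook), so it cannot carry a policy. It is entered
    # with goto, which never returns to the caller: a packet matching none of
    # the accept rules falls off the end and is handled by the base chain's
    # "policy drop".
    chain whitelist_goto {
        ip daddr 192.0.2.0/24 accept
        ip daddr 198.51.100.10 accept
    }

    # Regular chain entered with jump. A jump returns to the base chain after
    # the last rule, so an explicit "drop" at the end makes the verdict
    # self-contained regardless of what rules follow the jump in the caller.
    chain whitelist_jump {
        ip daddr 203.0.113.0/24 accept
        drop
    }

    # Base chain: hooked to forward, so it may carry a policy.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "eth1" goto whitelist_goto
        iifname "eth2" jump whitelist_jump
        # Nothing placed here is reached for eth1 (goto does not return) or
        # eth2 (whitelist_jump always issues accept or drop before returning).
        # Traffic from any other interface reaches the policy and is dropped.
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; in the listing, only the `forward` chain shows a `policy` line, while the two whitelist chains show none, which is the same distinction behind the "Operation not supported" error when `policy drop` is attached to a chain without a hook. When in doubt about which variant applies, the explicit terminal `drop` is the safer choice: it keeps the whitelist chain correct even if a later accept rule is appended to the base chain after the jump.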