Documentation regarding priorities possibly wrong - clarification / update appreciated

Dear experts,

hoping that the development team can kick in here ...

I have used the whole weekend for trying to understand why packets do not traverse the chains in my ruleset in the expected order. The documentation in the wiki [1] states:

"Within a given hook, Netfilter performs operations in order of increasing numerical priority. Each nftables base chain and flowtable is assigned a priority that defines its ordering among other base chains and flowtables and Netfilter internal operations at the same hook."

IMHO, this statement is not ambiguous and cannot be misunderstood. Packets traverse chains that are registered at the same hook in the order that is determined by the priority of these chains, no matter what. Period.

However, when setting nftrace to 1 in my ruleset and monitoring the packet flow, I noticed that the chains were not traversed in the order stated above. Since I am a netfilter newbie, I searched for my mistake for a long time, but to no avail. It is very well possible that there are mistakes on my side, though.

On the other hand, during my research, I have found a post [2] that was an eye opener. The first and only reply to the question (at the time of writing) explains in great detail and in an understandable manner that the priority of a nat type chain is simply ignored* and that every nat type chain instead is always executed at priority -100. [* The relative order of nat type chains that are at the same hook is preserved, though, according to the post. ]

The post further contains an example ruleset and shows traces that prove the statements made. In summary, it seems convincing to me.

Now, the problem is that either the netfilter documentation is wrong or that post is wrong. In both of them, there is no room for interpretation. Rather, the netfilter documentation states the exact opposite of what that post states, regarding one of the most crucial points in understanding nftables / netfilter and monitoring its operation.

Could somebody please clarify which of them is correct?

If it's the netfilter documentation that is wrong:

- We would be very grateful if somebody could fix it soon. This would save a lot of time for everybody who is in the process of learning netfilter and nftables.

- Furthermore, could somebody please let us know if nat type chains are the only exception to the "chains are evaluated in priority order" rule, or if there are more chain types that are an exception?

Best regards, and thank you very much in advance,

Binarus

[1] https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook

[2] https://unix.stackexchange.com/questions/762402/nftables-are-chains-of-multiple-types-all-evaluated-for-a-given-hook

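An added example, not from Binarus's mail or from the netfilter project: a small Python script that turns the manual comparison described in the mail (declared chain priorities from the ruleset versus the order in which chains are actually entered according to nftrace) into a repeatable check. The ruleset and the `nft monitor trace` lines embedded in it are constructed for illustration, the symbolic priority names are the ones nft(8) lists for the ip/ip6/inet families, and the trace line layout `trace id <id> <family> <table> <chain> ...` is assumed from nft(8) output. The script does not settle which of the two documents is right; it only reports where the observed order departs from what the documented rule predicts.

```python
"""Added example, not from the original mail nor from the netfilter project:
compare the order in which a packet entered nftables base chains (as reported
by `nft monitor trace`) with the order their declared priorities predict.
The ruleset and trace lines below are constructed; trace lines are assumed to
use the nft(8) layout `trace id <id> <family> <table> <chain> <kind> ...`."""
import re
from collections import namedtuple

# Symbolic priorities of the ip/ip6/inet families, as listed in nft(8).
PRIO_NAMES = {"raw": -300, "mangle": -150, "dstnat": -100, "filter": 0,
              "security": 50, "srcnat": 100}

TABLE_RE = re.compile(r"^table\s+\w+\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
BASE_RE = re.compile(r"^type\s+(\w+)\s+hook\s+(\w+)\s+(?:device\s+\S+\s+)?"
                     r"priority\s+([^;]+);")
TRACE_RE = re.compile(r"^trace id (\w+) (\w+) (\S+) (\S+) "
                      r"(packet:|rule|verdict|policy)(?=\s|$)")

BaseChain = namedtuple("BaseChain", "table name type hook priority")


def parse_priority(expr):
    """Evaluate a priority expression such as '-300', 'dstnat' or 'filter + 10'."""
    expr = expr.replace(" ", "")
    m = re.fullmatch(r"(-?\d+|[a-z]+)([+-]\d+)?", expr)
    if not m:
        raise ValueError(f"unsupported priority expression: {expr!r}")
    base, offset = m.groups()
    value = int(base) if base.lstrip("-").isdigit() else PRIO_NAMES[base]
    return value + int(offset or 0)


def parse_chains(ruleset_text):
    """Line-based parse of `nft list ruleset` text -> {'table/chain': BaseChain}.
    Regular (non-base) chains have no `type ... hook ...` line and are skipped."""
    chains, table, chain = {}, None, None
    for raw in ruleset_text.splitlines():
        line = raw.strip()
        if m := TABLE_RE.match(line):
            table = m.group(1)
        elif m := CHAIN_RE.match(line):
            chain = m.group(1)
        elif (m := BASE_RE.match(line)) and table and chain:
            ctype, hook, prio = m.groups()
            chains[f"{table}/{chain}"] = BaseChain(table, chain, ctype, hook,
                                                   parse_priority(prio))
    return chains


def chains_visited(trace_text):
    """Map each trace id to the chains it entered, in first-seen order."""
    visits = {}
    for line in trace_text.splitlines():
        if m := TRACE_RE.match(line):
            tid, _family, table, chain, _kind = m.groups()
            seq = visits.setdefault(tid, [])
            if f"{table}/{chain}" not in seq:
                seq.append(f"{table}/{chain}")
    return visits


def priority_violations(ruleset_text, trace_text):
    """(trace id, earlier chain, later chain) triples where a base chain was
    entered before another base chain on the same hook that has a *lower*
    declared priority, i.e. the observed order contradicts the wiki's rule."""
    chains, found = parse_chains(ruleset_text), []
    for tid, seq in chains_visited(trace_text).items():
        for i, a in enumerate(seq):
            for b in seq[i + 1:]:
                ca, cb = chains.get(a), chains.get(b)
                if ca and cb and ca.hook == cb.hook and ca.priority > cb.priority:
                    found.append((tid, a, b))
    return found


# Constructed ruleset: three base chains on one hook; by declared priority the
# traversal order would be early (-300), dnat (-200), late (mangle = -150).
RULESET = """\
table ip demo {
    chain early {
        type filter hook prerouting priority -300; policy accept;
        meta nftrace set 1
    }
    chain dnat {
        type nat hook prerouting priority -200; policy accept;
    }
    chain late {
        type filter hook prerouting priority mangle; policy accept;
    }
}
"""

# Constructed trace for one packet, written to show the order the cited post
# reports (nat chain entered after the -150 filter chain); not real output.
TRACE = """\
trace id 3c1f2a9e ip demo early packet: iif "eth0" ip saddr 192.0.2.10 ip daddr 198.51.100.5 tcp dport 80
trace id 3c1f2a9e ip demo early rule meta nftrace set 1 (verdict continue)
trace id 3c1f2a9e ip demo early policy accept
trace id 3c1f2a9e ip demo late packet: iif "eth0" ip saddr 192.0.2.10 ip daddr 198.51.100.5 tcp dport 80
trace id 3c1f2a9e ip demo late policy accept
trace id 3c1f2a9e ip demo dnat packet: iif "eth0" ip saddr 192.0.2.10 ip daddr 198.51.100.5 tcp dport 80
trace id 3c1f2a9e ip demo dnat policy accept
"""

if __name__ == "__main__":
    for tid, a, b in priority_violations(RULESET, TRACE):
        print(f"trace {tid}: {a} entered before {b} despite a higher declared priority")
```

On a real system, feed `parse_chains` the output of `nft list ruleset` and `chains_visited` the output of `nft monitor trace` captured while the traffic of interest passes; only base chains on the same hook are compared, and chains reached by jump or goto are ignored because they have no priority of their own.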