Re: Documentation regarding priorities possibly wrong - clarification / update appreciated

On 2. februára 2025 18:48:47 UTC, Binarus <lists@xxxxxxxxxx> wrote:

>However, when setting nftrace to 1 in my ruleset and monitoring the packet flow, I noticed that the chains were not traversed in the order stated above. Since I am a netfilter newbie, I searched for my mistake for a long time, but to no avail. It is very well possible that there are mistakes on my side, though.
>
>On the other hand, during my research, I have found a post [2] that was an eye opener. The first and only reply to the question (at the time of writing) explains in great detail and in an understandable manner that the priority of a nat type chain is simply ignored* and that every nat type chain instead is always executed at priority -100. [* The relative order of nat type chains that are at the same hook is preserved, though, according to the post. ]

I am far from an expert, but my understanding is that NAT is a
special case, as it is performed by the kernel itself at an exact time
(hardcoded priority). nftables doesn't do NAT itself; its
NAT rules just instruct the kernel if and how to do it. Thus "type nat"
chains are all run at once (in order of their priorities).

IMO, one cannot expect that all chain types can be
freely mixed/interleaved (in terms of their priorities); otherwise the
chain's type would be redundant. In other words, one has to
take the chain type into account too.

Yes, nftables adds a great level of flexibility (compared with
iptables), but that can be hard to describe without being too
long. IMO the nft manpage is already too long and has to be split
(and then extended with more details).

regards


-- 
Slavko
https://www.slavino.sk/
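The situation discussed in this thread, as an added example that is not part of Binarus's or Slavko's messages: a minimal prerouting ruleset with nftrace enabled, plus a small shell model that contrasts the order a reader of the manpage might expect with the order the trace actually shows. It assumes the behaviour the quoted post describes, namely that a "type nat" chain's declared priority only orders it relative to other nat chains at the same hook, while the nat hook itself runs at the kernel's fixed priority (NF_IP_PRI_NAT_DST, i.e. -100, for prerouting). The table name, chain names, ports and the 192.0.2.0/24 address are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Demonstrates why a nat chain declared
# at priority -250 is traced AFTER a filter chain declared at -200.

# Constructed ruleset: three chains at the prerouting hook. nftrace is set in
# the earliest chain; the flag stays on the packet, so every later chain at
# the hook is reported by `nft monitor trace`.
ruleset() {
cat <<'EOF'
table ip trace_demo {
    chain early_filter {
        type filter hook prerouting priority -300; policy accept;
        meta nftrace set 1
    }
    chain dnat {
        type nat hook prerouting priority -250; policy accept;
        tcp dport 8080 dnat to 192.0.2.10:80
    }
    chain late_filter {
        type filter hook prerouting priority -200; policy accept;
        counter
    }
}
EOF
}

# The same chains as "name type declared-priority", used by the model below.
chains() {
  printf '%s\n' \
    'early_filter filter -300' \
    'dnat nat -250' \
    'late_filter filter -200'
}

# Order one might expect from the declared priorities alone.
declared_order() {
  chains | sort -k3,3n | awk '{ printf "%s ", $1 }' | sed 's/ $//'
}

# Order the trace shows (assumption from the thread, matching the kernel's
# NF_IP_PRI_NAT_DST): every nat chain at prerouting runs inside the single
# kernel nat hook at -100; the declared priority only sorts nat chains among
# themselves. Filter chains keep their declared priority.
effective_order() {
  chains \
    | awk '{ eff = ($2 == "nat") ? -100 : $3; print eff, $3, $1 }' \
    | sort -k1,1n -k2,2n \
    | awk '{ printf "%s ", $3 }' \
    | sed 's/ $//'
}

# To reproduce on a router (root required; nothing below is run here):
#   ruleset | nft -f -
#   nft monitor trace            # in a second terminal
# then open a NEW TCP connection to port 8080 from another host. nat chains
# are only evaluated for the first packet of a connection, so re-using an
# existing flow (or one already in the conntrack table) will not show the
# dnat chain at all; `conntrack -F` first if unsure.
echo "declared order : $(declared_order)"
echo "effective order: $(effective_order)"
```

Running the script prints `declared order : early_filter dnat late_filter` and `effective order: early_filter late_filter dnat`, which is the sequence the trace output reports. The -100 figure is the dstnat case (prerouting and output); for the srcnat hooks (postrouting and input) the kernel's fixed constant is NF_IP_PRI_NAT_SRC, i.e. 100, so a nat chain there is traced after filter chains declared at lower priorities in the same way.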
