Is it possible to change a chains default policy when rules are already present?

Is it possible to change a chains default policy when rules are already present?

[Andreas Hoefler]

Hi

I have a chain with default policy drop. 
I would like to first have the default policy set to accept, then add rules and later change it to drop. 
Is this possible?

Thx
Andy

Re: Is it possible to change a chains default policy when rules are already present?

[Reindl Harald]

Am 13.08.20 um 14:28 schrieb Andreas Hoefler:
> I have a chain with default policy drop. 
> I would like to first have the default policy set to accept, then add rules and later change it to drop. 
> Is this possible?

iptables -t <table> -P <CHAIN> ACCEPT
iptables -t <table> -P <CHAIN> DROP

RE: Is it possible to change a chains default policy when rules are already present?

[Andreas Hoefler]

Hi

Thx for the quick reply. Forgot to mention I am using NFTables...but I guess this should be then possible as well.

Thx
Andy 

Am 13.08.20 um 14:28 schrieb Andreas Hoefler:
> I have a chain with default policy drop.
> I would like to first have the default policy set to accept, then add rules and later change it to drop.
> Is this possible?

iptables -t <table> -P <CHAIN> ACCEPT
iptables -t <table> -P <CHAIN> DROP

Re: Is it possible to change a chains default policy when rules are already present?

[Duncan Roe]

On Thu, Aug 13, 2020 at 12:50:54PM +0000, Andreas Hoefler wrote:
> Hi
>
> Thx for the quick reply. Forgot to mention I am using NFTables...but I guess this should be then possible as well.
>
> Thx
> Andy
>
> Am 13.08.20 um 14:28 schrieb Andreas Hoefler:
> > I have a chain with default policy drop.
> > I would like to first have the default policy set to accept, then add rules and later change it to drop.
> > Is this possible?
>
> iptables -t <table> -P <CHAIN> ACCEPT
> iptables -t <table> -P <CHAIN> DROP

Hi Andy,

If you are using individual nft commands then yes, you can do that.

But there is no need to do it if using an nft script (#!/usr/sbin/nft -f), since
nothing is sent to the kernel until the script is all done, and then the kernel
makes all the changes atomically (i.e. all processes are locked out until all
the changes are done).

Cheers ... Duncan.

Re: Is it possible to change a chains default policy when rules are already present?

[Pablo Neira Ayuso]

On Thu, Aug 13, 2020 at 12:28:34PM +0000, Andreas Hoefler wrote:
> Hi
> 
> I have a chain with default policy drop. 
> I would like to first have the default policy set to accept, then add rules and later change it to drop. 
> Is this possible?

For the record:

 nft add chain x y { policy accept\; }

Assuming an existing basechain 'y'. The backlash (\) before the
semicolon is there in case of invoking this from bash.

Re: Is it possible to change a chains default policy when rules are already present?

[Daniel]

Hello

Le 14/08/2020 à 13:07, Pablo Neira Ayuso a écrit :
> On Thu, Aug 13, 2020 at 12:28:34PM +0000, Andreas Hoefler wrote:
>> Hi
>>
>> I have a chain with default policy drop.
>> I would like to first have the default policy set to accept, then add rules and later change it to drop.
>> Is this possible?
> For the record:
>
>   nft add chain x y { policy accept\; }
>
> Assuming an existing basechain 'y'. The backlash (\) before the
> semicolon is there in case of invoking this from bash.

 From bash how to you set priority leaded by - like priority -150 \; We 
always get invalid option

dh@peech:~$ sudo nft add chain ip6 mangle output { type nat hook 
prerouting priority -350 \; policy accept \; }
nft: invalid option -- '3'

-- 
Daniel Huhardeaux
+33.368460088@tootai.net	      sip:820@sip.tootai.net
+41.445532125@swiss-itech.ch		    tootaiNET

Re: Is it possible to change a chains default policy when rules are already present?

[Reindl Harald]

Am 14.08.20 um 13:21 schrieb Daniel:
> Le 14/08/2020 à 13:07, Pablo Neira Ayuso a écrit :
>> On Thu, Aug 13, 2020 at 12:28:34PM +0000, Andreas Hoefler wrote:
>>> Hi
>>>
>>> I have a chain with default policy drop.
>>> I would like to first have the default policy set to accept, then add
>>> rules and later change it to drop.
>>> Is this possible?
>> For the record:
>>
>>   nft add chain x y { policy accept\; }
>>
>> Assuming an existing basechain 'y'. The backlash (\) before the
>> semicolon is there in case of invoking this from bash.
> 
> From bash how to you set priority leaded by - like priority -150 \; We
> always get invalid option
> 
> dh@peech:~$ sudo nft add chain ip6 mangle output { type nat hook
> prerouting priority -350 \; policy accept \; }
> nft: invalid option -- '3'

because you don't escape - with \-
don't nft understand quoted params?

nft add chain ip6 mangle output "{ type nat hook prerouting priority
-350 ; policy accept ; }"

Re: Is it possible to change a chains default policy when rules are already present?

[Daniel]

Le 14/08/2020 à 13:36, Reindl Harald a écrit :
>
> Am 14.08.20 um 13:21 schrieb Daniel:
>> Le 14/08/2020 à 13:07, Pablo Neira Ayuso a écrit :
>>> On Thu, Aug 13, 2020 at 12:28:34PM +0000, Andreas Hoefler wrote:
>>>> Hi
>>>>
>>>> I have a chain with default policy drop.
>>>> I would like to first have the default policy set to accept, then add
>>>> rules and later change it to drop.
>>>> Is this possible?
>>> For the record:
>>>
>>>    nft add chain x y { policy accept\; }
>>>
>>> Assuming an existing basechain 'y'. The backlash (\) before the
>>> semicolon is there in case of invoking this from bash.
>>  From bash how to you set priority leaded by - like priority -150 \; We
>> always get invalid option
>>
>> dh@peech:~$ sudo nft add chain ip6 mangle output { type nat hook
>> prerouting priority -350 \; policy accept \; }
>> nft: invalid option -- '3'
> because you don't escape - with \-
I already tested by escaping - sign, same error
> don't nft understand quoted params?
>
> nft add chain ip6 mangle output "{ type nat hook prerouting priority
> -350 ; policy accept ; }"
Not working either

dh@peech:~$ sudo nft add chain ip6 mangle prerouting "{ type nat hook 
prerouting priority -350 ; policy accept ; }"
Error: Could not process rule: Operation not supported
add chain ip6 mangle prerouting { type nat hook prerouting priority 
-350; policy accept; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

-- 
Daniel Huhardeaux
+33.368460088@tootai.net	      sip:820@sip.tootai.net
+41.445532125@swiss-itech.ch		    tootaiNET

Re: Is it possible to change a chains default policy when rules are already present?

[Florian Westphal]

Daniel <tech@tootai.net> wrote:
> 
> Le 14/08/2020 à 13:36, Reindl Harald a écrit :
> > 
> > Am 14.08.20 um 13:21 schrieb Daniel:
> > > Le 14/08/2020 à 13:07, Pablo Neira Ayuso a écrit :
> > > > On Thu, Aug 13, 2020 at 12:28:34PM +0000, Andreas Hoefler wrote:
> > > > > Hi
> > > > > 
> > > > > I have a chain with default policy drop.
> > > > > I would like to first have the default policy set to accept, then add
> > > > > rules and later change it to drop.
> > > > > Is this possible?
> > > > For the record:
> > > > 
> > > >    nft add chain x y { policy accept\; }
> > > > 
> > > > Assuming an existing basechain 'y'. The backlash (\) before the
> > > > semicolon is there in case of invoking this from bash.
> > >  From bash how to you set priority leaded by - like priority -150 \; We
> > > always get invalid option
> > > 
> > > dh@peech:~$ sudo nft add chain ip6 mangle output { type nat hook
> > > prerouting priority -350 \; policy accept \; }
> > > nft: invalid option -- '3'
> > because you don't escape - with \-
> I already tested by escaping - sign, same error
> > don't nft understand quoted params?
> > 
> > nft add chain ip6 mangle output "{ type nat hook prerouting priority
> > -350 ; policy accept ; }"
> Not working either
> 
> dh@peech:~$ sudo nft add chain ip6 mangle prerouting "{ type nat hook
> prerouting priority -350 ; policy accept ; }"
> Error: Could not process rule: Operation not supported
> add chain ip6 mangle prerouting { type nat hook prerouting priority -350;
> policy accept; }

Historic artifact, try a value larger than -200, e.g. -199.
I've sent a patch to zap this outdated check.

RE: Is it possible to change a chains default policy when rules are already present?

[Andreas Hoefler]

> Daniel <tech@tootai.net> wrote:
> >
> > Le 14/08/2020 à 13:36, Reindl Harald a écrit :
> > >
> > > Am 14.08.20 um 13:21 schrieb Daniel:
> > > > Le 14/08/2020 à 13:07, Pablo Neira Ayuso a écrit :
> > > > > On Thu, Aug 13, 2020 at 12:28:34PM +0000, Andreas Hoefler wrote:
> > > > > > Hi
> > > > > >
> > > > > > I have a chain with default policy drop.
> > > > > > I would like to first have the default policy set to accept, 
> > > > > > then add rules and later change it to drop.
> > > > > > Is this possible?
> > > > > For the record:
> > > > >
> > > > >    nft add chain x y { policy accept\; }
> > > > >
> > > > > Assuming an existing basechain 'y'. The backlash (\) before the 
> > > > > semicolon is there in case of invoking this from bash.
> > > >  From bash how to you set priority leaded by - like priority -150 
> > > > \; We always get invalid option
> > > >
> > > > dh@peech:~$ sudo nft add chain ip6 mangle output { type nat hook 
> > > > prerouting priority -350 \; policy accept \; }
> > > > nft: invalid option -- '3'
> > > because you don't escape - with \-
> > I already tested by escaping - sign, same error
> > > don't nft understand quoted params?
> > >
> > > nft add chain ip6 mangle output "{ type nat hook prerouting priority
> > > -350 ; policy accept ; }"
> > Not working either
> >
> > dh@peech:~$ sudo nft add chain ip6 mangle prerouting "{ type nat hook 
> > prerouting priority -350 ; policy accept ; }"
> > Error: Could not process rule: Operation not supported add chain ip6 
> > mangle prerouting { type nat hook prerouting priority -350; policy 
> > accept; }
> 
> Historic artifact, try a value larger than -200, e.g. -199.
> I've sent a patch to zap this outdated check.

Didn't work for me either:
#nft add chain ip6 x y {type filter hook input priority \-100\;}
nft: invalid option -- '1'

Re: Is it possible to change a chains default policy when rules are already present?

[Florian Westphal]

Andreas Hoefler <andreas.hoefler@hitachi-powergrids.com> wrote:
> > Daniel <tech@tootai.net> wrote:
> > > dh@peech:~$ sudo nft add chain ip6 mangle prerouting "{ type nat hook 
> > > prerouting priority -350 ; policy accept ; }"
> > > Error: Could not process rule: Operation not supported add chain ip6 
> > > mangle prerouting { type nat hook prerouting priority -350; policy 
> > > accept; }
> > 
> > Historic artifact, try a value larger than -200, e.g. -199.
> > I've sent a patch to zap this outdated check.
> 
> Didn't work for me either:
> #nft add chain ip6 x y {type filter hook input priority \-100\;}
> nft: invalid option -- '1'

Different problem.  Just follow Daniels example and quote everything,
i.e.  nft add chain ip6 x y "{ type filter hook input priority -100; }"

RE: Is it possible to change a chains default policy when rules are already present?

[Andreas Hoefler]

> Andreas Hoefler <andreas.hoefler@hitachi-powergrids.com> wrote:
> > > Daniel <tech@tootai.net> wrote:
> > > > dh@peech:~$ sudo nft add chain ip6 mangle prerouting "{ type nat 
> > > > hook prerouting priority -350 ; policy accept ; }"
> > > > Error: Could not process rule: Operation not supported add chain 
> > > > ip6 mangle prerouting { type nat hook prerouting priority -350; 
> > > > policy accept; }
> > >
> > > Historic artifact, try a value larger than -200, e.g. -199.
> > > I've sent a patch to zap this outdated check.
> >
> > Didn't work for me either:
> > #nft add chain ip6 x y {type filter hook input priority \-100\;}
> > nft: invalid option -- '1'
> 
> Different problem.  Just follow Daniels example and quote everything, i.e.  nft add chain ip6 x y "{ type filter hook input priority -100; }"

ah ok that did the trick, thx a lot.

Andy

Re: Is it possible to change a chains default policy when rules are already present?

[Daniel]

Le 14/08/2020 à 15:44, Andreas Hoefler a écrit :
>> Andreas Hoefler <andreas.hoefler@hitachi-powergrids.com> wrote:
>>>> Daniel <tech@tootai.net> wrote:
>>>>> dh@peech:~$ sudo nft add chain ip6 mangle prerouting "{ type nat
>>>>> hook prerouting priority -350 ; policy accept ; }"
>>>>> Error: Could not process rule: Operation not supported add chain
>>>>> ip6 mangle prerouting { type nat hook prerouting priority -350;
>>>>> policy accept; }
>>>> Historic artifact, try a value larger than -200, e.g. -199.
>>>> I've sent a patch to zap this outdated check.
>>> Didn't work for me either:
>>> #nft add chain ip6 x y {type filter hook input priority \-100\;}
>>> nft: invalid option -- '1'
>> Different problem.  Just follow Daniels example and quote everything, i.e.  nft add chain ip6 x y "{ type filter hook input priority -100; }"
> ah ok that did the trick, thx a lot.
Confirmed, thanks.

-- 
Daniel Huhardeaux
+33.368460088@tootai.net	      sip:820@sip.tootai.net
+41.445532125@swiss-itech.ch		    tootaiNET

Re: Is it possible to change a chains default policy when rules are already present?

[Pablo Neira Ayuso]

On Fri, Aug 14, 2020 at 01:21:08PM +0000, Andreas Hoefler wrote:
> > Daniel <tech@tootai.net> wrote:
> > >
> > > Le 14/08/2020 à 13:36, Reindl Harald a écrit :
> > > >
> > > > Am 14.08.20 um 13:21 schrieb Daniel:
> > > > > Le 14/08/2020 à 13:07, Pablo Neira Ayuso a écrit :
> > > > > > On Thu, Aug 13, 2020 at 12:28:34PM +0000, Andreas Hoefler wrote:
> > > > > > > Hi
> > > > > > >
> > > > > > > I have a chain with default policy drop.
> > > > > > > I would like to first have the default policy set to accept, 
> > > > > > > then add rules and later change it to drop.
> > > > > > > Is this possible?
> > > > > > For the record:
> > > > > >
> > > > > >    nft add chain x y { policy accept\; }
> > > > > >
> > > > > > Assuming an existing basechain 'y'. The backlash (\) before the 
> > > > > > semicolon is there in case of invoking this from bash.
> > > > >  From bash how to you set priority leaded by - like priority -150 
> > > > > \; We always get invalid option
> > > > >
> > > > > dh@peech:~$ sudo nft add chain ip6 mangle output { type nat hook 
> > > > > prerouting priority -350 \; policy accept \; }
> > > > > nft: invalid option -- '3'
> > > > because you don't escape - with \-
> > > I already tested by escaping - sign, same error
> > > > don't nft understand quoted params?
> > > >
> > > > nft add chain ip6 mangle output "{ type nat hook prerouting priority
> > > > -350 ; policy accept ; }"
> > > Not working either
> > >
> > > dh@peech:~$ sudo nft add chain ip6 mangle prerouting "{ type nat hook 
> > > prerouting priority -350 ; policy accept ; }"
> > > Error: Could not process rule: Operation not supported add chain ip6 
> > > mangle prerouting { type nat hook prerouting priority -350; policy 
> > > accept; }
> > 
> > Historic artifact, try a value larger than -200, e.g. -199.
> > I've sent a patch to zap this outdated check.
> 
> Didn't work for me either:
> #nft add chain ip6 x y {type filter hook input priority \-100\;}
> nft: invalid option -- '1'

This is fixed in recent nftables version there is no need to disable
the getopt_long() parser anymore via --

nft -- add chain ip6 x y {type filter hook input priority -100 \;}

see:

commit fb9cea50e8b370b6931e7b53b1a881d3b95b1c91
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Fri Dec 13 11:32:46 2019 +0100

    main: enforce options before commands

RE: Is it possible to change a chains default policy when rules are already present?

[Andreas Hoefler]

Hi

Thx a lot, that worked.
I expected the add cmd to produce an error since the chain already exists, but seems to work fine.

Andreas Hoefler
 

On Thu, Aug 13, 2020 at 12:28:34PM +0000, Andreas Hoefler wrote:
> Hi
>
> I have a chain with default policy drop.
> I would like to first have the default policy set to accept, then add rules and later change it to drop.
> Is this possible?

For the record:

 nft add chain x y { policy accept\; }

Assuming an existing basechain 'y'. The backlash (\) before the semicolon is there in case of invoking this from bash.