From: Florian Westphal <fw@strlen.de>
To: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft v6 0/3] doc: miscellaneous improvements
Date: Wed, 29 Oct 2025 12:28:15 +0100
Message-ID: <aQH6T6M-r561jvQ7@strlen.de>
In-Reply-To: <0e0112a16c881a1072c3d9dcba4d323b608674b0.camel@christoph.anton.mitterer.name>
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name> wrote:
> IMO that makes things a bit more convoluted, first explaining who can
> call who, then where evaluation continues, then again explaining who
> can call who.
I swapped the two sentences.
> I would however suggest to reconsider in particular "all traffic will
> be blocked".
> "all traffic" is... well "all traffic"... but the decision is just
> about one packet, ain't it?
> Also "blocked" is IMO a bit fuzzy. Is the term used before? I'd rather
> interpret it as some generic term that could be either drop or reject
> or similar, but here the example was particularly about when any chain
> uses drop as policy.
What about this:
Thus, if any base chain uses drop as its policy, the same base chain (or a
regular chain directly or indirectly called by it) must contain at least one
*accept* rule to avoid all traffic from getting dropped.
> IMO it doesn't make things easier for a beginner, if one basically
> has to read through everything to find all information.
I added a reference. Also keep in mind that nftables will already tell
you about a terminal statement that is not at the end:
nft add rule ip f c drop counter
Error: Statement after terminal statement has no effect
> Also, "or a user-defined", ain't the base chains user-defined,
> too?
Thanks, user-defined is iptables-legacy lingo (base chains always
exist), old habit.
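The rule the wording above settles on, checked mechanically, as an added example that is my code, not nft's and not from this thread: it parses a small subset of `nft list ruleset` output (one `chain NAME {` header, an optional `type ... policy X;` line, one rule per line) and reports base chains whose policy is drop and that reach no accept rule, either directly or through a jump/goto to a regular chain. The ruleset is constructed for the example.

```python
import re

# Constructed sample (not from the thread): 'forward' drops everything it sees.
SAMPLE_RULESET = """table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        jump services
    }
    chain services {
        ct state established,related accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        jump log_only
    }
    chain log_only {
        counter log prefix "fwd: "
    }
}"""

def parse_chains(text):
    """chain name -> {'policy': str or None, 'rules': [str]} (subset parser)."""
    chains, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"chain (\S+) \{", line):
            cur = chains.setdefault(m.group(1), {"policy": None, "rules": []})
        elif cur and line.startswith("type "):  # base chain header; nft defaults to accept
            p = re.search(r"policy (\w+)", line)
            cur["policy"] = p.group(1) if p else "accept"
        elif cur and line not in ("", "}"):  # skip blanks and closing braces
            cur["rules"].append(line)
    return chains

def reaches_accept(chains, name, seen=frozenset()):
    """True if `name`, or a chain it jumps/goes to (transitively), has an accept rule."""
    if name in seen or name not in chains:  # `seen` guards against jump cycles
        return False
    for words in (rule.split() for rule in chains[name]["rules"]):
        if "accept" in words:
            return True
        targets = [words[i + 1] for i, w in enumerate(words[:-1]) if w in ("jump", "goto")]
        if any(reaches_accept(chains, t, seen | {name}) for t in targets):
            return True
    return False

def drop_everything_chains(text):
    # Base chains with policy drop that cannot reach any accept rule.
    chains = parse_chains(text)
    return sorted(n for n, c in chains.items()
                  if c["policy"] == "drop" and not reaches_accept(chains, n))
```

Running `drop_everything_chains(SAMPLE_RULESET)` flags only `forward`: `input` has no accept itself but reaches one via `jump services`, which is exactly the case the proposed sentence allows.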
Thread overview:
2025-10-28 14:54 [PATCH nft v6 0/3] doc: miscellaneous improvements Florian Westphal
2025-10-28 14:54   [PATCH nft v6 1/3] doc: add overall description of the ruleset evaluation Florian Westphal
2025-10-28 14:54   [PATCH nft v6 2/3] doc: fix/improve documentation of verdicts Florian Westphal
2025-10-28 14:54   [PATCH nft v6 3/3] doc: minor improvements the `reject` statement Florian Westphal
2025-10-29 0:19    [PATCH nft v6 0/3] doc: miscellaneous improvements Christoph Anton Mitterer
2025-10-29 11:28     Florian Westphal [this message]
2025-10-30 1:04        Christoph Anton Mitterer
2025-10-30 10:34         Florian Westphal