Re: Chain priorities for NAT

Re: Chain priorities for NAT

[Pablo Neira Ayuso]

On Thu, Feb 02, 2017 at 01:52:18PM +0100, Christoph Pleger wrote:
> Hello,
> 
> On 2017-01-11, I wrote:
> 
> > The Wiki on https://wiki.nftables.org mentions two priorities
> specifically available for NAT, -100 and 100. But of these two, the
> wiki's example for NAT only uses the value 100 for the postrouting
> chain. The prerouting chain has priority 0, and there is no difference
> between SNAT and DNAT.
> >
> > When I look at the ipv4-nat example which is shipped together with my
> nftables package, both chains use priority -150, though due to the Wiki,
> that value is used for mangling.
> >
> > And when I look at some online-exmaples, they use 0 for prerouting and
> postrouting.
> >
> > So, what are really the best values to use for priority in snat
> prerouting and postrouting and dnat prerouting and postrouting?
> 
> Does "No answer in three weeks" mean that nobody here knows how to use
> these priority values for NAT chains? Though probably netfilter developers
> are reading this list?

Sorry, I overlooked this email.

See nf_ip_hook_priorities:
http://lxr.free-electrons.com/source/include/uapi/linux/netfilter_ipv4.h

See nf_ip6_hook_priorities:
http://lxr.free-electrons.com/source/include/uapi/linux/netfilter_ipv6.h

Yes, I'm pointing to source code, I know I should not be doing this ;-)

Probably we can add the 'default' label, so:

        add chain x y { type filter hook input priority default\; }

In this case, default translates to 0.

        add chain x y { type nat hook prerouting priority default\; }

In this case this would be -100.

Then:

        add chain x y { type nat hook postrouting priority default\; }

This results in priority 100.

We would still need explicit labels though, eg. raw and security at
least. These are special type of filter chains.

Comments welcome. Thanks.