Re: [RFC PATCH] doc: use symbolic names for chain priorities

[Simon Ruderich <simon@ruderich.org>]

[-- Attachment #1: Type: text/plain, Size: 1751 bytes --]

On Sun, Mar 07, 2021 at 10:02:52AM -0500, Frank Myhr wrote:
> Hi Simon,
>
> Priority is only relevant _within a given hook_. So comparing priorities of
> base chains hooked to prerouting and postrouting (as in your example above)
> does not make sense. Please see:
>
> https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority
> https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

Hello Frank,

thank you. This helped, somewhat.

The image https://people.netfilter.org/pablo/nf-hooks.png in the
wiki lists netfilter hooks. Do these correspond to nftables
hooks? So all prerouting hooks (type nat, type filter, etc.) for
IP are applied to the green "Prerouting Hook" in the IP part of
the diagram? And the "Netfilter Internal Priority" applies only
within such a hook to order them?

If this is correct this leads me to three questions:

Why is there a global order of netfilter hooks (via the priority,
-450 to INT_MAX)? Wouldn't it also work to set for example
NF_IP_PRI_NAT_SRC to -400 because it only applies in postrouting
anyway? Or is it designed that way to "hint" at the packet flow
(lower numbers first, independent of the actual hooks)?

For type nat and hook prerouting priorities like -100, 0 and 500
would all work because we have no other hooks in that range.
However, using priority -250 would be problematic because it puts
it before the netfilter connection tracking?

What exactly is the difference between the chain types? Is it
relevant for netfilter or is it only for nftables so it knows
which rules to expect in the given chain?

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]