From: Florian Westphal <fw@strlen.de>
To: ѽ҉ᶬḳ℠ <vtol@gmx.net>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: [nftables v0.9.2] inet <> ip | ip6 family tables processing order?
Date: Wed, 5 Feb 2020 12:21:04 +0100
Message-ID: <20200205112104.GA26952@breakpoint.cc>
In-Reply-To: <dad1e392-ae29-a3bf-7411-d1dfe2095de2@gmx.net>
ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> Having deployed family tables:
>
> * inet
> * ip
> * ip6
>
> and to my understanding the _base chain definitions_, hook priority and
> policy, are only applicable to chains within the same family table but are
> mutually exclusive between the different family tables I am struggling to
> comprehend as to the order of packet processing among the aforementioned
> family tables:
>
> * which family table the packet is processed through first/last - inet or ip
> | ip6?
None. Ordering is by prio, not by family.
In the ip vs ip6 case it's even irrelevant because an ipv4 packet will never
travel any of the ip6 base chains, ever (and vice versa).
> * if the hook priority in the base chains of each family is the same but
> different policies being applied how would such conflict, inet vs. ip | ip6,
> resolve?
Implementation defined, right now it's 'last added'.
But the result is the same: if the verdict is "drop", the packet is discarded and
evaluation ends.
Just like with iptables: if you drop in mangle input, filter table won't
even get a chance to see the packet.
> As far as I comprehend jump | goto works with chains in the same family
> table but it is not possible to jump | goto from the inet table to ip | ip6
> or vice versa, or is it?
It's not, each table is a distinct entity.
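A small Python model of the ordering described in this reply (an added example, not code from the thread or from nftables itself): base chains from every applicable family are walked by hook priority, an ip6 chain never sees an IPv4 packet, and a drop verdict ends evaluation. The table names, priorities and rules below are constructed, and the tie order for equal priorities is left as a parameter because the reply calls it implementation defined.

```python
from dataclasses import dataclass, field

@dataclass
class BaseChain:
    table: str        # e.g. "inet filter" (constructed names)
    family: str       # "inet", "ip" or "ip6"
    hook: str         # "input", "forward", ...
    priority: int
    policy: str       # "accept" or "drop"
    rules: list = field(default_factory=list)  # callables: pkt -> verdict or None

def applies(chain, pkt_family):
    # inet chains see both IPv4 and IPv6; ip/ip6 chains only their own family.
    return chain.family == "inet" or chain.family == pkt_family

def run_hook(chains, hook, pkt, last_added_first=False):
    """Evaluate every base chain registered on `hook` for `pkt`.

    Returns (final verdict, tables whose chain saw the packet, in order).
    Chains are ordered by priority across all families, not by family; the
    order among equal priorities is implementation defined (a parameter here).
    """
    idx = sorted(range(len(chains)), key=lambda i: (
        chains[i].priority, -i if last_added_first else i))
    seen = []
    for i in idx:
        ch = chains[i]
        if ch.hook != hook or not applies(ch, pkt["family"]):
            continue
        seen.append(ch.table)
        verdict = ch.policy
        for rule in ch.rules:
            v = rule(pkt)
            if v is not None:       # first terminating rule decides the chain
                verdict = v
                break
        if verdict == "drop":       # drop discards the packet; evaluation ends
            return "drop", seen
    return "accept", seen

# Constructed ruleset: ip and ip6 tables hook input at -10, inet at 0.
RULESET = [
    BaseChain("ip filter", "ip", "input", -10, "accept",
              [lambda p: None]),                        # e.g. a counter rule
    BaseChain("ip6 filter", "ip6", "input", -10, "drop"),
    BaseChain("inet filter", "inet", "input", 0, "accept",
              [lambda p: "drop" if p.get("dport") == 23 else None]),
]

if __name__ == "__main__":
    for pkt in ({"family": "ip", "dport": 22}, {"family": "ip", "dport": 23},
                {"family": "ip6", "dport": 22}):
        print(pkt, "->", run_hook(RULESET, "input", pkt))
```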