From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Marek Greško" <mgresko8@gmail.com>
Cc: Florian Westphal <fw@strlen.de>, netfilter@vger.kernel.org
Subject: Re: nftables and connection tracking
Date: Thu, 2 Jul 2020 21:47:10 +0200 [thread overview]
Message-ID: <20200702194710.GA14610@salvia> (raw)
In-Reply-To: <CAChjPdRFPLkKcj3eDiFrpaL2VEoueJxWrx=kwixprHkNUqf-+Q@mail.gmail.com>
On Thu, Jul 02, 2020 at 09:33:41PM +0200, Marek Greško wrote:
> Great, thanks for explanation.
>
> Now I have two chains OUTPUT with priority filter. One in the table
> raw and second in the table filter (currently both of them with policy
> accept). Is that correct? What is the order of evaluation? The order
> it appears in config file? Should not one of the priorities be changed
> to (filter + 1) or the rules moved to the filter table?
Move them to the "filter" table, no need to define a new chain. Chains
are somewhat expensive: one of the good things about nftables is that
you can define the chains that you need.
Chains whose priority is filter (0) see packets with the conntrack
information. Anything from priority -200 onwards (INT_MAX) has access
to the conntrack information.
Priorities from INT_MIN to -199 see no conntrack information (which
used to be the "raw" table semantics).
In nftables, tables have no specific semantics anymore, it's the chain
priority that specifies what semantics apply to your basechain.
Thanks.
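The priority split described above, as an added example ruleset (not code from the thread or from the netfilter project). It assumes the inet family, a table named "filter", and that the raw-stage chain only needs to exempt an assumed local DNS resolver from tracking; numeric priorities are used, with the standard names noted in comments:

```nft
# Added example, not part of the original thread.
# Priorities: -300 = raw, -200 = conntrack hook, 0 = filter.
table inet filter {
    # Runs before the conntrack hook (-200): "ct state" is NOT usable here.
    # Only untracked/early-drop logic belongs in a chain at this priority.
    chain prerouting_raw {
        type filter hook prerouting priority -300; policy accept;
        # Assumed: skip conntrack for resolver traffic to reduce table churn.
        udp dport 53 notrack
    }

    # Runs after the conntrack hook: "ct state" carries real information.
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Assumed service: allow new SSH sessions only.
        tcp dport 22 ct state new accept
    }

    # A single output chain at filter priority; no second chain in another
    # table is needed, since the table itself no longer implies semantics.
    chain output {
        type filter hook output priority 0; policy accept;
        ct state established,related accept
    }
}
```

Check the file without loading it with `nft -c -f ruleset.nft`, and confirm the resulting hook order with `nft list chains`: the chain at -300 is listed with its priority and will never see conntrack state, while both chains at 0 do. Putting a `ct state` rule into the -300 chain would match nothing useful, which is the mistake the priority split avoids.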
2020-06-21 5:54 nftables and connection tracking Marek Greško
2020-06-21 8:06 ` Florian Westphal
[not found] ` <CAChjPdQtKBGuUvdveCVc5kmhA+fgP4DUDNKhNd11KUVCKNUZLg@mail.gmail.com>
[not found] ` <20200621090142.GL26990@breakpoint.cc>
2020-06-21 9:39 ` Marek Greško
2020-06-21 10:45 ` Florian Westphal
2020-06-21 11:33 ` Marek Greško
2020-07-01 20:01 ` Marek Greško
2020-07-01 22:48 ` Florian Westphal
2020-07-02 19:33 ` Marek Greško
2020-07-02 19:47 ` Pablo Neira Ayuso [this message]
[not found] ` <CAChjPdQb5wUP7Qbz=D-0jg-YFC0cWgV4oPJQD9-G7evi3SupAw@mail.gmail.com>
[not found] ` <YUk8dCSHCUcKn+Xy@salvia>
[not found] ` <CAChjPdREO=jtTNGc32H3mv+Zv8AHKbujb_a8=tkwC0+b2sbVCQ@mail.gmail.com>
2021-09-24 5:21 ` Fwd: " Marek Greško
2021-09-24 7:19 ` Daniel
2020-06-22 12:06 ` Pablo Neira Ayuso
2020-06-22 17:18 ` Marek Greško
2020-06-22 21:35 ` Marek Greško