base chains with same hook, same priority

base chains with same hook, same priority

[Cristian Constantin]

hi!

quote from the wiki page:

https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains

"[...] It's possible to give two base chains the same priority, but
there is no guaranteed evaluation order of base chains with identical
priority that are attached to the same hook location."
I have tested this on my system and it is actually allowed by `nft`, kernel.

root@firiel:/home/cco# uname -a
Linux firiel 5.8.0-63-generic #71-Ubuntu SMP Tue Jul 13 15:59:12 UTC
2021 x86_64 x86_64 x86_64 GNU/Linux
root@firiel:/home/cco# lsb_release
LSB Version: core-11.1.0ubuntu2-noarch:printing-11.1.0ubuntu2-noarch:security-11.1.0ubuntu2-noarch
root@firiel:/home/cco# nft -v
nftables v0.9.6 (Capital Idea #2)
root@firiel:/home/cco# nft -a list table filter
table ip filter { # handle 3
chain INPUT { # handle 1
type filter hook input priority filter; policy accept;
}
...
chain TEST { # handle 579
type filter hook input priority filter; policy accept;
}

could someone please show me a use case for using multiple chains
having the same hook and the same priority? (i.e. taking into account
that _most of the time_ rule priority and thus evaluation order is
important)

and, in a more general sense, why is this configuration allowed (i.e.
base chains with same hook, same priority)?

thanks,
cristian

Re: base chains with same hook, same priority

[Cristian Constantin]

cristian: one interesting side-effect...

after having two chains with the same hook, priority in the same table
(as above), `iptables` cmd line tool reports the respective table as
incompatible...

# /usr/sbin/iptables -t filter -S --wait
iptables v1.8.5 (nf_tables): table `filter' is incompatible, use 'nft' tool.

# iptables -L
iptables v1.8.5 (nf_tables): table `filter' is incompatible, use 'nft' tool.


On Wed, Sep 15, 2021 at 11:38 AM Cristian Constantin
<const.crist@googlemail.com> wrote:
>
> hi!
>
> quote from the wiki page:
>
> https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
>
> "[...] It's possible to give two base chains the same priority, but
> there is no guaranteed evaluation order of base chains with identical
> priority that are attached to the same hook location."
> I have tested this on my system and it is actually allowed by `nft`, kernel.
>
> root@firiel:/home/cco# uname -a
> Linux firiel 5.8.0-63-generic #71-Ubuntu SMP Tue Jul 13 15:59:12 UTC
> 2021 x86_64 x86_64 x86_64 GNU/Linux
> root@firiel:/home/cco# lsb_release
> LSB Version: core-11.1.0ubuntu2-noarch:printing-11.1.0ubuntu2-noarch:security-11.1.0ubuntu2-noarch
> root@firiel:/home/cco# nft -v
> nftables v0.9.6 (Capital Idea #2)
> root@firiel:/home/cco# nft -a list table filter
> table ip filter { # handle 3
> chain INPUT { # handle 1
> type filter hook input priority filter; policy accept;
> }
> ...
> chain TEST { # handle 579
> type filter hook input priority filter; policy accept;
> }
>
> could someone please show me a use case for using multiple chains
> having the same hook and the same priority? (i.e. taking into account
> that _most of the time_ rule priority and thus evaluation order is
> important)
>
> and, in a more general sense, why is this configuration allowed (i.e.
> base chains with same hook, same priority)?
>
> thanks,
> cristian

Re: base chains with same hook, same priority

[Pablo Neira Ayuso]

On Wed, Sep 15, 2021 at 01:44:47PM +0200, Cristian Constantin wrote:
> cristian: one interesting side-effect...
> 
> after having two chains with the same hook, priority in the same table
> (as above), `iptables` cmd line tool reports the respective table as
> incompatible...
> 
> # /usr/sbin/iptables -t filter -S --wait
> iptables v1.8.5 (nf_tables): table `filter' is incompatible, use 'nft' tool.
> 
> # iptables -L
> iptables v1.8.5 (nf_tables): table `filter' is incompatible, use 'nft' tool.

IIRC interaction between iptables-nft and nft has got better over the
recent version (latest is v1.8.7), and there are also recent patches
to improve it more.