[PATCH firewall4] ruleset: add missing pre_* chains
Florian Eckert
fe at dev.tdt.de
Tue May 24 07:28:03 PDT 2022
Hello Jo-Philipp
I found the following summary that describes my problem. See my link
[1].
And why we need these pre_* hooks in fw4, as I suggested.
I have found the following description about priority and accept.
This is the paragraph:
Base chain priority:
Each nftables base chain is assigned a priority that defines its
ordering among other base chains, flowtables, and Netfilter internal
operations at the same hook. For example, a chain on the prerouting hook
with priority -300 will be placed before connection tracking operations.
NOTE: If a packet is accepted and there is another chain, bearing the
same hook type and with a later priority, then the packet will
subsequently traverse this other chain. Hence, an accept verdict - be it
by way of a rule or the default chain policy - isn't necessarily final.
However, the same is not true of packets that are subjected to a drop
verdict. Instead, drops take immediate effect, with no further rules or
chains being evaluated.
From my point of view it makes sense to add my changes in fw4, otherwise
it won't work.
When I read it like this then your suggestion does not work?
Kind regards
Florian
[1]
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_types
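
The accept/drop asymmetry from the quoted wiki paragraph, shown as a minimal nftables ruleset. This is an added example, not part of the original message and not fw4's generated ruleset; the table and chain names and the port choices are hypothetical.

```nftables
# Constructed example: two base chains on the same hook (input),
# ordered only by their priority values.

table inet demo_early {
    chain pre_input {
        # Priority -10 runs before priority 0 on the same hook.
        type filter hook input priority -10; policy accept;

        # accept is NOT final: the packet leaves this chain and is
        # evaluated again by every later base chain on the input hook.
        tcp dport 22 accept

        # drop IS final: no later chain ever sees this packet.
        udp dport 53 drop
    }
}

table inet demo_main {
    chain input {
        # Later priority, default-drop policy.
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # There is no rule for tcp dport 22 here, so a new SSH connection
        # that was accepted in demo_early/pre_input is still dropped by
        # this chain's policy.
    }
}
```

An early chain in a separate table can therefore only tighten the result (its drops stick); it cannot allow traffic that a later base chain on the same hook drops.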