Timeline for Packet processing order in nftables
Current License: CC BY-SA 4.0
13 events
| when | type | what | by | license | comment |
|---|---|---|---|---|---|
| Dec 9, 2023 at 19:52 | history | edited | A.B | CC BY-SA 4.0 | Revisit the misc section after having done more thorough tests about NAT in another Q/A |
| Dec 28, 2022 at 18:50 | comment | added | A.B | | @pschichtel That's correct, but I'm not sure it's relevant to this Q/A. Anyway, `ip daddr set` is not used with the nat type which I mentioned. It's used for stateless NAT in a filter (or route) type hook and has to be used for every packet rather than only the first packet of the flow (with the alteration of other packets in the same flow offloaded to conntrack/nat). It could be useful for some cases, probably not all, to also set these packets as `notrack` or to mark them to avoid interactions with conntrack+nat. |
| Dec 28, 2022 at 4:22 | comment | added | pschichtel | | @A.B it seems to be true that when applying a `dnat` rule, no further `dnat` rules apply. However, if you use `ip daddr set` instead of `dnat to`, further processing will happen. I (ab)used this fact to first DNAT my public IP into my k8s metallb load balancer network with nftables and then let kube-router apply its iptables DNAT rules to the final cluster IP. |
| Feb 7, 2022 at 9:45 | comment | added | Nubarke | | Thank you for this excellent summary of the different concepts and object roles in nftables. I'm sending this answer to a coworker who is transitioning from iptables because I couldn't explain it better. |
| Jul 11, 2021 at 11:30 | comment | added | A.B | | @Slimak I'm sure I wrote it somewhere (maybe not in this answer?): this is simple logic. If a packet is affected by two filters, then whatever the order of the filters, the AND boolean operator's effect applies: DROP AND DROP => DROP, DROP AND ACCEPT => DROP, ACCEPT AND DROP => DROP, ACCEPT AND ACCEPT => ACCEPT. So the order of two chains (which is undefined if hooking at the same priority, without any more knowledge on the order it happened, the kernel version or the phase of the moon) doesn't matter: `inet filter` accept AND `ip filter` drop => DROP here <=> `ip filter` drop AND `inet filter` accept => DROP |
| Jul 11, 2021 at 11:24 | history | edited | A.B | CC BY-SA 4.0 | correct a minor comment about nftables in the bridge path: it's affected exactly like iptables, but should be used directly in the bridge family instead |
| Sep 8, 2020 at 11:05 | comment | added | Slimak | | Rereading the linked man page (especially the wording around the "queue" verdict statement) suggests that accept terminates evaluation of only the current hook (not the whole ruleset like what is printed by `nft list ruleset`), and that a same-priority hook will be evaluated later. |
| Sep 8, 2020 at 10:37 | comment | added | Slimak | | @A.B For me it is still not clear what the behaviour will be for multiple hooks registered in the same family for the same type of hook. E.g. an `inet filter` hook at priority 0 would accept ipv4 packet foo and an `ip filter` hook at priority 0 would drop packet foo. If the inet hook happens to be evaluated first, is the "ruleset evaluation termination" only for the inet hook (and the ip hook will drop the packet later)? Or is "ruleset evaluation termination" for all filter hooks, or for all same-priority filter hooks? |
| Sep 2, 2020 at 12:23 | vote | accept | Rahul | | |
| Sep 2, 2020 at 11:13 | history | edited | A.B | CC BY-SA 4.0 | one backtick missing |
| Sep 2, 2020 at 8:17 | comment | added | A.B | | Yes. Just don't forget the table's family. There's one "prerouting" per family, and that's as many separately handled prerouting lists (ok, there are exceptions: special cases related to the netdev and inet families, and with nat). |
| Sep 2, 2020 at 4:39 | comment | added | Rahul | | Thanks for the great explanation. So is it correct to say the following? "Chains are grouped together by the kernel from all the tables and ordered by priority irrespective of which table they come from. Tables only serve as a scope limiter for the various elements a chain is using, for example sets, maps, etc." |
| Sep 1, 2020 at 17:45 | history | answered | A.B | CC BY-SA 4.0 | |
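
The ordering and verdict-combination semantics argued over in the comments above (base chains from every table of a family that hook the same place are sorted by priority irrespective of table; `accept` ends only the current base chain; `drop` is final; two same-priority filter chains therefore give the same result whichever runs first) as an added model in Python. This is an illustration written for this page, not nftables code and not the answer's own; `FAMILY_SEES`, `BaseChain`, the table names, the priorities and the packets are all constructed for the example, and nat-type chains and conntrack are deliberately left out of the model.

```python
"""Toy model of nftables base-chain ordering and verdict combination.

Added illustration, not nftables code and not the answer's own: it models the
semantics discussed in the comments above. All names, tables and packets are
constructed for the example; nat-type chains and conntrack are not modelled.
"""
from dataclasses import dataclass
from itertools import permutations

# Which packet families each table family sees (ip: IPv4 only, ip6: IPv6
# only, inet: both). Assumed to be the only families in this model.
FAMILY_SEES = {"ip": {"ipv4"}, "ip6": {"ipv6"}, "inet": {"ipv4", "ipv6"}}


@dataclass
class BaseChain:
    table: str       # "<family> <table name>", e.g. "inet filter"
    hook: str        # "input", "forward", ...
    priority: int
    rules: list      # [(match: callable(pkt) -> bool, verdict: str), ...]

    def run(self, pkt: dict) -> str:
        """Evaluate rules top to bottom; the first matching accept/drop
        terminates this base chain only."""
        for match, verdict in self.rules:
            if match(pkt):
                return verdict
        return "policy-accept"   # chain policy, assumed accept here


def chains_for(pkt: dict, hook: str, chains: list, tie_break=None) -> list:
    """Base chains this packet traverses on `hook`, from every table whose
    family sees the packet, sorted by priority regardless of table. The
    order among equal priorities is undefined in nftables; `tie_break` (a
    list of table names) lets the caller impose one to test the outcome."""
    selected = [c for c in chains
                if c.hook == hook and pkt["family"] in FAMILY_SEES[c.table.split()[0]]]
    if tie_break is None:
        return sorted(selected, key=lambda c: c.priority)
    return sorted(selected, key=lambda c: (c.priority, tie_break.index(c.table)))


def traverse(pkt: dict, hook: str, chains: list, tie_break=None):
    """Walk the ordered base chains. drop is final for the packet; accept
    only leaves the current base chain, so the next base chain still runs."""
    trace = []
    for chain in chains_for(pkt, hook, chains, tie_break):
        verdict = chain.run(pkt)
        trace.append((chain.table, verdict))
        if verdict == "drop":
            return "drop", trace
    return "accept", trace


def order_independent(pkt: dict, hook: str, chains: list) -> bool:
    """Try every relative order of the tables and report whether the final
    verdict ever changes (it should not: accept AND drop => drop)."""
    tables = [c.table for c in chains]
    verdicts = {traverse(pkt, hook, chains, list(order))[0]
                for order in permutations(tables)}
    return len(verdicts) == 1


# Constructed ruleset: two tables of different families both hook input at
# priority 0, as in the question above, plus a raw table at a lower
# priority that therefore runs first.
RULESET = [
    BaseChain("inet filter", "input", 0, [(lambda p: p["dport"] == 22, "accept")]),
    BaseChain("ip filter", "input", 0, [(lambda p: p["saddr"] == "192.0.2.10", "drop")]),
    BaseChain("ip raw", "input", -300, [(lambda p: p["dport"] == 9999, "drop")]),
]

# Constructed packets (documentation addresses).
PKT_V4 = {"family": "ipv4", "saddr": "192.0.2.10", "dport": 22}
PKT_V6 = {"family": "ipv6", "saddr": "2001:db8::10", "dport": 22}

if __name__ == "__main__":
    for pkt in (PKT_V4, PKT_V6):
        final, trace = traverse(pkt, "input", RULESET)
        print(pkt["family"], "->", final, trace)
    print("order independent:", order_independent(PKT_V4, "input", RULESET))
```

Running it shows the IPv4 packet accepted by `inet filter` and still dropped by `ip filter` (and dropped just as surely if `ip filter` happens to run first), while the IPv6 packet never meets the `ip` tables at all and is accepted. `ip raw` at priority -300 runs before both priority-0 chains, which is the priority ordering across tables the comments describe.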