nftables chains and priorities

foobarry
Posts: 5
Joined: 2019-08-02 15:56

nftables chains and priorities

#1 Post by foobarry »

I am struggling to get my head around nft.

Could someone kindly explain why the following blocks web traffic but allows ssh traffic?

Code:

#!/usr/sbin/nft -f
flush ruleset
table inet filter {
        counter input_ssh {}
        chain input {
                type filter hook input priority filter;
                iifname lo accept comment "Allow loopback traffic";
                # a bare "ip" is not a valid match; "meta nfproto ipv4" restricts the rule to IPv4
                tcp dport ssh meta nfproto ipv4 counter name input_ssh accept comment "Allow IPv4 SSH from Admin";
                policy drop;
        }
        counter input_http {}
        chain http {
                type filter hook input priority filter - 1;
                tcp dport {80,443} counter name input_http accept comment "Allow HTTP";
                policy accept;
        }
        chain forward {
                type filter hook forward priority 0;
                policy drop;
        }
        chain output {
                type filter hook output priority 0;
        }
}

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: nftables chains and priorities

#2 Post by p.H »

It has nothing to do with priorities. Chains in the same hook are cascaded. Chain "input" has policy "drop" and allows only SSH. Chain "http" accepts everything so is useless.

My advice: don't set multiple chains for filtering in the same hook unless they use independent criteria (e.g. one chain filters only on src and another filters only on dst).

foobarry
Posts: 5
Joined: 2019-08-02 15:56

Re: nftables chains and priorities

#3 Post by foobarry »

p.H wrote: 2022-01-21 21:52 My advice: don't set multiple chains for filtering in the same hook unless they use independent criteria (e.g. one chain filters only on src and another filters only on dst).
Sure, but what about for example if I want to use a config management tool (e.g. Salt) to inject specific chains depending on what is running on the server? Ideally I want to be able to do this by an "include /etc/nft/*.conf" clause that would include the extra chains files that are placed in that directory.

Is there a viable workaround to use multiple chains? E.g. other firewalls have a "quick" that enables a specific "action right now" behaviour, but I cannot see this in nft?

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: nftables chains and priorities

#4 Post by p.H »

You can create "custom" (non base) chains and call them from rules in base chains (or other custom chains). This way the "accept" target is definitive.
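The layout p.H describes in #2 and #4, applied to the per-service include scheme asked about in #3, as an added example that is not the thread's own ruleset (the file names and the chain names svc_ssh / svc_http are assumptions):

```nft
#!/usr/sbin/nft -f
# Added example, not the thread's own ruleset: one base chain per hook, with
# per-service rules in custom (non-base) chains that the base chain jumps to.
# Assumed layout: the "svc_*" table blocks below would normally live in
# /etc/nft/<service>.conf and be pulled in with
#     include "/etc/nft/*.conf"
# placed *before* the base chain, since a jump target must already exist when
# the rule that references it is loaded.
flush ruleset

# /etc/nft/ssh.conf (assumed file): redeclaring the table merges into it.
table inet filter {
    counter input_ssh {}
    chain svc_ssh {
        # No "type ... hook" line: this chain runs only when jumped to.
        tcp dport ssh meta nfproto ipv4 counter name input_ssh accept comment "Allow IPv4 SSH"
    }
}

# /etc/nft/http.conf (assumed file)
table inet filter {
    counter input_http {}
    chain svc_http {
        tcp dport { 80, 443 } counter name input_http accept comment "Allow HTTP/HTTPS"
    }
}

# Main ruleset: the only base chain on the input hook, so an "accept" reached
# inside svc_ssh or svc_http ends evaluation for good. No second base chain
# on the same hook gets another chance to drop the packet.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept comment "Allow loopback traffic"
        ct state established,related accept
        ct state invalid drop
        jump svc_ssh
        jump svc_http
        # Anything not accepted above falls through to the drop policy.
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

With this arrangement a service's file only ever adds a custom chain and a counter; the base chain stays the single place where the hook's policy is decided.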
