LinuxQuestions.org forum: Linux - Security
Hi
We can find in the nftables tutorial that no predefined tables exist and that we can add any table we want.
The question is, if we can define any table for any protocol family, for example the IP protocol family, can we define any chains for that table?
For example, I want to define a table with prerouting, input, forward, output and postrouting chains; is it possible?
Another question is, can we define chains with any priority value?
For example, I want to define a chain with a priority value of -122; is it possible?
Please correct me if I'm wrong: if we want to define chains for any table (filtering, nat, mangle ...), are we limited to the conventional definition of iptables tables and chains?
For example, if we define a table for filtering purposes, do we have to define chains that bind to input, forward or output?
Quote:
Originally Posted by kikilinux
The question is, if we can define any table for any protocol family, for example the IP protocol family,
The Configuring_tables page on wiki.nftables literally reads: "We have different kind of tables depending on the family". Also see the comment about the inet table.
Quote:
Originally Posted by kikilinux
can we define any chains for that table?
The same wiki's Configuring_chains#Adding_non-base_chains says: "Note that this chain does not see any traffic as it is not attached to any hook". Ergo you have to attach it to a base chain like "filter".
Quote:
Originally Posted by kikilinux
For example, I want to define a table with prerouting, input, forward, output, postrouting chains, is it possible?
Those are "hooks". What you would have called "targets" in iptables.
Quote:
Originally Posted by kikilinux
Another question is, can we define chains with any priority value ?
For example, I want to define a chain with -122 priority value, is it possible?
The nftables#Priority-based_Atomic_Fix page on wiki.archlinux says: "Note: Since the priority seems to be an unsigned integer, negative priorities will be converted into very high priorities."
I think I couldn't say what I meant: in iptables we have 3 chains (input, forward, output) which are attached to the hooks (input, forward, output), respectively, for filtering purposes. I define 5 chains (chain1, chain2, chain3, chain4, chain5) that are attached to the hooks (prerouting, input, forward, output, postrouting) for filtering purposes, and it works. I can perform filtering on all those chains, even in prerouting and postrouting. In iptables, for filtering purposes we just have input, forward and output.
The question is, does this mean the possibility arises of performing filtering on chains which are attached to the prerouting and postrouting hooks?
Quote:
Originally Posted by unSpawn
The nftables#Priority-based_Atomic_Fix page on wiki.archlinux says: "Note: Since the priority seems to be an unsigned integer, negative priorities will be converted into very high priorities."
I don't know what wiki.archlinux means, but I know we should be able to run these two commands below:
Code:
# nft add chain filter input { type filter hook input priority 0\; }
and
# nft add chain filter input { type filter hook input priority -10\; }
On the command line, if we use ... hook input priority -10\; }, it returns an error, but if we use a config file and then run the file with nft -f configFile, then the negative priority can be used.
For example, configFile:
Code:
table ip filter {
	chain input {
		type filter hook input priority -10;
	}
}
It works well when we run the "nft -f configFile" command.
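Pulling the points in this thread together, here is an added example of a complete nft ruleset (my own, not posted by kikilinux or unSpawn) that puts a filter-type base chain on each of the five hooks, uses the -122 priority from the original question, and jumps to a non-base chain that has no hook of its own. The chain names, the log prefix and the file name filter.nft are arbitrary choices for this example; the sample rules are only there to show that filtering actually happens in prerouting and postrouting.

```nft
# Added example ruleset. Check, load and inspect with:
#   nft -c -f filter.nft    # parse only, applies nothing (syntax check)
#   nft -f filter.nft
#   nft list ruleset
# Chain names, the log prefix and the file name are choices made for this
# example. Note that "flush ruleset" wipes every existing table first.

flush ruleset

table inet filter {
	# Non-base chain: no "type ... hook ..." line, so it sees no traffic
	# of its own and is only reached via jump/goto from a base chain.
	chain log_drop {
		limit rate 10/minute log prefix "nft-drop: "
		counter drop
	}

	# Filtering before the routing decision. -122 is a legal signed
	# priority: it runs after conntrack (-200), so ct state is already
	# known here, but before dnat (-100) and the usual filter level (0).
	chain pre {
		type filter hook prerouting priority -122; policy accept;
		# loopback source addresses arriving on a real interface are bogus
		ip saddr 127.0.0.0/8 iifname != "lo" counter jump log_drop
	}

	chain in {
		type filter hook input priority 0; policy drop;
		iifname "lo" accept
		ct state established,related accept
		ct state invalid counter jump log_drop
		tcp dport 22 ct state new accept
		counter jump log_drop
	}

	chain fwd {
		type filter hook forward priority 0; policy drop;
		ct state established,related accept
	}

	chain out {
		type filter hook output priority 0; policy accept;
	}

	# Filtering after routing, past srcnat (100), i.e. the last thing
	# that sees a packet before it leaves the stack.
	chain post {
		type filter hook postrouting priority 150; policy accept;
		counter
	}
}
```

The practical check is the priority ordering relative to the kernel's own hooks: a filter chain placed below -200 in prerouting runs before conntrack and therefore cannot use ct state, and anything below -100 in prerouting sees the pre-DNAT destination address. Negative values are fine; the question is only what else runs at the same hook before or after you.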