[SOLVED] nftables add table and chains

kikilinux · 11-27-2014, 04:33 AM

Hi
We can find in nftables tutorial that no predefined tables exists and we can add any table we want.
The question is if we can define any table for any protocol family, for example IP protocol family, can we define any chains for that table?
For example, I want to define a table with prerouting, input, forward, output, postrouting chains, is it possible?

Another question is, can we define chains with any priority value ?
For example, I want to define a chain with -122 priority value, is it possible?

Please correct me if I'm wrong: If we want to define chains for any table(filtering, nat, mangle ... ), we are limited to conventional defination of iptables tables and chains?
for example, if we define a table for filtering purposes we have to define chains that they bind to input, forward or output?

unSpawn · 11-29-2014, 06:30 AM

Quote:

Originally Posted by kikilinux

The question is if we can define any table for any protocol family, for example IP protocol family,

The Configuring_tables page on wiki.nftables literally reads: "We have different kind of tables depending on the family". Also see comment about inet table.

Quote:

Originally Posted by kikilinux

can we define any chains for that table?

Same Wiki Configuring_chains#Adding_non-base_chains says: "Note that this chain does not see any traffic as it is not attached to any hook". Ergo you have to attach it to a base chain like "filter".

Quote:

Originally Posted by kikilinux

For example, I want to define a table with prerouting, input, forward, output, postrouting chains, is it possible?

Those are "hooks". What you would have called "targets" in iptables.

Quote:

Originally Posted by kikilinux

Another question is, can we define chains with any priority value ?
For example, I want to define a chain with -122 priority value, is it possible?

The nftables#Priority-based_Atomic_Fix page on wiki.archlinux says: "Note: Since the priority seems to be an unsigned integer, negative priorities will be converted into very high priorities."

kikilinux · 11-29-2014, 07:28 AM

Quote:

Originally Posted by unSpawn

The Configuring_tables page on wiki.nftables literally reads: "We have different kind of tables depending on the family". Also see comment about inet table.

Same Wiki Configuring_chains#Adding_non-base_chains says: "Note that this chain does not see any traffic as it is not attached to any hook". Ergo you have to attach it to a base chain like "filter".

Those are "hooks". What you would have called "targets" in iptables.

I think I can't say what I meant, in iptables we have 3 chains (input, forward, output) which is attached to hooks(input, forward, output), respectively, for filtering purposes. I define 5 chains (chain1, chain2, chain3, chain4, chain5) that are attached into hooks (prerouting, input, forward, output, postrouting) for filtering purposes and it works. I can perform filtering on all that chains even in prerouting and postrouting. in IPtables for filtering purposes we just have input, forward, output.
The question is, does it emerge(appear) the possibility to perform filtering on chains which is attached to prerouting and postrouting hooks ?

Quote:

Originally Posted by unSpawn

The nftables#Priority-based_Atomic_Fix page on wiki.archlinux says: "Note: Since the priority seems to be an unsigned integer, negative priorities will be converted into very high priorities."

I don't know what wiki.archlinux means but I know we should be able to run this two bellow command :

Code:

# nft add chain filter input { type filter hook input priority 0\; }
and
# nft add chain filter input { type filter hook input priority -10\; }

but the second one return an error

unSpawn · 11-30-2014, 03:15 AM

Quote:

Originally Posted by kikilinux

The question is, does it emerge(appear) the possibility to perform filtering on chains which is attached to prerouting and postrouting hooks ?

Any chain that hooks into a base chain (see definition of base chains) can be used to perform filtering.

Quote:

Originally Posted by kikilinux

but the second one return an error

You did not post the actual error message so I can not help with that. As the text says it makes no sense to use negative integers anyway. So don't.

kikilinux · 11-30-2014, 10:20 AM

the error that have been returned while running the bellow command :

Quote:

nft add chain ip filter test { type filter hook input priority -10 \; }
nft: invalid option -- '1'

kikilinux · 12-10-2014, 05:49 AM

In command line if we use ... hook input priority -10 \; }, it return an error but if we use a config file and then running the file by using nft -f configFile, then the negative priority can be possible to use.
for example :
# configFile

Quote:

# nft -f
table ip filter {
chain input {
type filter hook input priority -10;
}
}

it works well when we running "nft -f configFile" command

kikilinux · 12-18-2014, 02:14 PM

The last thing to say is : the bellow link may report the problem
http://wiki.nftables.org/wiki-nftabl...etainformation

Code:

% nft add table mangle
% nft add chain postrouting {type route hook output priority -150\; }
% nft add rule mangle postrouting tcp sport 80 meta priority set 1

Quote:

Warning: There is a bug in the priority syntax that will be fixed in following versions of nftables.