nft chain priority and policy
Debian Stretch, nft version 0.9.0-1, kernel 4.9.0-8-amd64
I am finding the behaviour of added chains a bit different from what I expected from reading all the documentation.
I have chain
input {type filter hook input priority 0; policy drop;}
This carried most of the firewall rules. I then added another chain
testpr {type filter hook input priority -1;}
I cut and pasted the rule to accept ftp from the input chain (where it had been working) into the testpr chain.
ftp was blocked. The packets should have traversed testpr first and been accepted there before, if necessary, entering the input chain. This was obviously not happening.
I tried swapping the priorities which, as expected, put the testpr chain after the input chain and so caused the ftp packets to be dropped.
The only way I could get it to work was to change the input policy, but then, of course, that gave a policy of accept, so the testpr chain was irrelevant, as any packet not specifically dropped would be accepted, defeating the purpose of a firewall.
I had the same result after changing testpr to a non-base chain.
Any suggestions please?
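The layout described above, written out as a ruleset; this is an added example, not from the original post. It assumes the ftp rule is a plain "tcp dport 21 ... accept", and shows the point the behaviour hinges on: an accept verdict in a base chain only ends that chain's evaluation, and the packet still runs through every other base chain on the same hook with a higher priority number, so "input" with policy drop still sees it. Carrying the decision across with a packet mark (the mark value 0x1 is an assumption) keeps the drop policy in place while letting the early chain's verdict stand.

```nft
table inet filter {
    chain testpr {
        type filter hook input priority -1;
        # "accept" here terminates only this chain; the packet continues
        # into "input" (priority 0), whose policy is drop. So mark it.
        tcp dport 21 ct state new,established meta mark set 0x1 accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        # Honour the decision made in testpr
        meta mark 0x1 accept
        # ... remaining firewall rules ...
    }
}
```

Load with `nft -f` and check the verdict path with `nft list ruleset`; the same trick is unnecessary if the ftp rule is simply kept in the input chain, which is why it worked there.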