Re: Chain priorities for NAT

Re: Chain priorities for NAT

[Christoph Pleger]

Hello,

On 2017-01-11, I wrote:

> The Wiki on https://wiki.nftables.org mentions two priorities
specifically available for NAT, -100 and 100. But of these two, the
wiki's example for NAT only uses the value 100 for the postrouting
chain. The prerouting chain has priority 0, and there is no difference
between SNAT and DNAT.
>
> When I look at the ipv4-nat example which is shipped together with my
nftables package, both chains use priority -150, though due to the Wiki,
that value is used for mangling.
>
> And when I look at some online-exmaples, they use 0 for prerouting and
postrouting.
>
> So, what are really the best values to use for priority in snat
prerouting and postrouting and dnat prerouting and postrouting?

Does "No answer in three weeks" mean that nobody here knows how to use
these priority values for NAT chains? Though probably netfilter developers
are reading this list?

Regards
  Christoph

Re: Chain priorities for NAT

[Pablo Neira Ayuso]

On Thu, Feb 02, 2017 at 01:52:18PM +0100, Christoph Pleger wrote:
> Hello,
> 
> On 2017-01-11, I wrote:
> 
> > The Wiki on https://wiki.nftables.org mentions two priorities
> specifically available for NAT, -100 and 100. But of these two, the
> wiki's example for NAT only uses the value 100 for the postrouting
> chain. The prerouting chain has priority 0, and there is no difference
> between SNAT and DNAT.
> >
> > When I look at the ipv4-nat example which is shipped together with my
> nftables package, both chains use priority -150, though due to the Wiki,
> that value is used for mangling.
> >
> > And when I look at some online-exmaples, they use 0 for prerouting and
> postrouting.
> >
> > So, what are really the best values to use for priority in snat
> prerouting and postrouting and dnat prerouting and postrouting?
> 
> Does "No answer in three weeks" mean that nobody here knows how to use
> these priority values for NAT chains? Though probably netfilter developers
> are reading this list?

Sorry, I overlooked this email.

See nf_ip_hook_priorities:
http://lxr.free-electrons.com/source/include/uapi/linux/netfilter_ipv4.h

See nf_ip6_hook_priorities:
http://lxr.free-electrons.com/source/include/uapi/linux/netfilter_ipv6.h

Yes, I'm pointing to source code, I know I should not be doing this ;-)

Probably we can add the 'default' label, so:

        add chain x y { type filter hook input priority default\; }

In this case, default translates to 0.

        add chain x y { type nat hook prerouting priority default\; }

In this case this would be -100.

Then:

        add chain x y { type nat hook postrouting priority default\; }

This results in priority 100.

We would still need explicit labels though, eg. raw and security at
least. These are special type of filter chains.

Comments welcome. Thanks.

Chain priorities for NAT

[Christoph Pleger]

Hello,

I am just doing my first steps with the nftables program, reading the
documentation and entering some of the commands mentioned there. After
reading something about NAT rules, I am now quite confused about the
priorities that can be given when creating chains:

The Wiki on https://wiki.nftables.org mentions two priorities specifically
available for NAT, -100 and 100. But of these two, the wiki's example for
NAT only uses the value 100 for the postrouting chain. The prerouting
chain has priority 0, and there is no difference between SNAT and DNAT.

When I look at the ipv4-nat example which is shipped together with my
nftables package, both chains use priority -150, though due to the Wiki,
that value is used for mangling.

And when I look at some online-exmaples, they use 0 for prerouting and
postrouting.

So, what are really the best values to use for priority in snat prerouting
and postrouting and dnat prerouting and postrouting?

Kind regards
  Christoph