From: Robert White <rwhite@pobox.com>
To: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Question: Why can't non-hooked chains have policies?
Date: Tue, 21 Mar 2017 19:49:56 +0000	[thread overview]
Message-ID: <1cc7769a-b025-a2f2-15d3-8c2baceb9132@pobox.com> (raw)

I am not sure if this is deliberate or an oversight, but it seems that 
chains without a hook directive cannot have a policy.

The decision of what to do if you fall off the end of a chain is not 
hard to answer with an explicit directive, but in terms of a chain you 
might want to flush and rebuild, or whatever, it's just sort of surprising.

Trivial example of discussion point:

table ip example {
   chain expected_normal {
     type filter hook forward priority 0; policy drop; # base chain: policy allowed here
     iif eth0 goto avoid_policy_if_flushed
     iif eth1 goto ought_to_be_legal
   }
   chain avoid_policy_if_flushed {
     drop # stands in for a policy, but disappears when the chain is flushed
   }
   chain ought_to_be_legal {
     policy drop; # not legal but should be IMHO
   }
}

later # nft flush chain ip example avoid_policy_if_flushed

Now obviously using jump instead of goto makes this less of an issue, so 
this isn't impossible, but if something/someone tangles up some logic, 
surprises could develop.

I haven't figured out if this limit is arbitrary code or if it's 
inherent to how hooks work. So this is a request for discussion, not a 
feature request etc. email.

--Rob.
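The fall-off behaviour the mail is worried about follows from how nf_tables evaluates chains: policy is an attribute of the base chain (the kernel keeps it in struct nft_base_chain, which is why nft rejects it on a regular chain), and a regular chain that runs out of rules either returns to the chain that jumped to it or, when it was reached by goto with nothing left on the jump stack, ends evaluation with the base chain's policy. The following Python model of those verdict semantics is an added example; it is not part of the original mail or of the nftables project. The chain names mirror the ruleset above, the interface names and the optional trailing drop rule are constructed for the demonstration, and the jump-stack limit is the kernel's NFT_JUMP_STACK_SIZE of 16.

```python
"""Toy model of nftables chain traversal: jump vs goto vs falling off the end.

Added example, not code from the original mail or from nftables. Only the
verdicts relevant to the discussion are modelled (accept, drop, return,
jump, goto); matching is reduced to a comparison on the input interface.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

JUMP_STACK_SIZE = 16  # kernel NFT_JUMP_STACK_SIZE: max nested jump depth


@dataclass
class Rule:
    iif: Optional[str]          # input interface to match; None matches any packet
    verdict: str                # "accept", "drop", "return", "jump" or "goto"
    target: Optional[str] = None  # chain name for jump/goto


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None  # only a base chain carries a policy


@dataclass
class Table:
    chains: Dict[str, Chain]


def evaluate(table: Table, base: str, pkt_iif: str) -> str:
    """Return the final verdict for a packet entering at base chain `base`."""
    base_chain = table.chains[base]
    if base_chain.policy is None:
        raise ValueError("base chain needs a policy")
    stack: List[tuple] = []          # (chain name, index of the rule after the jump)
    chain, idx = base, 0
    while True:
        rules = table.chains[chain].rules
        if idx >= len(rules):
            # Fell off the end: resume in the caller if one is recorded,
            # otherwise evaluation ends with the base chain's policy.
            if stack:
                chain, idx = stack.pop()
                continue
            return base_chain.policy
        rule = rules[idx]
        idx += 1
        if rule.iif is not None and rule.iif != pkt_iif:
            continue
        if rule.verdict in ("accept", "drop"):
            return rule.verdict
        if rule.verdict == "return":
            if stack:
                chain, idx = stack.pop()
                continue
            return base_chain.policy
        if rule.verdict == "jump":
            if len(stack) >= JUMP_STACK_SIZE:
                raise RuntimeError("jump stack overflow")
            stack.append((chain, idx))   # remember where to resume
            chain, idx = rule.target, 0
            continue
        if rule.verdict == "goto":
            chain, idx = rule.target, 0  # no return address is pushed
            continue
        raise ValueError(f"unknown verdict {rule.verdict!r}")


def build_table(base_policy: str, dispatch: str = "goto",
                flushed: bool = False, trailing_drop: bool = False) -> Table:
    """Build the mail's ruleset (constructed names), optionally after the
    `nft flush chain ip example avoid_policy_if_flushed` step."""
    target_rules = [] if flushed else [Rule(None, "drop")]
    base_rules = [
        Rule("eth0", dispatch, "avoid_policy_if_flushed"),
        Rule("eth1", dispatch, "ought_to_be_legal"),
    ]
    if trailing_drop:
        base_rules.append(Rule(None, "drop"))  # constructed: explicit terminal rule
    return Table({
        "expected_normal": Chain(base_rules, policy=base_policy),
        "avoid_policy_if_flushed": Chain(target_rules),
        "ought_to_be_legal": Chain([]),  # a regular chain cannot carry a policy
    })


if __name__ == "__main__":
    for dispatch in ("goto", "jump"):
        for flushed in (False, True):
            t = build_table("accept", dispatch, flushed, trailing_drop=True)
            print(f"{dispatch:4} flushed={flushed!s:5} eth0 ->",
                  evaluate(t, "expected_normal", "eth0"))
```

With a base policy of accept, the model reproduces the surprise: before the flush an eth0 packet is dropped by the rule in avoid_policy_if_flushed, after the flush the same packet falls off the empty goto target and is accepted by the base policy, even when the base chain has a trailing drop rule, because goto never returns to it. Swapping goto for jump makes the trailing rule run again after the empty chain, which is why jump narrows the problem but does not remove the dependence on the base chain.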
