* Question: Why can't non-hooked chains have policies?
@ 2017-03-21 19:49 Robert White
From: Robert White @ 2017-03-21 19:49 UTC (permalink / raw)
  To: netfilter

I am not sure if this is deliberate or an oversight, but it seems that 
chains without a hook directive cannot have a policy.

The decision of what to do if you fall off the end of a chain is not 
hard to answer with an explicit directive, but in terms of a chain you 
might want to flush and rebuild or whatever, it's just sort of surprising.

Trivial example of discussion point:

table ip example {
   chain expected_normal {
     type filter hook forward priority 0; policy drop;
     iif eth0 goto avoid_policy_if_flushed
     iif eth1 goto ought_to_be_legal
   }
   chain avoid_policy_if_flushed {
     drop
   }
   chain ought_to_be_legal {
     policy drop; # not legal but should be IMHO
   }
}

later # nft flush chain ip example avoid_policy_if_flushed

Now obviously using jump instead of goto makes this less of an issue, so 
this isn't impossible, but if something/someone tangles up some logic, 
surprises could develop.

I haven't figured out if this limit is arbitrary code or if it's 
inherent to how hooks work. So this is a request for discussion, not a 
feature request etc. email.

--Rob.
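The question above is what verdict a packet receives once a regular chain reached via goto has been flushed. The following Python is an added illustration, not code from the mail or from nftables: it models the nft(8) verdict semantics (jump pushes a return point, goto does not, and only the base chain's policy applies when evaluation falls off its end) and rebuilds the mail's ruleset so the flushed and non-flushed cases can be compared.

```python
# Added model of nft chain evaluation (not code from the mail or nftables):
# jump pushes a return point, goto does not, and only the base chain has a
# policy, which applies when evaluation falls off the end of that chain.
from dataclasses import dataclass, field

@dataclass
class Chain:
    # rules: (iif or None, verdict); verdict is accept/drop/jump X/goto X
    rules: list = field(default_factory=list)
    policy: "str | None" = None  # set only on the base (hooked) chain

def evaluate(table, base, pkt):
    """Return the final verdict for pkt entering base chain `base`."""
    stack = [(base, 0)]  # (chain name, index of next rule)
    while stack:
        name, idx = stack.pop()
        chain = table[name]
        while idx < len(chain.rules):
            iif, verdict = chain.rules[idx]
            idx += 1
            if iif is not None and iif != pkt["iif"]:
                continue
            if verdict in ("accept", "drop"):
                return verdict
            kind, target = verdict.split()
            if kind == "jump":
                stack.append((name, idx))  # resume here when target ends
            stack.append((target, 0))      # jump or goto: enter the target
            break
        else:
            # Fell off the end with no terminal verdict. Base chain: its
            # policy decides. Regular chain: return to the jump caller if
            # any; after a goto there is none, so the stack simply unwinds.
            if chain.policy is not None:
                return chain.policy
    return table[base].policy  # goto target ran out: base policy applies

def example_table(base_policy, flushed):
    """The mail's ruleset; flushed=True empties avoid_policy_if_flushed."""
    return {
        "expected_normal": Chain(
            rules=[("eth0", "goto avoid_policy_if_flushed"),
                   ("eth1", "goto ought_to_be_legal")],
            policy=base_policy),
        "avoid_policy_if_flushed": Chain(
            rules=[] if flushed else [(None, "drop")]),
        "ought_to_be_legal": Chain(),  # regular chain: no policy allowed
    }
```

With the base chain at policy drop, flushing avoid_policy_if_flushed still yields drop; with the base chain at policy accept, the same flush silently turns eth0 traffic into accept, which is the kind of surprise the mail is asking about.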
