* A question about priority in chains
@ 2020-03-23 19:48 darius
  2020-03-24 12:20 ` Frank Myhr
  0 siblings, 1 reply; 4+ messages in thread
From: darius @ 2020-03-23 19:48 UTC (permalink / raw)
  To: netfilter



Hi all,

I'm still studying a bit of nftables and got confused about priority
value in chains. Manual says:

priority refers to a number used to order the chains or to set them
between some Netfilter operations. Possible values are:
NF_IP_PRI_CONNTRACK_DEFRAG (-400), NF_IP_PRI_RAW (-300),
NF_IP_PRI_SELINUX_FIRST (-225), NF_IP_PRI_CONNTRACK (-200),
NF_IP_PRI_MANGLE (-150), NF_IP_PRI_NAT_DST (-100), NF_IP_PRI_FILTER (0),
NF_IP_PRI_SECURITY (50), NF_IP_PRI_NAT_SRC (100), NF_IP_PRI_SELINUX_LAST
(225), NF_IP_PRI_CONNTRACK_HELPER (300).

So, if I use hook "prerouting" and priority -150, then I will be in
"Prerouting Mangle" chain acc. to Netfilter packet flow. If I use
hook "prerouting" and priority -100, then I will be in "Prerouting NAT"
chain and so on. All clear.
But what will happen if I use hook "filter" and priority -150, for
example? There is no chain "Filter Mangle" according to Netfilter packet
flow. I'm quite sure that the combination of hook "filter" and priority -150
will work, but does it make any sense?
Can anyone please give more detailed information on this topic? Can I
deviate a bit from the Netfilter packet flow by using different hook and
priority combinations, or is it recommended to stay within the official
Netfilter packet flow?

-- 
Best regards,
Darius




* Re: A question about priority in chains
  2020-03-23 19:48 A question about priority in chains darius
@ 2020-03-24 12:20 ` Frank Myhr
  2020-03-24 19:28   ` darius
  0 siblings, 1 reply; 4+ messages in thread
From: Frank Myhr @ 2020-03-24 12:20 UTC (permalink / raw)
  To: darius, netfilter

Hi Darius,

On 2020/03/23 15:48, darius wrote:
> Hi all,
> 
> I'm still studying a bit of nftables and got confused about priority
> value in chains. Manual says:
> 
> priority refers to a number used to order the chains or to set them
> between some Netfilter operations. Possible values are:
> NF_IP_PRI_CONNTRACK_DEFRAG (-400), NF_IP_PRI_RAW (-300),
> NF_IP_PRI_SELINUX_FIRST (-225), NF_IP_PRI_CONNTRACK (-200),
> NF_IP_PRI_MANGLE (-150), NF_IP_PRI_NAT_DST (-100), NF_IP_PRI_FILTER (0),
> NF_IP_PRI_SECURITY (50), NF_IP_PRI_NAT_SRC (100), NF_IP_PRI_SELINUX_LAST
> (225), NF_IP_PRI_CONNTRACK_HELPER (300).
> 
> So, if I use hook "prerouting" and priority -150, then I will be in
> "Prerouting Mangle" chain acc. to Netfilter packet flow. If I use
> hook "prerouting" and priority -100, then I will be in "Prerouting NAT"
> chain and so on. All clear.
> But what will happen if I use hook "filter" and priority -150, for
> example? There is no chain "Filter Mangle" according to Netfilter packet
> flow. I'm quite sure that the combination of hook "filter" and priority -150
> will work, but does it make any sense?

Actually this will not work; there is no "filter" hook.

Relevant wiki pages:

https://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables

https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains

https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Chains

https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks
* Good diagram of netfilter hooks for families ip, ip6 and inet:
	prerouting, forward, input, output and postrouting
* arp family has only input & output hooks.
* netdev family has only ingress hook.
* bridge family has hooks: ???

As I understand it, the above hooks always exist, and are used by 
connection tracking and routing. At each hook, nftables packet filtering 
happens only if you hook a base chain there. The numerical priority you 
assign your base chain affects the order in which netfilter operations 
happen *on that hook only*.

If you create 2 base chains:

nft add chain ip some_table INPUT_NEG150 { type filter hook input priority -150 \; }

nft add chain ip some_other_table INPUT_0 { type filter hook input priority 0 \; }

then ipv4 packets at the input stage of processing will traverse chain 
INPUT_NEG150 before they hit chain INPUT_0. If instead of -150 you'd 
assigned priority -1 to INPUT_NEG150 this would still be true. The 
absolute priority numbers do not matter, only their numerical order 
within the same hook matters. If you have two base chains at same hook 
with _same_ priority... I don't know what happens! Probably best to 
avoid that. Even if deterministic, it would still be confusing to us 
ugly bags of water (obscure Star Trek reference, sorry).

Hope this helps (and that it's correct),
Frank

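As an added worked example (not code from this thread, from Frank, or from the nftables project): the ordering rule described above can be checked mechanically against a ruleset dump. The script below parses text in the shape that `nft list ruleset` prints, rejects a hook the family does not provide (so `hook filter` fails the way it does in nft), lists per hook the base chains in ascending priority, which is the order the kernel evaluates them, and flags two chains on one hook with the same priority, where the number alone does not decide the order. The ruleset is constructed for the example; the symbolic priorities `raw`, `mangle`, `dstnat`, `filter`, `security`, `srcnat` are the names current nft accepts for the NF_IP_PRI_* values quoted earlier in the thread; `inet` chains are registered on both the IPv4 and IPv6 hooks and so interleave with `ip` and `ip6` chains there; the bridge hook list comes from the nftables wiki, not from this thread.

```python
# Added example, not code from the thread or from nftables: audit the
# base chains in an `nft list ruleset` dump and show, per hook, the order
# in which the kernel evaluates them (ascending priority).
import re
from collections import defaultdict
from dataclasses import dataclass

# Hooks each family provides: ip/ip6/inet, arp and netdev as listed in the
# thread; bridge from the nftables wiki (not from the thread).
_IP_HOOKS = {"prerouting", "input", "forward", "output", "postrouting"}
HOOKS = {"ip": _IP_HOOKS, "ip6": _IP_HOOKS, "inet": _IP_HOOKS,
         "bridge": _IP_HOOKS, "arp": {"input", "output"}, "netdev": {"ingress"}}

# Symbolic priority names nft accepts for ip/ip6/inet; the values are the
# NF_IP_PRI_* constants quoted in the thread.
NAMED_PRIORITY = {"raw": -300, "mangle": -150, "dstnat": -100,
                  "filter": 0, "security": 50, "srcnat": 100}

_TABLE = re.compile(r"^table\s+(\w+)\s+(\S+)\s*\{")
_CHAIN = re.compile(r"^chain\s+(\S+)\s*\{")
_HOOK = re.compile(r"^type\s+\w+\s+hook\s+(\w+)\s+(?:device\s+\S+\s+)?"
                   r"priority\s+([^;]+);")
_PRIO = re.compile(r"\s*(-?\d+|[a-z]+)\s*(?:([+-])\s*(\d+))?\s*")

@dataclass(frozen=True)
class BaseChain:
    family: str
    table: str
    chain: str
    hook: str
    priority: int

    @property
    def label(self) -> str:
        return f"{self.family}:{self.table}/{self.chain}"

def parse_priority(text: str) -> int:
    """Resolve '-150', 'filter' or 'filter - 150' to a number."""
    m = _PRIO.fullmatch(text)
    if not m:
        raise ValueError(f"unparsable priority {text!r}")
    base, op, offset = m.groups()
    if base.lstrip("-").isdigit():
        value = int(base)
    elif base in NAMED_PRIORITY:
        value = NAMED_PRIORITY[base]
    else:
        raise ValueError(f"unknown priority name {base!r}")
    if op:
        value += int(offset) if op == "+" else -int(offset)
    return value

def base_chains(ruleset: str) -> list:
    """Extract base chains, rejecting a hook the family does not provide
    (there is no 'filter' hook, for instance)."""
    chains, family, table, chain = [], None, None, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if m := _TABLE.match(line):
            family, table = m.groups()
        elif m := _CHAIN.match(line):
            chain = m.group(1)
        elif m := _HOOK.match(line):
            hook, prio = m.groups()
            if hook not in HOOKS.get(family, ()):
                raise ValueError(f"family {family!r} has no hook {hook!r} "
                                 f"(chain {table}/{chain})")
            chains.append(BaseChain(family, table, chain, hook, parse_priority(prio)))
    return chains

def traversal_order(chains) -> dict:
    """(protocol, hook) -> [(priority, label)] in evaluation order. inet
    chains are registered on both the IPv4 and IPv6 hooks, so they interleave
    with ip and ip6 chains there; the netdev device is ignored in this view."""
    per_hook = defaultdict(list)
    for c in chains:
        for proto in (("ip", "ip6") if c.family == "inet" else (c.family,)):
            per_hook[(proto, c.hook)].append(c)
    return {key: [(c.priority, c.label)
                  for c in sorted(group, key=lambda c: (c.priority, c.label))]
            for key, group in per_hook.items()}

def priority_ties(chains) -> list:
    """Chains sharing a hook and a priority: the number alone does not
    order them, so flag them for review."""
    ties = []
    for (proto, hook), entries in traversal_order(chains).items():
        by_prio = defaultdict(list)
        for prio, label in entries:
            by_prio[prio].append(label)
        ties += [(proto, hook, p, ls) for p, ls in sorted(by_prio.items()) if len(ls) > 1]
    return ties

# Constructed sample in the shape of `nft list ruleset` output.
RULESET = """\
table inet filter {
  chain input {
    type filter hook input priority filter; policy drop;
    ct state established,related accept
  }
  chain input_early {
    type filter hook input priority -150; policy accept;
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
  }
}
table ip mangle {
  chain prerouting {
    type filter hook prerouting priority mangle; policy accept;
  }
}
table ip legacy {
  chain input_old {
    type filter hook input priority filter - 150; policy accept;
  }
}
"""

if __name__ == "__main__":
    found = base_chains(RULESET)
    for (proto, hook), entries in sorted(traversal_order(found).items()):
        print(proto, hook, "->", " -> ".join(f"{l} ({p})" for p, l in entries))
    for proto, hook, prio, labels in priority_ties(found):
        print(f"WARNING: {proto} {hook} priority {prio} shared by {labels}")
```

Run against the sample, the IPv4 input hook evaluates `inet:filter/input_early` and `ip:legacy/input_old` (both -150, flagged as a tie) before `inet:filter/input` (0), while the IPv6 input hook sees only the two `inet` chains. One consequence worth keeping in mind when two base chains share a hook: an `accept` verdict in the earlier chain does not skip the later one, only `drop` ends processing for that packet, so a permissive early chain does not override a stricter filter chain at priority 0.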

* Re: A question about priority in chains
  2020-03-24 12:20 ` Frank Myhr
@ 2020-03-24 19:28   ` darius
  2020-03-24 20:55     ` Frank Myhr
  0 siblings, 1 reply; 4+ messages in thread
From: darius @ 2020-03-24 19:28 UTC (permalink / raw)
  To: Frank Myhr, netfilter



Hi Frank,

Thank you very much for your thorough explanation. It makes total sense
to me.

And yes, I've made a mistake in my question. I was referring to the
Netfilter packet flow
https://en.wikipedia.org/wiki/Netfilter#/media/File:Netfilter-packet-flow.svg
and my main concern was whether it makes sense to have a combination of
chain/hook/priority which does not exist in the Netfilter packet flow. For
example, "filter" chain, "input" hook and NF_IP_PRI_NAT_DST (-100)
priority. It does not make sense to have DST NAT in input filter as the
routing decision is already done. I guess I was a bit confused by the
constant names assigned to priority values.

But again, nft is a replacement for netfilter and it works in a slightly
different way. That was maybe a bad idea, to try to follow the Netfilter
packet flow diagram.

Anyway, your explanation really answered my question.

Best regards,
Darius

On 24.03.2020 13.20, Frank Myhr wrote:
> Hi Darius,
> 
> On 2020/03/23 15:48, darius wrote:
>> Hi all,
>>
>> I'm still studying a bit of nftables and got confused about priority
>> value in chains. Manual says:
>>
>> priority refers to a number used to order the chains or to set them
>> between some Netfilter operations. Possible values are:
>> NF_IP_PRI_CONNTRACK_DEFRAG (-400), NF_IP_PRI_RAW (-300),
>> NF_IP_PRI_SELINUX_FIRST (-225), NF_IP_PRI_CONNTRACK (-200),
>> NF_IP_PRI_MANGLE (-150), NF_IP_PRI_NAT_DST (-100), NF_IP_PRI_FILTER (0),
>> NF_IP_PRI_SECURITY (50), NF_IP_PRI_NAT_SRC (100), NF_IP_PRI_SELINUX_LAST
>> (225), NF_IP_PRI_CONNTRACK_HELPER (300).
>>
>> So, if I use hook "prerouting" and priority -150, then I will be in
>> "Prerouting Mangle" chain acc. to Netfilter packet flow. If I use
>> hook "prerouting" and priority -100, then I will be in "Prerouting NAT"
>> chain and so on. All clear.
>> But what will happen if I use hook "filter" and priority -150, for
>> example? There is no chain "Filter Mangle" according to Netfilter packet
>> flow. I'm quite sure that the combination of hook "filter" and priority -150
>> will work, but does it make any sense?
> 
> Actually this will not work; there is no "filter" hook.
> 
> Relevant wiki pages:
> 
> https://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables
> 
> 
> https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
> 
> https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Chains
> 
> 
> https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks
> * Good diagram of netfilter hooks for families ip, ip6 and inet:
>     prerouting, forward, input, output and postrouting
> * arp family has only input & output hooks.
> * netdev family has only ingress hook.
> * bridge family has hooks: ???
> 
> As I understand it, the above hooks always exist, and are used by
> connection tracking and routing. At each hook, nftables packet filtering
> happens only if you hook a base chain there. The numerical priority you
> assign your base chain affects the order in which netfilter operations
> happen *on that hook only*.
> 
> If you create 2 base chains:
> 
> nft add chain ip some_table INPUT_NEG150 { type filter hook input
> priority -150 \; }
> 
> nft add chain ip some_other_table INPUT_0 { type filter hook input
> priority 0 \; }
> 
> then ipv4 packets at the input stage of processing will traverse chain
> INPUT_NEG150 before they hit chain INPUT_0. If instead of -150 you'd
> assigned priority -1 to INPUT_NEG150 this would still be true. The
> absolute priority numbers do not matter, only their numerical order
> within the same hook matters. If you have two base chains at same hook
> with _same_ priority... I don't know what happens! Probably best to
> avoid that. Even if deterministic, it would still be confusing to us
> ugly bags of water (obscure Star Trek reference, sorry).
> 
> Hope this helps (and that it's correct),
> Frank




* Re: A question about priority in chains
  2020-03-24 19:28   ` darius
@ 2020-03-24 20:55     ` Frank Myhr
  0 siblings, 0 replies; 4+ messages in thread
From: Frank Myhr @ 2020-03-24 20:55 UTC (permalink / raw)
  To: darius, netfilter

On 2020/03/24 15:28, darius wrote:

> I was referring to the Netfilter packet flow
> https://en.wikipedia.org/wiki/Netfilter#/media/File:Netfilter-packet-flow.svg
...
> But again, nft is a replacement for netfilter and it works in a slightly
> different way. That was maybe a bad idea, to try to follow the Netfilter
> packet flow diagram.


The Wikipedia article was conflating netfilter with iptables. nftables 
is part of netfilter; it replaces iptables, the packet-filtering portion 
of netfilter. I've made some edits to try to make this distinction.

Thanks,
Frank

