
List:       netfilter
Subject:    Question: Why can't non-hooked chains have policies?
From:       Robert White <rwhite () pobox ! com>
Date:       2017-03-21 19:49:56
Message-ID: 1cc7769a-b025-a2f2-15d3-8c2baceb9132 () pobox ! com

I am not sure if this is deliberate or an oversight, but it seems that 
chains without a hook directive cannot have a policy.

The decision of what to do if you fall off the end of a chain is not 
hard to answer with an explicit directive, but in terms of a chain you 
might want to flush and rebuild or whatever, it's just sort of surprising.

Trivial example of discussion point:

table ip example {
   chain expected_normal {
     # base chain: has a type and a hook, so "policy" is accepted here
     type filter hook forward priority 0; policy drop;
     iif eth0 goto avoid_policy_if_flushed
     iif eth1 goto ought_to_be_legal
   }
   chain avoid_policy_if_flushed {
     # regular chain (no hook): the only way to give it a default is an
     # explicit last rule, which disappears if the chain is flushed
     drop
   }
   chain ought_to_be_legal {
     policy drop; # not legal but should be IMHO
   }
}

later # nft flush chain ip example avoid_policy_if_flushed

Now obviously using jump instead of goto makes this less of an issue, so 
this isn't impossible, but if something/someone tangles up some logic, 
surprises could develop.

I haven't figured out if this limit is arbitrary code or if it's 
inherent to how hooks work. So this is a request for discussion, not a 
feature request etc.

--Rob.
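The following is an added example and not part of the original post or of the nftables project: the same layout redone with jump and an explicit terminal verdict in each regular chain, written as a single file for "nft -f" that declares, flushes and repopulates in one transaction, so the regular chains are never observed in the flushed (verdict-less) state that the post worries about. The table, chain and interface names follow the post; the accept rules are placeholders chosen for illustration.

```nft
# Added example (not from the original post): load with "nft -f", re-run
# to rebuild. nft -f applies the whole file as one transaction, so no
# packet is evaluated against a half-rebuilt chain.

# 1. Declare the table and chains. Declaring an existing chain is a
#    no-op, so this is safe on every run. Only the base chain (type +
#    hook) is allowed to carry "policy".
table ip example {
    chain forward_base {
        type filter hook forward priority 0; policy drop;
    }
    chain from_eth0 {}
    chain from_eth1 {}
}

# 2. Drop every rule in the table (chains and the base chain's policy
#    survive a flush; only rules are removed).
flush table ip example

# 3. Repopulate. A regular chain has no policy: its fall-through
#    behaviour is whatever its last rule says, so state it explicitly.
table ip example {
    chain forward_base {
        iif eth0 jump from_eth0
        iif eth1 jump from_eth1
        # A jumped-to chain that runs off its end returns here; nothing
        # further matches, so the base chain policy (drop) applies.
    }
    chain from_eth0 {
        tcp dport 22 accept          # placeholder rule (assumption)
        drop                         # explicit "policy" of this chain
    }
    chain from_eth1 {
        icmp type echo-request accept # placeholder rule (assumption)
        drop
    }
}
```

Check the file without touching the kernel with "nft -c -f example.nft" (putting "policy drop;" inside from_eth0 makes the check fail, which is the restriction the post asks about), then load it with "nft -f example.nft". Because the flush and the rebuild sit in the same file, there is no window in which from_eth0 exists with no rules, which is what a separate "nft flush chain" followed by a later reload would create.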
