Fw4: Chain priority not working properly

SiNONiMiTY · February 9, 2022, 1:16pm

Greetings,

I created a default deny rule for DNS on my router. On fw3, by adding an override on the forwarding_rule chain, an exemption can be added to this default deny rule.

However, when this is converted to fw4 rules with the user_pre_forward chain, DNS queries are still blocked. Here is a dump of the active rules that was tested.

table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
                tcp dport { 53, 853, 5353 } counter packets 0 bytes 0 drop
                udp dport { 53, 853, 5353 } counter packets 2 bytes 120 drop
        }
}
table inet fw4 {
        chain user_pre_forward {
                type filter hook forward priority filter - 1; policy accept;
                udp dport 53 counter packets 2 bytes 120 accept
        }
}

Notice that both counters were incremented. I was expecting that after a match on the user_pre_forward chain, no other rules will be executed.

Am I missing something here? Running on OpenWrt SNAPSHOT, r18773-04ed224543.

EDIT: Removed non-DNS related rules on the dump to make viewing easier.

Tech_Junky · February 9, 2022, 2:01pm

Change it to accept or explicitly permit it.

SiNONiMiTY · February 9, 2022, 2:05pm

But why? The rule on "forward" chain is the default deny rule. The rule on "user_pre_forward" is the override. I expect the "user_pre_forward" to be evaluated first since priority is -1.

Tech_Junky · February 9, 2022, 2:08pm

Using pre-forward is for things like marking or forcing packets to go to a specific rule.

Forward is what takes traffic from one zone to the next.

SiNONiMiTY · February 9, 2022, 2:14pm

So I need to create another rule that will be jumped to by the pre_forward... Let me try that.

EDIT: Im still having doubts about creating another rule. Defeats the purpose of the pre_forward chain. In fw3, this is simple.

EDIT: Upon rechecking the documentation, I found this

Base chain priority

Each nftables base chain is assigned a priority that defines its ordering among other base chains, flowtables, and Netfilter internal operations at the same hook. For example, a chain on the prerouting hook with priority -300 will be placed before connection tracking operations.

NOTE: If a packet is accepted and there is another chain, bearing the same hook type and with a later priority, then the packet will subsequently traverse this other chain. Hence, an accept verdict - be it by way of a rule or the default chain policy - isn't necessarily final. However, the same is not true of packets that are subjected to a drop verdict. Instead, drops take immediate effect, with no further rules or chains being evaluated.

So, to summarize, the ACCEPT verdict on the pre_forward chain was hit but, another chain with the same hook was found and was executed.

system · February 19, 2022, 2:14pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.