Fw4: Chain priority not working properly


I created a default deny rule for DNS on my router. On fw3, by adding an override on the forwarding_rule chain, an exemption can be added to this default deny rule.

However, when this is converted to fw4 rules with the user_pre_forward chain, DNS queries are still blocked. Here is a dump of the active rules that was tested.

table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
                tcp dport { 53, 853, 5353 } counter packets 0 bytes 0 drop
                udp dport { 53, 853, 5353 } counter packets 2 bytes 120 drop
table inet fw4 {
        chain user_pre_forward {
                type filter hook forward priority filter - 1; policy accept;
                udp dport 53 counter packets 2 bytes 120 accept

Notice that both counters were incremented. I was expecting that after a match on the user_pre_forward chain, no other rules will be executed.

Am I missing something here? Running on OpenWrt SNAPSHOT, r18773-04ed224543.

EDIT: Removed non-DNS related rules on the dump to make viewing easier.

Change it to accept or explicitly permit it.

But why? The rule on "forward" chain is the default deny rule. The rule on "user_pre_forward" is the override. I expect the "user_pre_forward" to be evaluated first since priority is -1.

Using pre-forward is for things like marking or forcing packets to go to a specific rule.

Forward is what takes traffic from one zone to the next.

So I need to create another rule that will be jumped to by the pre_forward... Let me try that.

EDIT: Im still having doubts about creating another rule. Defeats the purpose of the pre_forward chain. In fw3, this is simple.

EDIT: Upon rechecking the documentation, I found this

Base chain priority

Each nftables base chain is assigned a priority that defines its ordering among other base chains, flowtables, and Netfilter internal operations at the same hook. For example, a chain on the prerouting hook with priority -300 will be placed before connection tracking operations.

NOTE: If a packet is accepted and there is another chain, bearing the same hook type and with a later priority, then the packet will subsequently traverse this other chain. Hence, an accept verdict - be it by way of a rule or the default chain policy - isn't necessarily final. However, the same is not true of packets that are subjected to a drop verdict. Instead, drops take immediate effect, with no further rules or chains being evaluated. 

So, to summarize, the ACCEPT verdict on the pre_forward chain was hit but, another chain with the same hook was found and was executed.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.