Jumping to chain
Latest revision as of 22:02, 7 March 2021
It's often beneficial to structure your ruleset using a tree of chains. To do so, you first need to create at least one regular chain via:
% nft add chain ip filter tcp-chain
The command above creates the regular chain tcp-chain in the ip filter table. On its own a regular chain sees no traffic: packets only reach it when a rule in a base chain (here, input) jumps to it. For example, to send all TCP traffic arriving on the input hook through tcp-chain:
% nft add rule ip filter input ip protocol tcp jump tcp-chain
We can then add a simple rule to tcp-chain that counts the packets and bytes passing through it:
% nft add rule ip filter tcp-chain counter
The listing should show something like:
% nft list table filter
table ip filter {
chain input {
type filter hook input priority 0;
ip protocol tcp jump tcp-chain
}
chain tcp-chain {
counter packets 8 bytes 2020
}
}
The counters should increase as soon as you generate some TCP traffic; if they stay at zero, the jump rule in the base chain is not matching.
Note: You can only jump to regular chains.
jump vs goto
Please note the difference between jump and goto. Both hand the packet over to a regular chain, and in both cases a terminal verdict (accept, drop, reject, ...) issued in that chain ends evaluation immediately. They differ in what happens when the target chain runs out of rules without a verdict:
- With jump, the packet returns to the calling chain and evaluation continues at the rule following the jump rule.
- With goto, the packet does not return to the calling chain. Rules after the goto rule are never evaluated for that packet; if the target chain ends without a verdict, the policy of the base chain that started processing the packet is applied.
Example of jump:
Packet is: SRC=1.1.1.1 DST=2.2.2.2 TCP SPORT 111 DPORT 222
table ip filter {
chain input {
type filter hook input priority 0; policy accept;
# this is the 1º matching rule
ip saddr 1.1.1.1 ip daddr 2.2.2.2 tcp sport 111 tcp dport 222 jump other-chain
# this is the 3º matching rule
ip saddr 1.1.1.1 ip daddr 2.2.2.2 tcp sport 111 tcp dport 222 accept
}
chain other-chain {
# this is the 2º matching rule
counter packets 8 bytes 2020
}
}
Example of goto:
Packet is: SRC=1.1.1.1 DST=2.2.2.2 TCP SPORT 111 DPORT 222
table ip filter {
chain input {
type filter hook input priority 0; policy accept;
# this is the 1º matching rule
# default policy 'accept' will be applied after other-chain ends processing
ip saddr 1.1.1.1 ip daddr 2.2.2.2 tcp sport 111 tcp dport 222 goto other-chain
# this rule will never be reached by this packet!
ip saddr 1.1.1.1 ip daddr 2.2.2.2 tcp sport 111 tcp dport 222 accept
}
chain other-chain {
# this is the 2º matching rule
counter packets 8 bytes 2020
}
}
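To make the two examples above concrete, here is a small model of the verdict logic, written for this page and not part of the nftables project: it evaluates the page's ruleset (base chain input with the two rules, regular chain other-chain holding only a counter) against the packet SRC=1.1.1.1 DST=2.2.2.2 SPORT 111 DPORT 222, once with jump and once with goto, and also with the base chain policy switched to drop. The names Rule, Chain, evaluate and run are made up for the example; the packet, chain names and rule order follow the page.

```python
"""Toy model of nftables jump/goto verdict semantics (example code, not nft)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed packet: the one used in the page's examples.
PACKET = {"saddr": "1.1.1.1", "daddr": "2.2.2.2", "sport": 111, "dport": 222}

# Kernel limit on nested jumps (NFT_JUMP_STACK_SIZE); goto does not use the stack.
JUMP_STACK_SIZE = 16


@dataclass
class Rule:
    match: Dict[str, object]          # field -> required value; {} matches every packet
    verdict: Optional[str]            # accept/drop/return/jump/goto, or None for a non-terminal rule (counter)
    target: Optional[str] = None      # chain name for jump/goto
    packets: int = 0                  # the "counter" statement


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None      # only base chains carry a policy


def evaluate(chains: Dict[str, Chain], base: str, packet: dict) -> Tuple[str, List[Tuple[str, int]]]:
    """Walk the ruleset like the kernel does; return (final verdict, matched rules in order)."""
    trace: List[Tuple[str, int]] = []
    stack: List[Tuple[str, int]] = []          # (chain, next rule index) saved by jump
    chain_name, idx = base, 0
    while True:
        chain = chains[chain_name]
        if idx >= len(chain.rules):            # chain exhausted without a verdict
            if stack:                          # we got here via jump: resume the caller
                chain_name, idx = stack.pop()
                continue
            return chains[base].policy, trace  # base chain done, or goto target done: policy applies
        rule = chain.rules[idx]
        idx += 1
        if any(packet.get(k) != v for k, v in rule.match.items()):
            continue
        rule.packets += 1
        trace.append((chain_name, idx - 1))
        if rule.verdict in ("accept", "drop"):  # terminal verdicts end evaluation everywhere
            return rule.verdict, trace
        if rule.verdict == "return":            # in a base chain, return means "apply policy"
            if not stack:
                return chains[base].policy, trace
            chain_name, idx = stack.pop()
        elif rule.verdict == "jump":            # push caller, continue in target, come back later
            if len(stack) >= JUMP_STACK_SIZE:
                raise RuntimeError("jump stack exhausted")
            stack.append((chain_name, idx))
            chain_name, idx = rule.target, 0
        elif rule.verdict == "goto":            # replace current chain, never come back
            chain_name, idx = rule.target, 0
        # verdict None (counter): fall through to the next rule


def page_ruleset(kind: str, policy: str = "accept") -> Dict[str, Chain]:
    """The page's example ruleset; kind selects 'jump' or 'goto' in the first input rule."""
    return {
        "input": Chain(policy=policy, rules=[
            Rule(dict(PACKET), kind, "other-chain"),   # 1st matching rule
            Rule(dict(PACKET), "accept"),              # reached only after a jump returns
        ]),
        "other-chain": Chain(rules=[Rule({}, None)]),  # counter only, no verdict
    }


def run(kind: str, policy: str = "accept") -> Tuple[str, List[str], int]:
    """Return (verdict, matched rules as 'chain[index]', other-chain counter)."""
    chains = page_ruleset(kind, policy)
    verdict, trace = evaluate(chains, "input", PACKET)
    return verdict, [f"{c}[{i}]" for c, i in trace], chains["other-chain"].rules[0].packets


if __name__ == "__main__":
    for kind in ("jump", "goto"):
        for policy in ("accept", "drop"):
            print(kind, "policy", policy, "->", run(kind, policy))
```

With the page's `policy accept` both variants end in accept, which hides the difference; with `policy drop` the jump variant still accepts (the third rule is reached) while the goto variant drops, because nothing after the goto rule is evaluated and the base chain policy decides. That is the case to keep in mind when a goto target is a chain that only logs or counts.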
Note that only jump and goto actions to regular chains are allowed; a base chain cannot be the target. The kernel also rejects rulesets whose chains would loop, and limits the depth of nested jumps to 16 (NFT_JUMP_STACK_SIZE).