主页 / server / 问题 / 985115
Accepted
mvorisek
Asked: 2019-09-22 06:25:54 +0800 CST

每个 nftables 链有多个钩子?

  • 772

是否可以在 nftables 链中定义多个钩子,或者是否有任何其他优雅的方式来防止内部规则重复(不包含来自另一个文件)?

table inet raw {
    chain mangle {
        type filter hook { prerouting, input, output, forward } priority -190; policy accept;

        ct state invalid counter drop
    }
}
iptables

1 个回答

  1. Best Answer

    不,基本链只有一个挂钩到 netfilter。

    但是在同一个表中,你可以从每个基链调用同一个用户链。这是一个示例,额外的计数器在单个 之后显示它们的状态ping -c1 127.0.0.1

    table inet myfilter {
    chain mypreroutingchain {
        type filter hook prerouting priority filter; policy accept;
        counter packets 2 bytes 168
        jump myuserchain
    }

    chain myinput {
        type filter hook input priority filter; policy accept;
        counter packets 2 bytes 168
        jump myuserchain
    }

    chain myforward {
        type filter hook forward priority filter; policy accept;
        counter packets 0 bytes 0
        jump myuserchain
    }

    chain myoutput {
        type filter hook output priority filter; policy accept;
        counter packets 2 bytes 168
        jump myuserchain
    }

    chain mypostrouting {
        type filter hook postrouting priority filter; policy accept;
        counter packets 2 bytes 168
        jump myuserchain
    }

    chain myuserchain {
        oif "lo" counter packets 4 bytes 336
        iif "lo" counter packets 4 bytes 336
        counter packets 8 bytes 672
        ct state invalid counter packets 0 bytes 0 drop
    }
}

    同一用户链myuserchain被调用 8 次以进行 ping:

    传出echo- r​​equest :来自output + postrouting ,来自prerouting + input的传入 echo 请求,然后再次与echo- r​​eply 相同。

    • 2

相关问题