Hi,

On Tue, 22 Apr 2025 13:43:52 +0200 Florian Westphal <fw@xxxxxxxxx> wrote:

> This is an input chain. The loopback bypass is restricted
> to PRE_ROUTING before v6.15-rc1.

That opens another question, as I have in that chain:

    chain r_prerouting { # handle 1
        type filter hook input priority raw; policy accept;
        iif "lo" notrack accept comment "no lo conntrack" # handle 15
        ...
    }

Why does this notrack work?

The image about packet flow on [1] left me with the impression that the input hook happens after conntrack (as conntrack priority is shown as part of the prerouting hook), thus the raw priority of the input hook is not important for that (just for ordering it), and thus setting notrack in the input hook is too late, despite the chain priority...

But it is not, it works, conntrack -L doesn't show "lo" entries (nor -E)...

Please, can someone explain it to me? Does raw priority in the input (or more generically in any) hook run it before conntrack/DNAT, despite the hook type? What then is the difference between the prerouting and input (and forward) hooks, in the conntrack/DNAT context?

(please approximate my question, my English is far from good)

[1] https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

regards

-- 
Slavko
https://www.slavino.sk