I know how hooks work in netfilter, but I can't understand why there are different types of chains as described here: base chain types
I have two questions.
First: why are there different types of chains? Why not use only the "filter" type?
Second: why does the "route" chain type have only one hook? It was supposed to be the "mangle" equivalent in iptables, but according to this Hooks by family and chain type it has only the output hook. (Why?)
Thank you

The chain type is part of the design of netfilter. They made different types for the type of rule organization they thought people would like to use. This design forces people to separate chains by the three functions they create. On a technical level, each chain operates differently inside the kernel. For example, for the route type it triggers a routing evaluation after the chain is run; this is not the case for the filter or nat types.
route has only one hook because it only needs one hook to serve its function. If the mangling that you are doing is not related to routing decisions, put it in filter and attach it to whatever you need.
To better grasp the concepts, I find the nftables code in the kernel to be quite easy to follow. Here are links to the chain type definitions inside the kernel:
- https://github.com/torvalds/linux/blob/master/net/netfilter/nft_chain_filter.c#L195
- https://github.com/torvalds/linux/blob/master/net/netfilter/nft_chain_nat.c#L88
- https://github.com/torvalds/linux/blob/master/net/netfilter/nft_chain_route.c#L134

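As an added illustration (not part of the answer above), here is a minimal nftables ruleset that attaches each base chain type at the hooks it supports; the table name, interface names, ports and mark value are assumed for the example.

```nft
# Added example, not from the question or answer: one chain of each base type.
table ip demo {
    # filter type: may be attached at any hook; plain accept/drop decisions.
    chain input_filter {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }

    # nat type: hooks prerouting, input, output and postrouting only.
    # Address translation rules belong here, not in a filter chain.
    chain postrouting_nat {
        type nat hook postrouting priority srcnat;
        oifname "eth0" masquerade
    }

    # route type: the output hook only. After this chain runs, the kernel
    # re-evaluates routing for locally generated packets whose headers or
    # mark were changed (the ip_route_me_harder call in nft_chain_route.c).
    chain output_route {
        type route hook output priority mangle;
        tcp dport 443 meta mark set 0x1
    }
}
```

Loading this with `nft -f` and listing it with `nft list ruleset` shows that a mark set in `output_route` can steer a locally generated packet to a different route, while the same rule in `input_filter` would only mark the packet without a routing re-evaluation.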
- so in this way I can always set any chain as "filter" type to have more control and more hooks! is it right? – H. Far Sep 07 '22 at 10:31
- that is not correct. while commonly most things should be in filter, you must still use nat and route when and if you have rules that belong there. the limitations of route and nat types in terms of hooks are only done because it is not needed. here is a good manual for nftables https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking – toppk Sep 07 '22 at 12:33
- you are correct and I understand the design discipline, but I just wanna know if there is a technical difference between these types. I checked the github links you sent (tnx a lot) but it seems there is no difference, only a naming convention to have a clearer design, am I right??? (about RH link: tnx, but I already read that many times before asking Q here) – H. Far Sep 07 '22 at 12:53
- if you look at nf_route_table_hook4 inside nft_chain_route you will see for example a call to ip_route_me_harder, which does not exist in the filter chain. – toppk Sep 07 '22 at 12:59