We are trying to implement nftables in our system. By default we want to drop everything and accept only by defined rules. We have some Excel sheets for source IP and port, and I generate rule tables out of them. But it seems like defining multiple drop tables overrides the others. Is that correct, or am I missing something?
Example:
table inet dev {
    chain input_dev {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state { established, related } accept
        tcp dport 22 accept
        ip protocol icmp accept
    }
    chain output_dev {
        type filter hook output priority filter; policy drop;
        oifname "lo" accept
        tcp sport 22 accept
        ip protocol icmp accept
    }
}
table inet speficic_table {
    chain input {
        type filter hook input priority filter; policy drop;
        ip6 saddr <some_specific_ip> udp sport 42999 udp dport 42544 ip6 daddr ff14::1:0 accept
        # more rules from Excel
    }
    chain output {
        type filter hook output priority filter; policy drop;
        ip6 saddr <some_specific_ip> udp sport 42999 udp dport 42564 ip6 daddr ff14::1:0 accept
    }
}
Does speficic_table drop SSH even though I accept SSH in the other table? Should I keep everything in the same table? Some tables also have some IPv4 rules, so changing the table family is not going to help me.
I was expecting that I could create multiple tables to group my rules without overriding the others. I also tried changing the priority; it doesn't seem to work, and even if it works it's not useful for me.
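For reference, here is an added example ruleset that is not the asker's own configuration. In nftables every base chain registered on a hook is evaluated for each packet, in priority order, and a packet only gets through if none of those chains drops it, so an `accept` in one table does not exempt the packet from a `policy drop` base chain in another table; priority only changes the order in which the chains are checked. The usual way to keep the rule groups separate without that effect is one base chain per hook and one regular chain per group (regular chains have no hook and no policy, so they simply return to the base chain when nothing matches). The chain names, the `filter` table name and the address `2001:db8::10` below are assumptions chosen for the example:

```nft
# Added example, not the asker's ruleset.
# One base chain per hook carries the single "policy drop"; each group of
# generated rules lives in a regular chain that the base chain jumps to.
# Regular chains are declared first so every jump target already exists.
flush ruleset

table inet filter {
    # Regular chain: device rules (no hook, no policy; returns when nothing matches)
    chain dev_input {
        tcp dport 22 accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }

    chain dev_output {
        tcp sport 22 accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }

    # Regular chain: rules generated from the spreadsheet
    # (2001:db8::10 is a placeholder documentation address)
    chain specific_input {
        ip6 saddr 2001:db8::10 udp sport 42999 udp dport 42544 ip6 daddr ff14::1:0 accept
    }

    chain specific_output {
        ip6 saddr 2001:db8::10 udp sport 42999 udp dport 42564 ip6 daddr ff14::1:0 accept
    }

    # Base chains: the only places a hook and a policy are declared
    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state { established, related } accept
        ct state invalid drop

        jump dev_input        # returns here if no device rule matched
        jump specific_input   # returns here if no spreadsheet rule matched
        # nothing matched: the base-chain policy (drop) applies
    }

    chain output {
        type filter hook output priority filter; policy drop;

        oifname "lo" accept
        ct state { established, related } accept

        jump dev_output
        jump specific_output
    }
}
```

With this layout the generator can keep writing one regular chain per spreadsheet and only the base chains need a `jump` line per group. Checking the file with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft` catches syntax errors without touching the live ruleset, and the leading `flush ruleset` makes the load replace the previous ruleset atomically instead of leaving old base chains (with their own drop policies) in place.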