So I have two input chains, input and dyn, the latter of which is dynamically generated. However, the rules of dyn just don't work because of input. I've tried setting the priority of input to 1, and of dyn to 0, even -200. Still nothing.

When I flush the input rules, then dyn works.

What am I doing wrong here?
sudo nft list ruleset

table inet filter {
    chain input {
        type filter hook input priority filter + 1; policy accept;
        iif "lo" accept
        ct state established,related accept
        tcp dport 299 ip saddr 3x.xx.xx.xx accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
        ip6 saddr fe80::/10 icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report, 151, 152, 153 } accept
        counter packets 10 bytes 5255 drop
    }

    chain dyn {
        type filter hook input priority filter; policy accept;
        iif "lo" accept
        ct state established,related accept
        ip saddr 2x.xx.xx.xx udp dport 8999 log prefix "dyn" accept
        ip6 saddr xxx:xxxx:xxxx:xxxx::9999 udp dport 8999 log prefix "dyn" accept
        ip saddr 2x.xx.xx.xx tcp dport 7999 log prefix "dyn" accept
        ip6 saddr xxx:xxxx:xxxx:xxxx::9999 tcp dport 7999 log prefix "dyn" accept
        ip saddr 2x.xx.xx.xx icmp type echo-request log prefix "dyn" accept
        ip6 saddr xxx:xxxx:xxxx:xxxx::9999 icmp type echo-request log prefix "dyn"
        ip saddr 2x.xx.xx.xx tcp dport 6999 log prefix "dyn" accept
        ip6 saddr xxx:xxxx:xxxx:xxxx::aaaa tcp dport 6999 log prefix "dyn" accept
    }
}
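The behaviour in the ruleset above follows from how nftables treats verdicts across base chains, and the following is an added example of the alternative layout (not the poster's ruleset; addresses and ports are documentation placeholders). Both input and dyn are base chains registered on the same input hook. A base chain with a lower priority number runs first, so with dyn at priority filter (0) and input at filter + 1, dyn runs first. An accept verdict in a base chain only ends evaluation of that chain; the packet then continues to the next base chain on the same hook, where input's final counter drop discards it. A drop in any base chain is final, while an accept is not, so no priority ordering of two base chains makes dyn's accepts win over input's drop, which is why dyn only appears to work once input is flushed. The layout that gives the intended semantics keeps a single base chain on the input hook and turns dyn into a regular chain that input jumps to before its final drop; an accept inside the jumped-to chain then ends evaluation of input as well.

```nft
#!/usr/sbin/nft -f
# Added example, not the original poster's ruleset.
# 192.0.2.10 and 2001:db8::9999 are placeholder addresses.
flush ruleset

table inet filter {
    # The only base chain on the input hook: it has type/hook/priority.
    chain input {
        type filter hook input priority filter; policy accept;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Hand the packet to the dynamically generated rules. If a rule in
        # dyn issues "accept", evaluation stops here too, so the final drop
        # below is never reached for that packet. If nothing in dyn matches,
        # evaluation returns here and continues with the next rule.
        jump dyn

        counter drop
    }

    # Regular chain: no type/hook/priority line, so it is only reached via
    # the jump above and never evaluated as a second base chain.
    chain dyn {
        ip saddr 192.0.2.10 udp dport 8999 log prefix "dyn " accept
        ip6 saddr 2001:db8::9999 udp dport 8999 log prefix "dyn " accept
        ip saddr 192.0.2.10 tcp dport { 6999, 7999 } log prefix "dyn " accept
        ip6 saddr 2001:db8::9999 tcp dport { 6999, 7999 } log prefix "dyn " accept
        ip saddr 192.0.2.10 icmp type echo-request log prefix "dyn " accept
        # IPv6 ping is ICMPv6, so the match must use icmpv6, not icmp
        ip6 saddr 2001:db8::9999 icmpv6 type echo-request log prefix "dyn " accept
    }
}
```

Because dyn is now a regular chain, the generator that rewrites it can do so without touching input: load a file containing `flush chain inet filter dyn` followed by the new `add rule inet filter dyn ...` lines with `nft -f`, and the whole replacement is applied as one atomic transaction while the jump in input stays in place. Keep the explicit `counter drop` (or a drop policy) on input rather than relying on a separate drop chain, since any other base chain on the input hook would reintroduce the same accept-then-drop problem.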