Can an nftables chain have multiple hooks?


Is it possible to define multiple hooks in a single nftables chain, or is there some other elegant way to avoid duplicating the rules inside it (without including them from another file)?

table inet raw {
    chain mangle {
        type filter hook { prerouting, input, output, forward } priority -190; policy accept;

        ct state invalid counter drop
    }
}

Answer 1

No, a base chain has exactly one hook into netfilter.

But within the same table you can call the same user chain from every base chain. Here is an example, with extra counters showing their state after a single ping -c1 127.0.0.1

table inet myfilter {
    chain mypreroutingchain {
        type filter hook prerouting priority filter; policy accept;
        counter packets 2 bytes 168
        jump myuserchain
    }

    chain myinput {
        type filter hook input priority filter; policy accept;
        counter packets 2 bytes 168
        jump myuserchain
    }

    chain myforward {
        type filter hook forward priority filter; policy accept;
        counter packets 0 bytes 0
        jump myuserchain
    }

    chain myoutput {
        type filter hook output priority filter; policy accept;
        counter packets 2 bytes 168
        jump myuserchain
    }

    chain mypostrouting {
        type filter hook postrouting priority filter; policy accept;
        counter packets 2 bytes 168
        jump myuserchain
    }

    chain myuserchain {
        oif "lo" counter packets 4 bytes 336
        iif "lo" counter packets 4 bytes 336
        counter packets 8 bytes 672
        ct state invalid counter packets 0 bytes 0 drop
    }
}

The same user chain myuserchain is called 8 times for the ping:

outgoing echo request: from output + postrouting; incoming echo request: from prerouting + input; then the same again for the echo reply.
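The pattern above (one base chain per hook, each jumping to a single shared user chain) can be generated instead of hand-written. This is an added example, not code from the question or the answer; the table name, the chain names base_* and shared_filter, and the single `ct state invalid` rule are assumptions for the demo.

```shell
#!/bin/sh
# gen_ruleset TABLE HOOKS PRIORITY
#   TABLE    e.g. "inet raw"  (assumed name for the demo)
#   HOOKS    space-separated netfilter hooks, e.g. "prerouting input forward output"
#   PRIORITY base-chain priority, e.g. -190 (the value used in the question)
# Emits an nft ruleset in which every base chain only jumps to one shared
# user chain, so the actual filtering rule is written exactly once.
gen_ruleset() {
    table="$1"
    hooks="$2"
    prio="$3"
    shared="shared_filter"   # assumed name of the shared user chain

    printf 'table %s {\n' "$table"
    for hook in $hooks; do
        # Only the five netfilter hooks usable by a filter-type chain are accepted;
        # anything else is rejected before it reaches nft.
        case "$hook" in
            prerouting|input|forward|output|postrouting) ;;
            *) printf 'gen_ruleset: unknown hook "%s"\n' "$hook" >&2; return 1 ;;
        esac
        printf '    chain base_%s {\n' "$hook"
        printf '        type filter hook %s priority %s; policy accept;\n' "$hook" "$prio"
        printf '        jump %s\n' "$shared"
        printf '    }\n'
    done

    # The shared user chain: the rule that should apply on every hook lives here once.
    printf '    chain %s {\n' "$shared"
    printf '        ct state invalid counter drop\n'
    printf '    }\n'
    printf '}\n'
}

# Usage (needs root and nft): write the ruleset, syntax-check it, then load it.
#   gen_ruleset "inet raw" "prerouting input forward output" -190 > /tmp/raw.nft
#   nft -c -f /tmp/raw.nft && nft -f /tmp/raw.nft
```

Because `nft -f` on a `table ... { }` block merges into an existing table, run `nft flush table inet raw` first if you want the generated file to replace the old chains rather than add to them.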
