On Fri, Feb 21, 2025 at 04:02:25PM -0800, robinleepowell(a)gmail.com wrote:
> So I, like many other people, have hit problems with nftables ordering,
> as has been discussed on this mailing list MANY TIMES.
>
> This whole thing seemed ridiculous so I asked the nftables people about
> what one is *supposed* to do in this situation. It turns out that the
> standard solution is for libvirt's nftables rules to set a packet mark
> (there's a collision possibility here, but it's a 32-bit integer; if you
> pick one at random it shouldn't be a problem) and then the user adds a
> rule to exclude packets with that mark from any reject rules they might
> have, or explicitly accept marked packets in their own chains, or whatever.
That's an interesting idea and worth a try.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
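The mark hand-off described in the quoted message, written out as an illustrative nftables ruleset. This is an added example, not code from the thread and not libvirt's own rules: the table and chain names, the bridge name `virbr0`, the hook priorities and the mark value `0x4c564254` are all assumptions chosen for the illustration. The point it shows is that the marking chain must run at a lower (earlier) priority than the user's filtering chain on the same hook, and that the user's accept-on-mark rule must sit above any reject rule.

```nft
# Added example: packet-mark hand-off between a "libvirt-style" chain and a
# user firewall. All names, priorities and the mark value are assumptions.
define GUEST_MARK = 0x4c564254   # arbitrary 32-bit value, picked at random

table inet guest_marking {
    # Runs before the user's forward chain (priority -10 < 0), so the mark is
    # already set when the user's rules are evaluated.
    chain forward {
        type filter hook forward priority -10; policy accept;
        # Traffic leaving the guest bridge (assumed name virbr0)
        iifname "virbr0" meta mark set $GUEST_MARK
        # Replies coming back towards the guest bridge
        oifname "virbr0" ct state established,related meta mark set $GUEST_MARK
    }
}

table inet user_firewall {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Honour the mark before any reject rule, so guest traffic is not
        # blocked regardless of which table was loaded first.
        meta mark $GUEST_MARK counter accept
        ct state established,related accept
        # The user's own policy for everything else
        reject with icmpx type admin-prohibited
    }
}
```

Before loading, `nft -c -f ruleset.nft` syntax-checks the file without applying it, and `nft list ruleset | grep -i mark` shows whether any existing rule already uses the chosen value, which is the collision check the quoted message alludes to.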