Reputation: 968
For example, I have two tables:
table inet filter2 {
chain forward {
type filter hook forward priority 0; policy accept;
ct state established,related accept
iifname $wireif oifname $wirelessif accept
}
}
table inet filter {
chain forward {
type filter hook forward priority 0; policy accept;
drop
}
}
The filter table is executed first, so all my forward packets are dropped, which is not what I want. How can I set a table/chain to be executed last, so that it works as the default option?
Upvotes: 3
Views: 7211
Reputation: 598
Nftables uses the underlying netfilter framework, which has 6 hook points located at different places in the Linux kernel network stack.
When one or more rules are added at the same hook point, the netfilter framework orders the rules by their priority value.
For example, in your case you can use a different priority value for each chain when adding it.
Let's say you want to give higher priority to the rules defined in the forward chain of the filter table than to the forward chain of the filter2 table.
nft add table ip filter2
nft add chain ip filter2 forward {type filter hook forward priority 0 \;}
Now, to give higher priority to the forward chain of the filter table, assign it a priority less than 0.
nft add table inet filter
nft add chain inet filter forward '{ type filter hook forward priority -1; }'
Here a higher priority value means lower priority, and vice versa.
But be careful when using different priority values, because it may sometimes cause unintended behaviour for a packet. For more information read this
PS: The syntax is slightly different for a negative priority.
Upvotes: 9
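A worked ruleset for the question's two-table layout, added here as an example (it is not the asker's or the answerer's code). One detail matters for the "accept first, drop as the default last" design: per the nft manual, an `accept` verdict only terminates the base chain it is issued in; the packet then continues into the next base chain registered on the same hook (the one with the higher priority number), so an accept in `filter2` would still reach the bare `drop` in `filter`. The example therefore has the earlier chain tag approved packets with a packet mark and lets the later, default chain consume that mark. The interface names, the mark value 0x1 and the priority 10 are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example: ordering two base chains on the forward hook by priority.
# Interface names are placeholders (assumption); set them for your host.
define wireif = "eth0"
define wirelessif = "wlan0"

flush ruleset

# Earlier chain on the forward hook: the lower priority number runs first.
# It deliberately does NOT use "accept": accept would only end this chain,
# and the packet would still enter the next base chain on the same hook.
# Instead it tags packets it approves with a packet mark (0x1 is arbitrary;
# pick a value nothing else on the host sets).
table inet filter2 {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related meta mark set 0x1
        iifname $wireif oifname $wirelessif meta mark set 0x1
    }
}

# Later chain on the same hook (priority 10 > 0, so evaluated afterwards).
# This is the default: accept what the earlier chain approved, drop the rest.
# Counters make it easy to confirm which rule a packet matched.
table inet filter {
    chain forward {
        type filter hook forward priority 10; policy drop;
        meta mark 0x1 counter accept
        counter drop
    }
}
```

Check the file before loading it with `nft -c -f forward.nft` (`-c` parses and validates without committing), load it with `nft -f forward.nft`, and confirm the ordering and the hit counts with `nft list ruleset`. If the two tables do not have to stay separate, the simpler equivalent is a single `forward` chain with `policy drop` that holds both accept rules, which avoids the cross-chain mark entirely.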