GoForum › 🌐 V2EX

nftables 学得有点懵

cxxnullptr · 2026-02-07 14:37 · 0 次点赞 · 6 条回复

多个相同 hook ，一个 accept ，后面的还执行吗？

chatgpt 和 grok 说 accept 就终结了，gemini 说还能继续执行

chatgpt 回答

grok 回答

gemini 回答

规则 1 ，不同优先级

table inet A {
  chain input {
    type filter hook input priority 0;
    tcp dport 22 accept
  }
}


table inet B {
  chain input {
    type filter hook input priority 10;
    tcp dport 22 drop
  }
}

规则 2 ，相同优先级

table inet A {
  chain input {
    type filter hook input priority 0;
    tcp dport 22 accept
  }
}


table inet B {
  chain input {
    type filter hook input priority 0;
    tcp dport 22 drop
  }
}

6 条回复

slowman · 2026-02-07 14:37

nftables 文档怎么说

KagurazakaNyaa · 2026-02-07 14:37

https://wiki.nftables.org/wiki-nftables/index.php/Accepting_and_dropping_packets

按照 wiki 的说法，accept 不会终止处理

EchoWhale · 2026-02-07 14:47

不再执行当前 chain 的其他规则，但会执行其他 chain 的规则。

NOTE: If a packet is accepted and there is another chain, bearing the same hook type and with a later priority, then the packet will subsequently traverse this other chain. Hence, an accept verdict - be it by way of a rule or the default chain policy - isn’t necessarily final. However, the same is not true of packets that are subjected to a drop verdict. Instead, drops take immediate effect, with no further rules or chains being evaluated.

https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains