Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Guide to the Secure Configuration of Ubuntu 22.04
System Settings
Network Configuration and Firewalls
nftables
Nftables Base Chain Hooks
Nftables Base Chain Hooks
An XCCDF Value
Details
Profiles
Prose
Nftables Base Chain Hooks
The possible hooks which can be used to configure the base chain are:
ingress
(only in netdev family since Linux kernel 4.2, and inet family since Linux kernel 5.10): sees packets immediately after they are passed up from the NIC driver, before even prerouting.
prerouting
sees all incoming packets, before any routing decision has been made. Packets may be addressed to the local or remote systems.
input
sees incoming packets that are addressed to and have now been routed to the local system and processes running there.
forward
sees incoming packets that are not addressed to the local system.
output
sees packets that originated from processes in the local machine.
postrouting
sees all packets after routing, just before they leave the local system.