Nftables Base Chain Priorities

An XCCDF Value

Description

Each nftables base chain is assigned a priority that defines its ordering among other base chains, flowtables, and Netfilter internal operations at the same hook. For example, a chain on the prerouting hook with priority -300 will be placed before connection tracking operations.

Netfilter internal priorities for inet, ip, ip6:

| Netfilter internal priority | Typical hooks | nft keyword | Description |
|---|---|---|---|
| NF_IP_PRI_RAW_BEFORE_DEFRAG | prerouting | n/a | n/a |
| NF_IP_PRI_CONNTRACK_DEFRAG | prerouting | n/a | Packet defragmentation / datagram reassembly |
| NF_IP_PRI_RAW | all | raw | Traditional priority of the raw table, placed before the connection tracking operation |
| NF_IP_PRI_SELINUX_FIRST | n/a | n/a | SELinux operations |
| NF_IP_PRI_CONNTRACK | prerouting, output | n/a | Connection tracking processes run early in the prerouting and output hooks to associate packets with tracked connections. |
| NF_IP_PRI_MANGLE | all | mangle | Mangle operation |
| NF_IP_PRI_NAT_DST | prerouting | dstnat | Destination NAT |
| NF_IP_PRI_FILTER | all | filter | Filtering operation, the filter table |
| NF_IP_PRI_SECURITY | all | security | Place of the security table, where secmark can be set for example |
| NF_IP_PRI_NAT_SRC | postrouting | srcnat | Source NAT |
| NF_IP_PRI_SELINUX_LAST | postrouting | n/a | SELinux at packet exit |
| NF_IP_PRI_CONNTRACK_HELPER | postrouting | n/a | Connection tracking helpers, which identify expected and related packets. |
| NF_IP_PRI_CONNTRACK_CONFIRM | input, postrouting | n/a | Connection tracking adds new tracked connections at the final step in the input and postrouting hooks. |

Netfilter internal priorities for bridge:

| Netfilter internal priority | Typical hooks | nft keyword | Description |
|---|---|---|---|
| NF_BR_PRI_NAT_DST_BRIDGED | prerouting | n/a | n/a |
| NF_BR_PRI_FILTER_BRIDGED | all | filter | n/a |
| NF_BR_PRI_BRNF | n/a | n/a | n/a |
| NF_BR_PRI_NAT_DST_OTHER | output | out | n/a |
| NF_BR_PRI_FILTER_OTHER | n/a | n/a | n/a |
| NF_BR_PRI_NAT_SRC | postrouting | srcnat | n/a |
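The practical question behind this value is where a base chain lands relative to the internal operations listed above, in particular conntrack: a chain that runs before NF_IP_PRI_CONNTRACK on prerouting or output cannot meaningfully match on `ct state`. The following is an added example, not code from the ComplianceAsCode project or from nftables: a small Python model that resolves nft priority expressions (`filter`, `filter + 10`, `raw - 5`, or a bare integer) and lists the execution order at one hook with the conntrack-related internal operations interleaved. The numeric constants are taken from the Linux UAPI headers `netfilter_ipv4.h` and `netfilter_bridge.h` (the rows above are in ascending order of those values); the expression parser is a simplified re-implementation of nft's keyword-plus-offset syntax, and the chain names and `uses_ct` inputs are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# nft priority keywords per family group. Values are the NF_IP_PRI_* and
# NF_BR_PRI_* constants from the Linux UAPI headers (netfilter_ipv4.h,
# netfilter_bridge.h); ip and ip6 share the inet values.
KEYWORDS: Dict[str, Dict[str, int]] = {
    "inet": {"raw": -300, "mangle": -150, "dstnat": -100, "filter": 0,
             "security": 50, "srcnat": 100},
    "bridge": {"dstnat": -300, "filter": -200, "out": 100, "srcnat": 300},
}
KEYWORDS["ip"] = KEYWORDS["ip6"] = KEYWORDS["inet"]

# Conntrack-related Netfilter-internal operations that share a hook with
# base chains (inet/ip/ip6): constant, priority, hooks it is registered on.
INTERNAL_OPS: List[Tuple[str, int, Tuple[str, ...]]] = [
    ("NF_IP_PRI_CONNTRACK_DEFRAG", -400, ("prerouting",)),
    ("NF_IP_PRI_CONNTRACK", -200, ("prerouting", "output")),
    ("NF_IP_PRI_CONNTRACK_HELPER", 300, ("postrouting",)),
    ("NF_IP_PRI_CONNTRACK_CONFIRM", 2**31 - 1, ("input", "postrouting")),
]
CONNTRACK_PRIO = -200


def parse_priority(expr: str, family: str = "inet") -> int:
    """Resolve an nft priority expression to its integer value.

    Accepts a bare integer ("-300"), a keyword ("filter") or a keyword with
    an offset ("filter + 10", "raw - 5"). Simplified model of nft's syntax.
    """
    expr = expr.strip()
    if re.fullmatch(r"-?\d+", expr):
        return int(expr)
    m = re.fullmatch(r"([a-z]+)\s*(?:([+-])\s*(\d+))?", expr)
    if not m:
        raise ValueError(f"unparseable priority expression: {expr!r}")
    keyword, sign, offset = m.groups()
    table = KEYWORDS.get(family)
    if table is None or keyword not in table:
        raise ValueError(f"keyword {keyword!r} is not valid for family {family!r}")
    value = table[keyword]
    if sign:
        value += int(offset) if sign == "+" else -int(offset)
    return value


def hook_order(hook: str, chains: Dict[str, str],
               family: str = "inet") -> List[Tuple[int, str]]:
    """Return (priority, name) pairs in execution order at `hook`.

    `chains` maps base-chain name -> priority expression. The internal
    conntrack operations registered on that hook are interleaved so the
    caller can see where each chain sits; lower values run first.
    """
    entries = [(parse_priority(p, family), name) for name, p in chains.items()]
    if family != "bridge":
        entries += [(prio, const) for const, prio, hooks in INTERNAL_OPS
                    if hook in hooks]
    return sorted(entries)


def lint_chains(hook: str, chains: Dict[str, str], uses_ct: Dict[str, bool],
                family: str = "inet") -> List[str]:
    """Flag two ordering mistakes a reviewer looks for.

    1. A chain whose rules match on conntrack state (`uses_ct[name]`) but
       that runs at or before NF_IP_PRI_CONNTRACK on prerouting/output:
       the packet has no tracked state there yet.
    2. Two chains on the same hook with the same priority: their relative
       order is not defined by the priority value.
    """
    findings: List[str] = []
    prio = {name: parse_priority(p, family) for name, p in chains.items()}
    if family != "bridge" and hook in ("prerouting", "output"):
        for name, value in prio.items():
            if uses_ct.get(name) and value <= CONNTRACK_PRIO:
                findings.append(
                    f"{name}: priority {value} runs at or before conntrack "
                    f"({CONNTRACK_PRIO}) on {hook}; ct state is not available")
    seen: Dict[int, str] = {}
    for name, value in prio.items():
        if value in seen:
            findings.append(f"{name} and {seen[value]} share priority {value}; "
                            "order between them is not defined by priority")
        else:
            seen[value] = name
    return findings


if __name__ == "__main__":
    # Constructed ruleset: three base chains on inet prerouting.
    demo = {"notrack_early": "raw", "pre_mangle": "mangle", "dnat": "dstnat"}
    for value, name in hook_order("prerouting", demo):
        print(f"{value:>12}  {name}")
    for line in lint_chains("prerouting", demo, {"notrack_early": True}):
        print("WARN", line)
```

The model deliberately stops at ordering: it does not know which chains exist on a live system. To apply it to a real ruleset, feed it the `priority` expressions shown by `nft list ruleset` for one hook and family, and check that any chain relying on `ct state` reports a priority above -200.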

ID
xccdf_org.ssgproject.content_value_var_nftables_base_chain_priorities
Updated