{"description": "Each nftables base chain is assigned a priority that defines its ordering \namong other base chains, flowtables, and Netfilter internal operations at \nthe same hook. For example, a chain on the prerouting hook with priority \n-300 will be placed before connection tracking operations. \nNetfilter Internal Priority for inet, ip, ip6:\n<tt>NF_IP_PRI_RAW_BEFORE_DEFRAG</tt> Typical hooks: prerouting; nft Keyword: n/a; Description: n/a\n<tt>NF_IP_PRI_CONNTRACK_DEFRAG</tt> Typical hooks: prerouting; nft Keyword: n/a; Description: Packet defragmentation / datagram reassembly \n<tt>NF_IP_PRI_RAW</tt> Typical hooks: all; nft Keyword: raw; Description: Traditional priority of \nthe raw table placed before connection tracking operations \n<tt>NF_IP_PRI_SELINUX_FIRST</tt> Typical hooks: n/a; nft Keyword: n/a; Description: SELinux operations  \n<tt>NF_IP_PRI_CONNTRACK</tt> Typical hooks: prerouting, output; nft Keyword: n/a; Description: Connection tracking processes run early in prerouting and \noutput hooks to associate packets with tracked connections.\n<tt>NF_IP_PRI_MANGLE</tt> Typical hooks: all; nft Keyword: mangle; Description: Mangle operation\n<tt>NF_IP_PRI_NAT_DST</tt> Typical hooks: prerouting; nft Keyword: dstnat; Description: Destination NAT\n<tt>NF_IP_PRI_FILTER</tt> Typical hooks: all; nft Keyword: filter; Description: Filtering operation, the filter table \n<tt>NF_IP_PRI_SECURITY</tt> Typical hooks: all; nft Keyword: security; Description: Place of security table, where secmark can be set for example \n<tt>NF_IP_PRI_NAT_SRC</tt> Typical hooks: postrouting; nft Keyword: srcnat; Description: Source NAT\n<tt>NF_IP_PRI_SELINUX_LAST</tt> Typical hooks: postrouting; nft Keyword: n/a; Description: SELinux at packet exit\n<tt>NF_IP_PRI_CONNTRACK_HELPER</tt> Typical hooks: postrouting; nft Keyword: n/a; Description: Connection tracking helpers, which identify expected and \nrelated packets. 
\n<tt>NF_IP_PRI_CONNTRACK_CONFIRM</tt> Typical hooks: input, postrouting; nft Keyword: n/a; Description: Connection tracking adds new tracked connections \nat final step in input and postrouting hooks. \nNetfilter Internal Priority for bridge:\n<tt>NF_BR_PRI_NAT_DST_BRIDGED</tt> Typical hooks: prerouting; nft Keyword: n/a; Description: n/a\n<tt>NF_BR_PRI_FILTER_BRIDGED</tt> Typical hooks: all; nft Keyword: filter; Description: n/a\n<tt>NF_BR_PRI_BRNF</tt> Typical hooks: n/a; nft Keyword: n/a; Description: n/a\n<tt>NF_BR_PRI_NAT_DST_OTHER</tt> Typical hooks: output; nft Keyword: out; Description: n/a\n<tt>NF_BR_PRI_FILTER_OTHER</tt> Typical hooks: n/a; nft Keyword: n/a; Description: n/a\n<tt>NF_BR_PRI_NAT_SRC</tt> Typical hooks: postrouting; nft Keyword: srcnat; Description: n/a", "type": "string", "operator": "equals", "interactive": true, "options": {"default": "0,0,0", "NF_IP_PRI_RAW_BEFORE_DEFRAG": -450, "NF_IP_PRI_CONNTRACK_DEFRAG": -400, "NF_IP_PRI_RAW": -300, "NF_IP_PRI_SELINUX_FIRST": -225, "NF_IP_PRI_CONNTRACK": -200, "NF_IP_PRI_MANGLE": -150, "NF_IP_PRI_NAT_DST": -100, "NF_IP_PRI_FILTER": 0, "NF_IP_PRI_SECURITY": 50, "NF_IP_PRI_NAT_SRC": 100, "NF_IP_PRI_SELINUX_LAST": 225, "NF_IP_PRI_CONNTRACK_HELPER": 300, "NF_IP_PRI_CONNTRACK_CONFIRM": 2147483647, "NF_BR_PRI_NAT_DST_BRIDGED": -300, "NF_BR_PRI_FILTER_BRIDGED": -200, "NF_BR_PRI_BRNF": 0, "NF_BR_PRI_NAT_DST_OTHER": 100, "NF_BR_PRI_FILTER_OTHER": 200, "NF_BR_PRI_NAT_SRC": 300, "chain_priorities": "0,0,0"}, "warnings": [], "title": "Nftables Base Chain Priorities", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-nftables/var_nftables_base_chain_priorities.var"}