The netfilter wiki describes the usage of 'jumping' to regular chains as a convenient way to arrange rulesets into a tree structure. I was trying to follow this concept in VyOS, but experienced some unexpected behaviour, so I opened a thread in the forums (https://forum.vyos.io/t/need-help-with-firewall-rulesets-and-jump/10572):

Hi,

I am currently evaluating VyOS as a replacement for pfSense and thinking about how to organize firewall rules in different rulesets. The general idea is to have a bunch of rulesets to be used multiple times by ‘jumping’ to them. I was playing around with the ‘jump’ action, but it’s not working the way I was expecting. Since I have very limited experience with netfilter in general, I am not sure if it’s a misunderstanding on my part or a potential issue of how it is implemented in VyOS.

This is how my firewall config looks like:

interface eth8 {
     in {
         name stdnt-in
     }
 }
 name floating {
     default-action return
     enable-default-log
     rule 1 {
         action accept
         destination {
             address 10.236.253.11
         }
         log enable
         protocol icmp
     }
 }
 name stdnt-in {
     default-action drop
     enable-default-log
     rule 1 {
         action jump
         jump-target floating
         log enable
     }
 }
 state-policy {
     established {
         action accept
     }
     invalid {
         action drop
     }
     related {
         action accept
     }
 }

When testing this configuration and sending an ICMP echo request from a system behind eth8 to 10.236.253.11 (which is behind eth4), the following happens according to the logs:

1. the packet gets processed by ruleset stdnt-in
2. rule 1 lets the packet jump to ruleset floating
3. rule 1 of floating sets the accept action for the packet

This is where I was expecting the packet to leave filter processing and the ICMP echo request packet to being forwarded. However, the following happened:

4. the packet enters ruleset stdnt-in again and is being dropped due to the default action.

After taking a look at the netfilter wiki, this behaviour may be a consequence of how base chain priority works in netfilter: Configuring chains - nftables wiki

Those rulesets in VyOS are created as regular chains, however, which are explictly mentioned as a way to arrange rulesets in a tree structure: Configuring chains - nftables wiki

Any ideas?

As n.fort explained in the thread, this behaviour comes from the fact that in VyOS 'accept' rules are created with the return action. Is there any chance that this could be changed? At least for my intended use case, the current implementation defeats the purpose of the jump action.