Change policy with nftables on command line

Yes you can redefine an already existing base chain's policy without changing its content. There's no separate keyword for this, it's still add:

nft add chain family mytable mychain '{ policy drop; }'

---

Complete example in a namespace:

test.nft:

flush ruleset

table ip t {
    chain c {
        type filter hook output priority 0; policy accept;
        oif lo accept
        counter
    }
}

setup:

# ip netns add test
# ip netns exec test nft -f test.nft

alteration:

# ip netns exec test nft add 'chain ip t c { policy drop; }'
# ip netns exec test nft list ruleset
table ip t {
    chain c {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        counter packets 0 bytes 0
    }
}

The policy was changed, without altering the rules. Using here nft 0.9.5 and kernel 5.7.x . Depending on version behaviour might differ.

There's a kernel commit from 2015 allowing to do only this:

netfilter: nf_tables: allow to change chain policy without hook if it exists

If there's an existing base chain, we have to allow to change the default policy without indicating the hook information.

However, if the chain doesn't exists, we have to enforce the presence of the hook attribute.

Signed-off-by: Pablo Neira Ayuso [email protected]

Before this (around kernel 4.1), one had to provide again the base chain definition (which can't be changed by the way):

# ip netns exec test nft add 'chain ip t c { type filter hook output priority 0;  policy drop; }'