What are the use cases of "continue" verdict in the nftables?

Question

It is described in the documentation of nftables as:

continue  
    Continue ruleset evaluation with the next rule.
    This is the default behaviour in case a rule issues no verdict.

But I am curious as what might be the use cases of continue

score 1 · Accepted Answer · answered Jan 25 '24 at 16:02

One use case is, for example, it can be used in chain filters e.g. to match multiple connection states and set actions like established: accept, related: accept and new: continue where rules for new connections are defined in the following set for example ... Something like:

  chain base_filter {
    counter jump drop_filter
    ct state vmap {
      established: accept,
      related: accept,
      new: continue,
      invalid: drop
    }

... quoted from https://wiki.gentoo.org/wiki/Nftables

It's a convenience feature that mostly keeps coherence and consistency when writing/reading rules by humans (especially presets) and can be a needed feature in some cases when sometimes you might need to match a few, set action on some and continue on others.

What are the use cases of "continue" verdict in the nftables?

1 Answers1