In nftables, is the verdict statement "accept" final or not? I have problems understanding verdict statements in `nftables`. From `man nft`, or from here, shortly below the heading "Verdict statement", we read the fol...--prophetes.ai

In nftables, is the verdict statement "accept" final or not? I have problems understanding verdict statements in `nftables`. From `man nft`, or from here, shortly below the heading "Verdict statement", we read the following: > accept and drop are absolute verdicts --- they terminate ruleset evaluation immediately. but then, in the next sentence (emphasizing mine): > accept: Terminate ruleset evaluation and accept the packet. The packet can still be dropped later by another hook [...] I can't help but isn't that a contradiction in itself? Which one is true? Does `accept` terminate ruleset evaluation immediately, or does it not? Only one of the statements cited can be true. I am especially interested in the behavior of `accept` statements in `ingress` hooks.

I _think_ what they mean is that the `accept` will end that specific hook, but another may stop it. For example, looking at this illustration, if the **Forward Hook** were to `accept`, but then the **Postrouting Hook** were to `drop`, that would satisfy your latter quote because it is "another hook."

(This is speculation because I only have experience in `ipchains/iptables` but it looks similar enough and IIRC worked in a similar manner.)