On Wed, Jan 27, 2016 at 02:42:35PM +0100, Florian Westphal wrote:
> Check for OP_EQ before removing a dependency, else we may zap the wrong one,
> changing the meaning of the rule.
>
> Listing without patch:
> ip protocol udp udp dport ssh
> ip protocol udp udp dport ssh
> counter packets 1 bytes 308 ip protocol udp udp dport ssh
>
> With patch:
> ip protocol != tcp udp dport ssh
> ip protocol != udp udp dport ssh
> ip protocol != tcp counter packets 1 bytes 308 udp dport ssh

Acked-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
> NB: ip protocol != udp udp dport ... is nonsensical, not sure
> if it's worth the hassle to try to reject stuff like this.

I agree this is not worth it. We'll have more advanced tools to perform
transformations and more in-depth semantic evaluation of the ruleset at
some point, but not now ;-)
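To make the effect of the missing OP_EQ check concrete, here is an added example that is not part of the thread and not nft's code: a small Python model of how a transport-layer match (`udp dport`) carries an implied `ip protocol == udp` dependency, and how the listing side strips that dependency again. The names `Expr`, `IMPLIED_DEP`, `add_implicit_deps`, `remove_dependency` and `rule_matches` are assumptions of this model. `check_op=False` reproduces the pre-patch behaviour (first `ip protocol` expression is zapped, whatever its operator); `check_op=True` only removes an `OP_EQ` match with the implied value. Run against the three rules from the commit message, the model reproduces both listings, and the evaluator shows why the pre-patch output changes the rule's meaning.

```python
from dataclasses import dataclass
from typing import List, Optional

OP_EQ = "=="
OP_NEQ = "!="


@dataclass(frozen=True)
class Expr:
    """One rule element: a match (selector/op/value) or a statement such as counter."""
    selector: str
    op: Optional[str] = None
    value: Optional[str] = None

    def __str__(self) -> str:
        if self.op is None:
            return self.selector                      # statement, e.g. "counter packets 1 bytes 308"
        if self.op == OP_EQ:
            return f"{self.selector} {self.value}"    # nft lists OP_EQ without the operator
        return f"{self.selector} {self.op} {self.value}"


# Constructed table (assumption): a transport-header match implies this network-layer dependency.
IMPLIED_DEP = {
    "udp dport": Expr("ip protocol", OP_EQ, "udp"),
    "udp sport": Expr("ip protocol", OP_EQ, "udp"),
    "tcp dport": Expr("ip protocol", OP_EQ, "tcp"),
    "tcp sport": Expr("ip protocol", OP_EQ, "tcp"),
}


def add_implicit_deps(exprs: List[Expr]) -> List[Expr]:
    """Model of rule loading: insert the implied 'ip protocol == X' in front of each transport match."""
    out: List[Expr] = []
    for e in exprs:
        dep = IMPLIED_DEP.get(e.selector)
        if dep is not None:
            out.append(dep)
        out.append(e)
    return out


def remove_dependency(exprs: List[Expr], check_op: bool) -> List[Expr]:
    """Model of the listing-side cleanup that hides the implicit dependency again.

    check_op=False: pre-patch behaviour, the first expression on the dependency's
    selector is removed regardless of its operator (so 'ip protocol != tcp' is zapped).
    check_op=True: patched behaviour, only an OP_EQ match with the implied value goes.
    """
    out = list(exprs)
    for e in exprs:
        dep = IMPLIED_DEP.get(e.selector)
        if dep is None:
            continue
        for i, cand in enumerate(out):
            if cand.selector != dep.selector:
                continue
            if check_op and (cand.op != OP_EQ or cand.value != dep.value):
                continue
            del out[i]
            break
    return out


def render(exprs: List[Expr]) -> str:
    return " ".join(str(e) for e in exprs)


def listing(user_rule: List[Expr], check_op: bool) -> str:
    """What 'nft list ruleset' would print for a rule entered as user_rule."""
    return render(remove_dependency(add_implicit_deps(user_rule), check_op))


def rule_matches(exprs: List[Expr], packet: dict) -> bool:
    """Evaluate match expressions against a constructed packet (dict of selector -> value)."""
    for e in exprs:
        if e.op is None:                      # statements do not filter
            continue
        hit = packet.get(e.selector) == e.value
        if (e.op == OP_EQ) != hit:            # OP_EQ needs a hit, OP_NEQ needs a miss
            return False
    return True


if __name__ == "__main__":
    counter = Expr("counter packets 1 bytes 308")
    rules = [
        [Expr("ip protocol", OP_NEQ, "tcp"), Expr("udp dport", OP_EQ, "ssh")],
        [Expr("ip protocol", OP_NEQ, "udp"), Expr("udp dport", OP_EQ, "ssh")],
        [Expr("ip protocol", OP_NEQ, "tcp"), counter, Expr("udp dport", OP_EQ, "ssh")],
    ]
    for check_op in (False, True):
        print("Listing with patch:" if check_op else "Listing without patch:")
        for r in rules:
            print(" ", listing(r, check_op))
```

The second rule shows the semantic damage: `ip protocol != udp udp dport ssh` can never match a packet, but its pre-patch listing `ip protocol udp udp dport ssh` matches every UDP packet to port 22, so a ruleset saved from that listing and reloaded would no longer be the one the administrator wrote.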