Re: [PATCH nft 0/8] rework dependency removal

On Fri, Oct 27, 2017 at 01:06:03AM +0200, Florian Westphal wrote:
> This series resolves a few shortcomings with the current dependency
> removal.
> 
> Problem is that the current approach sometimes can remove dependencies
> that are required, i.e. where the removal does change the rule.
> 
> Examples:
> inet t .. meta nfproto ipv6 tcp dport 22 or
> inet t .. ip protocol tcp tcp dport 22
> are reduced to 'tcp dport 22'.

OK, this is wrong, indeed.

> ip6 nexthdr icmpv6 icmpv6 type echo-request
> becomes 'ipv6 type echo-request' (which is not exactly the same,
> the implicit dependency nft adds is 'meta l4proto', which skips
> most extension headers).

This dependency removal is indeed wrong too, and I agree it needs to be
fixed.

What I still don't understand is why patch 1/8 expands icmp type
echo-request to the explicit "ether type ip icmp type echo-request"
when listing the ruleset.

I mean:

-icmp type echo-request;ok
+icmp type echo-request;ok;ether type ip icmp type echo-request
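Review bot: the added third field makes this test expect the listed form "ether type ip icmp type echo-request" for a rule that was entered as "icmp type echo-request", so listing no longer round-trips the input; if the explicit "ether type ip" dependency is genuinely required for this table family, the commit message should say why, otherwise the expected listing should stay equal to the input rule.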
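To make the point of the thread concrete, here is a small added model (not nft's own code, nor anything from this patch series) of when an explicit dependency expression may be dropped from a listed rule. The rule of thumb it encodes is the one Florian's examples imply: an explicit dependency can only be removed when every fact it establishes (network protocol, transport protocol, or the raw next-header field) is already established by the table family or by the implicit dependency nft adds for the payload match. The fact tables and the assumption that nft's implicit dependency is always `meta l4proto` (plus `meta nfproto` for icmp/icmpv6) are simplifications made for this example; `naive_reduce` is a caricature of the over-eager removal the cover letter describes, not a transcript of the current nft code.

```python
"""Model of nft implicit-dependency removal (added example, not nft code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

Fact = Tuple[str, str]  # e.g. ("nfproto", "ipv6"), ("l4proto", "tcp")

# Facts a table family guarantees before any expression runs.  Assumption of
# this model: only ip/ip6 fix the network protocol; inet/bridge/netdev do not.
FAMILY_FACTS = {
    "ip": frozenset({("nfproto", "ipv4")}),
    "ip6": frozenset({("nfproto", "ipv6")}),
    "inet": frozenset(),
    "bridge": frozenset(),
    "netdev": frozenset(),
}


@dataclass(frozen=True)
class Expr:
    text: str
    is_dependency: bool
    # facts an explicit dependency establishes when it matches
    provides: FrozenSet[Fact] = frozenset()
    # facts established by the implicit dependency nft adds for a payload match
    implicit: FrozenSet[Fact] = frozenset()


def parse(rule: str) -> List[Expr]:
    """Split a rule into 'key field value' triples and classify each one."""
    words = rule.split()
    if len(words) % 3:
        raise ValueError(f"expected 'key field value' triples: {rule!r}")
    exprs = []
    for i in range(0, len(words), 3):
        key, fld, val = words[i:i + 3]
        text = f"{key} {fld} {val}"
        if key == "meta" and fld in ("nfproto", "l4proto"):
            exprs.append(Expr(text, True, frozenset({(fld, val)})))
        elif key == "ip" and fld == "protocol":
            # IPv4 has no extension headers, so the protocol field reports the
            # same thing as meta l4proto (assumption of this model).
            exprs.append(Expr(text, True,
                              frozenset({("nfproto", "ipv4"), ("l4proto", val)})))
        elif key == "ip6" and fld == "nexthdr":
            # nexthdr is the first next-header field only; meta l4proto walks
            # past extension headers, so the two are NOT interchangeable.
            exprs.append(Expr(text, True,
                              frozenset({("nfproto", "ipv6"), ("nexthdr", val)})))
        elif key in ("tcp", "udp"):
            exprs.append(Expr(text, False, implicit=frozenset({("l4proto", key)})))
        elif key == "icmp":
            exprs.append(Expr(text, False, implicit=frozenset(
                {("nfproto", "ipv4"), ("l4proto", "icmp")})))
        elif key == "icmpv6":
            exprs.append(Expr(text, False, implicit=frozenset(
                {("nfproto", "ipv6"), ("l4proto", "icmpv6")})))
        else:
            raise ValueError(f"unsupported expression in this model: {text!r}")
    return exprs


def reduce_rule(family: str, rule: str) -> str:
    """List the rule, dropping only dependencies that change nothing.

    An explicit dependency is redundant when every fact it establishes is
    already guaranteed by the family or by an implicit dependency; any other
    explicit dependency must stay, or the listed rule no longer matches the
    same packets as the one the user wrote."""
    exprs = parse(rule)
    established = set(FAMILY_FACTS[family])
    for e in exprs:
        established |= e.implicit
    kept = []
    for e in exprs:
        if e.is_dependency and e.provides <= established:
            continue
        kept.append(e.text)
        established |= e.provides
    return " ".join(kept)


def naive_reduce(family: str, rule: str) -> str:
    """Caricature of the over-eager removal: every explicit dependency that
    sits directly before a payload match is assumed to be the implicit one
    and is dropped, whatever else it checked."""
    exprs = parse(rule)
    kept = []
    for idx, e in enumerate(exprs):
        nxt = exprs[idx + 1] if idx + 1 < len(exprs) else None
        if e.is_dependency and nxt is not None and not nxt.is_dependency:
            continue
        kept.append(e.text)
    return " ".join(kept)


if __name__ == "__main__":
    for fam, rule in [("inet", "meta nfproto ipv6 tcp dport 22"),
                      ("inet", "ip protocol tcp tcp dport 22"),
                      ("ip6", "ip6 nexthdr icmpv6 icmpv6 type echo-request"),
                      ("ip", "ip protocol tcp tcp dport 22")]:
        print(f"{fam:5} {rule!r:50} naive={naive_reduce(fam, rule)!r} "
              f"correct={reduce_rule(fam, rule)!r}")
```

With `reduce_rule`, the three rules from the cover letter are listed unchanged because the family does not already guarantee what the explicit dependency checks, while `ip protocol tcp tcp dport 22` in an `ip` table and `meta l4proto tcp tcp dport 22` in `inet` still collapse to `tcp dport 22`; `naive_reduce` reproduces the lossy reductions the thread complains about.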