Hi Florian,

On Tue, 27 Mar 2018, Florian Westphal wrote:

> When using nftables to filter icmp-in-ipv6 or icmpv6-in-ipv4 we
> erroneously removed the dependency, i.e. "list ruleset" shows
>
> table ip6 filter { chain output {
> type filter hook output priority 0; policy accept;
> icmp type destination-unreachable
> } }
>
> but that won't restore because of ip vs ipv6 conflict.
>
> After this patch, this lists as
>
> meta l4proto icmp icmp type destination-unreachable

Just a general comment, independently from the patch:

I fully understand that technically this is the expression to be used. But it's highly error prone and also difficult to read. The language could be made more readable by allowing (and by default printing) a comma between the expression parts, like this:

meta l4proto icmp, icmp type destination-unreachable

Just a suggestion.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary