On Tue, Jun 25, 2019 at 02:29:54PM +0200, Phil Sutter wrote:
> Hi Pablo,
>
> I have a ticket complaining that it is possible to use 'oifname' match
> within a base chain hooked into input. Nftables behaves correctly, the
> statement simply won't ever match. Question is whether this is a bug or
> feature:

Matching oifname on input does not make sense. You can just narrow this
down from the control plane patch via kernel patch to reject this.

> Bug because the rule clearly won't ever match and so does not make sense
> when used in a base chain.
>
> Feature because one could add the rule to a non-base chain and jump to
> it from any hook to reduce duplication in ruleset. We would have to
> check rules in the target chain while validating the rule containing the
> jump.
>
> What do you think? How does this behave in iptables BTW?

I think iptables simply allows this, but it won't ever match obviously.
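A control-plane check along the lines Phil sketches, written as an added example (not nft's or the kernel's code): it models a ruleset in a small constructed dict form, not nft's real JSON schema, and walks jump/goto targets from each base chain to flag oif/oifname matches that can never succeed. It generalises slightly beyond the thread by treating prerouting like input, since no output interface exists before the routing decision either.

```python
"""Lint a modelled nftables ruleset for output-interface matches that are
reachable from a hook where no output interface is known yet."""
from collections import deque

# Matches that need a routing decision to have happened.
OUTPUT_ONLY_MATCHES = {"oif", "oifname"}
# Hooks at which the output interface is not yet known.
HOOKS_WITHOUT_OIF = {"prerouting", "input"}


def dead_rules(chains):
    """Return (chain, rule_index, match, base_chain:hook) for every rule whose
    oif/oifname match is reachable, directly or via jump/goto, from a base
    chain hooked where no output interface exists.

    chains: {name: {"hook": str | None,
                    "rules": [{"match": [str, ...],
                               "verdict": ("jump"|"goto", target) | ("accept",)}]}}
    (constructed model, not nft's JSON format)
    """
    findings = []
    for base, spec in chains.items():
        hook = spec.get("hook")
        if hook not in HOOKS_WITHOUT_OIF:
            continue  # output/forward/postrouting do know the oif
        seen, queue = set(), deque([base])
        while queue:  # breadth-first over jump/goto targets
            name = queue.popleft()
            if name in seen:
                continue
            seen.add(name)
            for idx, rule in enumerate(chains.get(name, {}).get("rules", [])):
                for match in rule.get("match", []):
                    if match in OUTPUT_ONLY_MATCHES:
                        findings.append((name, idx, match, f"{base}:{hook}"))
                verdict = rule.get("verdict", ())
                if verdict and verdict[0] in ("jump", "goto"):
                    queue.append(verdict[1])
    return findings


RULESET = {  # constructed sample ruleset
    "input": {"hook": "input", "rules": [
        {"match": ["oifname"], "verdict": ("accept",)},          # never matches
        {"match": ["iifname"], "verdict": ("jump", "shared")},   # fine
    ]},
    "output": {"hook": "output", "rules": [
        {"match": ["oifname"], "verdict": ("jump", "shared")},   # fine
    ]},
    "shared": {"hook": None, "rules": [
        {"match": ["oifname", "ct state"], "verdict": ("accept",)},  # dead only via input
    ]},
}

if __name__ == "__main__":
    for chain, idx, match, via in dead_rules(RULESET):
        print(f"{chain} rule {idx}: '{match}' can never match when reached via {via}")
```

The same rule in `shared` is reported only for the path from the input hook; the jump from `output` is left alone, which is the cross-chain distinction Phil's "feature" reading requires.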