Re: Use of oifname in input chains

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > Feature because one could add the rule to a non-base chain and jump to
> > it from any hook to reduce duplication in ruleset. We would have to
> > check rules in the target chain while validating the rule containing the
> > jump.
> > 
> > What do you think?
> 
> How does this behave in iptables BTW? I think iptables simply allows
> this, but it won't ever match obviously.

iptables userspace will reject iptables -A INPUT -o foo.
-A FOO -o foo will "work", even if we only have a -j FOO from INPUT.

I don't think it's worth adding tracking for this to the kernel:

new chain C
meta oifname bla added to C
jump added from output to C
jump added from input to C   # should this fail? why?

new chain C
jump added from input to C
meta oifname added to C	     # same q: why should this fail?
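The two layouts sketched above as one complete nftables ruleset, added here as an illustration and not part of the thread; the table name, chain names and the interface name "bla" are assumed:

```nft
# Constructed example ruleset (not from the thread).
# One non-base chain C holds the oifname match and is jumped to from both
# the input and the output hook; nothing in kernel or userspace rejects this.
table inet demo {
    # non-base chain, declared first so the jumps below resolve
    chain C {
        # matches when entered from the output hook and the packet leaves via "bla";
        # when entered from the input hook no output interface exists yet,
        # so this rule simply never matches there
        meta oifname "bla" counter accept
    }

    # base chain on the input hook: oifname is undefined at this point
    chain input {
        type filter hook input priority filter; policy accept;
        jump C
    }

    # base chain on the output hook: oifname is meaningful here
    chain output {
        type filter hook output priority filter; policy accept;
        jump C
    }
}
```

Loading this with nft -f and watching the counter shows only output-path packets ever increment it, which is the "never matches" behaviour the thread describes for the iptables case.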
