On Wed, Jun 26, 2019 at 12:32:30PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > Feature because one could add the rule to a non-base chain and jump to
> > > it from any hook to reduce duplication in ruleset. We would have to
> > > check rules in the target chain while validating the rule containing the
> > > jump.
> > >
> > > What do you think?
> >
> > How does this behave in iptables BTW? I think iptables simply allows
> > this, but it won't ever match obviously.
>
> iptables userspace will reject iptables -A INPUT -o foo.
> -A FOO -o foo will "work", even if we only have a -j FOO from INPUT.
>
> I don't think it's worth adding tracking for this to the kernel:
>
> new chain C
> meta oifname bla added to C
> jump added from output to C
> jump added from input to C # should this fail? why?
>
> new chain C
> jump added from input to C
> meta oifname added to C # same q: why should this fail?

There's tracking infrastructure for this already in place, right? It's just a matter of checking for this from nft_meta_get_validate().
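The two orderings Florian lists (the `meta oifname` rule added before the jumps, and the jump added before the rule) are easier to reason about with a small model of the validation walk. The following is an added illustration written for this thread; it is not kernel code and does not reproduce `nft_meta_get_validate()`. It assumes a simplified ruleset where a match on the output interface is only meaningful when the chain is reachable from the `output`, `forward` or `postrouting` hooks, and it re-runs the reachability walk from every base chain after each rule is added, so both orderings are rejected at the point where the chain first becomes reachable from an `input` hook.

```python
# Toy model of nftables chain validation (added example, not kernel code).
# Assumption: an output-interface match only makes sense when the chain is
# reachable from one of these hooks.
OIF_HOOKS = {"output", "forward", "postrouting"}


class Ruleset:
    """Chains, base-chain hooks and rules; rules are ('jump', chain) or ('meta', key)."""

    def __init__(self):
        self.hooks = {}   # base chain name -> hook name
        self.rules = {}   # chain name -> list of rules

    def add_chain(self, name, hook=None):
        self.rules[name] = []
        if hook is not None:
            self.hooks[name] = hook

    def add_rule(self, chain, rule):
        # Append, validate the whole ruleset, and roll back on rejection.
        self.rules[chain].append(rule)
        try:
            self.validate()
        except ValueError:
            self.rules[chain].pop()
            raise

    def validate(self):
        # Walk from every base chain, carrying its hook into jumped-to chains.
        for base, hook in self.hooks.items():
            self._walk(base, hook, frozenset())

    def _walk(self, chain, hook, seen):
        if chain in seen:
            return  # loop guard; real nft rejects loops separately
        seen = seen | {chain}
        for kind, arg in self.rules[chain]:
            if kind == "jump":
                self._walk(arg, hook, seen)
            elif kind == "meta" and arg == "oifname" and hook not in OIF_HOOKS:
                raise ValueError(
                    f"meta oifname in chain {chain!r} reachable from {hook} hook")


def _base():
    rs = Ruleset()
    rs.add_chain("input", hook="input")
    rs.add_chain("output", hook="output")
    rs.add_chain("C")
    return rs


def scenario_jump_added_last():
    """First ordering: meta rule in C, jump from output, then jump from input."""
    rs = _base()
    rs.add_rule("C", ("meta", "oifname"))   # accepted: C not reachable yet
    rs.add_rule("output", ("jump", "C"))    # accepted: output hook has an oif
    try:
        rs.add_rule("input", ("jump", "C"))
    except ValueError:
        return "rejected"
    return "accepted"


def scenario_meta_added_last():
    """Second ordering: jump from input first, then the meta rule in C."""
    rs = _base()
    rs.add_rule("input", ("jump", "C"))
    try:
        rs.add_rule("C", ("meta", "oifname"))
    except ValueError:
        return "rejected"
    return "accepted"


def scenario_output_only():
    """Control: C reachable only from the output hook is fine."""
    rs = _base()
    rs.add_rule("output", ("jump", "C"))
    rs.add_rule("C", ("meta", "oifname"))
    return "accepted"


if __name__ == "__main__":
    print("jump added last :", scenario_jump_added_last())
    print("meta added last :", scenario_meta_added_last())
    print("output only     :", scenario_output_only())
```

The point the model makes is that the check does not have to live in one place: validating on the jump catches the first ordering, validating on the meta expression catches the second, and a walk from the base chains after each change covers both, which is the tracking cost Florian is questioning.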