On Wed, Jun 26, 2019 at 12:42:54PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > new chain C
> > > meta oifname bla added to C
> > > jump added from output to C
> > > jump added from input to C # should this fail? why?
> > >
> > > new chain C
> > > jump added from input to C
> > > meta oifname added to C # same q: why should this fail?
> >
> > There's tracking infrastructure for this already in place, right? It's
> > just a matter to check for this from nft_meta_get_validate().
>
> But what semantics would you add?
> It seems it would 100% break existing rulesets.
>
> new chain C
> jump added from output to C
> meta oifname added to C # allowed? jump from output exists
> jump added from input to C # disallow this? Why?

To me, it makes no sense to use oifname from the input chain indirectly,
even if this is being used from the C chain.

> ..
> delete jump from output # disallow?
>
> This seems rather suicidal to me.

OK, you think there may be people using oifname from the C chain, but
how so? To skip rules that are specific to the output path?

Anyway, I'm fine with leaving things as is, I don't need this. Just in
case you pass by here in the future, the tracking infrastructure should
allow for this.