Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > delete jump from output # disallow?
> >
> > This seems rather suicidal to me.
>
> OK, you think there may be people using oifname from the C chain, but
> how so? To skip rules that are specific to the output path?

Maybe, or just to consolidate rules, e.g.

chain C {
	[ some common rules ]
	meta oifname bla ...
	[ other common rules ]
}

After the proposed change, kernel refuses ruleset as soon as C is or
becomes reachable from a prerouting/input basechain.

(Alternatively, we could reject if not reachable from output/forward,
but that seems even more crazy because we'd have to refuse ruleset that
has unreachable chain with 'oifname' in it ...).
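Added example, not part of the original message and not kernel code: a small Python model of the two validation rules discussed above, run over a constructed ruleset in which chain C is shared. The dictionary layout, the function names and the `uses_oifname` flag are assumptions made for illustration.

```python
from collections import deque

# Hooks named in the message as the ones from which 'oifname' must not be reachable.
NO_OIF_HOOKS = {"prerouting", "input"}
OIF_HOOKS = {"output", "forward"}

def reachable_hooks(chains):
    """Map every chain to the set of hooks whose base chains reach it via jumps."""
    reach = {name: set() for name in chains}
    for name, chain in chains.items():
        hook = chain.get("hook")
        if hook is None:          # regular chain, not a base chain
            continue
        queue, seen = deque([name]), {name}
        while queue:              # breadth-first walk, safe against jump loops
            cur = queue.popleft()
            reach[cur].add(hook)
            for target in chains[cur].get("jumps", ()):
                if target not in seen:
                    seen.add(target)
                    queue.append(target)
    return reach

def validate(chains):
    """Proposed rule: refuse when an oifname chain is reachable from prerouting/input.
    Returns sorted (chain, hook) violations; an empty list means accepted."""
    reach = reachable_hooks(chains)
    return sorted((name, hook)
                  for name, chain in chains.items() if chain.get("uses_oifname")
                  for hook in reach[name] & NO_OIF_HOOKS)

def validate_alternative(chains):
    """Alternative rule: refuse oifname chains NOT reachable from output/forward."""
    reach = reachable_hooks(chains)
    return sorted(name for name, chain in chains.items()
                  if chain.get("uses_oifname") and not reach[name] & OIF_HOOKS)

# Constructed sample ruleset: C consolidates common rules and uses oifname.
RULESET = {
    "out":    {"hook": "output", "jumps": ["C"]},
    "in":     {"hook": "input", "jumps": []},
    "C":      {"uses_oifname": True, "jumps": []},
    "unused": {"uses_oifname": True, "jumps": []},   # no base chain jumps here
}

if __name__ == "__main__":
    print("proposed rule:", validate(RULESET))                   # accepted
    print("alternative rule:", validate_alternative(RULESET))    # refuses 'unused'
```

Adding "C" to the jumps of the "in" base chain makes validate() report ("C", "input"), which is the point at which the ruleset would be refused under the proposed change.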