Hi,

On Wed, Jun 26, 2019 at 12:47:40PM +0200, Pablo Neira Ayuso wrote:
[...]
> OK, you think there may be people using oifname from the C chain, but
> how so? To skip rules that are specific to the output path?

My idea for how to use it was this:

| table ip t {
| 	chain in {
| 		type filter hook input priority 0; policy accept;
| 		jump common
| 	}
|
| 	chain out {
| 		type filter hook output priority 0; policy accept;
| 		jump common
| 	}
|
| 	chain common {
| 		iifname "eth0" tcp dport ssh counter packets 101 bytes 10149 accept
| 		oifname "eth0" tcp sport ssh counter packets 65 bytes 8233 accept
| 		counter packets 0 bytes 0 drop
| 	}
| }

> Anyway, I'm fine with leaving things as is, I don't need this. Just in
> case you pass by here in the future, the tracking infrastructure
> should allow for this.

OK, cool. Thanks for clarifying upstream PoV. :)

Cheers, Phil