On Wed, Jun 26, 2019 at 02:50:38PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Jun 26, 2019 at 12:58:12PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > > delete jump from output # disallow?
> > > >
> > > > This seems rather suicidal to me.
> > >
> > > OK, you think there may be people using oifname from the C chain, but
> > > how so? To skip rules that are specific to the output path?
> >
> > Maybe, or just to consolidate rules, e.g.
> >
> > chain C {
> >     [ some common rules ]
> >     meta oifname bla ...
> >     [ other common rules ]
> > }
> >
> > After the proposed change, kernel refuses ruleset as soon as C is
> > or becomes reachable from a prerouting/input basechain.
>
> I think it's more likely to misuse oifname from input path (e.g. typo)
> than finding someone with such use case you describe above but...

For the use case above, I would probably expose a 'meta hook' selector, so
you can restrict things depending on the path. Anyway...

> > (Alternatively, we could reject if not reachable from output/forward,
> > but that seems even more crazy because we'd have to refuse ruleset
> > that has unreachable chain with 'oifname' in it ...).
>
> ... I have no problem whatsoever to leave the existing behaviour in place.
>
> No need to keep spinning on this :-)
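The rule under discussion, stated as a standalone checker: a chain that matches on oifname is flagged when it is reachable (through jump/goto) from a prerouting or input base chain, where no output interface exists yet, while an unreachable chain that uses oifname is left alone. This is an added illustration, not code from the netfilter project or from any participant in the thread; the mini-parser only understands the subset of nft syntax used in the constructed sample ruleset below (chain headers, `type ... hook ...` lines, `jump`/`goto`, and `oifname` matches), and the sample ruleset itself is constructed for the example.

```python
"""Reachability check for oifname use in nftables chains.

Hypothetical mini-parser over an nft-style ruleset text (an illustration,
not the kernel's or nft's own validation). The check mirrors the
restriction debated in the thread: report a chain that matches on
oifname when it is reachable from a prerouting or input base chain.
"""
import re
from collections import defaultdict

# Hooks at which the output interface has not been chosen yet.
NO_OIF_HOOKS = {"prerouting", "input"}

# Constructed sample ruleset (not from the thread). Chain C is reached
# from both input and output and matches on oifname; chain "unused" also
# matches on oifname but is not reachable from any base chain.
SAMPLE_RULESET = """
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        jump C
    }
    chain output {
        type filter hook output priority 0; policy accept;
        jump C
    }
    chain C {
        ip saddr 10.0.0.0/8 accept
        meta oifname "eth0" counter
        tcp dport 22 accept
    }
    chain unused {
        oifname "eth1" drop
    }
}
"""

CHAIN_RE = re.compile(r"chain\s+(\w+)\s*\{")
HOOK_RE = re.compile(r"\btype\s+\w+\s+hook\s+(\w+)")
JUMP_RE = re.compile(r"\b(?:jump|goto)\s+(\w+)")
OIF_RE = re.compile(r"\b(?:meta\s+)?oifname\b")


def parse_ruleset(text):
    """Return (hooks, edges, uses_oif).

    hooks:    base chain name -> hook name ("input", "output", ...)
    edges:    chain name -> set of chains it jumps/gotos to
    uses_oif: set of chains containing an oifname match
    """
    hooks, edges, uses_oif = {}, defaultdict(set), set()
    chain = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            edges.setdefault(chain, set())
            continue
        if line == "}":          # closes the current chain (or the table)
            chain = None
            continue
        if chain is None:        # table header or blank line
            continue
        m = HOOK_RE.search(line)
        if m:
            hooks[chain] = m.group(1)
        m = JUMP_RE.search(line)
        if m:
            edges[chain].add(m.group(1))
        if OIF_RE.search(line):
            uses_oif.add(chain)
    return hooks, dict(edges), uses_oif


def reachable_hooks(hooks, edges):
    """Map each chain to the set of hooks from which it can be reached."""
    reach = defaultdict(set)
    for base, hook in hooks.items():
        stack, seen = [base], set()
        while stack:            # depth-first walk over jump/goto edges
            c = stack.pop()
            if c in seen:
                continue
            seen.add(c)
            reach[c].add(hook)
            stack.extend(edges.get(c, ()))
    return dict(reach)


def check_oifname(text):
    """Return sorted (chain, hook) pairs for chains that match on oifname
    and are reachable from a hook where no output interface exists."""
    hooks, edges, uses_oif = parse_ruleset(text)
    reach = reachable_hooks(hooks, edges)
    problems = []
    for chain in sorted(uses_oif):
        for hook in sorted(reach.get(chain, set()) & NO_OIF_HOOKS):
            problems.append((chain, hook))
    return problems


if __name__ == "__main__":
    for chain, hook in check_oifname(SAMPLE_RULESET):
        print(f"chain {chain}: oifname match reachable from hook {hook}")
```

Running it on the sample reports only chain C via the input hook: the output path is fine, and the unreachable chain is not flagged, which is the "alternative" Florian describes as even more restrictive and which this checker deliberately does not implement.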