On Sat, Jul 27, 2019 at 07:24:24PM +0200, michael-dev@xxxxxxxxxxxxx wrote:
[...]
> I used nft list ruleset to generate /etc/nftables.conf. In case too
> few statements are killed, nftables.conf becomes a bit longer but it
> is still correct and parseable although not minimal. In case too
> many statements are killed, the semantics change on next reboot or
> for review with all kinds of implications. Therefore killing too
> many statements seems critical; killing too few only like a
> minor issue. I'd therefore prefer to take the risk of being overly
> broad here rather than having incorrect information and thus not
> restrict this to vlan.
>
> Stacked protocols like ipsec, ipip tunnel or vlan tend to have the
> same upper layer payload protocol, e.g. udp in ip, udp in ipip or
> udp in esp/ah. Therefore killing protocol type statements for
> stacked protocols generally does not look safe to me, as the upper
> layer will not imply any stacked protocol.

OK. We may have to revisit the stacked protocol logic at some point though.

Patch is applied. Thanks.

BTW, would you follow up with a fix for the json tests? If I run here:

  nft-tests.py -j

it complains here:

  ERROR: did not find JSON equivalent for rule 'ether type vlan ip protocol 1 accept'

Thanks!