Phil Sutter <phil@xxxxxx> wrote:
> By itself, '-m icmp --icmp-type any' is a noop, it matches any icmp
> types. Yet nft_ipv4_xlate() does not emit an 'ip protocol' match if
> there's an extension with same name present in the rule. Luckily, legacy
> iptables demands icmp match to be prepended by '-p icmp', so we can
> assume this is present and just emit the 'ip protocol' match from icmp
> xlate callback.

Reviewed-by: Florian Westphal <fw@xxxxxxxxx>