On Thu, Dec 01, 2022 at 05:39:13PM +0100, Phil Sutter wrote:
> It's actually nonsense since it will never match, but iptables accepts
> it and the resulting nftables rule must behave identically. Reuse the
> solution implemented into xtables-translate (by commit e179e87a1179e)
> and turn the above match into 'iifname INVAL/D'.

Maybe start bailing out in iptables-nft when ! -i + is used at ruleset load time? As you mentioned, this rule is really useless / never matching.
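The point of the translation discussed above is that a rule which can never match in iptables must still never match after conversion to nftables, otherwise loading a legacy ruleset through iptables-nft would silently change what the firewall allows. The following is an added illustration, not code from iptables, nftables or the commit referenced in the thread: it models the iptables `-i` semantics (`+` as a prefix wildcard, `!` as negation), applies the translation rule from the thread (`! -i +` becomes `iifname "INVAL/D"`, a name no Linux interface can carry because it contains a `/`), and checks both sides agree on sample interface names. The exact quoting in the rendered nft expression is an assumption.

```python
# Added model of the iptables '-i' -> nftables 'iifname' translation
# discussed in the thread. Not the project's own code; the rendered
# quoting style and helper names are assumptions.

INVALID_IFNAME = "INVAL/D"  # '/' is not permitted in a Linux interface name


def iptables_iface_matches(spec: str, negate: bool, ifname: str) -> bool:
    """Evaluate an iptables '[!] -i SPEC' match against an interface name.

    A trailing '+' is a prefix wildcard, so '-i +' matches every interface
    and '! -i +' matches none.
    """
    hit = ifname.startswith(spec[:-1]) if spec.endswith("+") else ifname == spec
    return (not hit) if negate else hit


def translate_iface(spec: str, negate: bool) -> tuple[str, str, bool]:
    """Return (operator, pattern, is_wildcard) for the nft 'iifname' match.

    Mirrors the rule from the thread: a negated catch-all wildcard cannot
    be expressed as a wildcard in nft, so emit an impossible interface
    name instead, which preserves the never-matching behaviour.
    """
    if negate and spec == "+":
        return ("==", INVALID_IFNAME, False)
    op = "!=" if negate else "=="
    if spec.endswith("+"):
        return (op, spec[:-1] + "*", True)  # 'eth+' -> "eth*"
    return (op, spec, False)


def nft_iifname_matches(op: str, pattern: str, wildcard: bool, ifname: str) -> bool:
    """Evaluate the translated nft expression against an interface name."""
    hit = ifname.startswith(pattern[:-1]) if wildcard else ifname == pattern
    return hit if op == "==" else not hit


def render(spec: str, negate: bool) -> str:
    """Render the nft match text, e.g. '! -i +' -> 'iifname "INVAL/D"'."""
    op, pattern, _ = translate_iface(spec, negate)
    return f'iifname {"" if op == "==" else "!= "}"{pattern}"'


def equivalent(spec: str, negate: bool, ifnames: list[str]) -> bool:
    """True if iptables and translated nft semantics agree on every name."""
    op, pattern, wildcard = translate_iface(spec, negate)
    return all(
        iptables_iface_matches(spec, negate, n) == nft_iifname_matches(op, pattern, wildcard, n)
        for n in ifnames
    )
```

Constructed interface names such as `eth0`, `eth1`, `wlan0` and `lo` are enough to see that the negated catch-all matches nothing on either side while `-i eth+` and `! -i eth+` keep their prefix semantics.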