Re: [iptables PATCH 4/7] nft: Fix match generator for '! -i +'

On Thu, Dec 08, 2022 at 02:19:46PM +0100, Phil Sutter wrote:
> On Thu, Dec 08, 2022 at 01:23:56PM +0100, Pablo Neira Ayuso wrote:
> > On Thu, Dec 01, 2022 at 05:39:13PM +0100, Phil Sutter wrote:
> > > It's actually nonsense since it will never match, but iptables accepts
> > > it and the resulting nftables rule must behave identically. Reuse the
> > > solution implemented into xtables-translate (by commit e179e87a1179e)
> > > and turn the above match into 'iifname INVAL/D'.
> > 
> > Maybe start bailing out in iptables-nft when ! -i + is used at
> > ruleset load time?
> > 
> > As you mentioned, this rule is really useless / never matching.
> 
> Are you fine with doing it in legacy, too?

Have you seen any autogenerated ruleset using this silly ! -i + that
might easily break? Or are you just being conservative while keeping
this around?
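The behaviour under discussion, as an added illustration that is not part of the thread and not the xtables-translate or iptables-nft source: a model of how an iptables -i/-o spec becomes an nft iifname/oifname expression, including the '! -i +' corner case, plus a small evaluator that shows why the emitted 'INVAL/D' name can never match (the kernel rejects '/' in interface names). Function names, the evaluator and the sample interface names are assumptions made for this example.

```python
"""Model of the iptables -> nftables interface-match translation discussed
in this thread.  Added example, not project code: a reconstruction of the
behaviour, with names and helpers chosen for illustration."""

import re

# Constructed placeholder, as quoted in the thread: '/' is not allowed in a
# Linux interface name, so an exact match on this string can never succeed.
NEVER_MATCHING_IFNAME = "INVAL/D"


def xlate_ifname(nftmeta: str, ifname: str, invert: bool) -> str:
    """Render one iptables interface option as an nft expression.

    nftmeta: "iifname" for -i, "oifname" for -o.
    ifname:  the spec given to iptables; a trailing '+' is the iptables
             prefix wildcard, which nft writes as a trailing '*'.
    invert:  True when the option was negated ('! -i ...').
    Returns "" when no expression is needed (the match accepts anything).
    """
    if ifname == "":
        return ""
    if "/" in ifname:
        raise ValueError("'/' is not valid in an interface name")
    name = ifname[:-1] + "*" if ifname.endswith("+") else ifname
    if name == "*":
        # '-i +' matches every interface, so a positive match is a no-op.
        # '! -i +' matches nothing, but nft has no "match nothing" form for
        # iifname, so emit a name that no real interface can carry instead.
        return f'{nftmeta} "{NEVER_MATCHING_IFNAME}"' if invert else ""
    op = " !=" if invert else ""
    return f'{nftmeta}{op} "{name}"'


def iptables_rule_to_nft(iif: str = "", iif_invert: bool = False,
                         oif: str = "", oif_invert: bool = False) -> str:
    """Combine the -i and -o parts of one rule into the nft match prefix."""
    parts = [xlate_ifname("iifname", iif, iif_invert),
             xlate_ifname("oifname", oif, oif_invert)]
    return " ".join(p for p in parts if p)


# Parser for the expressions this model emits (assumed shape, not nft's
# full grammar): meta, optional ' !=', quoted name.
_EXPR = re.compile(r'^(iifname|oifname)( !=)? "([^"]*)"$')


def nft_ifname_matches(expr: str, iif: str, oif: str = "") -> bool:
    """Evaluate one emitted expression against a packet's interface names,
    using nft's trailing-'*' prefix semantics.  "" means 'always matches'."""
    if expr == "":
        return True
    m = _EXPR.match(expr)
    if not m:
        raise ValueError(f"unparsable expression: {expr!r}")
    meta, neg, pattern = m.groups()
    actual = iif if meta == "iifname" else oif
    if pattern.endswith("*"):
        hit = actual.startswith(pattern[:-1])
    else:
        hit = actual == pattern
    return hit != bool(neg)


if __name__ == "__main__":
    # Constructed sample interfaces to exercise the corner cases.
    for spec, inv in [("eth0", False), ("eth0", True), ("eth+", True),
                      ("+", False), ("+", True)]:
        expr = xlate_ifname("iifname", spec, inv)
        hits = [i for i in ("eth0", "eth1", "wlan0", "lo")
                if nft_ifname_matches(expr, i)]
        print(f"{'! ' if inv else ''}-i {spec:5} -> {expr or '(no-op)':24} "
              f"matches {hits}")
```

Running the block prints one line per spec; the '! -i +' row is the only one with an empty match list, which is the "never matches" behaviour the patch preserves, while '-i +' drops out of the rule entirely.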


