On Thu, Dec 08, 2022 at 09:31:56PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Dec 08, 2022 at 02:19:46PM +0100, Phil Sutter wrote:
> > On Thu, Dec 08, 2022 at 01:23:56PM +0100, Pablo Neira Ayuso wrote:
> > > On Thu, Dec 01, 2022 at 05:39:13PM +0100, Phil Sutter wrote:
> > > > It's actually nonsense since it will never match, but iptables accepts
> > > > it and the resulting nftables rule must behave identically. Reuse the
> > > > solution implemented into xtables-translate (by commit e179e87a1179e)
> > > > and turn the above match into 'iifname INVAL/D'.
> > >
> > > Maybe start bailing out in iptables-nft when ! -i + is used at
> > > ruleset load time?
> > >
> > > As you mentioned, this rule is really useless / never matching.
> >
> > Are you fine with doing it in legacy, too?
>
> Have you seen any autogenerated ruleset using this silly ! -i + that
> might easily break? Or are you just being conservative while keeping
> this around?

The latter: I was fixing for '-i +' which is legal in iptables but
'iifname "*"' in nftables is not, and I also had to find a way to
translate it correctly if inverted. In theory neither '-i +' nor
'! -i +' makes sense; from my perspective we could reject both. Or only
the latter, since it seems even more bogus than the former.

I was asking about legacy because I really think we should not change
iptables-nft in a way we wouldn't with legacy. At least rejecting
rulesets which worked fine with legacy is a no go.

Cheers, Phil
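The translation edge case argued over above, written out as an added illustration that is not iptables or nftables code and does not reproduce commit e179e87a1179e: a small mapper from an iptables `-i`/`-o` interface option to an nftables `iifname`/`oifname` expression. It assumes (as the thread states) that a bare `+` matches every interface and that nftables rejects `iifname "*"`, so the non-inverted `-i +` emits nothing and the inverted `! -i +` becomes the never-matching `iifname "INVAL/D"`; the `eth+` to `"eth*"` prefix mapping and the token-list parser `translate_tokens` are the author's assumptions about shape, not a claim about the real code.

```python
# Added example (not iptables-nft or xtables-translate code): map an iptables
# interface match onto an nftables meta expression, handling the '+' wildcard.
#
# Assumptions, labelled as such:
#   * '-i +'    matches everything  -> emit no nftables expression at all
#   * '! -i +'  can never match     -> emit a name no interface can have
#   * 'eth+'    is a prefix match   -> 'iifname "eth*"'
from typing import List, Optional

# '/' is not a legal character in a Linux interface name, so this name can
# never be matched by any real packet; the thread calls it 'INVAL/D'.
NEVER_MATCHING_IFNAME = "INVAL/D"

# iptables option -> nftables meta keyword (assumed mapping for this example)
IFACE_KEYWORDS = {"-i": "iifname", "-o": "oifname"}


def xlate_iface(ifname: str, invert: bool = False,
                keyword: str = "iifname") -> Optional[str]:
    """Return the nftables expression for one interface match, or None when
    the match is a no-op that should be dropped from the rule."""
    if not ifname:
        raise ValueError("empty interface name")

    if ifname == "+":
        # Non-inverted: every interface matches, nothing to emit.
        # Inverted: nothing can ever match; nftables has no '"*"' wildcard,
        # so encode 'never' as an impossible interface name.
        return f'{keyword} "{NEVER_MATCHING_IFNAME}"' if invert else None

    # Trailing '+' is the iptables prefix wildcard; '*' is the nft glob.
    pattern = ifname[:-1] + "*" if ifname.endswith("+") else ifname
    op = "!= " if invert else ""
    return f'{keyword} {op}"{pattern}"'


def translate_tokens(tokens: List[str]) -> str:
    """Translate the interface-related tokens of an iptables rule fragment
    such as ['!', '-i', '+', '-o', 'eth+'] into nftables text.

    Only '-i' and '-o' (optionally preceded by '!') are understood here;
    any other token raises so that nothing is silently mistranslated."""
    out: List[str] = []
    invert = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            invert = True
            i += 1
            continue
        if tok not in IFACE_KEYWORDS:
            raise ValueError(f"unsupported token: {tok!r}")
        if i + 1 >= len(tokens):
            raise ValueError(f"{tok} needs an interface name")
        expr = xlate_iface(tokens[i + 1], invert, IFACE_KEYWORDS[tok])
        if expr is not None:
            out.append(expr)
        invert = False
        i += 2
    return " ".join(out)


if __name__ == "__main__":
    # Constructed sample fragments, including the two cases from the thread.
    for frag in (["-i", "+"], ["!", "-i", "+"], ["-i", "eth+"],
                 ["!", "-o", "eth0"], ["!", "-i", "+", "-o", "eth+"]):
        print(f"{' '.join(frag):24s} -> {translate_tokens(frag)!r}")
```

The `None` return for the non-inverted `-i +` is what lets the caller drop the match instead of emitting `iifname "*"`, which is the form the thread says nftables does not accept.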