In this wiki page[1] we can read the following:

    In nftables, the expressions are the basic building block of a rule, thus, a rule is basically a composite of expressions that is linearly evaluated from left to right: if the first expression matches, then the next expression is evaluated and so on until we reach the last expression that is part of the rule. An expression can match some specific payload field, packet/flow metadata and any action.

According to the info, if the previous expression doesn't match, the rest of the rule isn't processed. But still I can make a rule similar to the following:

    add rule inet filter INPUT meta iifname "br-*" ip saddr 10.10.0.0/24 ip saddr 10.10.2.0/24 counter accept

So I'm able to specify multiple saddr/daddr/sport/dport even when such rules don't make any sense, since if the first saddr fails to match, the second one will never be processed and hence the rule won't get any matches.

At first I thought the rule worked in such a way that if multiple expressions of the same type are specified (for instance saddr), they would all be combined into a single one, and the rule would work just fine. But obviously that's not the case.

Is that intentional, or should there be some check here to validate the correctness of the rules?

[1] https://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables
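As an added illustration (not code from the original post or from the nftables project): a small Python model of the left-to-right evaluation described above, plus the kind of check the post asks about, a lint that flags a rule whose repeated same-field prefix matches are disjoint, alongside the anonymous-set form `ip saddr { a, b }` that expresses an "either network" match. The parser is a deliberate simplification that only understands `ip saddr` / `ip daddr` expressions; the sample rules are constructed from the one in the post.

```python
import ipaddress
import re

# Recognised expressions: `ip saddr <prefix>`, `ip daddr <prefix>` and the
# anonymous-set form `ip saddr { <prefix>, <prefix> }`; everything else in
# the rule (meta iifname, counter, accept) is ignored by this model.
EXPR_RE = re.compile(r"ip (saddr|daddr) (\{[^}]*\}|\S+)")

# Constructed sample rules: the post's original rule and the set-based form.
DEAD_RULE = ('add rule inet filter INPUT meta iifname "br-*" '
             'ip saddr 10.10.0.0/24 ip saddr 10.10.2.0/24 counter accept')
SET_RULE = ('add rule inet filter INPUT meta iifname "br-*" '
            'ip saddr { 10.10.0.0/24, 10.10.2.0/24 } counter accept')


def parse_rule(rule):
    """Return [(field, [networks, ...]), ...] in left-to-right order."""
    exprs = []
    for field, operand in EXPR_RE.findall(rule):
        prefixes = operand.strip("{} ").split(",")
        nets = [ipaddress.ip_network(p.strip(), strict=False) for p in prefixes]
        exprs.append((field, nets))
    return exprs


def rule_matches(rule, saddr, daddr="0.0.0.0"):
    """Evaluate left to right; the first failing expression ends the rule."""
    packet = {"saddr": ipaddress.ip_address(saddr),
              "daddr": ipaddress.ip_address(daddr)}
    for field, nets in parse_rule(rule):
        # A set element list matches when the address is in any element.
        if not any(packet[field] in net for net in nets):
            return False
    return True


def unsatisfiable_fields(rule):
    """Fields whose chained prefix matches no single packet can satisfy."""
    reachable = {}  # field -> networks a packet could still belong to
    dead = []
    for field, nets in parse_rule(rule):
        if field not in reachable:
            reachable[field] = nets
            continue
        # Intersect the running constraint with this expression: overlapping
        # prefixes intersect in the narrower one, disjoint ones in nothing.
        reachable[field] = [a if a.subnet_of(n) else n
                            for a in reachable[field] for n in nets
                            if a.overlaps(n)]
        if not reachable[field] and field not in dead:
            dead.append(field)
    return dead
```

A rule that repeats `ip saddr` with a narrower prefix (for example `/16` followed by `/24`) is still satisfiable and is simply narrowed; only disjoint prefixes make the rule dead.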