Mikhail Morfikov <mmorfikov@xxxxxxxxx> wrote:
> In nftables, the expressions are the basic building block of a rule, thus, a rule is basically a composite of expressions that is linearly evaluated from left to right: if the first expression matches, then the next expression is evaluated and so on until we reach the last expression that is part of the rule. An expression can match some specific payload field, packet/flow metadata and any action.
>
> According to the info, if the previous expression doesn't match, the rest of the rule isn't processed. But still I can make a rule similar to the following:
>
> add rule inet filter INPUT meta iifname "br-*" ip saddr 10.10.0.0/24 ip saddr 10.10.2.0/24 counter accept
>
> So I'm able to specify multiple saddr/daddr/sport/dport even when such rules don't make any sense, since if the first saddr fails to match, the second one will never be processed and hence the rule won't get any matches.

Yes, would make a nice project to allow nft to detect this.
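An added example of the kind of check the reply calls for (this is not code from the thread or from the nftables project): a small Python lint over `nft list ruleset` text that flags a rule whose positive matches on the same header field can never all hold for one packet. It assumes rules are given as plain text, handles only address prefixes and single port numbers, and the sample rules are constructed, the first mirroring the rule quoted above.

```python
"""Lint nft rule text for match expressions that can never all be true."""
import ipaddress
import re
from typing import Dict, List

# A packet has one source/destination address and one port, so two positive
# matches on the same field can only both hold if their values intersect.
_ADDR_RE = re.compile(r"\b(ip6? [sd]addr) (!= )?(\S+)")
_PORT_RE = re.compile(r"\b((?:tcp|udp) [sd]port) (!= )?(\d+)\b")

# Constructed sample rules; the first mirrors the rule quoted in the thread.
SAMPLE_RULES = [
    'add rule inet filter INPUT meta iifname "br-*" ip saddr 10.10.0.0/24 '
    'ip saddr 10.10.2.0/24 counter accept',
    'add rule inet filter INPUT ip saddr 10.10.0.0/16 ip saddr 10.10.2.0/24 '
    'tcp dport 22 accept',  # nested prefixes: redundant but reachable
    'add rule inet filter INPUT tcp dport 22 tcp dport 443 accept',
]


def find_contradictions(rule: str) -> List[str]:
    """Return one message per pair of matches that makes `rule` unreachable."""
    problems: List[str] = []
    nets: Dict[str, list] = {}
    for field, negated, value in _ADDR_RE.findall(rule):
        if negated:
            continue  # `!=` matches are out of scope for this example
        try:
            nets.setdefault(field, []).append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            continue  # sets (@name, { ... }) and ranges are not parsed here
    for field, lst in nets.items():
        for i, a in enumerate(lst):
            for b in lst[i + 1:]:
                if not a.overlaps(b):
                    problems.append(f"{field}: {a} and {b} are disjoint")
    ports: Dict[str, set] = {}
    for field, negated, value in _PORT_RE.findall(rule):
        if not negated:
            ports.setdefault(field, set()).add(int(value))
    for field, vals in ports.items():
        if len(vals) > 1:
            problems.append(f"{field}: {sorted(vals)} cannot all match one packet")
    return problems

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        for msg in find_contradictions(rule) or ["ok"]:
            print(f"{msg:<55} <- {rule}")
```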