Alexander Helmer <a.helmer@xxxxxxxxxxxx> wrote:
> Hi everyone!
>
> I got my first nftables-based firewall in production after many years with iptables. I opted to use a nft-script to manage the ruleset.
> A small bash wrapper does some checks first and then loads the new ruleset.
>
> One of those checks is a syntax-check with:
> "nft -c -f #path-to-ruleset-file#"
>
> For better readability I used newlines in some rules. Unfortunately at two places in the 2k-line script I failed to put a '\' at the end of a line, which caused nftables to create two separate rules instead of one.
> I do not understand how nftables interpreted the rules and why nft -c did not throw an error.
>
> Both rules looked something like this (forward chain, drop policy):
>
> ip saddr { xxxxx } \
> ip daddr { yyyyy } < missing \ here
> ct state new accept;
>
>
> Nftables created the rules like this:
>
> 1. ip saddr { xxxxx } ip daddr { yyyyy }

Implicit continue, just as you guessed already.
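Since `nft -c` accepts a rule that ends right after an inline set (it is a complete rule with an implicit continue), a wrapper script can add its own heuristic check before loading. The following is an added example, not code from the thread or from the nftables project: a hypothetical `check_nft_continuations` helper that flags rule lines ending in `... { ... }` with neither a verdict nor a trailing backslash, run over a constructed ruleset that reproduces the missing-backslash mistake described above.

```shell
#!/bin/sh
# Hypothetical pre-load lint for nft ruleset files (added example, not part
# of nftables). Heuristic: a rule line whose last token closes an inline set
# and that has no trailing '\' is parsed as a finished rule with an implicit
# "continue", which "nft -c" accepts silently. Exits non-zero if any is found.
check_nft_continuations() {
    awk '
        { line = $0; sub(/#.*$/, "", line); sub(/[ \t]+$/, "", line) }
        line == "" { next }
        # declarations legitimately end in "}" on one line; skip them
        line ~ /^[ \t]*(table|chain|set|map|define|elements|flags|type|typeof|include)[ \t]/ { next }
        # ends with "}" and the matching "{" is on the same line: inline set
        line ~ /\{[^{}]*\}$/ {
            printf "%s:%d: rule ends after inline set with no verdict or continuation: %s\n", FILENAME, FNR, line
            bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample ruleset: line 6 is missing the trailing backslash, so
# "ip daddr { 192.0.2.10 }" becomes its own rule and "ct state new accept"
# is no longer restricted to that source/destination pair.
sample_ruleset() {
    cat <<'EOF'
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip saddr { 10.0.0.0/8 } \
        ip daddr { 192.0.2.10 }
        ct state new accept
        ip saddr { 10.0.0.0/8 } \
        ip daddr { 192.0.2.20 } \
        ct state new accept
    }
}
EOF
}

# Stand-alone demo: write the sample to a temp file and lint it.
demo_tmp=$(mktemp)
sample_ruleset > "$demo_tmp"
if ! check_nft_continuations "$demo_tmp"; then
    echo "refusing to load: suspicious line endings found"
fi
rm -f "$demo_tmp"
```

The check is deliberately narrow (it ignores lines ending in a bare match like `counter`), so a clean run is not proof of correctness; `nft -c -f` still has to pass afterwards.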