On Wed, Jun 26, 2019 at 12:58:12PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> > > delete jump from output           # disallow?
> > > 
> > > This seems rather suicidal to me.
> > 
> > OK, you think there may be people using oifname from the C chain, but
> > how so? To skip rules that are specific to the output path?
> 
> Maybe, or just to consolidate rules, e.g.
> 
> chain C {
>       [ some common rules ]
>       meta oifname bla ...
>       [ other common rules ]
> }
> 
> After the proposed change, kernel refuses ruleset as soon as C is
> or becomes reachable from a prerouting/input basechain.

I think it's more likely to misuse oifname from input path (e.g. typo)
than finding someone with such use case you describe above but...

> (Alternatively, we could reject if not reachable from output/forward,
>  but that seems even more crazy because we'd have to refuse ruleset
>  that has unreachable chain with 'oifname' in it ...).

... I have no problem whatsoever to leave the existing behaviour in place.

No need to keep spinning on this :-)
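The layout the thread is arguing about, written out as a complete nftables ruleset. This is an added example, not code from the thread or from the netfilter project; the table name, the interface name "bla" (taken from Florian's sketch) and the concrete rules inside C are assumptions chosen for illustration. The first table reproduces the shared-chain pattern (one chain C with a `meta oifname` rule, jumped to from both an input and an output basechain); the second shows the split that avoids the ambiguity entirely, which is my suggestion and not something the thread settled on.

```nft
# Added example, not from the original thread.
# Layout discussed above: chain C mixes common rules with an oifname
# match and is reachable from both the input and the output hook.
table inet shared_chain_example {
    chain C {
        # [ some common rules ]
        ct state established,related accept

        # Meaningful only when entered from output/forward/postrouting.
        # Entered from the input hook, oif is unset and the rule simply
        # never matches; under the proposed (and dropped) change the
        # kernel would instead refuse to load the whole ruleset.
        meta oifname "bla" counter accept

        # [ other common rules ]
        ct state invalid drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        jump C
    }

    chain output {
        type filter hook output priority 0; policy accept;
        jump C
    }
}

# Alternative layout (assumption, not from the thread): keep only
# direction-neutral rules in the shared chain and put the oifname
# match in the basechain where an output interface actually exists.
table inet split_example {
    chain common {
        ct state established,related accept
        ct state invalid drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        jump common
    }

    chain output {
        type filter hook output priority 0; policy accept;
        jump common
        meta oifname "bla" counter accept
    }
}
```

Both tables load with the existing kernel behaviour, which is what the thread ends up keeping; `nft -c -f <file>` checks the syntax without installing anything. In the first table, a rule counter on the oifname line that stays at zero for traffic entering via the input hook is the practical sign that an oifname match has ended up on a path where it cannot apply.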
