[Bug 835] protocol without option is failing

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Aug 15 00:09:03 CEST 2013


https://bugzilla.netfilter.org/show_bug.cgi?id=835

--- Comment #5 from Phil Oester <netfilter at linuxace.com> 2013-08-15 00:09:02 CEST ---
(In reply to comment #4)
> I don't agree on this point. In iptables "-p" was just needed to imply the
> context (and load the corresponding module). 

OK, so that bit was a bad example.  

> In nftables, we can use "tcp dport
> 80" without specifying "ip protocol". So this is really tempting for the user
> to use only "tcp". So, not a bug but an enahncement in P5 seems ok ;)

I still believe it is best not to add special cases like this.  Iptables is
full of (ugly) special case hacks.  Ideally, nft grammar should strive to
avoid this cruft.  If you want to analyze some aspect of the ip header (such as
protocol), you should have to specify "ip ...".  If you want to analyze some
aspect of the tcp header (such as dport), then you should use "tcp ...".  Seems
consistent to me, based upon the header you wish to inspect.


More information about the netfilter-buglog mailing list
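As an added illustration of the grammar distinction argued above (this is an example written for this page, not a ruleset from the bug report or from the nftables project, and it uses current nft syntax rather than the 2013 grammar under discussion): matching on the IP header's protocol field is spelled "ip protocol ...", matching on a TCP header field is spelled "tcp ...", and the second form does not require the first. The "inet" table, the "ip6 nexthdr" and "meta l4proto" lines are my additions to show the caveat a practitioner would want. The bare "tcp" expression that the bug is about is deliberately left out, since its behaviour is the subject of the report.

```nft
# Added example ruleset (not from the bug report). Load with:
#   nft -f this-file.nft
# "inet" tables see both IPv4 and IPv6 packets, which is what makes
# the difference between the expressions below visible.
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # Inspects the IPv4 header's protocol field. Only IPv4 packets
        # have that header, so IPv6 TCP traffic never matches here.
        ip protocol tcp counter comment "IPv4 header, protocol == tcp"

        # The IPv6 equivalent: the next-header field of the IPv6 header.
        ip6 nexthdr tcp counter comment "IPv6 header, nexthdr == tcp"

        # Family-independent: the transport protocol as seen by the
        # packet parser, matching TCP over either IPv4 or IPv6.
        meta l4proto tcp counter comment "transport protocol == tcp"

        # Inspects the TCP header. No "ip protocol" prefix is needed;
        # the "tcp" context already implies a TCP header must be present.
        tcp dport 80 counter accept comment "TCP header, dport == 80"
    }
}
```

The counters make the difference observable: generate IPv6 TCP traffic to the host and "nft list ruleset" shows the "ip protocol tcp" counter unchanged while "meta l4proto tcp" and "tcp dport 80" advance. In a plain "table ip" (IPv4-only) the first and third rules behave the same.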