[Bug 1456] New: Consider eliding empty variables if expanded within an element list

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Fri Aug 28 09:03:26 CEST 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1456

            Bug ID: 1456
           Summary: Consider eliding empty variables if expanded within an
                    element list
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: kfm at plushkava.net

This concerns a minor usability issue that I noticed after evaluating some of
the criticism in the GitHub issue referenced by bug 1434. In the GitHub issue,
one critic complains that this sample ruleset does not work as expected:

  define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443}
  define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {}
  table inet filter {
    chain input {
      type filter hook input priority 0; policy drop;
      tcp dport {$BASE_ALLOWED_INCOMING_TCP_PORTS, $EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
    }
  }

Currently, this is not permitted by nft's parser. My first thought was that the
intended outcome could be achieved by instead declaring:

  define EXTRA_ALLOWED_INCOMING_TCP_PORTS = ""

However, doing so causes the value to be coerced to 0, resulting in:

  tcp dport { 0, 22, 80, 443 } ct state new counter packets 0 bytes 0 accept

Notwithstanding that this isn't a particularly idiomatic way of writing an nft
ruleset, it seems plausible that other new users might try using internal
variables in this way. Perhaps it would be worth supporting.
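The coercion described above is easy to miss in a large ruleset, because the resulting `tcp dport 0` match is accepted silently. The following added example (not part of the bug report or of nft) is a small pre-load lint: it expands `$VAR` references inside anonymous set literals the way the report describes nft behaving, flags a variable that expands to `""` (which would become element 0) or to `{}` (which the parser rejects), and returns the expanded member list so the effect can be inspected. The ruleset text, the regexes and the function names are constructed for this example.

```python
import re

# Constructed sample: the report's ruleset, with the EXTRA variable given the
# empty-string value that the report says nft coerces to element 0.
SAMPLE_RULESET = """\
define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443}
define EXTRA_ALLOWED_INCOMING_TCP_PORTS = ""
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    tcp dport {$BASE_ALLOWED_INCOMING_TCP_PORTS, $EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
  }
}
"""

DEFINE_RE = re.compile(r"^\s*define\s+(\w+)\s*=\s*(.*?)\s*$")
VAR_RE = re.compile(r"\$(\w+)")
SET_RE = re.compile(r"\{([^{}]*)\}")  # an anonymous set literal on one line


def parse_defines(text):
    """Collect `define NAME = VALUE` lines; values are kept verbatim."""
    return {m.group(1): m.group(2)
            for m in map(DEFINE_RE.match, text.splitlines()) if m}


def check_ruleset(text):
    """Simulate variable expansion inside anonymous set literals and report
    variables that expand to nothing. Returns (findings, expanded_sets)."""
    defines = parse_defines(text)
    findings, expanded = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if DEFINE_RE.match(line):
            continue  # definitions themselves are not rules
        for sm in SET_RE.finditer(line):
            members = []
            for raw in (r.strip() for r in sm.group(1).split(",")):
                vm = VAR_RE.fullmatch(raw)
                if not vm:
                    if raw:
                        members.append(raw)  # a literal element
                    continue
                name = vm.group(1)
                val = defines.get(name, "").strip()
                if val == "{}":
                    findings.append(f"line {lineno}: ${name} = {{}} is rejected by the nft parser")
                elif val.strip('"') == "":
                    # Behaviour described in the report: "" becomes element 0,
                    # so a match such as `tcp dport 0` is silently introduced.
                    findings.append(f"line {lineno}: ${name} is empty or undefined and expands to element 0")
                    members.append("0")
                else:
                    members += [v.strip() for v in val.strip("{}").split(",") if v.strip()]
            expanded.append(members)
    return findings, expanded
```

Running `check_ruleset(SAMPLE_RULESET)` on the constructed sample yields one finding for the EXTRA variable and the member list `['22', '80', '443', '0']`, matching the `{ 0, 22, 80, 443 }` the report shows.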
