<html>

    <head>

      <base href="https://bugzilla.netfilter.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Consider eliding empty variables if expanded within an element list"

   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1456">1456</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Consider eliding empty variables if expanded within an element list

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>nftables

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>unspecified

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>enhancement

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P5

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>nft

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>pablo@netfilter.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>kfm@plushkava.net

          </td>

        </tr></table>

      <p>

        <div>

        <pre>This concerns a minor usability issue that I noticed after evaluting some of

the criticism in the GitHub issue referenced by <a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Usability improvements, enabling creation of complex firewalls"

   href="show_bug.cgi?id=1434">bug 1434</a>. In the GitHub issue,

one critic complains that this sample ruleset does not work as expected:

  define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443}

  define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {}

  table inet filter {

    chain input {

      type filter hook input priority 0; policy drop;

      tcp dport {$BASE_ALLOWED_INCOMING_TCP_PORTS,

$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept

    }

  }

Currently, this is not permitted by nft's parser. My first thought was that the

intended outcome could be achieved by instead declaring:

  define EXTRA_ALLOWED_INCOMING_TCP_PORTS = ""

However, doing so causes the value to be coerced to 0, resulting in:

  tcp dport { 0, 22, 80, 443 } ct state new counter packets 0 bytes 0 accept

Notwithstanding that this isn't a particularly idiomatic way of writing an nft

ruleset, it seems plausible that other new users might try using internal

variables in this way. Perhaps it would be worth supporting.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are watching all bug changes.</li>

      </ul>

    </body>

</html>