From: Florian Westphal <fw@strlen.de>
To: Alexander Helmer <a.helmer@internett.de>
Cc: "'netfilter@vger.kernel.org'" <netfilter@vger.kernel.org>
Subject: Re: "nft --check" not warning about missing statement in rule
Date: Mon, 16 May 2022 15:31:04 +0200
Message-ID: <20220516133104.GA5118@breakpoint.cc>
In-Reply-To: <C928E2C92BFA9E4DA6068EBF01B2EC27A6DE31E9@tt-05.im.internett.de>
Alexander Helmer <a.helmer@internett.de> wrote:
> Hi everyone!
>
> I got my first nftables-based firewall in production after many years with iptables. I opted to use a nft-script to manage the ruleset.
> A small bash wrapper does some checks first and then loads the new ruleset.
>
> One of those checks is a syntax-check with:
> "nft -c -f #path-to-ruleset-file#"
>
> For better readability I used newlines in some rules. Unfortunately at two places in the 2k lines script I failed to put a '\' at the end of a line which caused nftables to create two separate rules instead of one.
> I do not understand how nftables interpreted the rules and why nft -c did not throw an error.
>
> Both rules looked something like this (forward chain, drop policy):
>
> ip saddr { xxxxx } \
> ip daddr { yyyyy } < missing \ here
> ct state new accept;
>
>
> Nftables created the rules like this:
>
> 1. ip saddr { xxxxx } ip daddr { yyyyy }
Implicit continue, just as you guessed already.
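The failure mode in this thread is that a rule consisting only of match expressions (here `ip saddr { ... } ip daddr { ... }` with the trailing backslash lost) is perfectly valid nftables syntax, so `nft -c` accepts it and the rule silently becomes an implicit continue. The following lint is an added example, written for this reply and not part of nft or of the poster's wrapper script. It joins backslash-continued lines the way the poster's ruleset is written, walks each `chain name {` block, and flags any rule that carries neither a verdict nor an action statement. The keyword sets are an approximation of nft's grammar and the parsing assumes one rule per logical line with sets written inline; the ruleset text at the bottom is constructed to reproduce the thread's scenario.

```python
"""Heuristic lint for nft ruleset files: flag rules that consist only of
match expressions and therefore have no effect (implicit continue).
Added example; not part of nft. Keyword lists approximate nft's grammar."""
import re
import sys

# Rule terminates with a verdict ...
VERDICTS = {"accept", "drop", "reject", "return", "jump", "goto",
            "continue", "queue"}
# ... or at least does something on match (assumed keyword list, not exhaustive)
ACTIONS = {"counter", "log", "limit", "set", "add", "update", "notrack", "dnat",
           "snat", "masquerade", "redirect", "flow", "synproxy", "tproxy",
           "dup", "fwd", "quota", "meter"}
STATEMENT_KEYWORDS = VERDICTS | ACTIONS
# Lines inside a chain block that are chain properties, not rules
CHAIN_PROPS = ("type ", "policy ", "comment ", "flags ", "devices ", "device ")


def logical_lines(text):
    """Join backslash-continued lines; yield (first_lineno, joined_text).
    Comments ('#' to end of line) are dropped; blank results are skipped."""
    out, buf, start = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if start is None:
            start = lineno
        if line.endswith("\\"):          # continuation: keep accumulating
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(" ".join(buf).split())
        if joined:
            out.append((start, joined))
        buf, start = [], None
    if buf:                               # dangling continuation at EOF
        joined = " ".join(" ".join(buf).split())
        if joined:
            out.append((start, joined))
    return out


def split_rules(logical):
    """Split a logical line on ';' that sits outside { } (set literals)."""
    rules, cur, depth = [], [], 0
    for ch in logical:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            rules.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rules.append("".join(cur).strip())
    return [r for r in rules if r]


def rule_is_noop(rule):
    """True if the rule has no verdict and no action statement."""
    text = rule
    while True:                           # peel set/map literals, innermost first
        peeled = re.sub(r"\{[^{}]*\}", " ", text)
        if peeled == text:
            break
        text = peeled
    text = re.sub(r'"[^"]*"', " ", text)  # ignore words inside quoted strings
    return not (set(text.split()) & STATEMENT_KEYWORDS)


def find_noop_rules(text):
    """Return [(lineno, rule), ...] for match-only rules inside chain blocks."""
    findings, in_chain = [], False
    for lineno, logical in logical_lines(text):
        if re.match(r"chain\s+\S+\s*\{$", logical):
            in_chain = True
            continue
        if logical == "}":
            in_chain = False
            continue
        if not in_chain:
            continue
        for rule in split_rules(logical):
            if rule.startswith(CHAIN_PROPS):
                continue
            if rule_is_noop(rule):
                findings.append((lineno, rule))
    return findings


# Constructed sample reproducing the thread: second rule lost its backslash.
RULESET = """\
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # correct rule: every line but the last ends with a backslash
        ip saddr { 10.0.0.0/8 } \\
        ip daddr { 192.168.1.0/24 } \\
        ct state new accept;
        # the mistake from the thread: no backslash after the next line
        ip saddr { 10.0.0.0/8 } \\
        ip daddr { 192.168.2.0/24 }
        ct state new accept;
        counter log prefix "forward-drop " drop
    }
}
"""

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else RULESET
    for lineno, rule in find_noop_rules(src):
        print(f"line {lineno}: rule has no verdict or action: {rule}")
```

Run it after `nft -c -f` in the wrapper (e.g. `python3 nft_noop_lint.py /path/to/ruleset.nft`, a hypothetical file name) and abort the load when it reports anything; on the sample it reports line 9, the match-only rule that `nft -c` accepts.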
Thread overview: 2+ messages
2022-05-16 7:50 "nft --check" not warning about missing statement in rule Alexander Helmer
2022-05-16 13:31 Florian Westphal [this message]