On Fri, Aug 07, 2015 at 01:38:01PM +0200, Jan Engelhardt wrote:
[...]
> When specifying e.g. "-m policy --dir in", the xt_policy kernel
> module will indeed test for much more than just the direction, but
> the additional tests it does on other fields are idempotent after
> all.
>
> I oppose that idempotent expressions in rules, implicit or explicit,
> shall lead to output when the ruleset is read back. A rule like
>
> -A INPUT -m policy --dir in
>
> should not, by default, cause `iptables -S` to output a
> rule with terms essentially irrelevant to the human reader.
>
> -A INPUT -m policy --dir in --reqid 0:4294967295 --spi
> 0:4294967295 proto 0 --mode 0 --tunnel-src 0.0.0.0/0
> --tunnel-dst 0.0.0.0/0

We're not discussing a policy. The point is that this has been broken for
two years; chances that users have fixed this in the ruleset without
reporting it are high, so restoring the old behaviour may break things
again for them.

That's why I'm insisting on the fact that switching to a less obscure
behaviour is a good idea in the very specific case of 'ah', since they can
easily detect that things have changed by diffing the new and old
iptables-save output.

If you don't want to send me that follow-up patch, that's very bad, but
if I have no other chance I'll make it myself.
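The reply relies on users diffing old and new iptables-save output to spot the behaviour change. A plain diff is noisy when one version prints xt_policy's implicit match-all terms and the other does not, so here is a small normaliser that strips those terms before comparing. This is an added example, not code from iptables or from this thread; the option names and default values come from the `iptables -S` output quoted above, and it assumes the protocol term is printed as `--proto`.

```python
# Values xt_policy prints for terms the user never set (match-everything).
# Taken from the `iptables -S` output quoted in the mail; `--proto` is assumed.
POLICY_DEFAULTS = {
    "--reqid": "0:4294967295",
    "--spi": "0:4294967295",
    "--proto": "0",
    "--mode": "0",
    "--tunnel-src": "0.0.0.0/0",
    "--tunnel-dst": "0.0.0.0/0",
}


def normalize_rule(rule: str) -> str:
    """Drop `-m policy` terms whose value equals the match-all default."""
    tokens = rule.split()
    out, i, in_policy = [], 0, False
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-m", "--match"):
            # Entering another match module ends the policy option scope.
            in_policy = i + 1 < len(tokens) and tokens[i + 1] == "policy"
            out.extend(tokens[i:i + 2])
            i += 2
            continue
        if tok in ("-j", "-g"):
            in_policy = False
        if (in_policy and tok in POLICY_DEFAULTS
                and i + 1 < len(tokens) and tokens[i + 1] == POLICY_DEFAULTS[tok]):
            i += 2  # idempotent term: skip the option and its value
            continue
        out.append(tok)
        i += 1
    return " ".join(out)


def diff_rulesets(old: str, new: str):
    """Return (removed, added) rules after normalisation; only -A lines compared."""
    def rules(text):
        return {normalize_rule(l) for l in text.splitlines() if l.startswith("-A ")}
    old_rules, new_rules = rules(old), rules(new)
    return sorted(old_rules - new_rules), sorted(new_rules - old_rules)


# Constructed sample: the same ruleset saved by two iptables versions, one of
# which prints the implicit policy terms; one rule really changed (22 -> 2222).
OLD_SAVE = """*filter
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT"""
NEW_SAVE = """*filter
-A INPUT -m policy --dir in --pol ipsec --reqid 0:4294967295 --spi 0:4294967295 --proto 0 --mode 0 --tunnel-src 0.0.0.0/0 --tunnel-dst 0.0.0.0/0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT"""

if __name__ == "__main__":
    print(diff_rulesets(OLD_SAVE, NEW_SAVE))
```

Only the port change survives the diff; the verbose policy terms are recognised as idempotent and ignored, while a policy term set to a non-default value (for example `--proto esp`) is kept.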