On Thu, Jun 08, 2017 at 06:37:57PM +0200, Arturo Borrero Gonzalez wrote: > On 8 June 2017 at 12:17, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: [...] > > Then, to keep it consistent, we should also display a warning in > > include file with no .nft postfix. At deprecate the existing behaviour > > at some point, ie. bail out if you include a file that has no trailing > > .nft in its name. > > > > If we follow this path, all ruleset file will end up using .nft as > > a trailer in the name. > > > > but perhaps it makes sense to differentiate two cases: > * include a single file: accept arbitrary names > * include a whole dir: accept only files ending in .nft > > This seems to be what sysctl(8) does when loading a single file vs a directory. > I'm thinking in a case where you have a README in the directory or > other unrelated file. I see, it makes sense indeed to have a way to skip files you don't want. But I still would like this behaviour is consistent. > If the idea is to allow drop files (a good idea indeed), then being > explicit is a good approach. > > > Is there any other similar software following this approach? How is > > 'ferm' doing this? > > ferm seems to load arbitrary files. In the docs they suggest using > .ferm files but the code > seems to allow whatever. > However, they have a set of regexp hardcoded to avoid loading things > like backups file an the like. > So, yes, probably forcing to .nft is sensible. I would go for glob support, ie. include ./nft-ruleset-files/*.nft so you can explicit indicate what file pattern you want to load. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
