On Sat, Aug 04, 2018 at 04:31:58PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > Legacy ebtables-restore does not support COMMIT directive, so allow for
> > callers of xtables_restore_parse() to toggle support for it.
> >
> > If it is not supported, allow for next table definition without previous
> > COMMIT and implicitly commit the ruleset after parsing input instead of
> > complaining about missing final COMMIT statement.
>
> Hmm. Omitting COMMIT with iptables classic gives ability to do
> dryrun/syntax checking.

Are you sure about that? Looking at iptables-restore.c, it seems COMMIT
before each next table line is mandatory, otherwise following lines are
attributed to the first table (which might cause unexpected results).

For test runs, legacy iptables-restore has '-t' flag.

> So I think it might be better to have nft-ebt-save always
> print COMMIT too, to not rely on this forever?

Sounds good. The only complaint would be that legacy ebtables/arptables
dumps won't be accepted by nft variants anymore. Not sure if that's a
good thing (prevents users from restoring old crap) or a bad thing
(users may hand-craft dumps and have to adjust their scripts).

Cheers, Phil