On Wed, Aug 15, 2018 at 12:37:29PM +0200, Phil Sutter wrote:
> Hi Pablo,
>
> On Wed, Aug 15, 2018 at 12:17:28PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Aug 14, 2018 at 08:16:11PM +0200, Phil Sutter wrote:
> > > Hi Arturo,
> > >
> > > I see that in your commit[1] you explicitly disable policy setting for
> > > user-defined ebtables chains. Is this because ebtables-nft can't support
> > > them or was it a design decision? I'm asking because it leads to
> > > unexpected results for people using ebtables-nft as a drop-in
> > > replacement of the legacy ebtables tool.
> >
> > Kernel side currently doesn't support default policy for non-base
> > chains, we would need a patch to support this.
>
> I see. Thanks for the clarification!
>
> Eric, can we get by without this (yet another) ebtables quirk or is it
> mandatory for firewalld functionality?

It would be nice to see it implemented for parity with ebtables-legacy -
I'm sure some ebtables user will expect it to work.

firewalld could work around its absence by always adding a "-j RETURN"
to the end of every user defined chain in ebtables.

Thanks.
Eric.