Hi,

On Fri, Jan 11, 2019 at 12:33:10AM +0100, Pablo Neira Ayuso wrote:
> On Fri, Jan 11, 2019 at 12:16:33AM +0100, Florian Westphal wrote:
> > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > I think we need to add the built-in chains when listing if we want to
> > > emulate the iptables-legacy behaviour. Listing via -L implies table
> > > autoload, i.e.
> > >
> > > # iptables-legacy -L -t raw
> > >
> > > pulls in the raw table and its chains.
> >
> > Yes, but I think that's a bug :-)
>
> OK, but that buggy behaviour has been there since the beginning IIRC :-)

Hmm. Can you imagine a use-case where this would matter? I mean,
behaviour would only divert as long as the user didn't add a rule yet.
Is there a (user-relevant) functional difference between no table/chains
and table with empty chains? The only use-case I could imagine is to
check for given table type support by checking the list command's return
code.

> > I would prefer if iptables-nft would NOT do that, and instead
> > list nothing, with exit value of 0.
>
> People should be using iptables-save instead for listing anyway, so I
> don't mind if this is changed.

We explicitly fixed for no output in list command on empty ruleset, so
that is worth keeping IMO.

Regarding the abort or avoid commit change, I don't have any good
reasons for pushing it other than that it's not needed. So if you don't
think it's a good idea or not worth the risk, no big deal for me.

Cheers, Phil