On Mon, Jan 21, 2019 at 06:23:42PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > This reverts commit 5f508b76a0cebaf91965ffa678089222e2d47964.
> >
> > While attempts at unifying syntax between arp-, eb- and iptables-nft
> > increase the opportunity for more code-sharing, they are problematic
> > when it comes to compatibility. Accepting the old syntax on input helps,
> > but due to the fact that neither arptables nor ebtables support the
> > --check command, we must expect users to test the existence of a rule by
> > comparing input with output. If that happens in a script, deviating from
> > the old syntax in output has a high chance of breaking it.
>
> Is there a known script that is affected?

I guess some CI test script is, since that's where the ticket came from. ;)

> We broke this in iptables in an even worse way, as we even do not support
> -i ! "foo" anymore (you get a syntax error).

Well, the relevant difference here is that with iptables, you may use
'-C' to check for your rule, but have to parse regular list output with
arptables/ebtables instead. So output format is a tad more important
with those tools.

> Do you think adding a warning on -i ! "foo" would help?

Well, downstream we would rather make use of release notes to inform
users, I guess.

> The many syntax deviations between the flavours are not nice at all;
> making this more consistent would be a nice thing imo.

The bright side here is that at least for now no shared code is
affected. So we may stick with the quirky ebtables syntax without cost
at this point.

BTW: What about changing the legacy ebtables code to align its syntax more
with the iptables one? I know that "thou shalt not touch the legacy". Though
deviating ebtables-nft from ebtables-legacy means users would have to
adapt - although we seem to pretend they can't when it comes to changing
legacy code. Don't get me wrong, I'm open for anything, but I appreciate it
if things are done consistently.

Cheers, Phil
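The failure mode Phil describes, a script that has no --check available and so tests for a rule by matching its own input against list output, as an added shell example that is not part of the thread and not code from the iptables project. The two listings below are constructed to resemble an ebtables dump with the rule printed once in the legacy "-i ! foo" spelling and once in iptables-style "! -i foo"; they are not real tool output, and the normalisation assumes that the only deviation between the two printers is where the "!" sits relative to its option.

```shell
#!/bin/sh
# Added example: checking for an ebtables/arptables rule without --check.
# Both listings are CONSTRUCTED for illustration, not captured tool output.

# Listing in the legacy spelling, negation after the option.
LEGACY_LISTING='Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
-i ! eth0 -j DROP'

# Same rule as a unified, iptables-style printer would emit it.
UNIFIED_LISTING='Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
! -i eth0 -j DROP'

# Naive check, as such scripts usually do it: the rule is "present" only if
# the listing contains a line identical to what the script passed on the
# command line. A change in output syntax silently turns this into "absent".
rule_present_exact() {
    listing=$1
    rule=$2
    printf '%s\n' "$listing" | grep -Fxq -- "$rule"
}

# Rewrite "OPT ! VALUE" into "! OPT VALUE" so either spelling compares equal.
# Assumption: negation placement is the only difference between the printers.
normalize_negation() {
    sed -E 's/(-[-[:alnum:]]+) ! /! \1 /g'
}

# Tolerant check: normalise both sides before the exact line match.
rule_present_tolerant() {
    listing=$1
    rule=$2
    want=$(printf '%s\n' "$rule" | normalize_negation)
    printf '%s\n' "$listing" | normalize_negation | grep -Fxq -- "$want"
}
```

With a real tool the listing would come from `ebtables -L` (or `arptables -L`) instead of a variable; the point of the tolerant variant is that the script, not the tool, absorbs the syntax difference, which is exactly what existing scripts written against the legacy output do not do.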