Re: [iptables PATCH 2/2] ebtables-nft: Support user-defined chain policies

On Thu, Feb 07, 2019 at 05:48:53PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > > What it should show instead:
> > > Bridge chain: FOOBAR, entries: 1, policy: RETURN
> > > -j DROP
> > > -d 01:02:03:04:05:06 -j CONTINUE
> > > 
> > > (because that's what the actual state is -- the last rule is unreachable).
> > 
> > Hmm. Yes, that's ugly. Also, if you perform a change to the ruleset in
> > that state (no matter what, e.g. just create another chain or add a rule
> > somewhere else), the policy rule will be moved to the end. Not sure how
> > we could handle this.
> 
> I think in that case ebtables-nft should make policy be 'RETURN', i.e.,
> not re-add a new policy chain.
> 
> I think we could even avoid the 'user comment' and just examine the last
> rule in the chain -- check if it's an unconditional DROP/ACCEPT and then
> handle that as the 'policy'.

We can probably add UDATA_TYPE_EBTABLES_POLICY, so we don't need to
guess whether this is an autogenerated policy rule at the end of a non-base
chain. Just search for the rule with this flag. For nft this
autogenerated rule will be transparent.
