Hi Pablo, On Thu, Oct 08, 2020 at 07:31:56PM +0200, Pablo Neira Ayuso wrote: > On Fri, Oct 02, 2020 at 01:44:36PM +0200, Arturo Borrero Gonzalez wrote: > > From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> > > > > Previous to this patch, the basechain policy could not be properly configured if it wasn't > > explictly set when loading the ruleset, leading to iptables-nft-restore (and ip6tables-nft-restore) > > trying to send an invalid ruleset to the kernel. > > I have applied this with some amendments to the test file to cover > the --noflush case. I think this is a real problem there, where you > can combine to apply incremental updates to the ruleset. Yes, at least I can imagine people relying upon this behaviour. > For the --flush case, I still have doubts how to use this feature, not > sure it is worth the effort to actually fix it. I even find it unintuitive as it retains state despite flushing. But that is a significant divergence between legacy and nft: | # iptables -P FORWARD DROP | # iptables-restore <<EOF | *filter | COMMIT | EOF | # iptables-save With legacy, the output is: | *filter | :INPUT ACCEPT [0:0] | :FORWARD DROP [0:0] | :OUTPUT ACCEPT [0:0] | COMMIT With nft, there's no output at all. What do you think, should we fix that? If so, which side? > We can revisit later, you can rewrite this later Phil. Sure, no problem. Thanks, Phil
