On Mon, Jan 17, 2022 at 09:54:52PM +0000, Jeremy Sowden wrote:
> On 2022-01-17, at 11:40:51 +0100, Phil Sutter wrote:
> > On Sun, Jan 16, 2022 at 08:08:15PM +0100, Florian Westphal wrote:
[...]
> > > Pablo, Phil, others -- what is your take?
> >
> > I think the change is OK if existing rulesets will continue to work
> > just as before and remain compatible with legacy. IMHO, new rulesets
> > created using iptables-nft may become incompatible if users explicitly
> > ask for it (e.g. by specifying an exceedingly long log prefix).
> >
> > What about --nflog-range? This series seems to drop support for it, at
> > least in the sense that ruleset dumps won't contain the option. In
> > theory, users could depend on identifying a specific rule via nflog
> > range value.
>
> Fair enough. I'll add a check so that nft is not used for targets that
> specify `--nflog-range`.

--nflog-range does work?

--nflog-size is used and can be mapped to 'snaplen' in nft_log.

Manpage also discourages the usage of --nflog-range for a long time.

Not sure it is worth adding a different path for this case.