On Wed, Jun 29, 2022 at 07:20:20PM +0200, Pablo Neira Ayuso wrote:
> You also consider that using absolute path in includes is suboptimal?

Yeah sorry forgot to mention, using absolute paths defeats the use-case entirely.

> > I think my patch is a much cleaner and general solution.
>
> I might be missing anything, could you describe your use-case?

Ok so what I want to do is load an about to be deployed nftables config without making it permanent yet as it might be buggy and cause an ssh lockout. To prevent this I first load the temporary config with `nft -f`, check ssh still works and only then commit the config to the final location in /etc.

This works all fine and dandy when only one nftables.conf file is involved, but as soon as I have includes I need to deploy the entire config directory tree somewhere out-of-the-way.

If I use absolute paths then I'd have to put the new config in its permanent location immediately, which defeats the purpose of this :)

If I use relative paths the success of the `nft -f` call depends on its $PWD which as we've established would work but sucks for usability.

We have this nice search path mechanism already though, but if I just use the existing -I option, which appends to the search path, the existing stuff in /etc takes precedence.

Hence this patch, with it I can deploy to say /tmp/nft.tmp/, load the config with `nft -I "" -I /tmp/nft.tmp -f ...` and then commit if connectivity checks are successful.

--Daniel
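
The load, check, commit sequence described in the mail above, as an added shell example that is not part of the original message or of nftables. The function name, the `nftables.conf` entry file and the check command are assumptions, `-I ""` only clears the default include path with the proposed patch applied, and the snapshot-based restore on a failed check goes beyond what the mail describes.

```shell
#!/bin/sh
# Added example: staged nftables deploy with restore on a failed check.
# NFT can be overridden (hypothetical knob, useful for testing with a stub).
NFT=${NFT:-nft}

# stage_and_commit STAGE_DIR FINAL_DIR CHECK_CMD [ARGS...]
#   returns 0 = loaded, checked and committed
#           1 = snapshot or load failed, nothing committed
#           2 = connectivity check failed, old ruleset restored
stage_and_commit() {
    sc_stage=$1; sc_final=$2; shift 2

    # Snapshot the running ruleset as one reloadable transaction.
    sc_snap=$(mktemp) || return 1
    { echo "flush ruleset"; "$NFT" list ruleset; } > "$sc_snap" ||
        { rm -f "$sc_snap"; return 1; }

    # Load from the staging tree. With the proposed patch, -I "" drops the
    # default search path so includes resolve under STAGE_DIR, not /etc.
    # nft applies a file atomically, so a failed load changes nothing.
    if ! "$NFT" -I "" -I "$sc_stage" -f "$sc_stage/nftables.conf"; then
        rm -f "$sc_snap"
        return 1
    fi

    # Connectivity check supplied by the caller (e.g. an ssh probe).
    if ! "$@"; then
        "$NFT" -f "$sc_snap"      # put the previous ruleset back
        rm -f "$sc_snap"
        return 2
    fi
    rm -f "$sc_snap"

    # Only now make the new tree permanent.
    mkdir -p "$sc_final" && cp -R "$sc_stage/." "$sc_final/"
}

# Usage (paths from the mail; the probe command is an assumption):
#   stage_and_commit /tmp/nft.tmp /etc/nftables ssh -o BatchMode=yes host true
```
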