Re: [iptables-nft RFC 4/5] xlate-test: extra-escape of '"' for replay mode

On Tue, Nov 22, 2022 at 05:01:28PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > On Mon, Nov 21, 2022 at 12:19:31PM +0100, Florian Westphal wrote:
> > > Before, nft fails to restore some rules because it sees:
> > > insert rule ip filter INPUT iifname iifname ip ...
> > > 
> > > Add extra escaping for " so that the shell won't remove it and
> > > nft will see 'iifname "iifname"'.
> > 
> > This is fixing up the wrong side, see:
> 
> Not sure what you mean here.
> 
> The quotes ARE printed, but the shell strips them away.
> 
> > struct xt_xlate_{mt,tg}_params::escape_quotes
> 
> Ick.
> 
> > this is set if iptables-translate was called and unset if
> > iptables-restore-translate was called. I didn't invent this, but the
> > logic seems to be escape quotes when printing a command, don't when
> > printing a dump file content.
> > 
> > I have a patch in my queue which extends the conditional quoting to
> > interface names. Will submit it later today along with other fixes in
> > that corner.
> 
> I would prefer to rip this out, I don't think any of the tools should
> print '\"' instead of '"'.

Either way is fine with me. See how I explicitly call 'echo "<input>" |
nft -f -' in xlate-test.py to force evaluation by the shell - an earlier
version of that code would break since nft saw the escapes. So *we*
don't need them, but one could argue it educates users that they'll have
to escape the quotes if they specify them on command line.

Cheers, Phil
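
The quote removal discussed in this thread, as an added example that is not part of the original messages or of xlate-test.py: Python's shlex.split stands in for POSIX shell word splitting and quote removal, and the rule is modelled both as nft command-line arguments and through the 'echo "<input>" | nft -f -' form. The sample rule and all helper names are constructed for illustration, and the code assumes nft joins its arguments with single spaces.

```python
import shlex

# Constructed sample rule; the interface name "iifname" mirrors the case in the thread.
RULE = 'insert rule ip filter INPUT iifname "iifname" counter'


def shell_words(text):
    """Approximate POSIX shell word splitting and quote removal (no expansions)."""
    return shlex.split(text, posix=True)


def nft_sees_from_argv(typed):
    """Rule text nft gets when `typed` follows 'nft' on a shell command line.

    Assumption: nft joins its remaining arguments with single spaces.
    """
    return " ".join(shell_words(typed))


def nft_sees_from_echo_pipe(text):
    """Rule text on nft's stdin for: echo "<text>" | nft -f -"""
    words = shell_words('echo "' + text + '"')
    return " ".join(words[1:])  # drop the 'echo' word itself


def escape_quotes(rule):
    """Backslash-escape double quotes (the command-line form the thread discusses)."""
    return rule.replace('"', '\\"')


def lost_quotes(before, after):
    """True when the shell removed double quotes the rule carried."""
    return before.count('"') != after.count('"')


if __name__ == "__main__":
    paths = (("argv", nft_sees_from_argv), ("echo | nft -f -", nft_sees_from_echo_pipe))
    for label, text in (("plain", RULE), ("escaped", escape_quotes(RULE))):
        for how, fn in paths:
            seen = fn(text)
            print(f"{label:8} {how:16} -> {seen}  lost={lost_quotes(RULE, seen)}")
```

A dump file read with nft -f never passes through the shell, so escaped quotes in it would reach nft as literal backslashes.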


