On Mon, Nov 21, 2022 at 12:19:28PM +0100, Florian Westphal wrote:
> Intentionally garble iptables-nft output if we cannot dissect
> an expression that we've just encountered, rather than dump an
> error message on stderr.
>
> The idea here is that
> iptables-save | iptables-restore
>
> will fail, rather than restore an incomplete ruleset.

What I don't like about this is that users won't notice the problem until they try to restore the ruleset. For us it is clearly beneficial to see where things break, but I doubt regular users care and we should just tell them to stop mixing iptables and nft calls.

Can we maybe add "--force" to iptables-nft-save to make it print as much as possible despite the table being considered incompatible? Not sure how ugly this is to implement, though.

We still exit(0) in case parsing fails, BTW. Guess this is the most important thing to fix despite all the above.

Thanks, Phil