Re: [iptables-nft RFC 1/5] nft-shared: dump errors on stdout to garble output

On Wed, Nov 23, 2022 at 02:27:49PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > > Huh?
> > > iptables-restore < bla
> > > iptables-restore v1.8.8 (nf_tables): unknown option "--bla"
> > > Error occurred at line: 7 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> > > 
> > > ... exits with 2.
> > > 
> > > Can you give an example?
> > 
> > # nft add table ip filter '{ chain FORWARD { \
> > 	type filter hook forward priority filter; \
> > 	ip saddr 10.1.2.3 meta cpu 3 counter accept; }; }'
> > 
> > # nft list ruleset 
> > table ip filter {
> > 	chain FORWARD {
> > 		type filter hook forward priority filter; policy accept;
> > 		ip saddr 10.1.2.3 meta cpu 3 counter packets 0 bytes 0 accept
> > 	}
> > }
> > 
> > # iptables-nft -S FORWARD
> > -P FORWARD ACCEPT
> > -A FORWARD -s 10.1.2.3/32 -j ACCEPT
> > # echo $?
> > 0
> 
> Ah.  I thought you were talking about iptables-restore/rule parsing.

No, my point is that in 'iptables-save | iptables-restore' the first
command should fail already if kernel ruleset is unparseable. :)

Cheers, Phil
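As an added example (not from this thread or from the iptables project), here is a POSIX shell check for the silent loss Phil describes. Because iptables-nft -S exits 0 even when it drops a match it cannot express (the `meta cpu 3` above), the exit status of `iptables-save` tells you nothing; the only way to notice is to compare `nft list ruleset` before and after an `iptables-save | iptables-restore` round trip. Both listings below are constructed inline from the thread's FORWARD chain so the check runs without root or nftables; the "after" listing assumes that restoring `-A FORWARD -s 10.1.2.3/32 -j ACCEPT` yields the rule without `meta cpu 3`, which is an assumption of this example, as are the function names.

```shell
#!/bin/sh
# Added example, not code from the thread or from iptables/nftables.
# Live use:
#   nft list ruleset > before
#   iptables-save | iptables-restore
#   nft list ruleset > after
#   lost_rules "$(cat before)" "$(cat after)"
# Here both listings are constructed inline so the check runs offline.

# Constructed: the nft listing shown in the thread, one FORWARD rule that
# also matches 'meta cpu 3'.
BEFORE='table ip filter {
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		ip saddr 10.1.2.3 meta cpu 3 counter packets 0 bytes 0 accept
	}
}'

# Constructed (assumption of this example): what the kernel holds after
# restoring "-A FORWARD -s 10.1.2.3/32 -j ACCEPT". The cpu match is gone
# and the counters have moved on, which a naive diff would also flag.
AFTER='table ip filter {
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		ip saddr 10.1.2.3 counter packets 12 bytes 960 accept
	}
}'

# Strip everything that legitimately differs between two listings of the
# same rules: counter values, rule handles (from nft -a), indentation and
# blank lines. Rule text itself is left untouched.
normalize_ruleset() {
	sed -e 's/counter packets [0-9][0-9]* bytes [0-9][0-9]*/counter/g' \
	    -e 's/ # handle [0-9][0-9]*$//' \
	    -e 's/^[[:space:]]*//' \
	    -e '/^$/d'
}

# lost_rules BEFORE AFTER
# Print every normalized line of BEFORE that no longer appears in AFTER,
# one per line. Returns 0 when the round trip preserved everything, 1 when
# something was dropped, 2 on a temp-file error.
lost_rules() {
	b=$(mktemp) || return 2
	a=$(mktemp) || return 2
	printf '%s\n' "$1" | normalize_ruleset > "$b"
	printf '%s\n' "$2" | normalize_ruleset > "$a"
	# First pass (NR==FNR) loads the "after" lines into seen[]; second pass
	# prints "before" lines that were never seen.
	lost=$(awk 'NR==FNR { seen[$0] = 1; next } !($0 in seen)' "$a" "$b")
	rm -f "$a" "$b"
	[ -z "$lost" ] && return 0
	printf '%s\n' "$lost"
	return 1
}

# Stand-alone demo: report what the constructed round trip dropped.
if lost=$(lost_rules "$BEFORE" "$AFTER"); then
	echo "round trip preserved every rule"
else
	printf 'round trip lost:\n%s\n' "$lost"
fi
```

The normalization only hides counters and handles, so any rule whose text changed, not just a rule that vanished, shows up as lost; that is intentional, since the thread's case is exactly a rule that survived with one match silently removed. Run it between two `nft list ruleset` snapshots on a quiet host, otherwise rules added concurrently will appear as differences too.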
