Hi Jeremy,
On Wed, Jul 03, 2024 at 05:02:04PM +0100, Jeremy Sowden wrote:
> At the beginning of the year you committed 34f085b16073 ("Revert
> "xshared: Print protocol numbers if --numeric was given""), which
> reverts da8ecc62dd76 ("xshared: Print protocol numbers if --numeric was
> given").
I did this in response to nfbz#1729[1] which argued the names are more
descriptive. This is obviously true and since commit b6196c7504d4d there
is no real downside to printing the name if available anymore (--numeric
still prevents calls to getprotobynumber()).
Personally I don't mind that much about changing --list output as it is
not well suited for parsing anyway. I assume most scripts use
--list-rules or iptables-save output which wasn't affected by
da8ecc62dd76. Of course I am aware of those that have to parse --list
output for one or the other reason and their suffering. The only bright
side here is that whoever had to adjust to da8ecc62dd76 will know how to
adjust to 34f085b16073, too. Plus it's not a moving target as there are
merely twelve names which remain in '-n -L' output.
> In response to a Debian bug-report:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067733
>
> I applied the change to the iptables package and uploaded it. However,
> this caused test failures in the Debian CI pipeline for firewalld
> because its test-suite has been updated to expect the new numeric
> protocol output. Michael Biebl, the firewalld Debian maintainer, (cc'ed
> so he can correct me if I misquote him) raised a point which I think has
> some merit. It is now eighteen months since 1.8.9 was released. One
> imagines that the majority of iptables users, who presumably are not
> building iptables directly from git, must, therefore, have adjusted to
> the new output. Is it, then, worth it to revert this change and force
> them to undo that work after what may have been a couple of years by the
> time 1.8.11 comes out?
>
> What do you think?
I think it's a mess and there's no clean way out. The current code is at
least consistent between '-S' and '-L' output (iptables-save should not
be "less numeric" than '-n -L'). If it helps, I can work with Eric to
solve the problem for firewalld so Michael will have something to
backport to fix it.
All in all I have not seen many complaints about this change, I expect
few people scraping iptables output and only a fraction doing --list.
In addition to that, I plan on soon having a 1.8.11 release (we're far
ahead already to make backports a pain).
What do you think?
Thanks, Phil
