From: Phil Sutter <phil@nwl.cc>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [iptables-nft RFC 1/5] nft-shared: dump errors on stdout to garble output
Date: Tue, 22 Nov 2022 18:55:49 +0100 [thread overview]
Message-ID: <Y30NJTaQx8Wn7RLE@orbyte.nwl.cc> (raw)
In-Reply-To: <20221121111932.18222-2-fw@strlen.de>
On Mon, Nov 21, 2022 at 12:19:28PM +0100, Florian Westphal wrote:
> Intentionally garble iptables-nft output if we cannot dissect
> an expression that we've just encountered, rather than dump an
> error message on stderr.
>
> The idea here is that
> iptables-save | iptables-restore
>
> will fail, rather than restore an incomplete ruleset.
What I don't like about this is that users won't notice the problem
until they try to restore the ruleset. For us it is clearly beneficial
to see where things break, but I doubt regular users care and we should
just tell them to stop mixing iptables and nft calls.
Can we maybe add "--force" to iptables-nft-save to make it print as much
as possible despite the table being considered incompatible? Not sure
how ugly this is to implement, though.
We still exit(0) in case parsing fails, BTW. Guess this is the most
important thing to fix despite all the above.
Thanks, Phil
next prev parent reply other threads:[~2022-11-22 17:57 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-21 11:19 [iptables-nft RFC 0/5] update iptables-nft dissector Florian Westphal
2022-11-21 11:19 ` [iptables-nft RFC 1/5] nft-shared: dump errors on stdout to garble output Florian Westphal
2022-11-22 17:55 ` Phil Sutter [this message]
2022-11-23 12:50 ` Florian Westphal
2022-11-23 13:13 ` Phil Sutter
2022-11-23 13:27 ` Florian Westphal
2022-11-23 13:34 ` Phil Sutter
2022-11-21 11:19 ` [iptables-nft RFC 2/5] iptables-nft: do not refuse to decode table with unsupported expressions Florian Westphal
2022-11-21 11:19 ` [iptables-nft RFC 3/5] nft: check for unknown meta keys Florian Westphal
2022-11-21 11:19 ` [iptables-nft RFC 4/5] xlate-test: extra-escape of '"' for replay mode Florian Westphal
2022-11-22 15:51 ` Phil Sutter
2022-11-22 16:01 ` Florian Westphal
2022-11-22 16:22 ` Phil Sutter
2022-11-23 9:31 ` Florian Westphal
2022-11-23 9:57 ` Phil Sutter
2022-11-21 11:19 ` [iptables-nft RFC 5/5] generic.xlate: make one replay test case work Florian Westphal
2022-11-22 16:16 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y30NJTaQx8Wn7RLE@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).