Re: [libvirt] [PATCH 4/9] add DHCP snooping support to nwfilter

Stefan Berger/Watson/IBM wrote on 05/11/2011 12:32:41 PM:
> So now this command puts the default policy of every ebtables chain to end with an implicit drop. What if I had previously created a filter assuming an implicit accept, which is the current behavior? Now that filter wouldn't work correctly anymore since my packets all get dropped. Is this change really necessary?
Well, all of the generated chains need this (to support multiple address matching). This can, of course, be done by adding a "-j DROP" at the end of every chain. But since it is all of them, I thought changing the default and having fewer rules made a lot more sense. So, it isn't a requirement, but any modifications to these chains will need to account for either a DROP policy explicitly or a "-j DROP" at the end, if it's modifying an existing filter. I don't see any way around custom filters needing to be reviewed and adapted to any change in the examples set. Independent filters can explicitly use "-j DROP" or "-j ACCEPT" and not rely on the policy, but insertions in existing filters can't insert after a "-j DROP" and still work, either. With the changed policy, they can append rules and possibly still work without modification.

+-DLS
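The two chain layouts being compared above (a chain that ends in an explicit "-j DROP" rule versus a chain whose policy is DROP) behave differently when a rule is later appended, and a filter written against the old implicit-ACCEPT policy behaves differently once the policy becomes DROP. The following is an added illustration, not code from the patch or from libvirt: a small model of ebtables first-match evaluation with the equivalent ebtables commands in comments. The chain name, MAC addresses and the rule set are constructed for the example.

```python
"""Toy model of first-match chain evaluation (the semantics ebtables
uses): rules are tried in order, the first matching rule's target is
the verdict, and the chain policy applies only when nothing matched.
Constructed example; not libvirt's nwfilter code."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    src_mac: Optional[str]  # None matches any source MAC (no "-s" given)
    target: str             # "ACCEPT" or "DROP" ("-j" target)


@dataclass
class Chain:
    policy: str = "ACCEPT"  # ebtables -P <chain> <policy>
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        # ebtables -A <chain> [-s <mac>] -j <target>
        self.rules.append(rule)

    def verdict(self, src_mac: str) -> str:
        for r in self.rules:
            if r.src_mac is None or r.src_mac == src_mac:
                return r.target
        return self.policy


# Constructed MAC addresses used throughout the example.
ALLOWED_MAC = "52:54:00:aa:bb:01"
LATER_MAC = "52:54:00:aa:bb:02"
UNKNOWN_MAC = "52:54:00:aa:bb:ff"


def chain_with_trailing_drop() -> Chain:
    """Implicit-ACCEPT policy, but a catch-all "-j DROP" as the last rule."""
    c = Chain(policy="ACCEPT")
    c.append(Rule(ALLOWED_MAC, "ACCEPT"))
    c.append(Rule(None, "DROP"))  # ebtables -A chain -j DROP
    return c


def chain_with_drop_policy() -> Chain:
    """Same allow list, but the chain policy itself is DROP."""
    c = Chain(policy="DROP")  # ebtables -P chain DROP
    c.append(Rule(ALLOWED_MAC, "ACCEPT"))
    return c


def append_to_both() -> dict:
    """Append an ACCEPT for LATER_MAC with "-A" to each chain and compare.

    The trailing "-j DROP" shadows the appended rule; the DROP policy
    does not, so the appended rule takes effect without editing the chain.
    """
    a = chain_with_trailing_drop()
    b = chain_with_drop_policy()
    a.append(Rule(LATER_MAC, "ACCEPT"))
    b.append(Rule(LATER_MAC, "ACCEPT"))
    return {
        "trailing_drop": a.verdict(LATER_MAC),   # "DROP"
        "drop_policy": b.verdict(LATER_MAC),     # "ACCEPT"
        "unknown_under_policy": b.verdict(UNKNOWN_MAC),  # "DROP"
    }


def legacy_filter_verdict(policy: str) -> str:
    """A filter written for the old implicit ACCEPT: it only lists what to
    drop and relies on the policy for everything else. Under a DROP
    policy, traffic it never mentions is now dropped."""
    c = Chain(policy=policy)
    c.append(Rule(UNKNOWN_MAC, "DROP"))
    return c.verdict(ALLOWED_MAC)


if __name__ == "__main__":
    print(append_to_both())
    print("legacy filter, ACCEPT policy:", legacy_filter_verdict("ACCEPT"))
    print("legacy filter, DROP policy:  ", legacy_filter_verdict("DROP"))
```

`append_to_both` shows the point about appending: with a trailing "-j DROP" the new rule must be inserted ("-I") before that last rule to take effect, whereas with a DROP policy a plain "-A" works. `legacy_filter_verdict` shows the concern raised in the quoted question: a filter that only enumerates what to drop stops passing anything once the policy flips to DROP.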