iptables has two kernel backends, legacy and nft.
Quoting https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables
> It is also important to note that while iptables-nft
> can supplant iptables-legacy, you should never use them simultaneously.
However, we don't want to block the node operations because of this
reason, as there is not enough evidence this is causing big issues in the
wild, so we just signal and warn about this situation.
Once we have more information we can revisit this decision and
keep it as is or move it to permanent.
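The two-backend check the message above describes, as an added example written for this page rather than taken from the project: it counts the rules each backend reports through `iptables-legacy-save` and `iptables-nft-save` (plus the `ip6tables-*` variants, binaries shipped by the iptables package), prints a warning when both are non-empty, and still returns 0 so the node is not blocked. The sample dump inside the script is constructed.

```sh
#!/bin/sh
# Added example, not the project's own code: detect rules loaded in both the
# iptables-legacy and iptables-nft backends and warn, but never fail.
# Assumes the iptables-legacy-save / iptables-nft-save (and ip6tables-*) tools
# shipped by the iptables package; the sample dump below is constructed.

# Count rules in an iptables-save dump read from stdin. In save format every
# rule line starts with "-" ("-A INPUT ..."); table headers ("*filter"),
# chain lines (":INPUT ACCEPT [0:0]"), "COMMIT" and "#" comments are not rules.
count_rules() {
  grep -c '^-' || true   # grep exits 1 on zero matches but still prints 0
}

# Classify a (legacy, nft) pair of rule counts: none, legacy, nft or both.
classify_backends() {
  if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then
    echo both
  elif [ "$1" -gt 0 ]; then
    echo legacy
  elif [ "$2" -gt 0 ]; then
    echo nft
  else
    echo none
  fi
}

# Dump the rules of one backend; print nothing if the tool is missing or
# cannot talk to the kernel (e.g. not root), so the check degrades to "none".
dump_backend() {
  if command -v "$1" >/dev/null 2>&1; then
    "$1" 2>/dev/null || true
  fi
}

# Node-level check: warn-only, always returns 0, as the commit message intends.
check_iptables_backends() {
  legacy=$( { dump_backend iptables-legacy-save; dump_backend ip6tables-legacy-save; } | count_rules )
  nft=$( { dump_backend iptables-nft-save; dump_backend ip6tables-nft-save; } | count_rules )
  case "$(classify_backends "$legacy" "$nft")" in
    both)
      echo "warning: rules present in both iptables-legacy ($legacy) and iptables-nft ($nft); the two backends should not be used simultaneously"
      ;;
    *)
      echo "ok: iptables-legacy rules=$legacy iptables-nft rules=$nft"
      ;;
  esac
  return 0
}

# Constructed sample dump, to show what count_rules sees.
sample_dump='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
COMMIT'
echo "sample dump has $(printf '%s\n' "$sample_dump" | count_rules) rules"

check_iptables_backends
```

Run it as root on the node; without root the save tools cannot read the kernel tables and the check reports zero rules for both backends, which is why the warning, not the exit code, carries the signal.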
- Use `systemctl is-active` to check if service is running
- Cleaner than `grep` on `systemctl status` output
- Return success means service is running/active
- Return failure means not running which could be due to
stopped/failed service or that service does not exist
- Use `command -v` instead of `which`
Ref: https://github.com/koalaman/shellcheck/wiki/SC2230
- Follow Google "Shell Style Guide": indent, use "readonly"
- Minor: Rephrase comment, avoid all caps
- Script was checking for "ip_conntrack_..." which was replaced by "nf_conntrack_..." on newer systems. Now support both.
- Return failure ("not ok") when table is more than 90% full.
- Not sure what value is best here but I think that is better than when the table is full.
Otherwise we might end up with a value close to the max or bouncing around.
- Replaced cat by "$(< file )" to avoid calling external command
- Follow Google "Shell Style Guide": 2 space indent, use preferred "[[ test ]]", add "readonly"
- Include current connection usage in output message
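The conntrack check described in the message above, as an added example for this page rather than the project's own script: it looks for the newer `nf_conntrack_*` sysctl files first and falls back to the older `ip_conntrack_*` names, reads the values with the shell's `read` instead of spawning `cat`, includes the current usage in the output message, and returns failure at or above a threshold that defaults to 90%. The sysctl-root argument (so the logic can be exercised against a constructed copy of `/proc/sys`) and treating a missing conntrack module as "ok" are choices of this example, not of the original script.

```sh
#!/bin/sh
# Added example, not the project's own code: report conntrack table usage and
# return "not ok" when it reaches a threshold (default 90%). Supports both the
# older ip_conntrack_* and the newer nf_conntrack_* sysctl names. The sysctl
# root argument is an assumption of this example so the logic can be tested
# against a constructed directory tree instead of the live /proc/sys.

# Print the path prefix of the *_conntrack_count / *_conntrack_max pair under
# the given sysctl root (nf_conntrack preferred), or return 1 if neither
# naming scheme is present (conntrack module not loaded).
find_conntrack_dir() {
  for dir in "$1/net/netfilter" "$1/net/ipv4/netfilter"; do
    for prefix in nf_conntrack ip_conntrack; do
      if [ -r "$dir/${prefix}_count" ] && [ -r "$dir/${prefix}_max" ]; then
        echo "$dir/$prefix"
        return 0
      fi
    done
  done
  return 1
}

# Read one integer from a file without calling an external command.
read_value() {
  read -r value < "$1" && printf '%s\n' "$value"
}

# Decide ok / not ok from count, max and a percentage threshold (default 90).
# Prints a message carrying the current usage; returns 1 when usage is at or
# above the threshold or max is unusable.
conntrack_usage_status() {
  count=$1
  max=$2
  threshold=${3:-90}
  if [ "$max" -le 0 ]; then
    echo "not ok: invalid conntrack max ($max)"
    return 1
  fi
  percent=$(( count * 100 / max ))
  if [ "$percent" -ge "$threshold" ]; then
    echo "not ok: conntrack table ${percent}% full ($count/$max), threshold ${threshold}%"
    return 1
  fi
  echo "ok: conntrack table ${percent}% full ($count/$max)"
  return 0
}

# Full check against a sysctl root (default /proc/sys) and threshold.
# A node without the conntrack module loaded is reported as ok here; that is
# this example's choice.
check_conntrack() {
  root=${1:-/proc/sys}
  base=$(find_conntrack_dir "$root") || {
    echo "ok: conntrack module not loaded (no *_conntrack_count under $root)"
    return 0
  }
  conntrack_usage_status "$(read_value "${base}_count")" \
                         "$(read_value "${base}_max")" "${2:-90}"
}

# Usage: conntrack_check.sh [sysctl_root] [threshold_percent]
check_conntrack "$@"
```

Because `percent` is computed with integer arithmetic the check trips exactly when `count * 100 / max` reaches the threshold, so 899/1000 is still ok and 900/1000 is not; pick the threshold with that rounding in mind.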
My comment was eaten by GitHub in !152 and wanted to raise attention in case this was meant to be an exit instead of an echo, otherwise feel free to close!