On Thursday 2012-10-25 19:06, Pablo Neira Ayuso wrote:

>Hi,
>
>I've been working for a while to recover nf_tables kernel patches and
>to implement a compatibility layer so it can be used with existing
>x_tables target/match extensions.
[...]
>2) Provide a fast path to merge this into mainstream. We'll have both
>   iptables and nftables interfaces during some time in the Linux kernel,
>   then remove iptables infrastructure at some point. iptables scripts
>   would not break as we'll have the iptables emulation over nftables.
>[...]
>One final thing: nftables does not support atomic table commit. The
>point here is if we really need this for the emulation utility or we
>can live without that. Implementing atomic table replacement in
>nftables is not trivial. I have a hard time finding this commit table
>feature useful.

Meanwhile, I am on xtables2, which actually reproduces the set of _really
important_ features that currently are in the setsockopt iptables, like
atomic table replace and atomic dump.
I have updated to the newest tree, and the first set is available in the
git repository at:

  git://git.inai.de/linux xt2-20121025

----------------------------------------------------------------
      netfilter: xtables2: initial table skeletal functions
      netfilter: xtables2: initial Netlink interface
      netfilter: xtables2: chain creation and deletion
      netfilter: xtables2: chain renaming support
      netfilter: xtables2: transaction commit operation
      netfilter: xtables2: table replace support
      netfilter: xtables2: transaction abort support
      netfilter: xtables2: redirect writes into transaction buffer
      netfilter: xtables2: supply a revision number

 include/net/netfilter/xt_core.h                  |  48 ++
 include/uapi/linux/netfilter/Kbuild              |   1 +
 include/uapi/linux/netfilter/nfnetlink.h         |   3 +-
 include/uapi/linux/netfilter/nfnetlink_xtables.h |  52 ++
 net/netfilter/Kconfig                            |   8 +-
 net/netfilter/Makefile                           |   2 +
 net/netfilter/xt_core.c                          | 204 ++++++++
 net/netfilter/xt_nfnetlink.c                     | 602 ++++++++++++++++++++++
 net/netfilter/xt_nfnetlink.h                     |   7 +
 9 files changed, 925 insertions(+), 2 deletions(-)
 create mode 100644 include/net/netfilter/xt_core.h
 create mode 100644 include/uapi/linux/netfilter/nfnetlink_xtables.h
 create mode 100644 net/netfilter/xt_core.c
 create mode 100644 net/netfilter/xt_nfnetlink.c
 create mode 100644 net/netfilter/xt_nfnetlink.h
---snip---

with userspace available in the git repository at:

  git://git.inai.de/libnetfilter_xtables master

which contains a test utility xtnl-test to try the code paths that have
been added so far on the kernel side.

Getting the locking right is sort of a time killer; I hope Eric Dumazet
might get interested to have a look at that part, since he has done so
much w.r.t. locking in ip_tables already :)
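The transaction semantics the commit list names (writes redirected into a transaction buffer, commit, abort, whole-table replace), as an added example written for this page; it is not xtables2 or kernel code, every name in it is invented, and it models why an in-place rewrite is a fail-open window while a committed swap is not.

```c
/* Model of atomic table replace: a ruleset is a fixed array of (port, verdict)
 * rules, a "packet" is a destination port, and unmatched traffic is accepted
 * (the usual default policy of a filter table). Invented names throughout. */
#include <stdlib.h>

#define MAX_RULES 8
enum verdict { DROP = 0, ACCEPT = 1 };
struct rule { unsigned short port; enum verdict v; };
struct table { int n; struct rule r[MAX_RULES]; };

static struct table *active; /* table the packet path reads */
static struct table *txn;    /* transaction buffer; NULL when none is open */

static enum verdict lookup(unsigned short port)
{
    struct table *t = active;
    if (!t) return ACCEPT;
    for (int i = 0; i < t->n; i++)
        if (t->r[i].port == port) return t->r[i].v;
    return ACCEPT;
}

/* All writes land in the transaction buffer, never in the active table. */
static int txn_begin(void)
{
    if (txn) return -1;
    txn = calloc(1, sizeof *txn);
    return txn ? 0 : -1;
}
static int txn_add_rule(unsigned short port, enum verdict v)
{
    if (!txn || txn->n >= MAX_RULES) return -1;
    txn->r[txn->n++] = (struct rule){ port, v };
    return 0;
}
static void txn_abort(void) { free(txn); txn = NULL; }
/* Commit = one pointer exchange: readers see the old table or the new one,
 * never a partially built one. (A kernel would defer the free until readers
 * of the old table are gone, e.g. an RCU grace period.) */
static void txn_commit(void)
{
    if (!txn) return;
    struct table *old = __atomic_exchange_n(&active, txn, __ATOMIC_ACQ_REL);
    txn = NULL;
    free(old);
}
/* The hazard: rewriting the live table in place. Between emptying it and
 * re-adding the DROP rule, a packet to `port` is accepted. Returns what a
 * packet arriving in that window sees. */
static enum verdict rewrite_in_place_observe(unsigned short port)
{
    active->n = 0;                                        /* step 1: clear */
    enum verdict seen = lookup(port);                     /* packet arrives */
    active->r[active->n++] = (struct rule){ port, DROP }; /* step 2: re-add */
    return seen;
}
```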