Re: [Nftables RFC] High level library proposal

> Hi Victor,
>
> Not sure if it would fit the scope of this library, but as a frontend
> developer I would love to have easy access to some sort of "supported
> features" call.
>
> In Vuurmuur I currently parse /proc/net/ip_tables_names to see what
> tables are supported, /proc/net/ip_tables_matches to see what matches
> are supported, etc.
>
> This still isn't enough, because it won't tell me if the SNAT target
> will actually support the --random option, so I end up creating a lot of
> test rules at startup, just to figure this stuff out.
>
> Then there is also the case of a mismatch between kernel and userland. I
> remember one case where the Ubuntu kernel would support a module, but
> the shipped iptables wouldn't.
>
> Not sure if all of this is relevant to nftables and I don't have a
> proposed solution, but just wanted to bring it up for consideration.

This is a good idea, since indeed not all features might be supported from
one kernel configuration/version to another. However, nftables does not
expose anything through proc-fs currently, and it does not say anything
anywhere about which features are supported, afaik.

We should first think about how to fix this from the kernel side; for the
library itself it should be trivial afterwards. There are issues such as: as
long as modules are not loaded, you don't know, for instance, which
expressions are supported...

Maybe the kernel guys have good ideas on how to fix this?


Tomasz
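The capability check Victor's message describes (reading the /proc/net/ip_tables_* lists, and reporting "unknown" rather than "unsupported" where a list is absent, as on an nftables-only kernel), as an added example that is neither part of this thread nor Vuurmuur's own code; the /proc paths are real, the file contents and reader hook are constructed:

```python
"""Feature detection for an iptables front end from the /proc/net/ip_tables_*
lists, as the Vuurmuur message describes. Added example, not Vuurmuur's code;
the sample file contents below are constructed."""
from pathlib import Path

PROC_FILES = {
    "tables": "/proc/net/ip_tables_names",
    "matches": "/proc/net/ip_tables_matches",
    "targets": "/proc/net/ip_tables_targets",
}

def parse_proc_list(text):
    """Each list is one extension name per line; blank lines are ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def read_capabilities(reader=lambda path: Path(path).read_text()):
    """Return {kind: set or None}. None means the list could not be read,
    the normal case on an nftables-only kernel (nothing under procfs), so
    callers must treat it as 'unknown' rather than 'unsupported'. The lists
    also only show modules that are currently loaded."""
    caps = {}
    for kind, path in PROC_FILES.items():
        try:
            caps[kind] = parse_proc_list(reader(path))
        except (FileNotFoundError, PermissionError):
            caps[kind] = None
    return caps

def feature_status(caps, kind, name):
    """'yes' if listed, 'no' if the list exists but lacks the name, 'unknown'
    if the list was unreadable. Even 'yes' only proves the module is present:
    option-level support (SNAT --random) and a kernel/userland mismatch are
    invisible here, which is why Vuurmuur falls back to creating test rules."""
    listed = caps.get(kind)
    if listed is None:
        return "unknown"
    return "yes" if name in listed else "no"

# Constructed sample standing in for procfs on a legacy iptables kernel; the
# targets list is deliberately absent to simulate an unreadable file.
SAMPLE_PROC = {
    "/proc/net/ip_tables_names": "filter\nnat\nmangle\n",
    "/proc/net/ip_tables_matches": "conntrack\nstate\nmultiport\n",
}

def sample_reader(path):
    if path not in SAMPLE_PROC:
        raise FileNotFoundError(path)
    return SAMPLE_PROC[path]
```

Calling `read_capabilities()` with no argument reads the live procfs files; passing `sample_reader` runs the same logic against the constructed sample.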