Hi Tomasz,

On Tue, Jul 02, 2013 at 12:04:20PM +0300, Tomasz Bursztyka wrote:
[...]
> nft add rule ip filter xt M [ <M match options> ] drop
>
> But what the user does not know is that the xt match M will
> generate pure nft expressions, not using the xt compat expression
> (no memory blob etc...)
> Then: (let's say M matches tcp protocol, port 12345)
>
> nft list table filter
>
> table global {
>     chain filter input {
>         ip protocol 6 tcp dport 12345 drop
>     }
> }
>
> It's misleading. The user is not retrieving his command here. I am
> pretty sure lots of users will complain about that.

We can document that xt commands from nft are translated to native
whenever possible.

[...]

> We have to force them ;) "Want the iptables way of doing things: use
> iptables-nftables. Want the new features and flexibility: use nft".

Many users have rule-sets with thousands of rules. Following the
approach you propose, they will have to rewrite their rule-set
*entirely* to native nft. That's a lot of work and a daunting task;
they won't be happy about that.

With this patch, users that want to migrate to get the new features can
simply load their rule-set via iptables-nftables, then switch to nft to
obtain the translation. If there is no native replacement for one of
the rule selectors, they can *still* use the new nft. Thus, they can
*progressively* migrate to native nft as soon as native replacements
for existing features are provided.

Regards.
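The translate-when-possible, keep-as-xt-otherwise behaviour argued for above, as an added illustration written for this page (it is not nftables or iptables code): a tiny translator that turns iptables-style tokens into the nft rule text shown in the thread, and falls back to an `xt <match> ...` expression for any `-m` match it has no native replacement for. The protocol number and option tables are assumptions covering only the cases in the example.

```python
"""Illustrative xt-to-native nft translation with progressive fallback.

Example code for this discussion, not part of nftables or iptables.
Native replacements are known for '-p <proto>' and the tcp/udp port
options; every other '-m <match>' is kept as an 'xt <match> <options>'
expression so the rule still loads, exactly the migration path argued
for in the thread.
"""

# Assumed: protocol names -> the numbers nft prints in 'ip protocol N'.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}

# Assumed: iptables port options that have a native nft counterpart.
NATIVE_L4_OPTIONS = {"--dport": "dport", "--sport": "sport"}

# Tokens that end the option list of a preceding '-m <match>'.
RULE_KEYWORDS = {"-p", "-m", "-j"}


def translate_rule(tokens):
    """Return (nft_rule_text, untranslated_matches) for an iptables-style
    token list such as ['-p', 'tcp', '--dport', '12345', '-j', 'DROP']."""
    native, untranslated = [], []
    proto = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-p":
            proto = tokens[i + 1]
            native.append(f"ip protocol {PROTO_NUMBERS[proto]}")
            i += 2
        elif tok in NATIVE_L4_OPTIONS and proto in ("tcp", "udp"):
            # Native: 'tcp dport 12345' as listed by 'nft list table'.
            native.append(f"{proto} {NATIVE_L4_OPTIONS[tok]} {tokens[i + 1]}")
            i += 2
        elif tok == "-m":
            # No native replacement known: keep the xt match and its
            # options verbatim so the rule set still loads as a whole.
            name = tokens[i + 1]
            i += 2
            opts = []
            while i < len(tokens) and tokens[i] not in RULE_KEYWORDS:
                opts.append(tokens[i])
                i += 1
            native.append(" ".join(["xt", name] + opts))
            untranslated.append(name)
        elif tok == "-j":
            native.append(tokens[i + 1].lower())  # verdict, e.g. 'drop'
            i += 2
        else:
            raise ValueError(f"unsupported token: {tok}")
    return " ".join(native), untranslated
```

The second return value lets a migration script report which rules still depend on xt matches and can be revisited once native replacements exist.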