Patrick McHardy <kaber@xxxxxxxxx> wrote:
> On 09.04, Pablo Neira Ayuso wrote:
> > At compilation time, you have to pass this option.
> >
> > # ./configure --with-xtables
> >
> > And libxtables needs to be installed in your system.
> >
> > This patch allows you to use xt extensions from nft, e.g.
> >
> > # nft add rule filter output \
> > tcp flags syn xt target TCPMSS [ --clamp-mss-to-pmtu ]
> >
> > This feature requires that libxtables is installed in your system.
> >
> > This provides access to all existing xt modules from nft. Users can
> > meanwhile use xt extensions until we can provide native expressions.
> >
> > You can build this optionally; if disabled, it displays an error:
> >
> > # nft add rule filter output tcp flags syn xt target TCPMSS [ --clamp-mss-to-pmtu ]
> > <cmdline>:1:38-77: Error: this build does not support xtables
> > add rule filter output tcp flags syn xt target TCPMSS [ --clamp-mss-to-pmtu ]
> >                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > so you know your build doesn't support this.
>
> Before reviewing this patch, my main question is - are we sure we want to do
> this? How will this affect our plans to get rid of the iptables code
> at some point in the future? Arguably it's a compatibility question: if we
> support this in nft, people will use it and we can't simply remove it.

FWIW I think Patrick's concerns are well-founded; if we do this we cannot
remove those extensions, ever. And this will include several dubious
modules (time match, for example).

Why would I want to re-write a working nft+compat ruleset to one that
only uses native expressions? What's the point of providing a 'native'
replacement for an existing xtables target if we can just use the
xtables version?

Thus I'm leaning towards not adding any compat support in nft.