On 10.04, Pablo Neira Ayuso wrote: > On Fri, Apr 10, 2015 at 12:45:05AM +0100, Patrick McHardy wrote: > [...]: > > I want this decision to be made based on what users actually need and > > on what they need it for. Not basically pull in everything from iptables > > in one go without even thinking about it. > > > > As a middle ground, I think I could agree to adding the xt compat > > framework, but only allow selective extensions to be used where we > > are sure we need them. > > The framework fully supports this, imposing an artificial limitation > makes no sense to me at all. I'm aware that its technically possible, the question is a different one. > And more importantly, without this patch nft breaks when users > load their ruleset throught iptables-compat-restore. How will it break if we don't support it so far? > With that artificial limitation, some rulesets will break, some other > not. > > Admit it, there is no way we can control what users will do in the > future. The only way out is to move forward in an evolutionary > fashion. Right. But this is not evolutionary. It pulls everything we have in iptables in nftables in one big dump. Its the opposite of evolution. An evolutionary process would be to grow things as they are needed, which is what I'm suggesting. Don't you see the difference? If people are using the translation layer, they will by definition translate their old ruleset again on every load. Once they have the xt stuff in their nftables ruleset, we don't have any control over it anymore. Unless you want to pull the nft translation layer into nft, which would be ridiculous. We can't decide anymore how we want to map an old extension to the new framework. We loose all control and are stuck with the worst case, which is that people might be using all the old crap in compat mode. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
