On 18 January 2016 at 09:59, Andreas Schultz <aschultz@xxxxxxxx> wrote:
> Hi Arturo,
>
> On 01/15/2016 09:06 PM, Arturo Borrero Gonzalez wrote:
>>
>> Hi,
>>
>> I'm giving a spin to the nft compat layer, since it can be of certain
>> importance for distributions.
>>
>> I just want to be clear on what I recommend to end users about
>> migrating from iptables (and friends) to nftables.
>>
>> Could you please remind me in which state was the discussion about
>> that patch to show x_tables extensions in nftables rulesets [0]?
>> I remember Patrick mentioned several concerns back then about this
>> approach.
>
>
> I have an updated version of this patch and also fixed some of
> the problems I encountered along the way (see attached patches).
> The nft patch is based on nftables-0.5 and the kernel change
> should apply cleanly to linux-4.4.
>
> With the update patch I can load a fairly complex iptables
> firewall with iptables-compat, dump it with nft and reload
> the dump with nft.
>
> The resulting ruleset appears to be working. YMMV.
>

The last I can find in patchwork [0] seems to support ebtables
watchers, among other things.

The kernel patch to disable validations in nft_compat I assume is work
in progress or something?

Anyway, I just want to make sure what is the roadmap with regards to
the compat stuff.
What should I recommend users to do when migrating to nftables?

[0] http://patchwork.ozlabs.org/patch/459772/
--
Arturo Borrero González