On 2022-01-18, at 02:23:46 +0100, Pablo Neira Ayuso wrote:
> On Mon, Jan 17, 2022 at 09:54:52PM +0000, Jeremy Sowden wrote:
> > On 2022-01-17, at 11:40:51 +0100, Phil Sutter wrote:
> > > On Sun, Jan 16, 2022 at 08:08:15PM +0100, Florian Westphal wrote:
> [...]
> > > > Pablo, Phil, others -- what is your take?
> > >
> > > I think the change is OK if existing rulesets will continue to
> > > work just as before and remain compatible with legacy. IMHO, new
> > > rulesets created using iptables-nft may become incompatible if
> > > users explicitly ask for it (e.g. by specifying an exceedingly
> > > long log prefix.
> > >
> > > What about --nflog-range? This series seems to drop support for
> > > it, at least in the sense that ruleset dumps won't contain the
> > > option. In theory, users could depend on identifying a specific
> > > rule via nflog range value.
> >
> > Fair enough. I'll add a check so that nft is not used for targets
> > that specify `--nflog-range`.
>
> --nflog-range does work?
No.
> --nflog-size is used and can be mapped to 'snaplen' in nft_log.
Correct.
> Manpage also discourages the usage of --nflog-range for long time.
>
> Not sure it is worth to add a different path for this case.
Yes, there have been warnings about `--nflog-range` since `--nflog-size`
was added in 2016. I wasn't entirely happy dropping `--nflog-range`
support and introducing the divergence between -legacy and -nft as an
incidental side-effect, so when Phil brought it up, I had a look and it
turns out that the code to preserve support for it is quite small:
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1366,6 +1366,12 @@ int add_log(struct nftnl_rule *r, struct iptables_command_state *cs)
struct nftnl_expr *expr;
struct xt_nflog_info *info = (struct xt_nflog_info *)cs->target->t->data;
+ if (info->len && !(info->flags & XT_NFLOG_F_COPY_LEN))
+ /*
+ * nft doesn't support --nflog-range
+ */
+ return add_target(r, cs->target->t);
+
expr = nftnl_expr_alloc("log");
if (!expr)
return -ENOMEM;
Perhaps, we could put this in now, add something to the release notes
for the next release formally deprecating `--nflog-range` and then
remove it altogether in the following release.
Or we could just apply the current patches if you're not that bothered.
:)
J.
Attachment:
signature.asc
Description: PGP signature
