On Thu, Nov 17, 2022 at 10:13:47PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > If nft can't translate a compat expression, dump it in a format that can
> > be restored later without losing data, thereby keeping the ruleset
> > intact.
>
> Why? :-( This cements nft_compat.c forever.

To avoid silently breaking a ruleset. It is a last resort measure for
cases where nft can't translate the ruleset into something meaningful.

I already submitted a patch adding a warning when listing tables
containing compat expressions (status unclear), but a real alternative
to the above would be to abort the listing or to ignore the table.
Listing the ruleset in translated form when iptables-nft can't parse the
translation, or without translation but still maintaining syntax to be
parsed without error during a later restore, is almost luring users into
doing stupid things.

> If we're going to do it let's at least dump it properly,
> i.e. nft ... add rule compat "-m conntrack --ctstate NEW".

This will make things worse: people will understand the format and start
using it despite the warnings. This adds a new user base to compat
expressions. I don't dare claiming nobody would start crafting compat
expressions in my zip-dump format, but it's at least a larger obstacle.
:D

> At this time I'd rather like a time machine to prevent nft_compat.c from
> getting merged :-(

If you do, please convince Pablo to not push iptables commit 384958620a.
I think it opened the can of worms we're trying to confine here.

Cheers, Phil