On Fri, Nov 18, 2022 at 12:46:43PM +0100, Florian Westphal wrote: > Phil Sutter <phil@xxxxxx> wrote: > > On Fri, Nov 18, 2022 at 11:11:42AM +0100, Pablo Neira Ayuso wrote: > > > Merging threads. > > > > > > On Fri, Nov 18, 2022 at 10:55:04AM +0100, Phil Sutter wrote: > > > [...] > > > > > I think this more or less a summary of what we discussed in the NFWS. > > > > > > > > Pablo, I think you're mixing up two things here: > > > > > > > > This "support dump and load of compat expression" feature is to sanitize > > > > the current situation with up to date iptables and nftables. > > > > > > OK, then the problem we discuss is mixing iptables-nft and nftables. > > > > > > On Fri, Nov 18, 2022 at 10:47:48AM +0100, Phil Sutter wrote: > > > [...] > > > > > At this time I'd rather like a time machine to prevent nft_compat.c from > > > > > getting merged :-( > > > > > > > > If you do, please convince Pablo to not push iptables commit 384958620a. > > > > I think it opened the can of worms we're trying to confine here. > > > > > > It could be worst, if iptables-nft would not be in place, then old > > > iptables-legacy and new nftables rules would have no visibility each > > > other. > > > > > > With iptables-nft we have a way to move forward: > > > > > > - Replace nft_compat by native expressions from iptables-nft. > > > - Extend iptables-nft to understand more complex expressions, worst > > > case dump a native representation. > > > > > > Why don't we just move ahead this path instead of spinning around the > > > compat layer? This only requires userspace updates on iptables-nft. > > > > Sure! I'm just picking low hanging fruits first. With even translation > > support being still incomplete, I fear it will take a while until the > > tools are fluent enough for this to not matter anymore. And then there's > > still nftables without libxtables support. > > Then perhaps its better to do following path: > 1. Try ->xlate(), if that fails, then print a 'breaking' format? > > As far as I understand the problem is the "# comment" - type syntax that > makes nft just skip the incomplete rule, so perhaps just use invalid > format? > > Example: > > counter packets 0 bytes 0 # name foo interval 250.0ms ewmalog 500.0ms > Instead make this something like > counter packets 0 bytes 0 nft_compat [ RATEEST name foo interval 250.0ms ewmalog 500.0ms ] # unsupported iptables-nft rule > > ? > > I'd like to avoid exposure in the frontend with compatible-restore-approach if possible. Yes, that's fine with me. Now what about translated expressions? Can we apply my warning patch until at least the majority of them is understood by iptables? Cheers, Phil