Re: [nf-next PATCH v2] netfilter: nf_tables: Introduce NFTA_RULE_ACTUAL_EXPR

On Thu, Apr 27, 2023 at 01:01:55PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Apr 27, 2023 at 12:57:30PM +0200, Phil Sutter wrote:
> > Hi Pablo,
> > 
> > On Wed, Apr 26, 2023 at 09:58:44PM +0200, Pablo Neira Ayuso wrote:
> > [...]
> > > My proposal:
> > 
> > Thanks for returning to this. Your approach requires defining a minimum
> > version from which on forward-compat is guaranteed. I was trying to
> > avoid this requirement though so things would work for "unknown user
> > space".
> 
> You also require a kernel that supports your approach.

Sure. But in the described use-case, anything but old user space (i.e.,
container content) is under control.

> > Currently, the only offending extension is ebt_among since it doesn't
> > exist (and never did) in non-native form. If I implement among extension
> > parsing (even in non-functional form), my original approach would work.
> > This also means having a minimum version for full compat, but it affects
> > ebtables (actually, use of ebt_among) only.
> 
> Yes, but this is fully user data, kernel really does not need to do
> anything with this alternative representation, which is what I do not
> like from your proposal.

OK.

> I really think userdata is the place to deal with this.

Having to touch old user space is not a good solution for the given
use-case. If kernel modification is a no-go, I'd rather introduce a
"compat mode" in iptables-nft which causes rule creation in the most
compatible form. This might impact run-time performance but is much
simpler to implement and maintain.

Cheers, Phil
