[iptables PATCH v2 0/4] Implement a best-effort forward compat solution

Initial attempts at keeping a compatible version of each rule in the
kernel for being dumped, so that any old user space will be able to parse it
despite whatever conversions to native expressions have taken place, have
failed: The dump-only bytecode may contain a lookup expression,
therefore requires updating and an extra set and so on. This will be a
nightmare to maintain in kernel. Any alternative to this is not
transparent to old user space, which can't be touched in a scenario where
$RANDOM old container has to parse the host's ruleset.

Instead of the above, follow a much simpler route by implementing a
compat-mode into current *tables-nft which avoids any of the later
internal changes which may prevent an old iptables-nft from parsing a
kernel's rule correctly. An up to date host expecting outdated
containers accessing its ruleset may create it in a compatible form,
trading potential performance regressions in for compatibility.

Patch 1 is just prep work, patch 2 adds the core logic, patch 3 exposes
it to CLI and patch 4 finally adds some testing.

This should resolve nfbz#1632[1], albeit requiring adjustments in how
users call iptables.

[1] https://bugzilla.netfilter.org/show_bug.cgi?id=1632

Changes since v1:
- Rebase to current HEAD
- Add missing parser and man page adjustments in patch 3

Phil Sutter (4):
  nft: Pass nft_handle to add_{target,action}()
  nft: Introduce and use bool nft_handle::compat
  Add --compat option to *tables-nft and *-nft-restore commands
  tests: Test compat mode

 iptables-test.py                              | 19 ++++--
 iptables/arptables-nft-restore.8              | 15 +++--
 iptables/arptables-nft.8                      |  8 +++
 iptables/ebtables-nft.8                       |  6 ++
 iptables/iptables-restore.8.in                | 11 +++-
 iptables/iptables.8.in                        |  7 +++
 iptables/nft-arp.c                            |  2 +-
 iptables/nft-bridge.c                         |  9 +--
 iptables/nft-ipv4.c                           |  2 +-
 iptables/nft-ipv6.c                           |  2 +-
 iptables/nft-shared.c                         |  2 +-
 iptables/nft.c                                | 19 +++---
 iptables/nft.h                                |  7 ++-
 .../testcases/nft-only/0011-compat-mode_0     | 63 +++++++++++++++++++
 iptables/xshared.c                            |  7 ++-
 iptables/xshared.h                            |  1 +
 iptables/xtables-arp.c                        |  1 +
 iptables/xtables-eb.c                         |  7 ++-
 iptables/xtables-restore.c                    | 43 +++++++++++--
 iptables/xtables.c                            |  2 +
 20 files changed, 198 insertions(+), 35 deletions(-)
 create mode 100755 iptables/tests/shell/testcases/nft-only/0011-compat-mode_0

-- 
2.40.0
