On Thu, Aug 10, 2023 at 08:54:48PM +0200, Phil Sutter wrote:
> Initial attempts of keeping a compatible version of each rule in the
> kernel for being dumped so any old user space will be able to parse it
> despite what conversions to native expressions have taken place have
> failed: The dump-only bytecode may contain a lookup expression,
> therefore requires updating and an extra set and so on. This will be a
> nightmare to maintain in kernel. Any alternative to this is not
> transparent to old user space which can't be touched in a scenario of
> $RANDOM old container has to parse the host's ruleset.
>
> Instead of the above, follow a much simpler route by implementing a
> compat-mode into current *tables-nft which avoids any of the later
> internal changes which may prevent an old iptables-nft from parsing a
> kernel's rule correctly. An up-to-date host expecting outdated
> containers accessing its ruleset may create it in a compatible form,
> trading potential performance regressions in for compatibility.
>
> Patch 1 is just prep work, patch 2 adds the core logic, patch 3 exposes
> it to CLI and patch 4 finally adds some testing.
>
> This should resolve nfbz#1632[1], albeit requiring adjustments in how
> users call iptables.
>
> [1] https://bugzilla.netfilter.org/show_bug.cgi?id=1632
>
> Changes since v1:
> - Rebase to current HEAD
> - Add missing parser and man page adjustments in patch 3
>
> Phil Sutter (4):
>   nft: Pass nft_handle to add_{target,action}()
>   nft: Introduce and use bool nft_handle::compat
>   Add --compat option to *tables-nft and *-nft-restore commands
>   tests: Test compat mode

Series applied.