On Tue, Feb 20, 2024 at 02:55:09PM +0000, Ignat Korchagin wrote:
> Commit d0009effa886 ("netfilter: nf_tables: validate NFPROTO_* family") added
> some validation of NFPROTO_* families in the nft_compat module, but it broke
> the ability to use legacy iptables modules in dual-stack nftables.
>
> While with legacy iptables one had to independently manage IPv4 and IPv6 tables,
> with nftables it is possible to have dual-stack tables sharing the rules.
> Moreover, it was possible to use rules based on legacy iptables match/target
> modules in dual-stack nftables. Consider the following program:
>
> ```
>
> /* #define TBL_FAMILY NFPROTO_IPV4 */
>
> /*
>  * creates something like below
>  * table inet testfw {
>  *   chain input {
>  *     type filter hook prerouting priority filter; policy accept;
>  *     bytecode counter packets 0 bytes 0 accept

Upstream nft does not provide this. Please clarify that this is the output with the out-of-tree patch.

>  *   }
>  * }
>  *
>  * compile:
>  *   cc -o nftbpf nftbpf.c -lnftnl -lmnl
>  */
> int main(void)

Please, no program in the commit description, it makes it too long; I am not sure this is the good place to store this.

> ```
>
> Above creates an INET dual-stack family table using xt_bpf based rule. After
> d0009effa886 ("netfilter: nf_tables: validate NFPROTO_* family") we get
> EOPNOTSUPP for the above configuration.
>
> Fix this by allowing NFPROTO_INET for nft_(match/target)_validate(), but also
> restrict the functions to classic iptables hooks.
>
> Changes in v2:
> * restrict nft_(match/target)_validate() to classic iptables hooks
> * rewrite example program to use unmodified libnftnl

Thanks! Please send a v3 with updates.
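An added user-space model of the validation change the commit message describes, not the kernel's nft_compat code or the patch under review: the "before" function rejects NFPROTO_INET outright with EOPNOTSUPP, the "after" function accepts it but only when every hook the chain is bound to is one of the five classic iptables hooks, so an inet chain on the ingress hook is still refused. The accepted-family list, the hook-mask interface and the local constant definitions are assumptions of this model.

```c
#include <errno.h>
#include <stdint.h>

/* Constants mirror the Linux uapi values (linux/netfilter.h); they are
 * redefined here so the model builds without kernel headers. */
enum { NFPROTO_INET = 1, NFPROTO_IPV4 = 2, NFPROTO_ARP = 3,
       NFPROTO_NETDEV = 5, NFPROTO_BRIDGE = 7, NFPROTO_IPV6 = 10 };
enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING, NF_INET_INGRESS };

#define HOOK(h) (1u << (h))
/* The classic iptables hooks; NF_INET_INGRESS is deliberately absent. */
#define CLASSIC_IPT_HOOKS (HOOK(NF_INET_PRE_ROUTING) | HOOK(NF_INET_LOCAL_IN) | \
                           HOOK(NF_INET_FORWARD) | HOOK(NF_INET_LOCAL_OUT) | \
                           HOOK(NF_INET_POST_ROUTING))

/* Model of the behaviour after d0009effa886 as the commit message reports it:
 * an xt match/target in an inet table is rejected with -EOPNOTSUPP
 * (assumed family set for this model). */
int xt_validate_before(uint8_t family, uint32_t hook_mask)
{
	(void)hook_mask;
	switch (family) {
	case NFPROTO_IPV4: case NFPROTO_IPV6:
	case NFPROTO_BRIDGE: case NFPROTO_ARP:
		return 0;
	default:
		return -EOPNOTSUPP;
	}
}

/* Model of the proposed fix: NFPROTO_INET is accepted, but the chain's hook
 * mask must lie entirely within the classic iptables hooks. */
int xt_validate_after(uint8_t family, uint32_t hook_mask)
{
	switch (family) {
	case NFPROTO_IPV4: case NFPROTO_IPV6: case NFPROTO_INET:
	case NFPROTO_BRIDGE: case NFPROTO_ARP:
		break;
	default:
		return -EOPNOTSUPP;
	}
	if (hook_mask & ~CLASSIC_IPT_HOOKS)
		return -EOPNOTSUPP;	/* e.g. inet chain on the ingress hook */
	return 0;
}
```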