On Thu, Feb 22, 2024 at 12:15 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> On Tue, Feb 20, 2024 at 02:55:09PM +0000, Ignat Korchagin wrote:
> > Commit d0009effa886 ("netfilter: nf_tables: validate NFPROTO_* family") added
> > some validation of NFPROTO_* families in the nft_compat module, but it broke
> > the ability to use legacy iptables modules in dual-stack nftables.
> >
> > While with legacy iptables one had to independently manage IPv4 and IPv6 tables,
> > with nftables it is possible to have dual-stack tables sharing the rules.
> > Moreover, it was possible to use rules based on legacy iptables match/target
> > modules in dual-stack nftables. Consider the following program:
> >
> > ```
> >
> > /* #define TBL_FAMILY NFPROTO_IPV4 */
> >
> > /*
> >  * creates something like below
> >  * table inet testfw {
> >  *   chain input {
> >  *     type filter hook prerouting priority filter; policy accept;
> >  *     bytecode counter packets 0 bytes 0 accept
>
> Upstream nft does not provide this. Please clarify that this is the
> output with the out-of-tree patch.
>
> >  *   }
> >  * }
> >  *
> >  * compile:
> >  * cc -o nftbpf nftbpf.c -lnftnl -lmnl
> >  */
> > int main(void)
>
> Please, no program in the commit description; it makes it too long.
> I am not sure this is a good place to store this.

What if I replace the table and chain creation with nft commands and
just leave the code creating the rule? This would make the overall
program shorter, but would still illustrate the example.

> > ```
> >
> > Above creates an INET dual-stack family table using an xt_bpf based rule. After
> > d0009effa886 ("netfilter: nf_tables: validate NFPROTO_* family") we get
> > EOPNOTSUPP for the above configuration.
> >
> > Fix this by allowing NFPROTO_INET for nft_(match/target)_validate(), but also
> > restrict the functions to classic iptables hooks.
> >
> > Changes in v2:
> >   * restrict nft_(match/target)_validate() to classic iptables hooks
> >   * rewrite example program to use unmodified libnftnl
>
> Thanks! Please send a v3 with updates.
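The following is an added, stand-alone model of the family/hook gate the commit message describes; it is not the kernel's nft_match_validate()/nft_target_validate() and not code from the patch or the thread. It encodes only what the thread states: after d0009effa886 a rule using a legacy xt match/target in an inet table is refused with EOPNOTSUPP, and the v2 fix accepts NFPROTO_INET while restricting such rules to the five classic iptables hooks. The struct name, the function names and the assumption that a non-base chain carries an empty hook mask are illustrative choices of this example; the NFPROTO_*/NF_INET_* values mirror include/uapi/linux/netfilter.h.

```c
/*
 * Illustrative model (not kernel code) of the nft_compat family/hook gate
 * discussed in the thread. It reproduces the before/after behaviour the
 * commit message describes so that a reader can see which (family, hook)
 * pairs are rejected with -EOPNOTSUPP. Constant values mirror
 * include/uapi/linux/netfilter.h.
 */
#include <errno.h>
#include <stdio.h>

enum { NFPROTO_INET = 1, NFPROTO_IPV4 = 2, NFPROTO_ARP = 3,
       NFPROTO_NETDEV = 5, NFPROTO_BRIDGE = 7, NFPROTO_IPV6 = 10 };
enum { NF_INET_PRE_ROUTING = 0, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING, NF_INET_INGRESS };

/* The five hooks a classic iptables table can be attached to. */
#define XT_CLASSIC_HOOKS ((1u << NF_INET_PRE_ROUTING) | \
                          (1u << NF_INET_LOCAL_IN)    | \
                          (1u << NF_INET_FORWARD)     | \
                          (1u << NF_INET_LOCAL_OUT)   | \
                          (1u << NF_INET_POST_ROUTING))

/* Hypothetical stand-in for the context the validators inspect. */
struct xt_rule_ctx {
    int family;              /* NFPROTO_* of the table */
    unsigned int hook_mask;  /* 1 << NF_INET_* for a base chain; 0 for a
                                regular chain (assumption of this model) */
};

/* Behaviour after d0009effa886 and before the fix: NFPROTO_INET is not in
 * the accepted list, so any xt-based rule in a dual-stack table fails. */
int xt_validate_before_fix(const struct xt_rule_ctx *ctx)
{
    if (ctx->family != NFPROTO_IPV4 &&
        ctx->family != NFPROTO_IPV6 &&
        ctx->family != NFPROTO_BRIDGE &&
        ctx->family != NFPROTO_ARP)
        return -EOPNOTSUPP;
    return 0;
}

/* Behaviour the v2 patch describes: NFPROTO_INET is accepted, but the rule
 * may only live on a chain attached to one of the classic iptables hooks. */
int xt_validate_after_fix(const struct xt_rule_ctx *ctx)
{
    if (ctx->family != NFPROTO_IPV4 &&
        ctx->family != NFPROTO_IPV6 &&
        ctx->family != NFPROTO_INET &&
        ctx->family != NFPROTO_BRIDGE &&
        ctx->family != NFPROTO_ARP)
        return -EOPNOTSUPP;

    /* A base chain on a non-classic hook (e.g. inet ingress) is refused;
     * a regular chain has no hook bit set here and passes. */
    if (ctx->hook_mask & ~XT_CLASSIC_HOOKS)
        return -EOPNOTSUPP;
    return 0;
}

int main(void)
{
    /* The thread's configuration: table inet, chain on the prerouting hook. */
    struct xt_rule_ctx inet_prerouting = { NFPROTO_INET, 1u << NF_INET_PRE_ROUTING };
    struct xt_rule_ctx inet_ingress    = { NFPROTO_INET, 1u << NF_INET_INGRESS };
    struct xt_rule_ctx netdev_ingress  = { NFPROTO_NETDEV, 1u << NF_INET_INGRESS };

    printf("inet/prerouting before fix: %d\n", xt_validate_before_fix(&inet_prerouting));
    printf("inet/prerouting after fix:  %d\n", xt_validate_after_fix(&inet_prerouting));
    printf("inet/ingress after fix:     %d\n", xt_validate_after_fix(&inet_ingress));
    printf("netdev/ingress after fix:   %d\n", xt_validate_after_fix(&netdev_ingress));
    return 0;
}
```

Compile with `cc -o xt_gate xt_gate.c` and run; the first line prints a negative EOPNOTSUPP, the second prints 0, and the last two print EOPNOTSUPP again, which is the before/after contrast the commit message describes for the inet family and the reason v2 adds the hook restriction alongside the family change.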