On Thu, Feb 22, 2024 at 11:49:32AM +0000, Ignat Korchagin wrote:
> Hi Pablo,
>
> On Thu, Feb 22, 2024 at 10:52 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >
> > Hi Ignat,
> >
> > On Thu, Feb 22, 2024 at 10:33:08AM +0000, Ignat Korchagin wrote:
> > > Commit d0009effa886 ("netfilter: nf_tables: validate NFPROTO_* family") added
> > > some validation of NFPROTO_* families in the nft_compat module, but it broke
> > > the ability to use legacy iptables modules in dual-stack nftables.
> > >
> > > While with legacy iptables one had to independently manage IPv4 and IPv6
> > > tables, with nftables it is possible to have dual-stack tables sharing the
> > > rules. Moreover, it was possible to use rules based on legacy iptables
> > > match/target modules in dual-stack nftables.
> > >
> > > As an example, the program from [2] creates an INET dual-stack family table
> > > using an xt_bpf based rule, which looks like the following (the actual output
> > > was generated with a patched nft tool as the current nft tool does not parse
> > > dual stack tables with legacy match rules, so consider it for illustrative
> > > purposes only):
> > >
> > > table inet testfw {
> > > chain input {
> > > type filter hook prerouting priority filter; policy accept;
> > > bytecode counter packets 0 bytes 0 accept
> > > }
> > > }
> >
> > This nft command does not exist in tree, this does not restores fine
> > with nft -f. It provides a misleading hint to the reader.
>
> I tried to clarify above that this is for illustrative purposes only -
> just to give context about what we are trying to do, but do let me
> know if you prefer a v4 with this completely removed.
Thanks for clarifying.
> > I am fine with restoring this because you use it, but you have to find
> > a better interface than using nft_compat to achieve this IMO.
>
> We're actually looking to restore the effort in [1] so some support
> would be appreciated.
>
> > The upstream consensus this far is not to expose nft_compat features
> > through userspace nft. But as said, I understand and I am fine with
> > restoring kernel behaviour so you can keep going with your out-of-tree
> > patch.
>
> Understood. There is no expectation from us that upstream userspace
> nft should natively support this (as it didn't before d0009effa886),
> but we can send the patch if consensus changes.
Thanks for explaining.
