Joshua Lant <joshualant@xxxxxxxxxxxxxx> wrote: > > Why are you interested in getting iptables to work? > > > > It would be better to ensure that nftables is working properly; unlike > > with xtables the kernel representation is hidden from userspace. > > Sorry I should have been clear initially, I am trying to compile using nftables. No, I was talking about: https://git.netfilter.org/nftables/ which doesn't use any of the old xtables structures and is not supposed to have any 'binary blobs' passed between kernel and userland. iptables-nft still uses some parts of xtables, most of the matches and targets are handled this way, and binary blob is passed to kernel via netlink. See net/netfilter/nft_compat.c Admittingly, its less bad than the get/setsockopt format, but you've already encountered things like include/uapi/linux/netfilter/xt_TEE.h As for a way foward, there are several options: 1. "unsupported, use native nft binary" 2. what you did: force pointers to be sizeof(unsigned long), they aren't used by userland, they are placeholders for kernel only 3. Once https://patchwork.ozlabs.org/project/netfilter-devel/patch/20240731222703.22741-8-phil@xxxxxx/ discussion is resolved, aggressively convert itpables-nft to prefer native nft expressions instead of the nft_compat proxy. 3) is definitely a lot more work than 2). Furthermore iptables-nft cannot be made a full nft client because iptables syntax lacks aequivalents for native nft constructs like jump maps or sets, so users cannot mix nft and iptables-nft anyway. Personally I think it would be better to let iptables move to maintenance only mode and let it die rather than continue to spending time on it, but this is the minority opinion so far.
