[iptables PATCH v2 0/8] nft: Implement forward compat for future binaries

Changes since v1:
- Split the parser into a separate patch for easier backporting by
  distributions.
- Make the writer opt-in, allow users to force the parser fallback at
  run-time.
- Document the feature in man pages.

Time to abandon earlier attempts at providing compatibility for old
binaries and choose the next best option, which does not rely upon any
kernel changes.

Basically, all extensions replaced by native bytecode are appended to
rule userdata so when nftnl rule parsing code fails, it may retry
omitting all these expressions and restoring an extension from userdata
instead.

The idea behind this is that extensions are stable, which relieves native
bytecode from having to be the same. With this series in place, one may
(re-)start converting extensions into native nftables bytecode again.

Appending rule userdata upon creation is inactive by default and enabled
via --compat option or XTABLES_COMPAT env variable. The parser will fall
back to userdata automatically if present and parsing fails.

Patches 1-3 are preparation. Patches 4 and 5 implement the parser side,
patches 6 and 7 implement the writer and patch 8 finally extends
iptables-test.py to cover the new code.

Phil Sutter (8):
  nft: Make add_log() static
  nft: ruleparse: Introduce nft_parse_rule_expr()
  nft: __add_{match,target}() can't fail
  nft: Introduce UDATA_TYPE_COMPAT_EXT
  nft-ruleparse: Fallback to compat expressions in userdata
  nft: Pass nft_handle into add_{action,match}()
  nft: Embed compat extensions in rule userdata
  tests: iptables-test: Add nft-compat variant

 configure.ac                   |   9 ++
 iptables-test.py               |  14 ++-
 iptables/Makefile.am           |   1 +
 iptables/arptables-nft.8       |  12 ++
 iptables/ebtables-nft.8        |  12 ++
 iptables/iptables-restore.8.in |  12 ++
 iptables/iptables.8.in         |  12 ++
 iptables/nft-arp.c             |   2 +-
 iptables/nft-bridge.c          |   9 +-
 iptables/nft-compat.c          | 222 +++++++++++++++++++++++++++++++++
 iptables/nft-compat.h          |  54 ++++++++
 iptables/nft-ipv4.c            |   2 +-
 iptables/nft-ipv6.c            |   2 +-
 iptables/nft-ruleparse.c       |  90 ++++++++-----
 iptables/nft-ruleparse.h       |   4 +
 iptables/nft.c                 | 111 ++++++++++-------
 iptables/nft.h                 |  24 +++-
 iptables/xshared.c             |   7 ++
 iptables/xshared.h             |   1 +
 iptables/xtables-arp.c         |   1 +
 iptables/xtables-eb.c          |   4 +
 iptables/xtables-nft.8         |  11 ++
 iptables/xtables-restore.c     |  15 ++-
 iptables/xtables.c             |   3 +
 24 files changed, 544 insertions(+), 90 deletions(-)
 create mode 100644 iptables/nft-compat.c
 create mode 100644 iptables/nft-compat.h

-- 
2.43.0
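To make the fallback mechanism described in the cover letter concrete, here is an added toy model of both sides: a writer that emits native expressions and, when compat is requested, also records the extension name in rule userdata, and an "old" parser that restores the extension from that userdata once it meets an expression it does not understand. This is illustration code, not the series' own nft-compat.c; the expression tags, the single-byte TLV layout and the UDATA_COMPAT_EXT value are constructed assumptions (the real series uses libnftnl userdata and its own UDATA_TYPE_COMPAT_EXT), and no kernel interaction is modelled.

```c
/* Added illustration of the userdata fallback; not code from the iptables series. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed expression tags. A "future" binary emits EXPR_FUTURE, which an
 * "old" parser does not know. */
enum expr_tag { EXPR_PAYLOAD = 1, EXPR_CMP = 2, EXPR_FUTURE = 0x7f };

/* Constructed userdata TLV types (assumption; layout differs from libnftnl). */
enum udata_type { UDATA_COMMENT = 0, UDATA_COMPAT_EXT = 1 };

#define UDATA_MAX 128

struct rule {
    uint8_t exprs[16];          /* native "bytecode": one tag per expression */
    size_t nexprs;
    uint8_t udata[UDATA_MAX];   /* rule userdata as a sequence of TLVs */
    size_t ulen;
};

/* Writer: append a {type, len, value} TLV. Returns 0, or -1 if it won't fit. */
int udata_put(struct rule *r, uint8_t type, const void *val, uint8_t len)
{
    if (r->ulen + 2 + (size_t)len > UDATA_MAX)
        return -1;
    r->udata[r->ulen++] = type;
    r->udata[r->ulen++] = len;
    memcpy(r->udata + r->ulen, val, len);
    r->ulen += len;
    return 0;
}

/* Writer: emit native bytecode for an extension; with compat set (modelling
 * --compat / XTABLES_COMPAT) also record the extension name in userdata so an
 * older parser can restore it. Returns 0 on success, -1 on error. */
int rule_add_ext(struct rule *r, const char *ext_name, int compat)
{
    size_t n = strlen(ext_name);
    if (r->nexprs + 2 > sizeof(r->exprs) || n > 255)
        return -1;
    r->exprs[r->nexprs++] = EXPR_PAYLOAD;
    r->exprs[r->nexprs++] = EXPR_FUTURE;     /* expression an old parser lacks */
    if (!compat)
        return 0;
    return udata_put(r, UDATA_COMPAT_EXT, ext_name, (uint8_t)n);
}

/* Parser: walk the TLVs looking for UDATA_COMPAT_EXT and copy its value to out.
 * Returns 1 if found, 0 if absent, -1 on malformed (truncated) userdata. */
int udata_find_compat_ext(const uint8_t *udata, size_t ulen, char *out, size_t outsz)
{
    size_t off = 0;
    while (off + 2 <= ulen) {
        uint8_t type = udata[off], len = udata[off + 1];
        if (off + 2 + (size_t)len > ulen)
            return -1;                        /* length runs past the buffer */
        if (type == UDATA_COMPAT_EXT) {
            if ((size_t)len + 1 > outsz)
                return -1;
            memcpy(out, udata + off + 2, len);
            out[len] = '\0';
            return 1;
        }
        off += 2 + (size_t)len;
    }
    return 0;
}

/* "Old" parser: knows PAYLOAD and CMP only. On an unknown tag the native parse
 * has failed, so it retries from userdata instead of rejecting the rule.
 * Returns 0 (parsed natively), 1 (restored from userdata) or -1 (failed). */
int rule_parse_old(const struct rule *r, char *ext_out, size_t outsz)
{
    for (size_t i = 0; i < r->nexprs; i++) {
        if (r->exprs[i] == EXPR_PAYLOAD || r->exprs[i] == EXPR_CMP)
            continue;
        return udata_find_compat_ext(r->udata, r->ulen, ext_out, outsz) == 1 ? 1 : -1;
    }
    ext_out[0] = '\0';
    return 0;
}

int main(void)
{
    struct rule r = {0};
    char ext[64];
    rule_add_ext(&r, "limit", 1);
    int rc = rule_parse_old(&r, ext, sizeof(ext));
    printf("rc=%d ext=%s\n", rc, ext);      /* rc=1 ext=limit */
    return 0;
}
```

The point the cover letter makes shows up in the three outcomes: a rule made of expressions the parser knows is handled natively and the userdata is never consulted; a rule written with compat enabled is restored from userdata when an unknown expression appears; a rule written without compat fails in the old parser, which is exactly why the writer side is opt-in and the parser side is always present.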