On Mon, Oct 07, 2024 at 11:49:33AM +0200, Florian Westphal wrote:
[...]
> Extend libnftnl to also make an annotation when a known expression has
> an unknown attribute included in the dump, then extend nftables to also
> display this to the user.

We must be careful with this and LIBVERSION updates. I'm looking at
libnftnl-1.2.0 which gained support for NFTA_TABLE_OWNER,
NFTA_SOCKET_LEVEL, etc. but did not update LIBVERSION at all - OK, that's
probably a bug. But there is also libnftnl-1.1.9 with similar additions
(NFTA_{DYNSET,SET,SET_ELEM}_EXPRESSIONS) and a LIBVERSION update in the
compatible range (15:0:4 -> 16:0:5).

We may increase incomplete marker correctness by treating support for any
new attribute as an incompatible update. Given that we often have
dependencies between libnftnl and nftables for other things, it may not
be too much of a downside though.

> Debug output will include the [incomplete] tag for each affected
> expression.

Looking at the impact this series has for such situations, I want to make
the iptables-nft compat extension stuff depend on it for better detection
of incompatible rule content.

Thanks, Phil