On Thu 14/Nov/2019 04:12:46 +0100 Florian Westphal wrote:
> Alessandro Vesely <vesely@xxxxxxx> wrote:
>> [...]
>> There is a user space filter reading queued packets and issuing verdicts. It is linked to libnetfilter_queue, libnfnetlink and libmnl.
>> Does automatic translation work fine in this case?
>
> It has nothing to do with translation, userspace doesn't care, it's the
> same interface.

So it shouldn't even be needed to maintain alternatives like Debian does, e.g.:

    # update-alternatives --set iptables /usr/sbin/iptables-nft
vs
    # update-alternatives --set iptables /usr/sbin/iptables-legacy

>> Do I have (better) to relink, recompile, and/or rewrite the user space packet filter in order to use nftable? How simple is that?
>
> No relink/rewrite needed, userspace can't tell if queueing came via
> -j NFQUEUE or nftables' queue, it's the same kernel facility (nfnetlink_queue).
>

Thank you for the reassurance

Best
Ale