Re: [PATCH nft v2 3/3] src: add xt compat support

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org, arturo.borrero.glez@gmail.com
Subject: Re: [PATCH nft v2 3/3] src: add xt compat support
Date: Fri, 10 Apr 2015 00:33:56 +0200	[thread overview]
Message-ID: <20150409223356.GA3108@salvia> (raw)
In-Reply-To: <20150409203616.GA27610@acer.localdomain>

On Thu, Apr 09, 2015 at 09:36:17PM +0100, Patrick McHardy wrote:
> On 09.04, Pablo Neira Ayuso wrote:
> > At compilation time, you have to pass this option.
> > 
> >   # ./configure --with-xtables
> > 
> > And libxtables needs to be installed in your system.
> > 
> > This patch allows you to use xt extensions from nft, eg.
> > 
> >   # nft add rule filter output \
> >         tcp flags syn xt target TCPMSS [ --clamp-mss-to-pmtu ]
> > 
> > This feature requires that libxtables is installed in your system.
> > 
> > This provides access to all existing xt modules from nft. Users can
> > meanwhile use xt extension until we can provide native expressions.
> > 
> > You can build this optionally, if disabled it displays an error:
> > 
> >   # nft add rule filter output tcp flags syn xt target TCPMSS [ --clamp-mss-to-pmtu ]
> >   <cmdline>:1:38-77: Error: this build does not support xtables
> >   add rule filter output tcp flags syn xt target TCPMSS [ --clamp-mss-to-pmtu ]
> >                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > 
> > so you know your build doesn't support this.
> 
> Before review this patch, my main question is - are we sure we want to do
> this? How will this affect our plans to get rid of the iptables code
> at some point in the future? Arguably its a compatibility question, if we
> support this in nft people will use it and we can't simply remove it.

Good question.

I think we'll have to live with both codebases for quite a while
anyway, unfortunately we cannot skip that.

I think this code provides a way for users to easily migrate from
iptables to nftables.

They will only need to:

        iptables-compat-restore < ipt-ruleset.file

then, switch to nft and type:

        nft list ruleset > nft-ruleset.file

and start to replacing to native expressions progressively.

We also have a prototype translation layer (see xlate in the iptables
tree), that will provide an automatic translation whenever possible.

The idea is that they will periodically run something like:

        nft --migrate nft-ruleset.file

that will detect xt statements and will translate them to native
expressions whenever possible.

I think we have to ease adoption through these facilities, and new
nice features, of course.

next prev parent reply	other threads:[~2015-04-09 22:29 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-04-09 16:55 [PATCH nft v2 1/3] include: cache ip_tables.h, ip6_tables.h, arp_tables.h and ebtables.h Pablo Neira Ayuso
2015-04-09 16:55 ` [PATCH nft v2 2/3] src: expose delinearize/linearize structures and stmt_error() Pablo Neira Ayuso
2015-04-09 16:55 ` [PATCH nft v2 3/3] src: add xt compat support Pablo Neira Ayuso
2015-04-09 20:36   ` Patrick McHardy
2015-04-09 20:51     ` Florian Westphal
2015-04-09 22:34       ` Pablo Neira Ayuso
2015-04-09 22:36         ` Florian Westphal
2015-04-09 22:56           ` Pablo Neira Ayuso
2015-04-09 23:23             ` Patrick McHardy
2015-04-09 23:40               ` Pablo Neira Ayuso
2015-04-09 23:45                 ` Patrick McHardy
2015-04-09 23:59                   ` Pablo Neira Ayuso
2015-04-10  0:05                     ` Patrick McHardy
2015-04-10  0:26                       ` Pablo Neira Ayuso
2015-04-10  0:33                         ` Patrick McHardy
2015-04-09 23:22           ` Patrick McHardy
2015-04-09 23:21         ` Patrick McHardy
2015-04-09 23:44           ` Pablo Neira Ayuso
2015-04-09 23:48             ` Patrick McHardy
2015-04-10  0:07               ` Pablo Neira Ayuso
2015-04-10  0:11                 ` Patrick McHardy
2015-04-10  0:36                   ` Pablo Neira Ayuso
2015-04-10  0:36                     ` Patrick McHardy
2015-04-10  1:00                       ` Pablo Neira Ayuso
2015-04-09 22:33     ` Pablo Neira Ayuso [this message]
2015-04-09 23:18       ` Patrick McHardy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150409223356.GA3108@salvia \
    --to=pablo@netfilter.org \
    --cc=arturo.borrero.glez@gmail.com \
    --cc=kaber@trash.net \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.