From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Andreas Schultz <aschultz@tpip.net>
Cc: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>,
Netfilter Development Mailing list
<netfilter-devel@vger.kernel.org>
Subject: Re: nft compat layer
Date: Tue, 19 Jan 2016 20:04:56 +0100 [thread overview]
Message-ID: <20160119190456.GA24910@salvia> (raw)
In-Reply-To: <569CA968.9010702@tpip.net>
Hi Andreas,
On Mon, Jan 18, 2016 at 09:59:20AM +0100, Andreas Schultz wrote:
> Hi Arturo,
>
> On 01/15/2016 09:06 PM, Arturo Borrero Gonzalez wrote:
> >Hi,
> >
> >I'm giving a spin to the nft compat layer, since it can be of certain
> >importance for distributions.
> >
> >I just want to be clear on what I recommends to end users about
> >migrating from iptables (and friends) to nftables.
> >
> >Could you please remind me in which state was the discussion about
> >that patch to show x_tables extensions in nftables rulesets [0]?
> >I remember Patrick mentioned several concerns back then about this approach.
>
> I have an updated version of this patch and also fixed some of
> the problems I encountered along the way (see attached patches).
> The nft patch is based on nftables-0.5 and the kernel change
> should apply cleanly to linux-4.4.
Thanks for posting your patches.
> With the update patch I can load a fairly complex iptables
> firewall with iptables-compat, dump it with nft and reload
> the dump with nft.
BTW, looking at the kernel patches, my first question is why you
disable the chain/table validation code? Do you remember what problem
you found in it?
> diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
> index 87907d4..2f8f76c 100644
> --- a/net/ipv4/netfilter/ipt_REJECT.c
> +++ b/net/ipv4/netfilter/ipt_REJECT.c
> @@ -76,6 +76,8 @@ static int reject_tg_check(const struct xt_tgchk_param *par)
> if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
> pr_info("ECHOREPLY no longer supported.\n");
> return -EINVAL;
> + } else if (par->nft_compat) {
> + return 0;
The ipt_entry is emulated from the compat layer, do you remember what
command needs this?
Same thing in SYNPROXY and the one for the x_tables code.
If you can provide a way to reproduce the problem, I would like to
resolve the issues in master, if any.
Thanks.
next prev parent reply other threads:[~2016-01-19 19:05 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-15 20:06 nft compat layer Arturo Borrero Gonzalez
2016-01-16 20:11 ` Patrick McHardy
2016-01-18 8:59 ` Andreas Schultz
2016-01-18 10:25 ` Arturo Borrero Gonzalez
2016-01-19 19:04 ` Pablo Neira Ayuso [this message]
2016-01-20 14:47 ` Andreas Schultz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160119190456.GA24910@salvia \
--to=pablo@netfilter.org \
--cc=arturo.borrero.glez@gmail.com \
--cc=aschultz@tpip.net \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.