From: Florian Westphal <fw@strlen.de>
To: Alessandro Vesely <vesely@tana.it>
Cc: netfilter <netfilter@vger.kernel.org>
Subject: Re: Upgrading libnetfilter_queue to use nftables
Date: Thu, 14 Nov 2019 04:12:46 +0100
Message-ID: <20191114031246.GI19558@breakpoint.cc>
In-Reply-To: <28ab2afb-a16a-14ae-e511-aa4e641c1f24@tana.it>

Alessandro Vesely <vesely@tana.it> wrote:
> I'm using Debian 9 (stretch) and saw that the current version (Debian 10, buster) transparently installs nftables instead of iptables, offering to switch back by setting alternatives.
> I'm worried how smoothly an upgrade would go.  I have calls similar to these:
> 
> iptables -A INPUT -j NFQUEUE
>
> or
> 
> iptables -t raw -A OUTPUT -p tcp ! --syn -j NFQUEUE --queue-num 2
> iptables -A OUTPUT -p tcp ! --syn -m mark --mark 4 -j REJECT --reject-with tcp-reset
> 
> There is a user space filter reading queued packets and issuing verdicts.  It is linked to libnetfilter_queue, libnfnetlink and libmnl.
> Does automatic translation work fine in this case?

It has nothing to do with translation, userspace doesn't care, it's the
same interface.

> Do I have (better) to relink, recompile, and/or rewrite the user space packet filter in order to use nftables?  How simple is that?

No relink/rewrite needed, userspace can't tell if queueing came via
-j NFQUEUE or nftables' queue, it's the same kernel facility (nfnetlink_queue).
