Re: RFD - Exposing netfilter types?

[Ian Pilcher <arequipeno@gmail.com>]

On 12/15/25 3:43 PM, Florian Westphal wrote:
> Ian Pilcher <arequipeno@gmail.com> wrote:
>> Recently, I asked what I thought would be a simple question.  How should
>> Presumably, this is why the NFTA_SET_KEY_TYPE values that correspond to
>> simple types aren't in any public header.  Instead, those values, along
>> with all of the logic associated with complex types seem to exist solely
>> within the nftables user-space utility (nft).
> 
> Yes.  Note that the type info is only used for formatting the data.
> Its not used by the kernel and its not relevant for matching.

Yup.  I understand that this is totally a user-space/informational
thing.

>> Is there any reason that the type-related stuff that's currently in nft
>> shouldn't be broken out into a separate library that other applications
>> could also use?
> 
> Whats the use case?

My immediate use case is really simple.  I just want to verify that a
set (identified type table & name) holds either IPv4 or IPv6 addresses.
Obviously, there's no need for a library for this, as I only need the
values of TYPE_IPADDR and TYPE_IP6ADDR.

For more complicated uses, it actually looks like libnftables can be
used.  (I was not aware that the nftables package actually includes a
shared library until I stumbled on it just now.)  I will say that it
might be nice to have an API that doesn't require using the JSON
interface, for programs that are using the netlink inteface more
directly (e.g. via libnftnl).

Overall, however, it looks like libnftables basically addresses the use
cases that I was thinking of.

Thanks!

-- 
========================================================================
If your user interface is intuitive in retrospect ... it isn't intuitive
========================================================================