From: Jeremy Sowden <jeremy@azazel.net>
To: Phil Sutter <phil@nwl.cc>
Cc: Florian Westphal <fw@strlen.de>,
	Netfilter Devel <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH iptables v2 0/8] extensions: libxt_NFLOG: use nft back-end for iptables-nft
Date: Mon, 17 Jan 2022 21:54:52 +0000
Message-ID: <YeXlrL3v0CQJbxwD@azazel.net>
In-Reply-To: <YeVHs4oOQki9FIgj@orbyte.nwl.cc>


On 2022-01-17, at 11:40:51 +0100, Phil Sutter wrote:
> On Sun, Jan 16, 2022 at 08:08:15PM +0100, Florian Westphal wrote:
> > Jeremy Sowden <jeremy@azazel.net> wrote:
> > > On 2021-10-01, at 18:41:34 +0100, Jeremy Sowden wrote:
> > > > nftables supports 128-character prefixes for nflog whereas
> > > > legacy iptables only supports 64 characters.  This patch series
> > > > converts iptables-nft to use the nft back-end in order to take
> > > > advantage of the longer prefixes.
> > > >
> > > >   * Patches 1-5 implement the conversion and update some related
> > > >     Python unit-tests.
> > > >   * Patch 6 fixes a minor bug in the output of nflog prefixes.
> > > >   * Patch 7 contains a couple of libtool updates.
> > > >   * Patch 8 fixes some typos.
> > >
> > > I note that Florian merged the first patch in this series
> > > recently.
> >
> > Yes, because it was a cleanup not directly related to the rest.
> > I've now applied the last patch as well for the same reason.

Thanks for that.

> > > Feedback on the rest of it would be much appreciated.
> >
> > The patches look ok to me BUT there is the political issue that we
> > will now divert, afaict this means that you can now create
> > iptables-nft rulesets that won't ever work in iptables-legacy.
> >
> > IMO it's ok and preferable to extending xt_(NF)LOG with a new
> > revision,

Indeed.  The original proposal from Cloudflare was to extend xt_NFLOG,
but Pablo requested that iptables-nft be modified instead.  Hence this
series.

> > but it does set some precedence, so I'm leaning towards just
> > applying the rest too.
> >
> > Pablo, Phil, others -- what is your take?
>
> I think the change is OK if existing rulesets will continue to work
> just as before and remain compatible with legacy. IMHO, new rulesets
> created using iptables-nft may become incompatible if users explicitly
> ask for it (e.g. by specifying an exceedingly long log prefix).
>
> What about --nflog-range? This series seems to drop support for it, at
> least in the sense that ruleset dumps won't contain the option. In
> theory, users could depend on identifying a specific rule via nflog
> range value.

Fair enough.  I'll add a check so that nft is not used for targets that
specify `--nflog-range`.

J.
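The back-end choice agreed in this exchange, written out as an added illustrative model (not iptables or libxt_NFLOG code): a target that specifies `--nflog-range` stays on the xt_NFLOG target so it remains representable in legacy, everything else goes to the nft log expression, and prefix length is checked against the 64-character xt_NFLOG and 128-character nft limits quoted in the thread. The `NflogTarget` fields, `choose_backend`, `render` and `legacy_compatible` are assumed names for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Limits quoted in the thread: legacy iptables/xt_NFLOG vs. nftables log.
XT_NFLOG_PREFIX_MAX = 64
NFT_LOG_PREFIX_MAX = 128


@dataclass
class NflogTarget:
    """Options of one -j NFLOG target (assumed model, not the xt struct)."""
    group: int = 0
    prefix: str = ""
    range: Optional[int] = None       # --nflog-range: no nft equivalent here
    threshold: Optional[int] = None   # --nflog-threshold


def choose_backend(t: NflogTarget) -> str:
    """'xt_NFLOG' when --nflog-range is given (the check Jeremy agreed to
    add), otherwise the nft log expression."""
    return "xt_NFLOG" if t.range is not None else "nft"


def legacy_compatible(t: NflogTarget) -> bool:
    """Could iptables-legacy load an equivalent rule? Only if the prefix
    fits the xt_NFLOG limit; long prefixes are the nft-only feature."""
    return len(t.prefix) <= XT_NFLOG_PREFIX_MAX


def render(t: NflogTarget) -> str:
    """Render the target in the chosen back-end's syntax, rejecting a
    prefix that exceeds that back-end's limit."""
    backend = choose_backend(t)
    limit = XT_NFLOG_PREFIX_MAX if backend == "xt_NFLOG" else NFT_LOG_PREFIX_MAX
    if len(t.prefix) > limit:
        raise ValueError(f"prefix too long for {backend}: {len(t.prefix)} > {limit}")
    if backend == "xt_NFLOG":
        parts = [f"-j NFLOG --nflog-group {t.group}"]
        if t.prefix:
            parts.append(f'--nflog-prefix "{t.prefix}"')
        parts.append(f"--nflog-range {t.range}")
        if t.threshold is not None:
            parts.append(f"--nflog-threshold {t.threshold}")
        return " ".join(parts)
    parts = ["log"]
    if t.prefix:
        parts.append(f'prefix "{t.prefix}"')
    parts.append(f"group {t.group}")
    if t.threshold is not None:
        parts.append(f"queue-threshold {t.threshold}")
    return " ".join(parts)
```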
