From: Phil Sutter <phil@nwl.cc>
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Jan Engelhardt <jengelh@inai.de>
Subject: Re: [iptables PATCH v2 0/8] nft: Implement forward compat for future binaries
Date: Thu, 10 Apr 2025 18:47:44 +0200
Message-ID: <Z_f2MOsvmG_eKF-S@orbyte.nwl.cc>
In-Reply-To: <20241009114819.15379-1-phil@nwl.cc>

On Wed, Oct 09, 2024 at 01:48:11PM +0200, Phil Sutter wrote:
> Changes since v1:
> - Split the parser into a separate patch for easier backporting by
>   distributions.
> - Make the writer opt-in, allow users to force the parser fallback at
>   run-time.
> - Document the feature in man pages.
> 
> Time to abandon earlier attempts at providing compatibility for old
> binaries, choose the next best option which is not relying upon any
> kernel changes.
> 
> Basically, all extensions replaced by native bytecode are appended to
> rule userdata so when nftnl rule parsing code fails, it may retry
> omitting all these expressions and restoring an extension from userdata
> instead.
> 
> The idea behind this is that extensions are stable which relieves native
> bytecode from being the same. With this series in place, one may
> (re-)start converting extensions into native nftables bytecode again.
> 
> Appending rule userdata upon creation is inactive by default and enabled
> via --compat option or XTABLES_COMPAT env variable. The parser will fall
> back to userdata automatically if present and parsing fails.
> 
> Patches 1-3 are preparation. Patches 4 and 5 implement the parser side,
> patches 6 and 7 implement the writer and patch 8 finally extends
> iptables-test.py to cover the new code.
> 
> Phil Sutter (8):
>   nft: Make add_log() static
>   nft: ruleparse: Introduce nft_parse_rule_expr()
>   nft: __add_{match,target}() can't fail
>   nft: Introduce UDATA_TYPE_COMPAT_EXT
>   nft-ruleparse: Fallback to compat expressions in userdata
>   nft: Pass nft_handle into add_{action,match}()
>   nft: Embed compat extensions in rule userdata
>   tests: iptables-test: Add nft-compat variant

Series applied.
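
A simplified model of the parser fallback described in the quoted cover letter, added here as an example; it is not code from the iptables series. The structures, the `from_ext` marker, the `futurexpr` expression name and the `parse_rule()` helper are all hypothetical, since the message does not show the real userdata layout.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical rule model; not the iptables or libnftnl structures. */
struct expr { const char *name; int from_ext; /* assumed marker: replaced an extension */ };
struct rule {
    struct expr exprs[4];
    int n_exprs;
    const char *compat_ext[2];  /* extensions the writer saved in userdata */
    int n_compat;
};
/* Constructed samples: "futurexpr" stands for bytecode an old binary lacks. */
const struct rule with_compat = {
    { {"futurexpr", 1}, {"cmp", 1}, {"counter", 0}, {"immediate", 0} }, 4, {"tcp"}, 1 };
const struct rule without_compat = {
    { {"futurexpr", 1}, {"cmp", 1}, {"counter", 0}, {"immediate", 0} }, 4, {0}, 0 };

static int known(const char *name)  /* what the old parser understands */
{
    static const char *const k[] = { "meta", "cmp", "counter", "immediate" };
    for (size_t i = 0; i < sizeof(k) / sizeof(k[0]); i++)
        if (!strcmp(k[i], name))
            return 1;
    return 0;
}

/* One pass; use_compat skips replaced expressions and restores saved extensions. */
static int parse_pass(const struct rule *r, int use_compat, char *out, size_t len)
{
    out[0] = '\0';
    for (int i = 0; i < r->n_exprs; i++) {
        if (use_compat && r->exprs[i].from_ext)
            continue;
        if (!known(r->exprs[i].name))
            return -1;
        snprintf(out + strlen(out), len - strlen(out), "%s ", r->exprs[i].name);
    }
    for (int i = 0; use_compat && i < r->n_compat; i++)
        snprintf(out + strlen(out), len - strlen(out), "ext:%s ", r->compat_ext[i]);
    return 0;
}

/* 0: native parse, 1: fell back to userdata, -1: rule cannot be parsed. */
int parse_rule(const struct rule *r, char *out, size_t len)
{
    if (parse_pass(r, 0, out, len) == 0)
        return 0;
    return (r->n_compat > 0 && parse_pass(r, 1, out, len) == 0) ? 1 : -1;
}
```

In this model, a rule written without the compat userdata stays unparseable for the old binary, which is the case the opt-in writer leaves open.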
