Re: let nftables indicate incomplete dissections

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Phil Sutter <phil@nwl.cc>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: let nftables indicate incomplete dissections
Date: Wed, 12 Jun 2024 15:02:38 +0200	[thread overview]
Message-ID: <ZmmcbldzDBlnFhzL@orbyte.nwl.cc> (raw)
In-Reply-To: <20240612075013.GA13354@breakpoint.cc>

Hi!

On Wed, Jun 12, 2024 at 09:50:13AM +0200, Florian Westphal wrote:
> "nft list ruleset" currently omits things it does not understand
> and that it cannot represent in any other way.
> 
> This includes:
> 1. expression is unknown
> 2. expression is known (e.g. "cmp"), but attr contains unexpected value
> 3. expression is known but there is an unknown netlink attr contained in
> the dump
> 
> If backend (libnftl) could mark expressions as incomplete (from .parse
> callbacks?), it would be then possible for the frontend (nft) to document
> this, e.g. by adding something like "# unknown attributes", or similar.
> 
> This is mainly needed for container environments, where host environment
> might be using a lot older version than what is used by a specific
> container image.

ACK, we'll certainly end up in a similar situation as with iptables-nft
so doing nothing is not an option.

> Related problem: entity that is using the raw netlink interface, it
> that case libnftnl might be able to parse everything but nft could
> lack the ability to properly print this.
> 
> If noone has any objections, I would place this on my todo list and
> start with adding to libnftnl the needed "expression is incomplete"
> marking by extending the .parse callbacks.

The JSON interface prefixes dumps by a metainfo object which holds nft
version number and a schema version (still "1"). Introducing a similar
"bytecode versioning" cached in and dumped by kernel space might be a
quick way to enable a current nft tool to detect a bytecode from the
future, assuming that we'll also take care and increment that version
when things change. 

OTOH, considering compatibility (or testing for it somehow) of a given
bytecode change may be much more tedious than a practical approach of
trying to parse and using a defined exit when failing.

Cheers, Phil

next prev parent reply	other threads:[~2024-06-12 13:02 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-06-12  7:50 let nftables indicate incomplete dissections Florian Westphal
2024-06-12 13:02 ` Phil Sutter [this message]
2024-06-18  8:11 ` Pablo Neira Ayuso
2024-06-18  9:31   ` Florian Westphal
2024-06-24 18:14     ` Pablo Neira Ayuso
2024-06-24 21:24       ` Florian Westphal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZmmcbldzDBlnFhzL@orbyte.nwl.cc \
    --to=phil@nwl.cc \
    --cc=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.