netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Florian Westphal <fw@strlen.de>
To: netfilter-devel@vger.kernel.org
Subject: let nftables indicate incomplete dissections
Date: Wed, 12 Jun 2024 09:50:13 +0200	[thread overview]
Message-ID: <20240612075013.GA13354@breakpoint.cc> (raw)

"nft list ruleset" currently omits things it does not understand
and that it cannot represent in any other way.

This includes:
1. expression is unknown
2. expression is known (e.g. "cmp"), but attr contains unexpected value
3. expression is known but there is an unknown netlink attr contained in
the dump

If backend (libnftl) could mark expressions as incomplete (from .parse
callbacks?), it would be then possible for the frontend (nft) to document
this, e.g. by adding something like "# unknown attributes", or similar.

This is mainly needed for container environments, where host environment
might be using a lot older version than what is used by a specific
container image.

Related problem: entity that is using the raw netlink interface, it
that case libnftnl might be able to parse everything but nft could
lack the ability to properly print this.

If noone has any objections, I would place this on my todo list and
start with adding to libnftnl the needed "expression is incomplete"
marking by extending the .parse callbacks.

             reply	other threads:[~2024-06-12  7:50 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-06-12  7:50 Florian Westphal [this message]
2024-06-12 13:02 ` let nftables indicate incomplete dissections Phil Sutter
2024-06-18  8:11 ` Pablo Neira Ayuso
2024-06-18  9:31   ` Florian Westphal
2024-06-24 18:14     ` Pablo Neira Ayuso
2024-06-24 21:24       ` Florian Westphal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240612075013.GA13354@breakpoint.cc \
    --to=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).