From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: Phil Sutter <phil@nwl.cc>, netfilter-devel@vger.kernel.org
Subject: Re: [nft PATCH v2 0/4] xt: Implement dump and restore support
Date: Fri, 18 Nov 2022 10:40:30 +0100 [thread overview]
Message-ID: <Y3dTDj6OgEkyP/WD@salvia> (raw)
In-Reply-To: <20221117211347.GB15714@breakpoint.cc>
On Thu, Nov 17, 2022 at 10:13:47PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > If nft can't translate a compat expression, dump it in a format that can
> > be restored later without losing data, thereby keeping the ruleset
> > intact.
>
> Why? :-( This cements nft_compat.c forever.
>
> If we're going to do it let's at least dump it properly,
> i.e. nft ... add rule compat "-m conntrack --ctstate NEW".
We might have to support this mixed syntax forever. I proposed this a
long, long time ago, when nftables was supporting ~25% of the iptables
feature-set. These days, where they are almost on par (actually
nftables being a lot more expressive than iptables), I am not sure it
makes sense to follow this path anymore.
Unless you refer to dumping a listing which nft cannot load as a way
to provide a listing that is comprehensible, but that cannot be loaded
by the user.
> At this time I'd rather like a time machine to prevent nft_compat.c from
> getting merged :-(
I agree we should have added native translations for iptables-nft
sooner, but it was never a priority for anyone so far.
This "forward compatibility" issue (pretending old tool versions can
interpret new revisions / features loaded by newer tool versions) we
are trying to deal with is hard; we already discussed that none of the
other existing tooling (ethtool, iproute2, etc.) supports this.
If you prefer to go for the _USERDATA area as a last resort, I'm OK
with it. This requires no kernel patches, and it will be used only for
the "forward compatibility" scenario (last resort).
We can also resort to displaying the raw expressions, so the user gets
a meaningful output that cannot be loaded again.
I think this is more or less a summary of what we discussed in the NFWS.