netfilter-devel.vger.kernel.org archive mirror
From: Phil Sutter <phil@nwl.cc>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [RFC libnftnl/nft 0/5] nftables: indicate presence of unsupported netlink attributes
Date: Wed, 16 Oct 2024 19:07:24 +0200
Message-ID: <Zw_yzLizGDGzhFRg@orbyte.nwl.cc>
In-Reply-To: <20241007094943.7544-1-fw@strlen.de>

On Mon, Oct 07, 2024 at 11:49:33AM +0200, Florian Westphal wrote:
[...]
> Extend libnftnl to also make an annotation when a known expression has
> an unknown attribute included in the dump, then extend nftables to also
> display this to the user.

We must be careful with this and LIBVERSION updates. I'm looking at
libnftnl-1.2.0 which gained support for NFTA_TABLE_OWNER,
NFTA_SOCKET_LEVEL, etc. but did not update LIBVERSION at all - OK,
that's probably a bug. But there is also libnftnl-1.1.9 with similar
additions (NFTA_{DYNSET,SET,SET_ELEM}_EXPRESSIONS) and a LIBVERSION
update in the compatible range (15:0:4 -> 16:0:5).

We may increase incomplete marker correctness by treating support for
any new attribute as an incompatible update. Given that we often have
dependencies between libnftnl and nftables for other things, it may not
be too much of a downside though.

> Debug output will include the [incomplete] tag for each affected
> expression.

Looking at the impact this series has for such situations, I want to
make the iptables-nft compat extension stuff depend on it for better
detection of incompatible rule content.

Thanks, Phil
