netfilter-devel.vger.kernel.org archive mirror
From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [RFC libnftnl/nft 0/5] nftables: indicate presence of unsupported netlink attributes
Date: Wed, 16 Oct 2024 21:04:37 +0200
Message-ID: <ZxAORZJ3t4o04KUl@orbyte.nwl.cc>
In-Reply-To: <ZxAHJO_amh8cIDaR@calendula>

On Wed, Oct 16, 2024 at 08:34:12PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Oct 16, 2024 at 07:07:24PM +0200, Phil Sutter wrote:
> > On Mon, Oct 07, 2024 at 11:49:33AM +0200, Florian Westphal wrote:
> > [...]
> > > Extend libnftnl to also make an annotation when a known expression has
> > > an unknown attribute included in the dump, then extend nftables to also
> > > display this to the user.
> > 
> > We must be careful with this and LIBVERSION updates. I'm looking at
> > libnftnl-1.2.0 which gained support for NFTA_TABLE_OWNER,
> > NFTA_SOCKET_LEVEL, etc. but did not update LIBVERSION at all - OK,
> > that's probably a bug. But there is also libnftnl-1.1.9 with similar
> > additions (NFTA_{DYNSET,SET,SET_ELEM}_EXPRESSIONS) and a LIBVERSION
> > update in the compatible range (15:0:4 -> 16:0:5).
> 
> LIBVERSION talks about the libnftnl API, not netlink attributes?
> Probably 1.1.9 got some API update while 1.2.0 did not?
> 
> > We may increase incomplete marker correctness by treating support for
> > any new attribute as an incompatible update. Given that we often have
> > dependencies between libnftnl and nftables for other things, it may not
> > be too much of a downside though.
> 
> 15:0:4 -> 16:0:5 means new API is available while the older one is still
> supported, so old nftables can use this library binary safely.

Yes, and my concern is that if one installs this newer libnftnl, the behaviour of
the incomplete marker will change despite the same old nftables package
being in place, which doesn't handle the new kernel attribute.

> You mean, we should reset age, considering c:0:a?

I just realized that one may recompile nftables against a newer libnftnl
and achieve the same effect as the "compatible library update" described
above.

So the proposed incomplete marker merely indicates that libnftnl is
outdated compared to the running kernel (or the ruleset loaded into it).
If libnftnl does not signal "incomplete", nftables may still miss
important attributes.

The other way around should work though: if libnftnl indicates
"incomplete", user space is certainly outdated.

No longer incrementing library age value does not help here. Sorry for
the noise!

Cheers, Phil
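The gap Phil describes (an attribute the library knows but the consumer does not is never flagged, while an attribute the library does not know is) can be shown with a small netlink-style TLV dissector. This is an added illustration, not libnftnl or nft code; the attribute numbers, the two "max known" limits and the dump contents are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal TLV header with the same layout as the kernel's struct nlattr. */
struct tlv { uint16_t len; uint16_t type; };
#define TLV_ALIGN(l) (((l) + 3U) & ~3U)

/* Hypothetical attribute numbers: the library knows 1..3, the consumer only 1..2. */
enum { A_NAME = 1, A_FLAGS = 2, A_OWNER = 3, LIB_MAX = A_OWNER, APP_MAX = A_FLAGS };

struct dissect_state { int seen; int incomplete; int app_missed; };

/* Append one attribute at buf+off; returns the new length, or 0 if it does not fit. */
size_t tlv_put(unsigned char *buf, size_t off, size_t cap,
               uint16_t type, const void *data, uint16_t dlen)
{
    size_t total = TLV_ALIGN(sizeof(struct tlv) + dlen);
    struct tlv h = { (uint16_t)(sizeof(struct tlv) + dlen), type };
    if (off + total > cap) return 0;
    memset(buf + off, 0, total);                 /* zero the padding bytes */
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + sizeof h, data, dlen);
    return off + total;
}

/* Walk the buffer once, as a library dissector would. Returns -1 on malformed input. */
int dissect(const unsigned char *buf, size_t len, struct dissect_state *d)
{
    size_t off = 0;
    memset(d, 0, sizeof *d);
    while (off + sizeof(struct tlv) <= len) {
        struct tlv h;
        memcpy(&h, buf + off, sizeof h);
        if (h.len < sizeof h || off + h.len > len) return -1;   /* truncated or bogus length */
        d->seen++;
        if (h.type > LIB_MAX) d->incomplete = 1;       /* library-level "incomplete" marker */
        else if (h.type > APP_MAX) d->app_missed = 1;  /* known to the lib, silently dropped by the app */
        off += TLV_ALIGN(h.len);
    }
    return off == len ? 0 : -1;
}

/* Build a constructed dump holding attrs 1, 2 and `extra`, then dissect it. */
int check_dump(uint16_t extra, struct dissect_state *d)
{
    unsigned char buf[64];
    uint32_t flags = 1, owner = 42;
    size_t n = tlv_put(buf, 0, sizeof buf, A_NAME, "t", 2);
    n = tlv_put(buf, n, sizeof buf, A_FLAGS, &flags, sizeof flags);
    n = tlv_put(buf, n, sizeof buf, extra, &owner, sizeof owner);
    return n ? dissect(buf, n, d) : -1;
}
```

With `extra = A_OWNER` the marker stays clear even though the consumer drops the attribute; only a type above `LIB_MAX` sets it.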

Thread overview: 16+ messages
2024-10-07  9:49 [RFC libnftnl/nft 0/5] nftables: indicate presence of unsupported netlink attributes Florian Westphal
2024-10-07  9:49 ` [PATCH libnftnl 1/5] expr: add and use incomplete tag Florian Westphal
2024-10-08 11:13   ` Pablo Neira Ayuso
2024-10-08 12:17     ` Florian Westphal
2024-10-08 14:43       ` Pablo Neira Ayuso
2024-10-08 16:11         ` Florian Westphal
2024-10-07  9:49 ` [PATCH libnftnl 2/5] sets: " Florian Westphal
2024-10-07  9:49 ` [PATCH libnftnl 3/5] libnftnl: add api to query dissection state Florian Westphal
2024-10-07  9:49 ` [PATCH nft 4/5] netlink: tell user if libnftnl detected unknown attributes/features Florian Westphal
2024-10-07  9:49 ` [PATCH nft 5/5] sets: inform user when set definition contains unknown attributes Florian Westphal
2024-10-16 17:07 ` [RFC libnftnl/nft 0/5] nftables: indicate presence of unsupported netlink attributes Phil Sutter
2024-10-16 18:34   ` Pablo Neira Ayuso
2024-10-16 19:04     ` Phil Sutter [this message]
2024-10-16 19:41       ` Jan Engelhardt
2024-10-16 19:28   ` Jan Engelhardt
2024-10-16 20:05     ` Phil Sutter