Message ID | 20241009114819.15379-1-phil@nwl.cc
---|---
Series | nft: Implement forward compat for future binaries
On Wed, Oct 09, 2024 at 01:48:11PM +0200, Phil Sutter wrote:
> Changes since v1:
> - Split the parser into a separate patch for easier backporting by
>   distributions.
> - Make the writer opt-in, allow users to force the parser fallback at
>   run-time.
> - Document the feature in man pages.
>
> Time to abandon earlier attempts at providing compatibility for old
> binaries, choose the next best option which is not relying upon any
> kernel changes.
>
> Basically, all extensions replaced by native bytecode are appended to
> rule userdata so when nftnl rule parsing code fails, it may retry
> omitting all these expressions and restoring an extension from userdata
> instead.
>
> The idea behind this is that extensions are stable which relieves native
> bytecode from being the same. With this series in place, one may
> (re-)start converting extensions into native nftables bytecode again.
>
> Appending rule userdata upon creation is inactive by default and enabled
> via --compat option or XTABLES_COMPAT env variable. The parser will fall
> back to userdata automatically if present and parsing fails.
>
> Patches 1-3 are preparation. Patches 4 and 5 implement the parser side,
> patches 6 and 7 implement the writer and patch 8 finally extends
> iptables-test.py to cover the new code.
>
> Phil Sutter (8):
>   nft: Make add_log() static
>   nft: ruleparse: Introduce nft_parse_rule_expr()
>   nft: __add_{match,target}() can't fail
>   nft: Introduce UDATA_TYPE_COMPAT_EXT
>   nft-ruleparse: Fallback to compat expressions in userdata
>   nft: Pass nft_handle into add_{action,match}()
>   nft: Embed compat extensions in rule userdata
>   tests: iptables-test: Add nft-compat variant

Series applied.
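To illustrate the parser fallback the cover letter describes, here is an added toy model in Python; it is not code from this series or from iptables/libnftnl. The userdata TLV layout follows libnftnl's u8 type / u8 length convention, while the numeric value of UDATA_TYPE_COMPAT_EXT, the expression names and the sample extension string are assumptions made for the example.

```python
import struct

UDATA_TYPE_COMPAT_EXT = 2  # assumed numeric value; the series only introduces the name

def udata_encode(entries):
    """Pack (type, value) pairs as libnftnl-style userdata TLVs: u8 type, u8 len, value."""
    out = b""
    for utype, value in entries:
        if len(value) > 255:
            raise ValueError("userdata attribute too long for a u8 length")
        out += struct.pack("BB", utype, len(value)) + value
    return out

def udata_decode(blob):
    """Walk the TLVs, rejecting a truncated final attribute instead of over-reading."""
    off, entries = 0, []
    while off + 2 <= len(blob):
        utype, length = struct.unpack_from("BB", blob, off)
        off += 2
        if off + length > len(blob):
            raise ValueError("truncated userdata attribute")
        entries.append((utype, blob[off:off + length]))
        off += length
    return entries

KNOWN = {"payload", "cmp", "counter"}  # expressions the "old" binary can decode

def parse_native(exprs):
    """Decode native bytecode; any expression this binary does not know is fatal."""
    for name, _ in exprs:
        if name not in KNOWN:
            raise ValueError("unknown expression %s" % name)
    return [(name + " " + args).strip() for name, args in exprs]

def parse_rule(exprs, udata):
    """Try native first; on failure retry, restoring the extension from userdata."""
    try:
        return "native", parse_native(exprs)
    except ValueError:
        compat = [v.decode() for t, v in udata_decode(udata) if t == UDATA_TYPE_COMPAT_EXT]
        if not compat:
            raise  # rule was added without --compat / XTABLES_COMPAT, nothing to fall back to
        # Simplification of the real design: drop only the undecodable expressions.
        kept = parse_native([e for e in exprs if e[0] in KNOWN])
        return "compat", kept + ["-m " + c for c in compat]

# Constructed sample: a newer binary emitted "futureexpr" for an extension the
# old parser cannot decode, and recorded that extension in rule userdata.
RULE = [("payload", "tcp dport"), ("cmp", "eq 22"), ("futureexpr", "native form"), ("counter", "")]
UDATA = udata_encode([(UDATA_TYPE_COMPAT_EXT, b"conntrack --ctstate NEW")])
```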