Re: [iptables PATCH v2 0/8] nft: Implement forward compat for future binaries

On Wed, Oct 09, 2024 at 01:48:11PM +0200, Phil Sutter wrote:
> Changes since v1:
> - Split the parser into a separate patch for easier backporting by
>   distributions.
> - Make the writer opt-in, allow users to force the parser fallback at
>   run-time.
> - Document the feature in man pages.
> 
> Time to abandon earlier attempts at providing compatibility for old
> binaries, choose the next best option which is not relying upon any
> kernel changes.
> 
> Basically, all extensions replaced by native bytecode are appended to
> rule userdata so when nftnl rule parsing code fails, it may retry
> omitting all these expressions and restoring an extension from userdata
> instead.
> 
> The idea behind this is that extensions are stable which relieves native
> bytecode from being the same. With this series in place, one may
> (re-)start converting extensions into native nftables bytecode again.
> 
> Appending rule userdata upon creation is inactive by default and enabled
> via --compat option or XTABLES_COMPAT env variable. The parser will fall
> back to userdata automatically if present and parsing fails.
> 
> Patches 1-3 are preparation. Patches 4 and 5 implement the parser side,
> patches 6 and 7 implement the writer and patch 8 finally extends
> iptables-test.py to cover the new code.
> 
> Phil Sutter (8):
>   nft: Make add_log() static
>   nft: ruleparse: Introduce nft_parse_rule_expr()
>   nft: __add_{match,target}() can't fail
>   nft: Introduce UDATA_TYPE_COMPAT_EXT
>   nft-ruleparse: Fallback to compat expressions in userdata
>   nft: Pass nft_handle into add_{action,match}()
>   nft: Embed compat extensions in rule userdata
>   tests: iptables-test: Add nft-compat variant

Series applied.
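The fallback the cover letter describes (native bytecode first, compat extensions recovered from rule userdata when parsing fails), modelled as an added Python example. This is not iptables or libnftnl code: the TLV userdata layout, the numeric value of UDATA_TYPE_COMPAT_EXT, the policy of omitting unknown expressions on retry, and the expression and extension names are all assumptions constructed for the illustration. The point worth seeing is the failure mode: a rule whose userdata is absent or truncated is reported as an error rather than silently parsed into something incomplete.

```python
"""Model of the userdata-based fallback described in the cover letter.

Added example, not code from iptables/libnftnl. The real userdata encoding
and the rule for which expressions the retry omits are not on the page;
the TLV layout and "skip unknown native expressions" policy below are
assumptions made for the illustration.
"""
import struct

# Name taken from patch 4 of the series; the numeric value is assumed.
UDATA_TYPE_COMPAT_EXT = 1


class UnknownExpr(Exception):
    """Raised when a native expression the parser does not understand is met."""


def encode_udata(entries):
    """Pack (type, value) pairs into a TLV blob: u8 type, u8 length, value."""
    blob = b""
    for utype, value in entries:
        if len(value) > 255:
            raise ValueError("TLV value too long for u8 length")
        blob += struct.pack("BB", utype, len(value)) + value
    return blob


def decode_udata(blob):
    """Walk a TLV blob; truncated entries are an error, never silently dropped."""
    entries, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated TLV header")
        utype, length = struct.unpack_from("BB", blob, off)
        off += 2
        if off + length > len(blob):
            raise ValueError("truncated TLV value")
        entries.append((utype, blob[off:off + length]))
        off += length
    return entries


def make_rule(native_exprs, compat_exts):
    """Writer side (--compat): emit native bytecode and record the replaced
    extensions in userdata so an older parser can recover them."""
    udata = encode_udata(
        [(UDATA_TYPE_COMPAT_EXT, name.encode()) for name in compat_exts])
    return {"exprs": list(native_exprs), "udata": udata}


def parse_native(rule, known):
    """First attempt: every native expression must be understood."""
    out = []
    for expr in rule["exprs"]:
        if expr not in known:
            raise UnknownExpr(expr)
        out.append(("native", expr))
    return out


def parse_rule(rule, known):
    """Parser side: try native first; on failure, and only if compat userdata
    is present, retry omitting unknown expressions and restore the extensions
    recorded in userdata instead."""
    try:
        return parse_native(rule, known)
    except UnknownExpr:
        compat = [v.decode() for t, v in decode_udata(rule["udata"])
                  if t == UDATA_TYPE_COMPAT_EXT]
        if not compat:
            raise  # nothing to fall back to: surface the failure
        out = [("native", e) for e in rule["exprs"] if e in known]
        out += [("match", name) for name in compat]
        return out


# Constructed example: a newer binary knows "newexpr"; an older one does not.
OLD_KNOWN = {"payload", "cmp", "counter"}
NEW_KNOWN = OLD_KNOWN | {"newexpr"}
RULE = make_rule(["payload", "cmp", "newexpr", "counter"], ["newmatch"])

if __name__ == "__main__":
    print(parse_rule(RULE, NEW_KNOWN))  # all native, userdata never consulted
    print(parse_rule(RULE, OLD_KNOWN))  # unknown expr dropped, match restored
```

Run with the new and old known sets to see that the newer parser never touches userdata, while the older one recovers the extension from it; a rule written without --compat (empty userdata) still fails loudly on the older parser.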