Add --compat option to *tables-nft and *-nft-restore commands

The flag sets nft_handle::compat boolean, indicating a compatible rule
implementation is wanted. Users expecting their created rules to be
fetched from kernel by an older version of *tables-nft may use this to
avoid potential compatibility issues.

Changes since v1:
- Expect short option '-C' in {ip,ip6,eb}tables-nft-restore command line
  parser
- Support -C/--compat in arptables-nft-restore, too
- Update man pages with the new flag

Signed-off-by: Phil Sutter <phil@nwl.cc>

1 files changed, 8 insertions, 0 deletions

diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
index ea31e084..673a7bd5 100644
--- a/iptables/arptables-nft.8
+++ b/iptables/arptables-nft.8
@@ -220,6 +220,14 @@ counters of a rule (during
 .B APPEND,
 .B REPLACE
 operations).
+.SS "OTHER OPTIONS"
+The following additional options can be specified:
+.TP
+\fB\-\-compat\fP
+Create rules in a mostly compatible way, enabling older versions of
+\fBarptables\-nft\fP to correctly parse the rules received from kernel. This
+mode is only useful in very specific situations and will likely impact packet
+filtering performance.
 
 .SS RULE-SPECIFICATIONS
 The following command line arguments make up a rule specification (as used