| author | Phil Sutter <phil@nwl.cc> | 2022-10-11 18:46:55 +0200 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2022-11-18 15:50:24 +0100 |
| commit | c327e9331e50d7b4d6cfd0a82fb38bec73703bfb (patch) | |
| tree | dcfac81d4ae15a21ddacbc1edc7a9d4530b86d46 /include | |
| parent | 4521732ebbf34573062d2cad2f74b98910ea1c5b (diff) | |
Warn for tables with compat expressions in rules
While being able to "look inside" compat expressions using nft is a nice
feature, it is also (yet another) pitfall for unaware users, deceiving
them into assuming interchangeability (or at least compatibility)
between iptables-nft and nft.

In reality, which involves 'nft list ruleset | nft -f -', any correctly
translated compat expressions will turn into native nftables ones not
understood by (the version of) iptables-nft which created them in the
first place. Other compat expressions will vanish, potentially
compromising the firewall ruleset.

Emit a warning (as comment) to give users a chance to stop and
reconsider before shooting their own foot.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'include')
-rw-r--r-- | include/rule.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/rule.h b/include/rule.h index ad9f9127..00a1bac5 100644 --- a/include/rule.h +++ b/include/rule.h @@ -169,6 +169,7 @@ struct table { unsigned int refcnt; uint32_t owner; const char *comment; + bool has_xt_stmts; }; extern struct table *table_alloc(void); |
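Review bot: the new `has_xt_stmts` member is only declared in this hunk, so its initial value depends on `table_alloc()` (declared right below the added line) zero-filling the struct; if that allocator uses a plain malloc, the flag starts as garbage and the warning this commit introduces would fire or stay silent at random, so please confirm the allocation is zeroed. A one-line comment stating what the flag means and who sets it would also help, e.g. `bool has_xt_stmts; /* rules contain xt compat expressions */`. As a style point, placing the `bool` after `uint32_t owner` instead of after `const char *comment` would fill existing padding rather than add seven bytes of it on 64-bit targets.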