From c327e9331e50d7b4d6cfd0a82fb38bec73703bfb Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Tue, 11 Oct 2022 18:46:55 +0200 Subject: Warn for tables with compat expressions in rules While being able to "look inside" compat expressions using nft is a nice feature, it is also (yet another) pitfall for unaware users, deceiving them into assuming interchangeability (or at least compatibility) between iptables-nft and nft. In reality, which involves 'nft list ruleset | nft -f -', any correctly translated compat expressions will turn into native nftables ones not understood by (the version of) iptables-nft which created them in the first place. Other compat expressions will vanish, potentially compromising the firewall ruleset. Emit a warning (as comment) to give users a chance to stop and reconsider before shooting their own foot. Signed-off-by: Phil Sutter --- include/rule.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/rule.h b/include/rule.h index ad9f9127..00a1bac5 100644 --- a/include/rule.h +++ b/include/rule.h @@ -169,6 +169,7 @@ struct table { unsigned int refcnt; uint32_t owner; const char *comment; + bool has_xt_stmts; }; extern struct table *table_alloc(void); -- cgit v1.2.3
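Review bot: The new `bool has_xt_stmts;` in `struct table` is introduced without any code in this diff that sets it or reads it, and the diffstat ("1 file changed, 1 insertion(+)", limited to 'include') does not show where the warning comment the message promises is emitted; the reviewer should confirm that the companion changes outside include/ set the flag when an xt (compat) statement is parsed into a rule of this table and that the list path consults it, otherwise the field is dead. Also worth checking that `table_alloc()` zero-fills the struct so the flag defaults to false for tables that never see a compat expression, and a one-line comment on the member (e.g. `/* set if any rule carries an xt compat stmt */`) next to `const char *comment;` would make its meaning clear to readers of the header.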