| author | Florian Westphal <fw@strlen.de> | 2026-02-12 18:03:54 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2026-02-13 12:32:05 +0100 |
| commit | bf77b769b83a68c841dcb4f7cdf3998e2817727f (patch) | |
| tree | 58fed0e34da3660115a49709b6e090b9947a8567 | |
| parent | 758cfe51968a1fbd78cc7a6041c467e64f090d3a (diff) | |
nft: revert compat expressions in userdata
This reverts the following commits:
758cfe51968a ("configure: Auto-detect libz unless explicitly requested")
fdb541cddad0 ("tests: iptables-test: Add nft-compat variant")
7746fa0b1619 ("nft: Embed compat extensions in rule userdata")
ff5f6a208efc ("nft-ruleparse: Fallback to compat expressions in userdata")
f6f0f4f55794 ("nft: Introduce UDATA_TYPE_COMPAT_EXT")
The main intended user for '--compat' will likely go away. It is also
unlikely the 'iptables-only-emits-native-nft' will ever come to pass.
If there is ever a demand for an iptables-to-native-nft translation that can list rules even when the decompilation step fails, this can always be resurrected if need be.
Signed-off-by: Florian Westphal <fw@strlen.de>
| -rw-r--r-- | configure.ac | 10 | ||||
| -rwxr-xr-x | iptables-test.py | 14 | ||||
| -rw-r--r-- | iptables/Makefile.am | 1 | ||||
| -rw-r--r-- | iptables/arptables-nft.8 | 12 | ||||
| -rw-r--r-- | iptables/ebtables-nft.8 | 12 | ||||
| -rw-r--r-- | iptables/iptables-restore.8.in | 12 | ||||
| -rw-r--r-- | iptables/iptables.8.in | 12 | ||||
| -rw-r--r-- | iptables/nft-compat.c | 222 | ||||
| -rw-r--r-- | iptables/nft-compat.h | 54 | ||||
| -rw-r--r-- | iptables/nft-ruleparse.c | 17 | ||||
| -rw-r--r-- | iptables/nft.c | 74 | ||||
| -rw-r--r-- | iptables/nft.h | 15 | ||||
| -rw-r--r-- | iptables/xshared.c | 7 | ||||
| -rw-r--r-- | iptables/xshared.h | 1 | ||||
| -rw-r--r-- | iptables/xtables-arp.c | 1 | ||||
| -rw-r--r-- | iptables/xtables-eb.c | 4 | ||||
| -rw-r--r-- | iptables/xtables-nft.8 | 11 | ||||
| -rw-r--r-- | iptables/xtables-restore.c | 15 | ||||
| -rw-r--r-- | iptables/xtables.c | 3 |
19 files changed, 26 insertions, 471 deletions
diff --git a/configure.ac b/configure.ac index 2a8abf21..0106b316 100644 --- a/configure.ac +++ b/configure.ac @@ -77,15 +77,6 @@ AC_ARG_WITH([xt-lock-name], AS_HELP_STRING([--with-xt-lock-name=PATH], AC_ARG_ENABLE([profiling], AS_HELP_STRING([--enable-profiling], [build for use of gcov/gprof]), [enable_profiling="$enableval"], [enable_profiling="no"]) -AC_ARG_WITH([zlib], [AS_HELP_STRING([--without-zlib], - [Disable payload compression of rule compat expressions])], - [], [with_zlib=check]) -AS_IF([test "x$with_zlib" != xno], [ - AC_CHECK_LIB([z], [compress], , - [if test "x$with_zlib" != xcheck; then - AC_MSG_ERROR([No suitable version of zlib found]) - fi; with_zlib=no]) -]) AC_MSG_CHECKING([whether $LD knows -Wl,--no-undefined]) saved_LDFLAGS="$LDFLAGS"; @@ -298,7 +289,6 @@ Iptables Configuration: nftables support: ${enable_nftables} connlabel support: ${enable_connlabel} profiling support: ${enable_profiling} - compress rule compat expressions: ${with_zlib/check/yes} Build parameters: Put plugins into executable (static): ${enable_static} diff --git a/iptables-test.py b/iptables-test.py index be47a653..66db5521 100755 --- a/iptables-test.py +++ b/iptables-test.py @@ -613,8 +613,6 @@ def main(): help='Check for missing tests') parser.add_argument('-n', '--nftables', action='store_true', help='Test iptables-over-nftables') - parser.add_argument('--compat', action='store_true', - help='Test iptables-over-nftables in forced compat mode') parser.add_argument('-N', '--netns', action='store_const', const='____iptables-container-test', help='Test netnamespace path') @@ -634,10 +632,8 @@ def main(): variants.append("legacy") if args.nftables: variants.append("nft") - if args.compat: - variants.append("nft-compat") if len(variants) == 0: - variants = [ "legacy", "nft", "nft-compat" ] + variants = [ "legacy", "nft" ] if os.getuid() != 0: print("You need to be root to run this, sorry", file=sys.stderr) 
@@ -656,14 +652,8 @@ def main(): total_passed = 0 total_tests = 0 for variant in variants: - - exec_infix = variant - if variant == "nft-compat": - os.putenv("XTABLES_COMPAT", "2") - exec_infix = "nft" - global EXECUTABLE - EXECUTABLE = "xtables-" + exec_infix + "-multi" + EXECUTABLE = "xtables-" + variant + "-multi" test_files = 0 tests = 0 diff --git a/iptables/Makefile.am b/iptables/Makefile.am index 4855c9a7..2007cd10 100644 --- a/iptables/Makefile.am +++ b/iptables/Makefile.am @@ -57,7 +57,6 @@ xtables_nft_multi_SOURCES += nft.c nft.h \ nft-ruleparse-arp.c nft-ruleparse-bridge.c \ nft-ruleparse-ipv4.c nft-ruleparse-ipv6.c \ nft-shared.c nft-shared.h \ - nft-compat.c nft-compat.h \ xtables-monitor.c \ xtables.c xtables-arp.c xtables-eb.c \ xtables-standalone.c xtables-eb-standalone.c \ diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8 index 8d1eb9fb..c48a2cc2 100644 --- a/iptables/arptables-nft.8 +++ b/iptables/arptables-nft.8 @@ -234,18 +234,6 @@ counters of a rule (during .B APPEND, .B REPLACE operations). -.TP -.B --compat -When creating a rule, attach compatibility data to the rule's userdata section -for use as aid in parsing the rule by an older version of the program. The old -version obviously needs to support this, though. -Specifying this option a second time instructs the program to default to the -rule's compatibility data when parsing, which is mostly useful for debugging or -testing purposes. - -The \fBXTABLES_COMPAT\fP environment variable can be used to override the -default setting. The expected value is a natural number representing the number -of times \fB--compat\fP was specified. .SS RULE-SPECIFICATIONS The following command line arguments make up a rule specification (as used diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 index 3088bb0c..86981650 100644 --- a/iptables/ebtables-nft.8 +++ b/iptables/ebtables-nft.8 
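Review bot: The `global EXECUTABLE` statement is removed together with the compat lines, so `EXECUTABLE = "xtables-" + variant + "-multi"` now binds a function-local name unless another `global EXECUTABLE` declaration survives earlier in main(), outside this hunk. If none does, every variant would silently run whatever the module-level EXECUTABLE defaults to instead of the per-variant binary, and the legacy/nft matrix would pass for the wrong reason. Either keep `global EXECUTABLE` on the line before the assignment or confirm the earlier declaration exists; main() starts before this hunk.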
@@ -360,18 +360,6 @@ to try to automatically load missing kernel modules. .B --concurrent This would use a file lock to support concurrent scripts updating the ebtables kernel tables. It is not needed with \fBebtables-nft\fP though and thus ignored. -.TP -.B --compat -When creating a rule, attach compatibility data to the rule's userdata section -for use as aid in parsing the rule by an older version of the program. The old -version obviously needs to support this, though. -Specifying this option a second time instructs the program to default to the -rule's compatibility data when parsing, which is mostly useful for debugging or -testing purposes. - -The \fBXTABLES_COMPAT\fP environment variable can be used to override the -default setting. The expected value is a natural number representing the number -of times \fB--compat\fP was specified. .SS RULE SPECIFICATIONS diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in index abf8d6de..74ad3255 100644 --- a/iptables/iptables-restore.8.in +++ b/iptables/iptables-restore.8.in @@ -88,18 +88,6 @@ determine the executable's path. .TP \fB\-T\fP, \fB\-\-table\fP \fIname\fP Restore only the named table even if the input stream contains other ones. -.TP -\fB\-\-compat\fP (nft-variants only) -When creating a rule, attach compatibility data to the rule's userdata section -for use as aid in parsing the rule by an older version of the program. The old -version obviously needs to support this, though. -Specifying this option a second time instructs the program to default to the -rule's compatibility data when parsing, which is mostly useful for debugging or -testing purposes. - -The \fBXTABLES_COMPAT\fP environment variable can be used to override the -default setting. The expected value is a natural number representing the number -of times \fB--compat\fP was specified. .SH BUGS None known as of iptables-1.2.1 release .SH AUTHORS 
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in index 41c45a4a..21fb891d 100644 --- a/iptables/iptables.8.in +++ b/iptables/iptables.8.in @@ -397,18 +397,6 @@ corresponding to that rule's position in the chain. \fB\-\-modprobe=\fP\fIcommand\fP When adding or inserting rules into a chain, use \fIcommand\fP to load any necessary modules (targets, match extensions, etc). -.TP -\fB\-\-compat\fP (nft-variants only) -When creating a rule, attach compatibility data to the rule's userdata section -for use as aid in parsing the rule by an older version of the program. The old -version obviously needs to support this, though. -Specifying this option a second time instructs the program to default to the -rule's compatibility data when parsing, which is mostly useful for debugging or -testing purposes. - -The \fBXTABLES_COMPAT\fP environment variable can be used to override the -default setting. The expected value is a natural number representing the number -of times \fB--compat\fP was specified. .SH LOCK FILE iptables uses the \fI@XT_LOCK_NAME@\fP file to take an exclusive lock at diff --git a/iptables/nft-compat.c b/iptables/nft-compat.c deleted file mode 100644 index dfcc05b8..00000000 --- a/iptables/nft-compat.c +++ /dev/null 
@@ -1,222 +0,0 @@ -/* - * (C) 2024 Red Hat GmbH - * Author: Phil Sutter <phil@nwl.cc> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - */ -#include "config.h" -#include "nft-compat.h" -#include "nft-ruleparse.h" -#include "nft.h" - -#include <stdlib.h> -#include <string.h> -#include <xtables.h> - -#ifdef HAVE_LIBZ -#include <zlib.h> -#endif - -#include <libnftnl/udata.h> - -int nftnl_rule_expr_count(const struct nftnl_rule *r) -{ - struct nftnl_expr_iter *iter = nftnl_expr_iter_create(r); - int cnt = 0; - - if (!iter) - return -1; - - while (nftnl_expr_iter_next(iter)) - cnt++; - - nftnl_expr_iter_destroy(iter); - return cnt; -} - -static struct rule_udata_ext * -rule_get_udata_ext(const struct nftnl_rule *r, uint32_t *outlen) -{ - const struct nftnl_udata *tb[UDATA_TYPE_MAX + 1] = {}; - struct nftnl_udata_buf *udata; - uint32_t udatalen; - - udata = (void *)nftnl_rule_get_data(r, NFTNL_RULE_USERDATA, &udatalen); - if (!udata) - return NULL; - - if (nftnl_udata_parse(udata, udatalen, parse_udata_cb, tb) < 0) - return NULL; - - if (!tb[UDATA_TYPE_COMPAT_EXT]) - return NULL; - - if (outlen) - *outlen = nftnl_udata_len(tb[UDATA_TYPE_COMPAT_EXT]); - return nftnl_udata_get(tb[UDATA_TYPE_COMPAT_EXT]); -} - -static void -pack_rule_udata_ext_data(struct rule_udata_ext *rue, - const void *data, size_t datalen) -{ - size_t datalen_out = datalen; -#ifdef HAVE_LIBZ - compress(rue->data, &datalen_out, data, datalen); - rue->flags |= RUE_FLAG_ZIP; -#else - memcpy(rue->data, data, datalen); -#endif - rue->size = datalen_out; -} - -void rule_add_udata_ext(struct nft_handle *h, struct nftnl_rule *r, - uint16_t start_idx, uint16_t end_idx, - uint8_t flags, uint16_t size, const void *data) -{ - struct rule_udata_ext *ext = NULL; - uint32_t extlen = 0, newextlen; - char 
*newext; - void *udata; - - if (!h->compat) - return; - - ext = rule_get_udata_ext(r, &extlen); - if (!ext) - extlen = 0; - - udata = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN); - if (!udata) - xtables_error(OTHER_PROBLEM, "can't alloc memory!"); - - newextlen = sizeof(*ext) + size; - newext = xtables_malloc(extlen + newextlen); - if (extlen) - memcpy(newext, ext, extlen); - memset(newext + extlen, 0, newextlen); - - ext = (struct rule_udata_ext *)(newext + extlen); - ext->start_idx = start_idx; - ext->end_idx = end_idx; - ext->flags = flags; - ext->orig_size = size; - pack_rule_udata_ext_data(ext, data, size); - newextlen = sizeof(*ext) + ext->size; - - if (!nftnl_udata_put(udata, UDATA_TYPE_COMPAT_EXT, - extlen + newextlen, newext) || - nftnl_rule_set_data(r, NFTNL_RULE_USERDATA, - nftnl_udata_buf_data(udata), - nftnl_udata_buf_len(udata))) - xtables_error(OTHER_PROBLEM, "can't alloc memory!"); - - free(newext); - nftnl_udata_buf_free(udata); -} - -static struct nftnl_expr * -__nftnl_expr_from_udata_ext(struct rule_udata_ext *rue, const void *data) -{ - struct nftnl_expr *expr = NULL; - - switch (rue->flags & RUE_FLAG_TYPE_BITS) { - case RUE_FLAG_MATCH_TYPE: - expr = nftnl_expr_alloc("match"); - __add_match(expr, data); - break; - case RUE_FLAG_TARGET_TYPE: - expr = nftnl_expr_alloc("target"); - __add_target(expr, data); - break; - default: - fprintf(stderr, - "Warning: Unexpected udata extension type %d\n", - rue->flags & RUE_FLAG_TYPE_BITS); - } - - return expr; -} - -static struct nftnl_expr * -nftnl_expr_from_zipped_udata_ext(struct rule_udata_ext *rue) -{ -#ifdef HAVE_LIBZ - uLongf datalen = rue->orig_size; - struct nftnl_expr *expr = NULL; - void *data; - - data = xtables_malloc(datalen); - if (uncompress(data, &datalen, rue->data, rue->size) != Z_OK) { - fprintf(stderr, "Warning: Failed to uncompress rule udata extension\n"); - goto out; - } - - expr = __nftnl_expr_from_udata_ext(rue, data); -out: - free(data); - return expr; -#else - fprintf(stderr, 
"Warning: Zipped udata extensions are not supported.\n"); - return NULL; -#endif -} - -static struct nftnl_expr *nftnl_expr_from_udata_ext(struct rule_udata_ext *rue) -{ - if (rue->flags & RUE_FLAG_ZIP) - return nftnl_expr_from_zipped_udata_ext(rue); - else - return __nftnl_expr_from_udata_ext(rue, rue->data); -} - -bool rule_has_udata_ext(const struct nftnl_rule *r) -{ - return rule_get_udata_ext(r, NULL) != NULL; -} - -#define rule_udata_ext_foreach(rue, ext, extlen) \ - for (rue = (void *)(ext); \ - (char *)rue < (char *)(ext) + extlen; \ - rue = (void *)((char *)rue + sizeof(*rue) + rue->size)) - -bool rule_parse_udata_ext(struct nft_xt_ctx *ctx, const struct nftnl_rule *r) -{ - struct rule_udata_ext *rue; - struct nftnl_expr *expr; - uint32_t extlen; - bool ret = true; - int eidx = 0; - void *ext; - - ext = rule_get_udata_ext(r, &extlen); - if (!ext) - return false; - - rule_udata_ext_foreach(rue, ext, extlen) { - for (; eidx < rue->start_idx; eidx++) { - expr = nftnl_expr_iter_next(ctx->iter); - if (!nft_parse_rule_expr(ctx->h, expr, ctx)) - ret = false; - } - - expr = nftnl_expr_from_udata_ext(rue); - if (!nft_parse_rule_expr(ctx->h, expr, ctx)) - ret = false; - nftnl_expr_free(expr); - - for (; eidx < rue->end_idx; eidx++) - nftnl_expr_iter_next(ctx->iter); - } - expr = nftnl_expr_iter_next(ctx->iter); - while (expr != NULL) { - if (!nft_parse_rule_expr(ctx->h, expr, ctx)) - ret = false; - expr = nftnl_expr_iter_next(ctx->iter); - } - return ret; -} - diff --git a/iptables/nft-compat.h b/iptables/nft-compat.h deleted file mode 100644 index 59b3c026..00000000 --- a/iptables/nft-compat.h +++ /dev/null 
@@ -1,54 +0,0 @@ -#ifndef _NFT_COMPAT_H_ -#define _NFT_COMPAT_H_ - -#include <libnftnl/rule.h> - -#include <linux/netfilter/x_tables.h> - -int nftnl_rule_expr_count(const struct nftnl_rule *r); - -enum rule_udata_ext_flags { - RUE_FLAG_MATCH_TYPE = (1 << 0), - RUE_FLAG_TARGET_TYPE = (1 << 1), - RUE_FLAG_ZIP = (1 << 7), -}; -#define RUE_FLAG_TYPE_BITS (RUE_FLAG_MATCH_TYPE | RUE_FLAG_TARGET_TYPE) - -struct rule_udata_ext { - uint8_t start_idx; - uint8_t end_idx; - uint8_t flags; - uint16_t orig_size; - uint16_t size; - unsigned char data[]; -}; - -struct nft_handle; - -void rule_add_udata_ext(struct nft_handle *h, struct nftnl_rule *r, - uint16_t start_idx, uint16_t end_idx, - uint8_t flags, uint16_t size, const void *data); -static inline void -rule_add_udata_match(struct nft_handle *h, struct nftnl_rule *r, - uint16_t start_idx, uint16_t end_idx, - const struct xt_entry_match *m) -{ - rule_add_udata_ext(h, r, start_idx, end_idx, - RUE_FLAG_MATCH_TYPE, m->u.match_size, m); -} - -static inline void -rule_add_udata_target(struct nft_handle *h, struct nftnl_rule *r, - uint16_t start_idx, uint16_t end_idx, - const struct xt_entry_target *t) -{ - rule_add_udata_ext(h, r, start_idx, end_idx, - RUE_FLAG_TARGET_TYPE, t->u.target_size, t); -} - -struct nft_xt_ctx; - -bool rule_has_udata_ext(const struct nftnl_rule *r); -bool rule_parse_udata_ext(struct nft_xt_ctx *ctx, const struct nftnl_rule *r); - -#endif /* _NFT_COMPAT_H_ */ diff --git a/iptables/nft-ruleparse.c b/iptables/nft-ruleparse.c index cdf1af4f..757d3c29 100644 --- a/iptables/nft-ruleparse.c +++ b/iptables/nft-ruleparse.c @@ -10,7 +10,6 @@ * This code has been sponsored by Sophos Astaro <http://www.sophos.com> */ -#include "config.h" #include <stdbool.h> #include <stdlib.h> #include <string.h> @@ -28,7 +27,6 @@ #include <xtables.h> -#include "nft-compat.h" #include "nft-ruleparse.h" #include "nft.h" 
@@ -950,21 +948,6 @@ bool nft_rule_to_iptables_command_state(struct nft_handle *h, ret = false; expr = nftnl_expr_iter_next(ctx.iter); } - if ((!ret || h->compat > 1) && rule_has_udata_ext(r)) { - fprintf(stderr, - "Warning: Rule parser failed, trying compat fallback\n"); - - h->ops->clear_cs(cs); - if (h->ops->init_cs) - h->ops->init_cs(cs); - - nftnl_expr_iter_destroy(ctx.iter); - ctx.iter = nftnl_expr_iter_create(r); - if (!ctx.iter) - return false; - - ret = rule_parse_udata_ext(&ctx, r); - } nftnl_expr_iter_destroy(ctx.iter); diff --git a/iptables/nft.c b/iptables/nft.c index 85080a6d..220bd56d 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -9,7 +9,6 @@ * This code has been sponsored by Sophos Astaro <http://www.sophos.com> */ -#include "config.h" #include <unistd.h> #include <fcntl.h> #include <sys/types.h> @@ -61,7 +60,6 @@ #include "nft-cache.h" #include "nft-shared.h" #include "nft-bridge.h" /* EBT_NOPROTO */ -#include "nft-compat.h" static void *nft_fn; @@ -1048,11 +1046,9 @@ void __add_match(struct nftnl_expr *e, const struct xt_entry_match *m) nftnl_expr_set(e, NFTNL_EXPR_MT_INFO, info, m->u.match_size - sizeof(*m)); } -static int add_nft_limit(struct nft_handle *h, struct nftnl_rule *r, - struct xt_entry_match *m) +static int add_nft_limit(struct nftnl_rule *r, struct xt_entry_match *m) { struct xt_rateinfo *rinfo = (void *)m->data; - int i, ecnt = nftnl_rule_expr_count(r); static const uint32_t mult[] = { XT_LIMIT_SCALE*24*60*60, /* day */ XT_LIMIT_SCALE*60*60, /* hour */ @@ -1060,8 +1056,7 @@ static int add_nft_limit(struct nft_handle *h, struct nftnl_rule *r, XT_LIMIT_SCALE, /* sec */ }; struct nftnl_expr *expr; - - rule_add_udata_match(h, r, ecnt, ecnt + 1, m); + int i; expr = nftnl_expr_alloc("limit"); if (!expr) 
@@ -1376,7 +1371,6 @@ static bool udp_all_zero(const struct xt_udp *u) static int add_nft_udp(struct nft_handle *h, struct nftnl_rule *r, struct xt_entry_match *m) { - int ret, ecnt = nftnl_rule_expr_count(r); struct xt_udp *udp = (void *)m->data; if (udp->invflags > XT_UDP_INV_MASK || @@ -1391,12 +1385,8 @@ static int add_nft_udp(struct nft_handle *h, struct nftnl_rule *r, if (nftnl_rule_get_u32(r, NFTNL_RULE_COMPAT_PROTO) != IPPROTO_UDP) xtables_error(PARAMETER_PROBLEM, "UDP match requires '-p udp'"); - ret = add_nft_tcpudp(h, r, udp->spts, udp->invflags & XT_UDP_INV_SRCPT, - udp->dpts, udp->invflags & XT_UDP_INV_DSTPT); - - rule_add_udata_match(h, r, ecnt, nftnl_rule_expr_count(r), m); - - return ret; + return add_nft_tcpudp(h, r, udp->spts, udp->invflags & XT_UDP_INV_SRCPT, + udp->dpts, udp->invflags & XT_UDP_INV_DSTPT); } static int add_nft_tcpflags(struct nft_handle *h, struct nftnl_rule *r, @@ -1433,7 +1423,6 @@ static int add_nft_tcp(struct nft_handle *h, struct nftnl_rule *r, struct xt_entry_match *m) { static const uint8_t supported = XT_TCP_INV_SRCPT | XT_TCP_INV_DSTPT | XT_TCP_INV_FLAGS; - int ret, ecnt = nftnl_rule_expr_count(r); struct xt_tcp *tcp = (void *)m->data; if (tcp->invflags & ~supported || tcp->option || 
@@ -1449,27 +1438,23 @@ static int add_nft_tcp(struct nft_handle *h, struct nftnl_rule *r, xtables_error(PARAMETER_PROBLEM, "TCP match requires '-p tcp'"); if (tcp->flg_mask) { - ret = add_nft_tcpflags(h, r, tcp->flg_cmp, tcp->flg_mask, - tcp->invflags & XT_TCP_INV_FLAGS); + int ret = add_nft_tcpflags(h, r, tcp->flg_cmp, tcp->flg_mask, + tcp->invflags & XT_TCP_INV_FLAGS); if (ret < 0) return ret; } - ret = add_nft_tcpudp(h, r, tcp->spts, tcp->invflags & XT_TCP_INV_SRCPT, - tcp->dpts, tcp->invflags & XT_TCP_INV_DSTPT); - - rule_add_udata_match(h, r, ecnt, nftnl_rule_expr_count(r), m); - - return ret; + return add_nft_tcpudp(h, r, tcp->spts, tcp->invflags & XT_TCP_INV_SRCPT, + tcp->dpts, tcp->invflags & XT_TCP_INV_DSTPT); } static int add_nft_mark(struct nft_handle *h, struct nftnl_rule *r, struct xt_entry_match *m) { struct xt_mark_mtinfo1 *mark = (void *)m->data; - int op, ecnt = nftnl_rule_expr_count(r); uint8_t reg; + int op; add_meta(h, r, NFT_META_MARK, ®); if (mark->mask != 0xffffffff) @@ -1482,8 +1467,6 @@ static int add_nft_mark(struct nft_handle *h, struct nftnl_rule *r, add_cmp_u32(r, mark->mark, op, reg); - rule_add_udata_match(h, r, ecnt, nftnl_rule_expr_count(r), m); - return 0; } @@ -1497,7 +1480,7 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx, case NFT_COMPAT_RULE_INSERT: case NFT_COMPAT_RULE_REPLACE: if (!strcmp(m->u.user.name, "limit")) - return add_nft_limit(h, r, m); + return add_nft_limit(r, m); else if (!strcmp(m->u.user.name, "among")) return add_nft_among(h, r, m); else if (!strcmp(m->u.user.name, "udp")) 
@@ -1534,14 +1517,10 @@ void __add_target(struct nftnl_expr *e, const struct xt_entry_target *t) nftnl_expr_set(e, NFTNL_EXPR_TG_INFO, info, t->u.target_size - sizeof(*t)); } -static int add_meta_nftrace(struct nft_handle *h, struct nftnl_rule *r, - struct xt_entry_target *t) +static int add_meta_nftrace(struct nftnl_rule *r) { - int ecnt = nftnl_rule_expr_count(r); struct nftnl_expr *expr; - rule_add_udata_target(h, r, ecnt, ecnt + 2, t); - expr = nftnl_expr_alloc("immediate"); if (expr == NULL) return -ENOMEM; @@ -1566,7 +1545,7 @@ int add_target(struct nft_handle *h, struct nftnl_rule *r, struct nftnl_expr *expr; if (strcmp(t->u.user.name, "TRACE") == 0) - return add_meta_nftrace(h, r, t); + return add_meta_nftrace(r); expr = nftnl_expr_alloc("target"); if (expr == NULL) @@ -1609,8 +1588,7 @@ int add_verdict(struct nftnl_rule *r, int verdict) return 0; } -static int add_log(struct nft_handle *h, struct nftnl_rule *r, - struct iptables_command_state *cs); +static int add_log(struct nftnl_rule *r, struct iptables_command_state *cs); int add_action(struct nft_handle *h, struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set) @@ -1627,7 +1605,7 @@ int add_action(struct nft_handle *h, struct nftnl_rule *r, else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0) ret = add_verdict(r, NFT_RETURN); else if (strcmp(cs->jumpto, "NFLOG") == 0) - ret = add_log(h, r, cs); + ret = add_log(r, cs); else ret = add_target(h, r, cs->target->t); } else if (strlen(cs->jumpto) > 0) { 
@@ -1640,14 +1618,10 @@ int add_action(struct nft_handle *h, struct nftnl_rule *r, return ret; } -static int add_log(struct nft_handle *h, struct nftnl_rule *r, - struct iptables_command_state *cs) +static int add_log(struct nftnl_rule *r, struct iptables_command_state *cs) { struct nftnl_expr *expr; struct xt_nflog_info *info = (struct xt_nflog_info *)cs->target->t->data; - int ecnt = nftnl_rule_expr_count(r); - - rule_add_udata_target(h, r, ecnt, ecnt + 1, cs->target->t); expr = nftnl_expr_alloc("log"); if (!expr) @@ -1697,7 +1671,14 @@ int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes) return 0; } -int parse_udata_cb(const struct nftnl_udata *attr, void *data) +enum udata_type { + UDATA_TYPE_COMMENT, + UDATA_TYPE_EBTABLES_POLICY, + __UDATA_TYPE_MAX, +}; +#define UDATA_TYPE_MAX (__UDATA_TYPE_MAX - 1) + +static int parse_udata_cb(const struct nftnl_udata *attr, void *data) { unsigned char *value = nftnl_udata_get(attr); uint8_t type = nftnl_udata_type(attr); @@ -1711,8 +1692,6 @@ int parse_udata_cb(const struct nftnl_udata *attr, void *data) break; case UDATA_TYPE_EBTABLES_POLICY: break; - case UDATA_TYPE_COMPAT_EXT: - break; default: return 0; } @@ -4112,10 +4091,3 @@ void nft_assert_table_compatible(struct nft_handle *h, "%s%s%stable `%s' is incompatible, use 'nft' tool.", pfx, chain, sfx, table); } - -uint8_t compat_env_val(void) -{ - const char *val = getenv("XTABLES_COMPAT"); - - return val ? atoi(val) : 0; -} diff --git a/iptables/nft.h b/iptables/nft.h index 94d90bef..9d648f15 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -108,7 +108,6 @@ struct nft_handle { struct nft_cache_req cache_req; bool restore; bool noflush; - uint8_t compat; int8_t config_done; struct list_head cmd_list; bool cache_init; 
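Review bot: With UDATA_TYPE_COMPAT_EXT dropped from the now file-local `enum udata_type`, a rule that still carries a type-2 TLV (written by a build that had the compat feature, should such a ruleset be loaded) lands on `default: return 0;` in parse_udata_cb and is skipped, which is the right outcome but only because the default returns before the `tb[type]` store that presumably follows the switch in the part of parse_udata_cb outside this hunk. Since UDATA_TYPE_MAX shrank to 1, a fall-through would now write past a `tb[UDATA_TYPE_MAX + 1]` array like the one the deleted rule_get_udata_ext() used. I would pin that invariant on the default label with `/* unknown (incl. retired) types are dropped; tb[] is sized by UDATA_TYPE_MAX, never fall through */`. Note also that stale compat userdata stays attached to in-kernel rules until they are replaced; it is merely no longer interpreted.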
@@ -278,18 +277,4 @@ void nft_assert_table_compatible(struct nft_handle *h, int ebt_set_user_chain_policy(struct nft_handle *h, const char *table, const char *chain, const char *policy); -struct nftnl_udata; - -enum udata_type { - UDATA_TYPE_COMMENT, - UDATA_TYPE_EBTABLES_POLICY, - UDATA_TYPE_COMPAT_EXT, - __UDATA_TYPE_MAX, -}; -#define UDATA_TYPE_MAX (__UDATA_TYPE_MAX - 1) - -int parse_udata_cb(const struct nftnl_udata *attr, void *data); - -uint8_t compat_env_val(void); - #endif diff --git a/iptables/xshared.c b/iptables/xshared.c index fc61e0fd..b941b8df 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -1254,9 +1254,6 @@ void xtables_printhelp(struct iptables_command_state *cs) printf( "[!] --fragment -f match second or further fragments only\n"); - if (strstr(xt_params->program_version, "nf_tables")) - printf( -" --compat append compatibility data to new rules\n"); printf( " --modprobe=<command> try to insert modules using this command\n" " --set-counters -c PKTS BYTES set the counter during insert/append\n" @@ -1921,10 +1918,6 @@ void do_parse(int argc, char *argv[], exit_tryhelp(2, p->line); - case 20: /* --compat */ - p->compat++; - break; - case 1: /* non option */ if (optarg[0] == '!' && optarg[1] == '\0') { if (invert) diff --git a/iptables/xshared.h b/iptables/xshared.h index 9d2d6d9f..af756738 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -299,7 +299,6 @@ struct xt_cmd_parse { bool restore; int line; int verbose; - uint8_t compat; bool rule_ranges; struct xt_cmd_parse_ops *ops; }; diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c index fe45c370..71518a9c 100644 --- a/iptables/xtables-arp.c +++ b/iptables/xtables-arp.c @@ -78,7 +78,6 @@ static struct option original_opts[] = { { "line-numbers", 0, 0, '0' }, { "modprobe", 1, 0, 'M' }, { "set-counters", 1, 0, 'c' }, - { "compat", 0, 0, 20 }, { 0 } }; diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index 4beebfd6..86c33b4e 100644 --- a/iptables/xtables-eb.c 
+++ b/iptables/xtables-eb.c @@ -131,7 +131,6 @@ struct option ebt_original_options[] = { "init-table" , no_argument , 0, 11 }, { "concurrent" , no_argument , 0, 13 }, { "check" , required_argument, 0, 14 }, - { "compat" , no_argument , 0, 20 }, { 0 } }; @@ -235,7 +234,6 @@ void nft_bridge_print_help(struct iptables_command_state *cs) "[!] --logical-out name[+] : logical bridge output interface name\n" "--set-counters -c chain\n" " pcnt bcnt : set the counters of the to be added rule\n" -"--compat : append compatibility data to new rules\n" "--modprobe -M program : try to insert modules using this program\n" "--concurrent : use a file lock to support concurrent scripts\n" "--verbose -v : verbose mode\n" @@ -564,7 +562,6 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, .line = line, .rule_ranges = true, .ops = &h->ops->cmd_parse, - .compat = compat_env_val(), }; int ret = 0; @@ -574,7 +571,6 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, do_parse(argc, argv, &p, &cs, &args); h->verbose = p.verbose; - h->compat = p.compat; t = nft_table_builtin_find(h, p.table); if (!t) diff --git a/iptables/xtables-nft.8 b/iptables/xtables-nft.8 index 2ed67ba9..ae54476c 100644 --- a/iptables/xtables-nft.8 +++ b/iptables/xtables-nft.8 
@@ -100,17 +100,6 @@ When using \-j TRACE to debug packet traversal to the ruleset, note that you wil .B xtables\-monitor(8) in \-\-trace mode to obtain monitoring trace events. -Some extensions are implemented via native nf_tables expressions instead of -\fBnft_compat\fP module. This is transparent to the user as such parts of a -rule are detected and parsed into an extension again before listing. Also, -run-time behaviour is supposed to be identical. Implementing extensions this -way is beneficial from a kernel maintainer's perspective as xtables extension -modules may at some point become unused, so increasing extension conversion is -to be expected. Since this may break older versions parsing the ruleset -in-kernel (a possible scenario with containers sharing a network namespace), -there is \fB--compat\fP flag which causes the replaced extensions to be -appended to the rule in userdata storage for the parser to fall back to. - .SH EXAMPLES One basic example is creating the skeleton ruleset in nf_tables from the xtables-nft tools, in a fresh machine: diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c index e7802b9e..23cd3498 100644 --- a/iptables/xtables-restore.c +++ b/iptables/xtables-restore.c @@ -37,7 +37,6 @@ static const struct option options[] = { {.name = "ipv6", .has_arg = false, .val = '6'}, {.name = "wait", .has_arg = 2, .val = 'w'}, {.name = "wait-interval", .has_arg = 2, .val = 'W'}, - {.name = "compat", .has_arg = false, .val = 20 }, {NULL}, }; @@ -55,7 +54,6 @@ static void print_usage(const char *name, const char *version) " [ --noflush ]\n" " [ --table=<TABLE> ]\n" " [ --modprobe=<command> ]\n" - " [ --compat ]\n" " [ --ipv4 ]\n" " [ --ipv6 ]\n", name); } @@ -286,7 +284,6 @@ void xtables_restore_parse(struct nft_handle *h, static int xtables_restore_main(int family, const char *progname, int argc, char *argv[]) { - uint8_t compat = compat_env_val(); struct nft_xt_restore_parse p = { .commit = true, .cb = &restore_cb, 
@@ -340,9 +337,6 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[]) if (!optarg && xs_has_arg(argc, argv)) optind++; break; - case 20: - compat++; - break; default: fprintf(stderr, "Try `%s -h' for more information.\n", @@ -393,7 +387,6 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[]) } h.noflush = noflush; h.restore = true; - h.compat = compat; xtables_restore_parse(&h, &p); @@ -426,13 +419,11 @@ static const struct nft_xt_restore_cb ebt_restore_cb = { static const struct option ebt_restore_options[] = { {.name = "noflush", .has_arg = 0, .val = 'n'}, {.name = "verbose", .has_arg = 0, .val = 'v'}, - {.name = "compat", .has_arg = 0, .val = 20}, { 0 } }; int xtables_eb_restore_main(int argc, char *argv[]) { - uint8_t compat = compat_env_val(); struct nft_xt_restore_parse p = { .in = stdin, .cb = &ebt_restore_cb, @@ -450,12 +441,9 @@ int xtables_eb_restore_main(int argc, char *argv[]) case 'v': verbose++; break; - case 20: /* --compat */ - compat++; - break; default: fprintf(stderr, - "Usage: ebtables-restore [ --verbose ] [ --noflush ] [ --compat ]\n"); + "Usage: ebtables-restore [ --verbose ] [ --noflush ]\n"); exit(1); break; } @@ -463,7 +451,6 @@ int xtables_eb_restore_main(int argc, char *argv[]) nft_init_eb(&h, "ebtables-restore"); h.noflush = noflush; - h.compat = compat; xtables_restore_parse(&h, &p); nft_fini_eb(&h); diff --git a/iptables/xtables.c b/iptables/xtables.c index 7d540880..5d73481c 100644 --- a/iptables/xtables.c +++ b/iptables/xtables.c @@ -82,7 +82,6 @@ static struct option original_opts[] = { {.name = "goto", .has_arg = 1, .val = 'g'}, {.name = "ipv4", .has_arg = 0, .val = '4'}, {.name = "ipv6", .has_arg = 0, .val = '6'}, - {.name = "compat", .has_arg = 0, .val = 20}, {NULL}, }; 
@@ -148,7 +147,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, .restore = restore, .line = line, .ops = &h->ops->cmd_parse, - .compat = compat_env_val(), }; struct iptables_command_state cs = { .jumpto = "", @@ -163,7 +161,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, do_parse(argc, argv, &p, &cs, &args); h->verbose = p.verbose; - h->compat = p.compat; if (!nft_table_builtin_find(h, p.table)) xtables_error(VERSION_PROBLEM, |
