Add --compat option to *tables-nft and *-nft-restore commands

The flag sets nft_handle::compat boolean, indicating a compatible rule
implementation is wanted. Users expecting their created rules to be
fetched from kernel by an older version of *tables-nft may use this to
avoid potential compatibility issues.

Changes since v1:
- Expect short option '-C' in {ip,ip6,eb}tables-nft-restore command line
  parser
- Support -C/--compat in arptables-nft-restore, too
- Update man pages with the new flag

Signed-off-by: Phil Sutter <phil@nwl.cc>

1 files changed, 9 insertions, 2 deletions

diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index aa816f79..38309992 100644
--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
@@ -23,11 +23,11 @@ iptables-restore \(em Restore IP Tables
 .P
 ip6tables-restore \(em Restore IPv6 Tables
 .SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIseconds\fP]
+\fBiptables\-restore\fP [\fB\-cChntvV\fP] [\fB\-w\fP \fIseconds\fP]
 [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
 [\fIfile\fP]
 .P
-\fBip6tables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIseconds\fP]
+\fBip6tables\-restore\fP [\fB\-cChntvV\fP] [\fB\-w\fP \fIseconds\fP]
 [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
 [\fIfile\fP]
 .SH DESCRIPTION
@@ -74,6 +74,13 @@ determine the executable's path.
 .TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
+.TP
+\fB\-C\fP, \fB\-\-compat\fP
+This flag is only relevant with \fBnft\fP-variants and ignored otherwise. If
+set, rules will be created in a mostly compatible way, enabling older versions
+of \fBiptables\-nft\fP to correctly parse the rules received from kernel. This
+mode is only useful in very specific situations and will likely impact packet
+filtering performance.
 .SH BUGS
 None known as of iptables-1.2.1 release
 .SH AUTHORS