authorPhil Sutter <phil@nwl.cc>2023-08-15 13:47:28 +0200
committerPhil Sutter <phil@nwl.cc>2023-09-01 13:15:03 +0200
commit35ff97e9aca8cd301ff9b9a95b0a72de1aeb700b (patch)
tree5f4b36dfccf29e4290e48b3a7dfe6bc7dab5dbf2 /iptables
parent63e4a64e943be64a7e0486838071b981074e696d (diff)
Revert --compat option related commits
This reverts the following commits:

b14c971db6db0 ("tests: Test compat mode")
11c464ed015b5 ("Add --compat option to *tables-nft and *-nft-restore commands")
ca709b5784c98 ("nft: Introduce and use bool nft_handle::compat")
402b9b3c07c81 ("nft: Pass nft_handle to add_{target,action}()")

This implementation of a compatibility mode implements rules using xtables extensions if possible and thus relies upon the existence of those in kernel space. Assuming no viable replacement for the internal mechanics of this mode will be found in the foreseeable future, it will effectively block attempts at deprecating and removing these xtables extensions in favor of nftables expressions and thus hinder upstream's future plans for iptables.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables')
-rw-r--r--iptables/arptables-nft-restore.815
-rw-r--r--iptables/arptables-nft.88
-rw-r--r--iptables/ebtables-nft.86
-rw-r--r--iptables/iptables-restore.8.in11
-rw-r--r--iptables/iptables.8.in7
-rw-r--r--iptables/nft-arp.c2
-rw-r--r--iptables/nft-bridge.c9
-rw-r--r--iptables/nft-ipv4.c2
-rw-r--r--iptables/nft-ipv6.c2
-rw-r--r--iptables/nft-shared.c2
-rw-r--r--iptables/nft.c19
-rw-r--r--iptables/nft.h7
-rwxr-xr-xiptables/tests/shell/testcases/nft-only/0011-compat-mode_063
-rw-r--r--iptables/xshared.c7
-rw-r--r--iptables/xshared.h1
-rw-r--r--iptables/xtables-arp.c1
-rw-r--r--iptables/xtables-eb.c7
-rw-r--r--iptables/xtables-restore.c43
-rw-r--r--iptables/xtables.c2
19 files changed, 31 insertions, 183 deletions
diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
index 12ac9ebd..09d9082c 100644
--- a/iptables/arptables-nft-restore.8
+++ b/iptables/arptables-nft-restore.8
@@ -22,23 +22,18 @@
.SH NAME
arptables-restore \- Restore ARP Tables (nft-based)
.SH SYNOPSIS
-.BR arptables\-restore " [" --compat ]
+\fBarptables\-restore
.SH DESCRIPTION
+.PP
.B arptables-restore
is used to restore ARP Tables from data specified on STDIN or
via a file as first argument.
-Use I/O redirection provided by your shell to read from a file.
-.P
+Use I/O redirection provided by your shell to read from a file
+.TP
.B arptables-restore
flushes (deletes) all previous contents of the respective ARP Table.
-.TP
-.BR -C , " --compat"
-Create rules in a mostly compatible way, enabling older versions of
-\fBarptables\-nft\fP to correctly parse the rules received from kernel. This
-mode is only useful in very specific situations and will likely impact packet
-filtering performance.
-
.SH AUTHOR
Jesper Dangaard Brouer <brouer@redhat.com>
.SH SEE ALSO
\fBarptables\-save\fP(8), \fBarptables\fP(8)
+.PP
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
index 673a7bd5..ea31e084 100644
--- a/iptables/arptables-nft.8
+++ b/iptables/arptables-nft.8
@@ -220,14 +220,6 @@ counters of a rule (during
.B APPEND,
.B REPLACE
operations).
-.SS "OTHER OPTIONS"
-The following additional options can be specified:
-.TP
-\fB\-\-compat\fP
-Create rules in a mostly compatible way, enabling older versions of
-\fBarptables\-nft\fP to correctly parse the rules received from kernel. This
-mode is only useful in very specific situations and will likely impact packet
-filtering performance.
.SS RULE-SPECIFICATIONS
The following command line arguments make up a rule specification (as used
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index baada6c6..0304b508 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -359,12 +359,6 @@ to try to automatically load missing kernel modules.
.TP
.B --concurrent
Use a file lock to support concurrent scripts updating the ebtables kernel tables.
-.TP
-.B --compat
-Create rules in a mostly compatible way, enabling older versions of
-\fBebtables\-nft\fP to correctly parse the rules received from kernel. This
-mode is only useful in very specific situations and will likely impact packet
-filtering performance.
.SS
RULE SPECIFICATIONS
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index 38309992..aa816f79 100644
--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
@@ -23,11 +23,11 @@ iptables-restore \(em Restore IP Tables
.P
ip6tables-restore \(em Restore IPv6 Tables
.SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-cChntvV\fP] [\fB\-w\fP \fIseconds\fP]
+\fBiptables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIseconds\fP]
[\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
[\fIfile\fP]
.P
-\fBip6tables\-restore\fP [\fB\-cChntvV\fP] [\fB\-w\fP \fIseconds\fP]
+\fBip6tables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIseconds\fP]
[\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
[\fIfile\fP]
.SH DESCRIPTION
@@ -74,13 +74,6 @@ determine the executable's path.
.TP
\fB\-T\fP, \fB\-\-table\fP \fIname\fP
Restore only the named table even if the input stream contains other ones.
-.TP
-\fB\-C\fP, \fB\-\-compat\fP
-This flag is only relevant with \fBnft\fP-variants and ignored otherwise. If
-set, rules will be created in a mostly compatible way, enabling older versions
-of \fBiptables\-nft\fP to correctly parse the rules received from kernel. This
-mode is only useful in very specific situations and will likely impact packet
-filtering performance.
.SH BUGS
None known as of iptables-1.2.1 release
.SH AUTHORS
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index c0e92f27..ecaa5553 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -397,13 +397,6 @@ corresponding to that rule's position in the chain.
\fB\-\-modprobe=\fP\fIcommand\fP
When adding or inserting rules into a chain, use \fIcommand\fP
to load any necessary modules (targets, match extensions, etc).
-.TP
-\fB\-\-compat\fP
-This flag is only relevant with \fBnft\fP-variants and ignored otherwise. If
-set, rules will be created in a mostly compatible way, enabling older versions
-of \fBiptables\-nft\fP to correctly parse the rules received from kernel. This
-mode is only useful in very specific situations and will likely impact packet
-filtering performance.
.SH LOCK FILE
iptables uses the \fI@XT_LOCK_NAME@\fP file to take an exclusive lock at
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 14b352ce..9868966a 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -151,7 +151,7 @@ static int nft_arp_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0)
ret = add_verdict(r, NFT_RETURN);
else
- ret = add_target(h, r, cs->target->t);
+ ret = add_target(r, cs->target->t);
} else if (strlen(cs->jumpto) > 0) {
/* No goto in arptables */
ret = add_jumpto(r, cs->jumpto, NFT_JUMP);
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 616ae5a3..391a8ab7 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -117,8 +117,7 @@ static int add_meta_broute(struct nftnl_rule *r)
return 0;
}
-static int _add_action(struct nft_handle *h, struct nftnl_rule *r,
- struct iptables_command_state *cs)
+static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs)
{
const char *table = nftnl_rule_get_str(r, NFTNL_RULE_TABLE);
@@ -134,7 +133,7 @@ static int _add_action(struct nft_handle *h, struct nftnl_rule *r,
}
}
- return add_action(h, r, cs, false);
+ return add_action(r, cs, false);
}
static int
@@ -222,7 +221,7 @@ static int nft_bridge_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
if (nft_bridge_add_match(h, fw, ctx, r, iter->u.match->m))
break;
} else {
- if (add_target(h, r, iter->u.watcher->t))
+ if (add_target(r, iter->u.watcher->t))
break;
}
}
@@ -230,7 +229,7 @@ static int nft_bridge_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
return -1;
- return _add_action(h, r, cs);
+ return _add_action(r, cs);
}
static bool nft_rule_to_ebtables_command_state(struct nft_handle *h,
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 663052fc..2f10220e 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -95,7 +95,7 @@ static int nft_ipv4_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
return -1;
- return add_action(h, r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO));
+ return add_action(r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO));
}
static bool nft_ipv4_is_same(const struct iptables_command_state *a,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 8bc633df..d53f87c1 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -81,7 +81,7 @@ static int nft_ipv6_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
return -1;
- return add_action(h, r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO));
+ return add_action(r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO));
}
static bool nft_ipv6_is_same(const struct iptables_command_state *a,
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 5e0ca00e..34ca9d16 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -198,7 +198,7 @@ void add_addr(struct nft_handle *h, struct nftnl_rule *r,
for (i = 0; i < len; i++) {
if (m[i] != 0xff) {
- bitwise = h->compat || m[i] != 0;
+ bitwise = m[i] != 0;
break;
}
}
diff --git a/iptables/nft.c b/iptables/nft.c
index 09ff9cf1..97fd4f49 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1476,12 +1476,10 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
case NFT_COMPAT_RULE_APPEND:
case NFT_COMPAT_RULE_INSERT:
case NFT_COMPAT_RULE_REPLACE:
- if (!strcmp(m->u.user.name, "among"))
- return add_nft_among(h, r, m);
- else if (h->compat)
- break;
- else if (!strcmp(m->u.user.name, "limit"))
+ if (!strcmp(m->u.user.name, "limit"))
return add_nft_limit(r, m);
+ else if (!strcmp(m->u.user.name, "among"))
+ return add_nft_among(h, r, m);
else if (!strcmp(m->u.user.name, "udp"))
return add_nft_udp(h, r, m);
else if (!strcmp(m->u.user.name, "tcp"))
@@ -1540,13 +1538,12 @@ static int add_meta_nftrace(struct nftnl_rule *r)
return 0;
}
-int add_target(struct nft_handle *h, struct nftnl_rule *r,
- struct xt_entry_target *t)
+int add_target(struct nftnl_rule *r, struct xt_entry_target *t)
{
struct nftnl_expr *expr;
int ret;
- if (!h->compat && strcmp(t->u.user.name, "TRACE") == 0)
+ if (strcmp(t->u.user.name, "TRACE") == 0)
return add_meta_nftrace(r);
expr = nftnl_expr_alloc("target");
@@ -1590,8 +1587,8 @@ int add_verdict(struct nftnl_rule *r, int verdict)
return 0;
}
-int add_action(struct nft_handle *h, struct nftnl_rule *r,
- struct iptables_command_state *cs, bool goto_set)
+int add_action(struct nftnl_rule *r, struct iptables_command_state *cs,
+ bool goto_set)
{
int ret = 0;
@@ -1607,7 +1604,7 @@ int add_action(struct nft_handle *h, struct nftnl_rule *r,
else if (strcmp(cs->jumpto, "NFLOG") == 0)
ret = add_log(r, cs);
else
- ret = add_target(h, r, cs->target->t);
+ ret = add_target(r, cs->target->t);
} else if (strlen(cs->jumpto) > 0) {
/* Not standard, then it's a go / jump to chain */
if (goto_set)
diff --git a/iptables/nft.h b/iptables/nft.h
index fb9fc81e..5acbbf82 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -111,7 +111,6 @@ struct nft_handle {
struct list_head cmd_list;
bool cache_init;
int verbose;
- bool compat;
/* meta data, for error reporting */
struct {
@@ -193,11 +192,9 @@ int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);
int add_verdict(struct nftnl_rule *r, int verdict);
int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
struct nftnl_rule *r, struct xt_entry_match *m);
-int add_target(struct nft_handle *h, struct nftnl_rule *r,
- struct xt_entry_target *t);
+int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
-int add_action(struct nft_handle *h, struct nftnl_rule *r,
- struct iptables_command_state *cs, bool goto_set);
+int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
int add_log(struct nftnl_rule *r, struct iptables_command_state *cs);
char *get_comment(const void *data, uint32_t data_len);
diff --git a/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0 b/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
deleted file mode 100755
index c8cee8ae..00000000
--- a/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/bin/bash
-
-[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
-
-set -e
-
-# reduce noise in debug output
-$XT_MULTI iptables -t raw -A OUTPUT
-$XT_MULTI iptables -t raw -F
-
-# add all the things which were "optimized" here
-RULE='-t raw -A OUTPUT'
-
-# prefix matches on class (actually: byte) boundaries no longer need a bitwise
-RULE+=' -s 10.0.0.0/8 -d 192.168.0.0/16'
-
-# these were turned into native matches meanwhile
-# (plus -m tcp, but it conflicts with -m udp)
-RULE+=' -m limit --limit 1/min'
-RULE+=' -p udp -m udp --sport 1024:65535'
-RULE+=' -m mark --mark 0xfeedcafe/0xfeedcafe'
-RULE+=' -j TRACE'
-
-EXPECT_COMMON='TRACE udp opt -- in * out * 10.0.0.0/8 -> 192.168.0.0/16 limit: avg 1/min burst 5 udp spts:1024:65535 mark match 0xfeedcafe/0xfeedcafe
-ip raw OUTPUT'
-
-EXPECT="$EXPECT_COMMON
- [ payload load 1b @ network header + 12 => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ payload load 2b @ network header + 16 => reg 1 ]
- [ cmp eq reg 1 0x0000a8c0 ]
- [ payload load 1b @ network header + 9 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ limit rate 1/minute burst 5 type packets flags 0x0 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ range eq reg 1 0x00000004 0x0000ffff ]
- [ meta load mark => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0xfeedcafe ) ^ 0x00000000 ]
- [ cmp eq reg 1 0xfeedcafe ]
- [ counter pkts 0 bytes 0 ]
- [ immediate reg 9 0x00000001 ]
- [ meta set nftrace with reg 9 ]
-"
-
-diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -vv $RULE)
-
-EXPECT="$EXPECT_COMMON
- [ payload load 4b @ network header + 12 => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ]
- [ cmp eq reg 1 0x0000000a ]
- [ payload load 4b @ network header + 16 => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ]
- [ cmp eq reg 1 0x0000a8c0 ]
- [ payload load 1b @ network header + 9 => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ match name limit rev 0 ]
- [ match name udp rev 0 ]
- [ match name mark rev 1 ]
- [ counter pkts 0 bytes 0 ]
- [ target name TRACE rev 0 ]
-"
-
-diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables --compat -vv $RULE)
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 74b7a041..5f75a0a5 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1263,8 +1263,7 @@ xtables_printhelp(const struct xtables_rule_match *matches)
printf(
" --modprobe=<command> try to insert modules using this command\n"
" --set-counters -c PKTS BYTES set the counter during insert/append\n"
-"[!] --version -V print package version\n"
-" --compat create rules compatible for parsing with old binaries\n");
+"[!] --version -V print package version.\n");
if (afinfo->family == NFPROTO_ARP) {
int i;
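Review bot: The restored help line `"[!] --version -V print package version.\n"` ends in a period, while the two option lines above it in the same printf() and the `--version` line in xtables-eb.c's print_help() (also touched by this commit) do not. Dropping the period so the string ends in `print package version\n");` keeps the help output uniform. This is a style point only; xtables_printhelp() starts and ends outside the hunk.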
@@ -1788,10 +1787,6 @@ void do_parse(int argc, char *argv[],
exit_tryhelp(2, p->line);
- case 15: /* --compat */
- p->compat = true;
- break;
-
case 1: /* non option */
if (optarg[0] == '!' && optarg[1] == '\0') {
if (invert)
diff --git a/iptables/xshared.h b/iptables/xshared.h
index f69a7b43..a200e0d6 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -283,7 +283,6 @@ struct xt_cmd_parse {
int line;
int verbose;
bool xlate;
- bool compat;
struct xt_cmd_parse_ops *ops;
};
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index c6a9c6d6..71518a9c 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -78,7 +78,6 @@ static struct option original_opts[] = {
{ "line-numbers", 0, 0, '0' },
{ "modprobe", 1, 0, 'M' },
{ "set-counters", 1, 0, 'c' },
- { "compat", 0, 0, 15 },
{ 0 }
};
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index ffd51efa..08eec79d 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -223,7 +223,6 @@ struct option ebt_original_options[] =
{ "init-table" , no_argument , 0, 11 },
{ "concurrent" , no_argument , 0, 13 },
{ "check" , required_argument, 0, 14 },
- { "compat" , no_argument , 0, 15 },
{ 0 }
};
@@ -336,8 +335,7 @@ static void print_help(const struct xtables_target *t,
"--modprobe -M program : try to insert modules using this program\n"
"--concurrent : use a file lock to support concurrent scripts\n"
"--verbose -v : verbose mode\n"
-"--version -V : print package version\n"
-"--compat : create rules compatible for parsing with old binaries\n\n"
+"--version -V : print package version\n\n"
"Environment variable:\n"
/*ATOMIC_ENV_VARIABLE " : if set <FILE> (see above) will equal its value"*/
"\n\n");
@@ -1099,9 +1097,6 @@ print_zero:
return 1;
case 13 :
break;
- case 15:
- h->compat = true;
- break;
case 1 :
if (!strcmp(optarg, "!"))
ebt_check_inverse2(optarg, argc, argv);
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index bd8c6bc1..23cd3498 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -26,7 +26,6 @@ static int counters, verbose;
/* Keeping track of external matches and targets. */
static const struct option options[] = {
{.name = "counters", .has_arg = false, .val = 'c'},
- {.name = "compat", .has_arg = false, .val = 'C'},
{.name = "verbose", .has_arg = false, .val = 'v'},
{.name = "version", .has_arg = 0, .val = 'V'},
{.name = "test", .has_arg = false, .val = 't'},
@@ -46,9 +45,8 @@ static const struct option options[] = {
static void print_usage(const char *name, const char *version)
{
- fprintf(stderr, "Usage: %s [-c] [-C] [-v] [-V] [-t] [-h] [-n] [-T table] [-M command] [-4] [-6] [file]\n"
+ fprintf(stderr, "Usage: %s [-c] [-v] [-V] [-t] [-h] [-n] [-T table] [-M command] [-4] [-6] [file]\n"
" [ --counters ]\n"
- " [ --compat ]\n"
" [ --verbose ]\n"
" [ --version]\n"
" [ --test ]\n"
@@ -291,7 +289,6 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
.cb = &restore_cb,
};
bool noflush = false;
- bool compat = false;
struct nft_handle h;
int c;
@@ -306,7 +303,7 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
exit(1);
}
- while ((c = getopt_long(argc, argv, "bcCvVthnM:T:wW", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bcvVthnM:T:wW", options, NULL)) != -1) {
switch (c) {
case 'b':
fprintf(stderr, "-b/--binary option is not implemented\n");
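Review bot: The optstring `"bcvVthnM:T:wW"` contains neither `4` nor `6`, yet the usage string rewritten in print_usage() earlier in this file still advertises `[-4] [-6]`. As far as these hunks show, getopt_long() would reject the short forms unless they are handled somewhere not visible here. Either extend the optstring to `"bcvVthnM:T:wW46"` (provided the switch has matching cases) or list only the long options in the usage line, so operators are not told to use flags that the parser rejects. The switch body continues outside the hunk.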
@@ -314,9 +311,6 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
case 'c':
counters = 1;
break;
- case 'C':
- compat = true;
- break;
case 'v':
verbose++;
break;
@@ -393,7 +387,6 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
}
h.noflush = noflush;
h.restore = true;
- h.compat = compat;
xtables_restore_parse(&h, &p);
@@ -424,7 +417,6 @@ static const struct nft_xt_restore_cb ebt_restore_cb = {
};
static const struct option ebt_restore_options[] = {
- {.name = "compat", .has_arg = 0, .val = 'C'},
{.name = "noflush", .has_arg = 0, .val = 'n'},
{.name = "verbose", .has_arg = 0, .val = 'v'},
{ 0 }
@@ -437,16 +429,12 @@ int xtables_eb_restore_main(int argc, char *argv[])
.cb = &ebt_restore_cb,
};
bool noflush = false;
- bool compat = false;
struct nft_handle h;
int c;
- while ((c = getopt_long(argc, argv, "Cnv",
+ while ((c = getopt_long(argc, argv, "nv",
ebt_restore_options, NULL)) != -1) {
switch(c) {
- case 'C':
- compat = true;
- break;
case 'n':
noflush = 1;
break;
@@ -455,7 +443,7 @@ int xtables_eb_restore_main(int argc, char *argv[])
break;
default:
fprintf(stderr,
- "Usage: ebtables-restore [ --compat ] [ --verbose ] [ --noflush ]\n");
+ "Usage: ebtables-restore [ --verbose ] [ --noflush ]\n");
exit(1);
break;
}
@@ -463,7 +451,6 @@ int xtables_eb_restore_main(int argc, char *argv[])
nft_init_eb(&h, "ebtables-restore");
h.noflush = noflush;
- h.compat = compat;
xtables_restore_parse(&h, &p);
nft_fini_eb(&h);
@@ -478,37 +465,15 @@ static const struct nft_xt_restore_cb arp_restore_cb = {
.chain_restore = nft_cmd_chain_restore,
};
-static const struct option arp_restore_options[] = {
- {.name = "compat", .has_arg = 0, .val = 'C'},
- { 0 }
-};
-
int xtables_arp_restore_main(int argc, char *argv[])
{
struct nft_xt_restore_parse p = {
.in = stdin,
.cb = &arp_restore_cb,
};
- bool compat = false;
struct nft_handle h;
- int c;
-
- while ((c = getopt_long(argc, argv, "C",
- arp_restore_options, NULL)) != -1) {
- switch(c) {
- case 'C':
- compat = true;
- break;
- default:
- fprintf(stderr,
- "Usage: arptables-restore [ --compat ]\n");
- exit(1);
- break;
- }
- }
nft_init_arp(&h, "arptables-restore");
- h.compat = compat;
xtables_restore_parse(&h, &p);
nft_fini(&h);
xtables_fini();
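Review bot: With the getopt loop removed and nothing put in its place, the visible part of xtables_arp_restore_main() never looks at argc/argv, so a script that still passes `--compat` (or any other argument) is accepted silently and the ruleset is restored from stdin. xtables_eb_restore_main() in the same file keeps a `default:` branch that prints usage and exits 1, and the arptables-nft-restore.8 text in this commit still describes input "via a file as first argument", which `.in = stdin` does not honour. For a firewall loader it is safer to fail closed on unexpected arguments, e.g. `if (argc > 1) { fprintf(stderr, "Usage: arptables-restore\n"); exit(1); }` before `nft_init_arp()`, assuming argv[0] is the program name on this path. The function body ends outside the hunk.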
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 25b4dbc6..22d6ea58 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -82,7 +82,6 @@ static struct option original_opts[] = {
{.name = "goto", .has_arg = 1, .val = 'g'},
{.name = "ipv4", .has_arg = 0, .val = '4'},
{.name = "ipv6", .has_arg = 0, .val = '6'},
- {.name = "compat", .has_arg = 0, .val = 15 },
{NULL},
};
@@ -162,7 +161,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
do_parse(argc, argv, &p, &cs, &args);
h->verbose = p.verbose;
- h->compat = p.compat;
if (!nft_table_builtin_find(h, p.table))
xtables_error(VERSION_PROBLEM,