Warn for tables with compat expressions in rules

While being able to "look inside" compat expressions using nft is a nice feature, it is also (yet another) pitfall for unaware users, deceiving them into assuming interchangeability (or at least compatibility) between iptables-nft and nft. In reality, which involves 'nft list ruleset | nft -f -', any correctly translated compat expressions will turn into native nftables ones not understood by (the version of) iptables-nft which created them in the first place. Other compat expressions will vanish, potentially compromising the firewall ruleset. Emit a warning (as comment) to give users a chance to stop and reconsider before shooting their own foot. Signed-off-by: Phil Sutter <phil@nwl.cc>
author: Phil Sutter <phil@nwl.cc> 2022-10-11 18:46:55 +0200
committer: Phil Sutter <phil@nwl.cc> 2022-11-18 15:50:24 +0100
commit: c327e9331e50d7b4d6cfd0a82fb38bec73703bfb (patch)
tree: dcfac81d4ae15a21ddacbc1edc7a9d4530b86d46 /include
parent: 4521732ebbf34573062d2cad2f74b98910ea1c5b (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/include/rule.h b/include/rule.h
index ad9f9127..00a1bac5 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -169,6 +169,7 @@ struct table {
 	unsigned int		refcnt;
 	uint32_t		owner;
 	const char		*comment;
+	bool			has_xt_stmts;
 };
 
 extern struct table *table_alloc(void);
author	Phil Sutter <phil@nwl.cc>	2022-10-11 18:46:55 +0200
committer	Phil Sutter <phil@nwl.cc>	2022-11-18 15:50:24 +0100
commit	c327e9331e50d7b4d6cfd0a82fb38bec73703bfb (patch)
tree	dcfac81d4ae15a21ddacbc1edc7a9d4530b86d46 /include
parent	4521732ebbf34573062d2cad2f74b98910ea1c5b (diff)