Re: [PATCH iptables v2 0/8] extensions: libxt_NFLOG: use nft back-end for iptables-nft

From: Florian Westphal <fw@strlen.de>
To: Jeremy Sowden <jeremy@azazel.net>
Cc: Netfilter Devel <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH iptables v2 0/8] extensions: libxt_NFLOG: use nft back-end for iptables-nft
Date: Sun, 16 Jan 2022 20:08:15 +0100	[thread overview]
Message-ID: <20220116190815.GB28638@breakpoint.cc> (raw)
In-Reply-To: <YeQ0JeUznhEopHxI@azazel.net>

Jeremy Sowden <jeremy@azazel.net> wrote:
> On 2021-10-01, at 18:41:34 +0100, Jeremy Sowden wrote:
> > nftables supports 128-character prefixes for nflog whereas legacy
> > iptables only supports 64 characters.  This patch series converts
> > iptables-nft to use the nft back-end in order to take advantage of the
> > longer prefixes.
> >
> >   * Patches 1-5 implement the conversion and update some related Python
> >     unit-tests.
> >   * Patch 6 fixes an minor bug in the output of nflog prefixes.
> >   * Patch 7 contains a couple of libtool updates.
> >   * Patch 8 fixes some typo's.
> 
> I note that Florian merged the first patch in this series recently.

Yes, because it was a cleanup not directly related to the rest.
I've now applied the last patch as well for the same reason.

> Feedback on the rest of it would be much appreciated.

THe patches look ok to me BUT there is the political issue
that we will now divert, afaict this means that you can now create
iptables-nft rulesets that won't ever work in iptables-legacy.

IMO its ok and preferrable to extending xt_(NF)LOG with a new revision,
but it does set some precedence, so I'm leaning towards just applying
the rest too.

Pablo, Phil, others -- what is your take?