From: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
To: Victor Julien <lists@inliniac.net>
Cc: Netfilter Development Mailing list
	<netfilter-devel@vger.kernel.org>,
	Patrick McHardy <kaber@trash.net>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Eric Leblond <eric@regit.org>,
	Julien Vehent <julien@linuxwall.info>
Subject: Re: [Nftables RFC] High level library proposal
Date: Fri, 19 Apr 2013 09:50:49 +0300
Message-ID: <5170E949.9060109@linux.intel.com>
In-Reply-To: <516EA900.3080607@inliniac.net>

Hi Victor,

> Not sure if it would fit the scope of this library, but as a frontend
> developer I would love to have easy access to some sort of "supported
> features" call.
>
> In Vuurmuur I currently parse /proc/net/ip_tables_names to see what
> tables are supported, /proc/net/ip_tables_matches to see what matches
> are supported, etc.
>
> This still isn't enough, because it won't tell me if the SNAT target
> will actually support the --random option, so I end up creating a lot of
> test rules at startup, just to figure this stuff out.
>
> Then there is also the case of a mismatch between kernel and userland. I
> remember one case where the Ubuntu kernel would support a module, but
> the shipped iptables wouldn't.
>
> Not sure if all of this is relevant to nftables and I don't have a
> proposed solution, but just wanted to bring it up for consideration.

This is a good idea, since indeed not all features might be supported from
one kernel configuration/version to another. However, nftables does not
expose anything through proc-fs currently. And it does not tell anything
about what are supported features anywhere, afaik.

We should first think how to fix this from kernel side, for the library
itself it should be trivial afterwards. There are issues like as long as
modules are not loaded you don't know for instance which expressions are
supported...

Maybe kernel guys have good ideas how to fix this?


Tomasz
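
The procfs check described in the quoted text, and the two gaps both messages point out, as an added example that is not part of the original thread. The function names and the sample file contents are assumptions made for illustration; `ip_tables_targets` is the procfs file for targets and is not named in the thread.

```python
import os
import tempfile

# procfs listings for IPv4 iptables. The thread names the first two;
# ip_tables_targets is the matching file for targets.
PROC_FILES = {"table": "ip_tables_names",
              "match": "ip_tables_matches",
              "target": "ip_tables_targets"}


def read_loaded(proc_net="/proc/net"):
    """Map each kind to the set of names listed, or None if unreadable."""
    loaded = {}
    for kind, fname in PROC_FILES.items():
        try:
            with open(os.path.join(proc_net, fname)) as fh:
                loaded[kind] = {ln.strip() for ln in fh if ln.strip()}
        except OSError:  # module not loaded, or caller lacks permission
            loaded[kind] = None
    return loaded


def needs_test_rule(loaded, wanted):
    """Return the (kind, name, option) requirements procfs cannot confirm.

    A name that is not listed may still load on demand, and a listed name
    says nothing about its options, so both cases still need a probe."""
    pending = []
    for kind, name, option in wanted:
        names = loaded.get(kind)
        listed = names is not None and name in names
        if not listed or option is not None:
            pending.append((kind, name, option))
    return pending


def demo():
    # Constructed sample files standing in for /proc/net on a test host.
    sample = {"ip_tables_names": "filter\nnat\n",
              "ip_tables_matches": "conntrack\ntcp\nudp\n",
              "ip_tables_targets": "SNAT\nREJECT\n"}
    wanted = [("table", "nat", None), ("match", "conntrack", None),
              ("match", "recent", None), ("target", "SNAT", "--random")]
    with tempfile.TemporaryDirectory() as root:
        for fname, body in sample.items():
            with open(os.path.join(root, fname), "w") as fh:
                fh.write(body)
        return needs_test_rule(read_loaded(root), wanted)


if __name__ == "__main__":
    for item in demo():
        print("probe with a test rule:", item)
```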
