Hi Arturo,

On 01/15/2016 09:06 PM, Arturo Borrero Gonzalez wrote:
> Hi,
>
> I'm giving a spin to the nft compat layer, since it can be of certain
> importance for distributions.
>
> I just want to be clear on what I recommend to end users about
> migrating from iptables (and friends) to nftables.
>
> Could you please remind me in which state was the discussion about
> that patch to show x_tables extensions in nftables rulesets [0]?
> I remember Patrick mentioned several concerns back then about this approach.

I have an updated version of this patch and also fixed some of the
problems I encountered along the way (see attached patches). The nft
patch is based on nftables-0.5 and the kernel change should apply
cleanly to linux-4.4.

With the update patch I can load a fairly complex iptables firewall
with iptables-compat, dump it with nft and reload the dump with nft.
The resulting ruleset appears to be working. YMMV.

Regards
Andreas

> Currently, with a basic ruleset errors are shown [1]. Also, if you try
> to see what's happening, segfaults [2].
>
> I'm aware of the translations efforts being made by Shivani.
>
> [0] http://patchwork.ozlabs.org/patch/459398/
> [1] http://paste.debian.net/366059
> [2] http://paste.debian.net/366060/
>
> best regards.
>