NFT support

[willyhun]

Do you plan support nftables infrastructure? Thanks!

[aabc]

As far as I know, nftables is not extensible.

[aabc]

Well, if you (or someone else) find a way (or example how) to extend nftables, please send!

[q2dg]

Maybe this can help? https://zasdfgbnm.github.io/2017/09/07/Extending-nftables/

[aabc]

@q2dg Thanks. That's interesting. But he still patch libnftnl and nftables userspace to support new statement.

[junjunk]

Made fork and added support for nftables
https://github.com/junjunk/ipt-netflow/tree/nftables
This is the first testing commit - no checks in configure
Userspace patches will be a bit later

[aabc]

@junjunk Thanks for working on it. It seems break compatibility with iptables too?

[junjunk]

Well, I tried to leave compatibility with iptables untouched.
Init function of module tries to register 2 different subsys - first with xt_register_targets(ipt_netflow_reg, ARRAY_SIZE(ipt_netflow_reg)) as it was, and second one with nft_register_expr(&nft_netflow_type)
Also, I've made single main function netflow_target with 2 wrappers ipt_netflow_target for iptables and nft_netflow_eval for nftables

[junjunk]

Also, it seems to me that better way to register iptables/nftables targets via module params

[aabc]

Ah, that sounds good. (I was misinterpreted the patch, probably.)

[stalker37]

what plans to add support of NFT?

[aabc]

@stalker37 There is no way to make netflow target as a separate installable module for nft. nftables source code patching is needed. But they will (probably) not integrate it into nftables because it is not in the kernel upstream. So, nftables is less flexible in the sense of extensibility than iptables.

[stalker37]

Maybe a separate kernel module without binding to iptables/nftables?

[aabc]

What do you mean in relation to nft[ables] support?