:: Re: [DNG] iptables forced obsolesce…
Pàgina inicial
Delete this message
Reply to this message
Autor: chillfan
Data:  
CC: dng@lists.dyne.org
Assumpte: Re: [DNG] iptables forced obsolescence over upgrade
So it turns out if you have the proper nft support (nft + compat module probably) in your kernel then iptables will continue to work.

The ifup failure looks like this:

iptables-restore/1.8.2 Failed to initialize nft: Protocol not supported
run-parts: /etc/network/if-pre-up.d/iptables exited with return code 1
ifup: failed to bring up eth0

So the script in if-pre-up.d is not working because it returns 1 instead of 0. Maybe this behaviour is the best since otherwise someone would be left without a firewall or other feature and not know about it. Better to just change scripts to point to /usr/sbin/iptables-legacy-restore for now.

Cheers,

chillfan

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, February 16, 2019 10:26 AM, <chillfan@???> wrote:

> Yeah, although the nft wiki seems to suggest it will replace iptables they seem to be coexisting at the moment.
>


> The problem with iptables is it expects you to have nft support. A quick find command shows some changes in the provided binaries.
>


> /sbin/iptables-save
> /sbin/iptables
> /sbin/iptables-restore
> /usr/sbin/iptables-save
> /usr/sbin/iptables-nft-save
> /usr/sbin/iptables-legacy-restore
> /usr/sbin/iptables
> /usr/sbin/iptables-legacy
> /usr/sbin/iptables-nft-restore
> /usr/sbin/iptables-restore
> /usr/sbin/iptables-legacy-save
> /usr/sbin/iptables-apply
> /usr/sbin/iptables-nft
>


> Running /sbin/iptables gives:
>


> iptables/1.8.2 Failed to initialize nft: Protocol not supported
>


> And of course I don't need nft so it's not built into my kernel. For the sake of testing I will check what happens when you do have nft support as I'm sure the stock kernel has.
>


> The usual setup for restoring iptables is to place the script in /etc/network/if-pre-up.d/iptables and restore the rules from a config file somewhere in /etc. Maybe the quirk here is ifupdown expects if-pre-up.d scripts to run succesfully before bringing up the interface.
>


> Cheers,
>


> chillfan
>


> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Saturday, February 16, 2019 8:38 AM, KatolaZ katolaz@??? wrote:
>


> > chillfan, I have several beowulf machines and all use iptables, and
> > none of them has had that issue. Maybe I have not apt-get updated
> > recently. Could it just be a quirk of if-up? Shall we try to track
> > the issue down?
> > On another note: before a useless ranftul flame gets started, please
> > note that as chillfan said iptables is not going away from the Linux
> > kernel.
> > My2Cents
> > KatolaZ
> >


> > [ ~.,_ Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab ]
> > [ "+. katolaz [at] freaknet.org --- katolaz [at] yahoo.it ]
> > [ @) http://kalos.mine.nu --- Devuan GNU + Linux User ]
> > [ @@) http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ]
> > [ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ]