Author: Tito
Date:  
To: dng
Subject: Re: [DNG] my experience upgrading to NFT


On 8/3/20 10:53 AM, Marjorie Roome via Dng wrote:
> On Fri, 2020-07-31 at 18:44 -0700, Thomas Groman via Dng wrote:
>> I upgraded one of my larger and more complex servers from ASCII to
>> Beowulf. Switching to NFT was very easy after the upgrade. Just
>> create the rules (have flush at the beginning), remove the
>> iptables if-pre-up hook if you made one, copy the example init script
>> from /usr/share/doc/nftables/example, set it executable, and
>> rc-update add nftables default. Then openrc to bring the system to the
>> new defined default runlevel.
>>
> While it clearly worked for you with openrc it is broken on sysvinit as
> the example /usr/share/doc/nftables/examples/sysvinit/nftables.init has
> this:
>
> # Default-Start:
> # Default-Stop:      0 1 2 3 4 5 6
>
> in the LSB header, not the required:
>
> # Default-Start:    S
> # Default-Stop:     0 1 6
>
> On 2020-08-02 17:00, Hendrik Boom wrote:
>> What is NFT?
>>
> It stands for Net Filter Tables. It handles more than iptables (also
> ip6tables, arptables and ebtables) and it's been developed by the Net
> Filter team, hence the name. The binary is also nft.
>
> It is obviously coming in very slowly (it's been around for at least 5
> years). And users are still translating it back to iptables syntax
> using iptables-legacy.
>
> Beowulf still installs with iptables. Buster uses nftables.
>
> Firewalld can use nftables as a backend. UFW can't.
>
> --
> Marjorie
>


Hi,
Did you try update-alternatives to set iptables to iptables-legacy
behaviour? Arno-iptables-firewall and xtables-addons-dkms from
testing work for me that way.

Ciao,
Tito
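The two pitfalls in this thread, an LSB header whose Default-Start is empty so the firewall silently never starts at boot, and a ruleset that does not flush before loading, are both easy to check for before rebooting. The script below is an added example written for this page; it is not code from the thread, from the nftables package, or from the Arno firewall. The init-script and ruleset contents it writes are constructed samples, the file paths are assumptions, and the `iptables_alternative` helper assumes the `Value:` line that dpkg's `update-alternatives --query` prints.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a sysvinit
# nftables setup. Sample files written here are constructed for the demo.

# Return 0 when init script $1 has an LSB header that will actually start
# the service: Default-Start contains S and Default-Stop is exactly "0 1 6".
lsb_header_ok() {
    start=$(sed -n 's/^# Default-Start:[[:space:]]*//p' "$1" | head -n 1)
    stop=$(sed -n 's/^# Default-Stop:[[:space:]]*//p' "$1" | head -n 1)
    case " $start " in
        *" S "*) ;;                 # runlevel S present
        *) return 1 ;;              # empty or wrong: never started at boot
    esac
    set -- $stop                    # collapse whitespace in the stop list
    [ "$*" = "0 1 6" ]
}

# Return 0 when the first non-blank, non-comment line of ruleset $1 is
# "flush ruleset", so reloading never leaves stale rules behind.
ruleset_flushes_first() {
    first=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | head -n 1)
    [ "$(echo $first)" = "flush ruleset" ]
}

# Print which iptables backend update-alternatives currently selects
# (e.g. /usr/sbin/iptables-legacy or /usr/sbin/iptables-nft), or "unknown".
iptables_alternative() {
    sel=""
    if command -v update-alternatives >/dev/null 2>&1; then
        sel=$(update-alternatives --query iptables 2>/dev/null |
              sed -n 's/^Value: //p')
    fi
    echo "${sel:-unknown}"
}

# Write a constructed init script to $1 with Default-Start $2 and
# Default-Stop $3; start/stop actions are omitted, only the header matters.
write_init_script() {
    cat > "$1" <<EOF
#!/bin/sh
### BEGIN INIT INFO
# Provides:          nftables
# Required-Start:    \$local_fs
# Required-Stop:     \$local_fs
# Default-Start:     $2
# Default-Stop:      $3
# Short-Description: nftables firewall (constructed sample)
### END INIT INFO
EOF
}

# Write a constructed minimal ruleset to $1; $2 = yes prepends "flush ruleset".
write_ruleset() {
    {
        [ "$2" = yes ] && echo 'flush ruleset'
        cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport 22 accept
    }
}
EOF
    } > "$1"
}

# Demo: the header from the packaged example (empty Default-Start) versus
# the required one, and a ruleset with and without a leading flush.
run_demo() {
    d=$(mktemp -d)
    write_init_script "$d/example.init" "" "0 1 2 3 4 5 6"
    write_init_script "$d/fixed.init" "S" "0 1 6"
    write_ruleset "$d/noflush.nft" no
    write_ruleset "$d/flush.nft" yes
    for f in example.init fixed.init; do
        if lsb_header_ok "$d/$f"; then r=ok; else r="BROKEN (will not start at boot)"; fi
        echo "$f: $r"
    done
    for f in noflush.nft flush.nft; do
        if ruleset_flushes_first "$d/$f"; then r=ok; else r="no leading flush"; fi
        echo "$f: $r"
    done
    echo "iptables alternative: $(iptables_alternative)"
    rm -rf "$d"
}

run_demo
```

Run it as-is for the demo, or source it and call `lsb_header_ok /etc/init.d/nftables` and `ruleset_flushes_first /etc/nftables.conf` against the real files before enabling the service. The header check is deliberately strict about `0 1 6`, because a script that stops in runlevels 2 to 5 will tear the firewall down as soon as the system reaches its default runlevel.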