From: trentbuck@gmail.com (Trent W. Buck)
To: netfilter@vger.kernel.org
Subject: Re: Upgrading libnetfilter_queue to use nftables
Date: Mon, 18 Nov 2019 11:53:02 +1100
Message-ID: <87bltadmz5.fsf@goll.lan>
In-Reply-To: a10d6417-ddcd-328e-1834-c234d92c28d8@tana.it
Alessandro Vesely <vesely@tana.it> writes:
> On Thu 14/Nov/2019 04:12:46 +0100 Florian Westphal wrote:
>> Alessandro Vesely <vesely@tana.it> wrote:
>>> [...]
>>> There is a user space filter reading queued packets and issuing verdicts.
>>> It is linked to libnetfilter_queue, libnfnetlink and libmnl.
>>> Does automatic translation work fine in this case?
>>
>> It has nothing to do with translation, userspace doesn't care, it's the
>> same interface.
>
> So it shouldn't even be needed to maintain alternatives like Debian does, e.g.:
>
> # update-alternatives --set iptables /usr/sbin/iptables-nft
> vs
> # update-alternatives --set iptables /usr/sbin/iptables-legacy
nft doesn't support some things (e.g. -j TARPIT from xtables-addons-dkms).
iptables-legacy lets you continue using those things.
You also need the -legacy tools to inspect firewall rules created by
e.g. systemd-nspawn for systemd containers.
Here is an example system with a single nft rule AND a single legacy
rule created by systemd:
root@not-omega:~# iptables-save
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
root@not-omega:~# iptables-legacy-save
# Generated by iptables-save v1.8.3 on Mon Nov 18 11:48:26 2019
*nat
:PREROUTING ACCEPT [111429:8069436]
:INPUT ACCEPT [111423:8067363]
:OUTPUT ACCEPT [38839:3454394]
:POSTROUTING ACCEPT [38837:3454330]
-A POSTROUTING -s 10.194.71.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Nov 18 11:48:26 2019
root@not-omega:~# nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		counter packets 9 bytes 632 continue comment "example rule that does nothing"
	}
	chain forward {
		type filter hook forward priority filter; policy accept;
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
}
PS: I'm 95% sure I've seen iptables-restore silently fail to load SOME
rules, leaving me with a wrong ruleset instead of a right ruleset or the
existing ruleset. And then iptables-legacy-restore worked fine.
(I'd give the actual code, but it was a few weeks ago and I don't have
it handy.)
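Added example, not part of this thread: a small parser for the two dump formats quoted above (iptables-save text and `nft list ruleset` text) that reports which backend actually holds rules and flags the split situation shown on that host, where plain `iptables-save` only prints the legacy warning. The sample inputs are constructed from the output in the mail; the function names are mine.

```python
# Constructed samples, taken from the output quoted in the mail above.
IPTABLES_SAVE_OUT = "# Warning: iptables-legacy tables present, use iptables-legacy-save to see them\n"
LEGACY_SAVE_OUT = """*nat
:POSTROUTING ACCEPT [38837:3454330]
-A POSTROUTING -s 10.194.71.0/24 -j MASQUERADE
COMMIT
"""
NFT_OUT = """table inet filter {
\tchain input {
\t\ttype filter hook input priority filter; policy accept;
\t\tcounter packets 9 bytes 632 continue comment "example rule that does nothing"
\t}
}
"""
def parse_iptables_save(text):
    """Return {table: {chain: [rule, ...]}}: '*tbl' opens a table, ':CHAIN POLICY [pkts:bytes]'
    declares a chain, '-A CHAIN ...' adds a rule, 'COMMIT' closes; blank/'#' lines match nothing."""
    tables, table = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
        elif line == "COMMIT":
            table = None
        elif table is not None and line.startswith(":"):
            tables[table].setdefault(line[1:].split()[0], [])
        elif table is not None and line.startswith("-A "):
            tables[table].setdefault(line.split()[1], []).append(line)
    return tables
def count_nft_rules(text):
    """Count rule statements at chain depth (table { chain { ... } }) in
    `nft list ruleset` output, skipping braces and each chain's 'type ... hook' header."""
    depth = count = 0
    for s in (raw.strip() for raw in text.splitlines()):
        if s.endswith("{"):
            depth += 1
        elif s == "}":
            depth -= 1
        elif depth == 2 and s and not s.startswith("type "):
            count += 1
    return count
def backend_report(iptables_save_out, legacy_save_out, nft_out):
    """'split' means both backends hold rules; inspecting only one of them shows a partial firewall."""
    legacy = parse_iptables_save(legacy_save_out)
    legacy_rules = sum(len(r) for chains in legacy.values() for r in chains.values())
    nft_rules = count_nft_rules(nft_out)
    return {"legacy_warning": "iptables-legacy tables present" in iptables_save_out,
            "legacy_rules": legacy_rules, "nft_rules": nft_rules,
            "split": legacy_rules > 0 and nft_rules > 0}
```

On a live box, feed it the captured output of `iptables-save`, `iptables-legacy-save` and `nft list ruleset`; a `split` of True is the condition the mail describes, where neither tool alone shows the whole ruleset.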