* nftables and iptables nat coexistence
@ 2017-10-18 13:56 Florian Westphal
2017-10-19 10:15 ` Pablo Neira Ayuso
0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2017-10-18 13:56 UTC (permalink / raw)
To: netfilter-devel
Hi.
Couple of month ago I sent 2 RFC patches to allow using nftables and
iptables NAT at same time.
If this is unwanted (there was concern wrt. to the new hooks I had to
add for this), we should at least improve/restrict iptables and nftables
to
1. not allow load if iptable_nat when nft nat hook is active.
2. make it a requirement to register empty nat hook (required for
the reply direction).
3. Do not permit more than one nat type per family/hook.
4. we should probably also add more checks on nat priority
for nftables to reject hooks that can't work due to no-conntrack
information being available at that point.
I think not allowing nft and iptablles nat at the same time is fine
as mixing has problems on its own, especially which transformation
gets precedence, so I suspect the old RFC patches resolve one issue
and add another one :)
So, are the old RFC patches NAKed or not? If they are, I'd first look at
#1 from the list but before I do some consensus would be welcome.
Thanks,
Florian
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: nftables and iptables nat coexistence
2017-10-18 13:56 nftables and iptables nat coexistence Florian Westphal
@ 2017-10-19 10:15 ` Pablo Neira Ayuso
2017-10-19 10:25 ` Pablo Neira Ayuso
2017-10-19 11:18 ` Florian Westphal
0 siblings, 2 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2017-10-19 10:15 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
Hi Florian,
On Wed, Oct 18, 2017 at 03:56:50PM +0200, Florian Westphal wrote:
> Hi.
>
> Couple of month ago I sent 2 RFC patches to allow using nftables and
> iptables NAT at same time.
Hm, I think we forgot to talk about this during the NFWS.
> If this is unwanted (there was concern wrt. to the new hooks I had to
> add for this), we should at least improve/restrict iptables and nftables
> to
>
> 1. not allow load if iptable_nat when nft nat hook is active.
I guess this would apply the other way around.
> 2. make it a requirement to register empty nat hook (required for
> the reply direction).
I'm seeing many posts on the lack of automatic registration of the
empty NAT chain. This is a pitfall where many people are falling one
after another in migrations. I know there's a bold sentence in the
documentation, but I think it's a sympton that we're doing something
that is unintuitive to users, and it should be a wake up call for us.
Can we just autoregister the empty nat chain using the default
priority? If an explicit chain is registered, then disable this.
Does this sound too complicated to you?
> 3. Do not permit more than one nat type per family/hook.
Yes, this makes sense to me.
> 4. we should probably also add more checks on nat priority
> for nftables to reject hooks that can't work due to no-conntrack
> information being available at that point.
Yes, this would be good too.
> I think not allowing nft and iptablles nat at the same time is fine
> as mixing has problems on its own, especially which transformation
> gets precedence, so I suspect the old RFC patches resolve one issue
> and add another one :)
My only concern is, may this cause problems when migrating from
iptables to nftables?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: nftables and iptables nat coexistence
2017-10-19 10:15 ` Pablo Neira Ayuso
@ 2017-10-19 10:25 ` Pablo Neira Ayuso
2017-10-19 11:18 ` Florian Westphal
1 sibling, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2017-10-19 10:25 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Thu, Oct 19, 2017 at 12:15:29PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Oct 18, 2017 at 03:56:50PM +0200, Florian Westphal wrote:
> > 3. Do not permit more than one nat type per family/hook.
>
> Yes, this makes sense to me.
You could add a singleton flag for chain, so we check this from the
core, just and idea.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: nftables and iptables nat coexistence
2017-10-19 10:15 ` Pablo Neira Ayuso
2017-10-19 10:25 ` Pablo Neira Ayuso
@ 2017-10-19 11:18 ` Florian Westphal
2017-10-19 11:30 ` Pablo Neira Ayuso
1 sibling, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2017-10-19 11:18 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter-devel
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Hi Florian,
>
> On Wed, Oct 18, 2017 at 03:56:50PM +0200, Florian Westphal wrote:
> > Hi.
> >
> > Couple of month ago I sent 2 RFC patches to allow using nftables and
> > iptables NAT at same time.
>
> Hm, I think we forgot to talk about this during the NFWS.
Yes. We can try Netdev 2.2 next 8-)
> > If this is unwanted (there was concern wrt. to the new hooks I had to
> > add for this), we should at least improve/restrict iptables and nftables
> > to
> >
> > 1. not allow load if iptable_nat when nft nat hook is active.
>
> I guess this would apply the other way around.
Both ways.
> > 2. make it a requirement to register empty nat hook (required for
> > the reply direction).
>
> I'm seeing many posts on the lack of automatic registration of the
> empty NAT chain. This is a pitfall where many people are falling one
> after another in migrations. I know there's a bold sentence in the
> documentation, but I think it's a sympton that we're doing something
> that is unintuitive to users, and it should be a wake up call for us.
I agree.
> Can we just autoregister the empty nat chain using the default
> priority? If an explicit chain is registered, then disable this.
>
> Does this sound too complicated to you?
I'll look into it.
> > 3. Do not permit more than one nat type per family/hook.
>
> Yes, this makes sense to me.
>
> > 4. we should probably also add more checks on nat priority
> > for nftables to reject hooks that can't work due to no-conntrack
> > information being available at that point.
>
> Yes, this would be good too.
>
> > I think not allowing nft and iptablles nat at the same time is fine
> > as mixing has problems on its own, especially which transformation
> > gets precedence, so I suspect the old RFC patches resolve one issue
> > and add another one :)
>
> My only concern is, may this cause problems when migrating from
> iptables to nftables?
I don't see any however once we do it we cannot remove such additional
hooks anymore (right now it won't work, if we do it iptable_nat and
nftables nat will work (plus multiple nftables nat chains types
if the priority is before the implicit null-binding hook so if we revert
that we break such setups that rely on the new implicit hooks.
Registering implicit nat hook, making iptables_nat and nftables nat
at the same time impossible (reject from kernel) etc. is more
convenient as we cannot break existing setups and only prevent
configuring a non-working/broken state rather than allowing things
that do not work at the moment.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: nftables and iptables nat coexistence
2017-10-19 11:18 ` Florian Westphal
@ 2017-10-19 11:30 ` Pablo Neira Ayuso
0 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2017-10-19 11:30 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Thu, Oct 19, 2017 at 01:18:12PM +0200, Florian Westphal wrote:
> Registering implicit nat hook, making iptables_nat and nftables nat
> at the same time impossible (reject from kernel) etc. is more
> convenient as we cannot break existing setups and only prevent
> configuring a non-working/broken state rather than allowing things
> that do not work at the moment.
Yes, let's tighten things now, we can relax them later.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-10-19 11:30 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-10-18 13:56 nftables and iptables nat coexistence Florian Westphal
2017-10-19 10:15 ` Pablo Neira Ayuso
2017-10-19 10:25 ` Pablo Neira Ayuso
2017-10-19 11:18 ` Florian Westphal
2017-10-19 11:30 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).