* Incompatibility when using python3-nftables and iptables-nft
@ 2023-08-10 3:20 Wayne Bao
From: Wayne Bao @ 2023-08-10 3:20 UTC (permalink / raw)
To: netfilter
I am using python3-nftables
(https://github.com/ansibleguy/python3-nftables) to programmatically
update rules, and at the same time using iptables-nft from the command line
to manage rules. I see incompatibility when I use these two together:
1. If I add a rule using iptables:
iptables -A INPUT -p tcp --dport 443 -s 1.2.3.4 -i eth1 -j ACCEPT
then python3-nftables "list ruleset" does not show dport 443:
{'rule': {'family': 'ip', 'table': 'filter', 'chain': 'INPUT', 'handle': 4,
 'expr': [{'match': {'op': '==', 'left': {'meta': {'key': 'iifname'}}, 'right': 'eth1'}},
          {'match': {'op': '==', 'left': {'meta': {'key': 'l4proto'}}, 'right': 'tcp'}},
          {'match': {'op': '==', 'left': {'payload': {'protocol': 'ip', 'field': 'saddr'}}, 'right': '1.2.3.4'}},
          {'xt': None},
          {'counter': {'packets': 0, 'bytes': 0}},
          {'accept': None}]}}
2. If I add a rule using python3-nftables while the filter table and
INPUT chain exist:
{"nftables": [{"add": {"rule": {
    "family": "ip",
    "table": "filter",
    "chain": "INPUT",
    "expr": [
        {
            "match": {
                "op": "==",
                "left": {"meta": {"key": "iifname"}},
                "right": "eth1",
            }
        },
        {
            "match": {
                "op": "==",
                "left": {
                    "payload": {"protocol": "tcp",
                                "field": "dport"}
                },
                "right": 443,
            }
        },
        {
            "match": {
                "op": "==",
                "left": {
                    "payload": {"protocol": "ip",
                                "field": "saddr"}
                },
                "right": "1.2.3.4",
            }
        },
        {"counter": {"packets": 0, "bytes": 0}},
        {"accept": None},
    ]}}}]}
then "iptables -nL" does not show dport 443:
iptables -nL
------
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 1.2.3.4 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-------
Is this a bug when using python3-nftables and iptables-nft?
I am running on a RHEL8 docker instance; my python3-nftables and
iptables-nft versions:
iptables --version
iptables v1.8.4 (nf_tables)
python3.11
ansibleguy-nftables 1.0.2
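An added audit check, not from the thread and not part of python3-nftables: it walks a "list ruleset" JSON listing in the shape shown above and flags rules that carry an opaque xt expression, i.e. rules whose iptables-nft match criteria (such as the tcp dport above) the nft JSON API cannot show, alongside the selectors it can show. The sample ruleset is constructed to mirror the listing in this message.

```python
# Constructed sample ruleset in python3-nftables "list ruleset" form: rule
# handle 4 was added by iptables-nft (its tcp dport match appears only as an
# opaque {'xt': None} entry), rule handle 5 is a native nft rule.
SAMPLE_RULESET = {"nftables": [
    {"table": {"family": "ip", "name": "filter", "handle": 1}},
    {"chain": {"family": "ip", "table": "filter", "name": "INPUT", "handle": 2,
               "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
    {"rule": {"family": "ip", "table": "filter", "chain": "INPUT", "handle": 4,
              "expr": [
                  {"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "eth1"}},
                  {"match": {"op": "==", "left": {"meta": {"key": "l4proto"}}, "right": "tcp"}},
                  {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                             "right": "1.2.3.4"}},
                  {"xt": None},
                  {"counter": {"packets": 0, "bytes": 0}},
                  {"accept": None}]}},
    {"rule": {"family": "ip", "table": "filter", "chain": "INPUT", "handle": 5,
              "expr": [
                  {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                             "right": 443}},
                  {"accept": None}]}},
]}


def visible_matches(rule):
    """Selectors the JSON listing can actually decode, as (selector, value)."""
    out = []
    for expr in rule.get("expr", []):
        m = expr.get("match")
        if not m:
            continue
        left = m["left"]
        if "meta" in left:
            out.append((f"meta {left['meta']['key']}", m["right"]))
        elif "payload" in left:
            p = left["payload"]
            out.append((f"{p['protocol']} {p['field']}", m["right"]))
    return out


def find_opaque_rules(ruleset):
    """Flag rules with an 'xt' expression: an xtables-compat match/target the
    nft JSON API cannot decode, so part of the rule is invisible here."""
    flagged = []
    for obj in ruleset.get("nftables", []):
        rule = obj.get("rule")
        if rule and any("xt" in expr for expr in rule.get("expr", [])):
            flagged.append({"table": rule["table"], "chain": rule["chain"],
                            "handle": rule["handle"], "visible": visible_matches(rule)})
    return flagged
```

Any rule this returns should be cross-checked with iptables-nft (or nft's text output) before its match set is trusted, since the JSON listing alone understates what the rule filters on.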
* Re: Incompatibility when using python3-nftables and iptables-nft
@ 2023-08-10 22:47 ` Florian Westphal
From: Florian Westphal @ 2023-08-10 22:47 UTC (permalink / raw)
To: Wayne Bao; +Cc: netfilter
Wayne Bao <herecomeswaynebao0811@gmail.com> wrote:
> I am using python3-nftables
> (https://github.com/ansibleguy/python3-nftables) to programmatically
> update rules, and at the same time using iptables-nft from the command line
> to manage rules. I see incompatibility when I use these two together:
Yes, nft and iptables-nft are incompatible.