So it turns out if you have the proper nft support (nft + compat module probably) in your kernel then iptables will continue to work.
The ifup failure looks like this:

iptables-restore/1.8.2 Failed to initialize nft: Protocol not supported
run-parts: /etc/network/if-pre-up.d/iptables exited with return code 1
ifup: failed to bring up eth0

So the script in if-pre-up.d is not working because it returns 1 instead of 0. Maybe this behaviour is the best since otherwise someone would be left without a firewall or other feature and not know about it. Better to just change scripts to point to /usr/sbin/iptables-legacy-restore for now.

Cheers,

chillfan

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, February 16, 2019 10:26 AM, <chill...@protonmail.com> wrote:

> Yeah, although the nft wiki seems to suggest it will replace iptables they
> seem to be coexisting at the moment.
>
> The problem with iptables is it expects you to have nft support. A quick find
> command shows some changes in the provided binaries.
>
> /sbin/iptables-save
> /sbin/iptables
> /sbin/iptables-restore
> /usr/sbin/iptables-save
> /usr/sbin/iptables-nft-save
> /usr/sbin/iptables-legacy-restore
> /usr/sbin/iptables
> /usr/sbin/iptables-legacy
> /usr/sbin/iptables-nft-restore
> /usr/sbin/iptables-restore
> /usr/sbin/iptables-legacy-save
> /usr/sbin/iptables-apply
> /usr/sbin/iptables-nft
>
> Running /sbin/iptables gives:
>
> iptables/1.8.2 Failed to initialize nft: Protocol not supported
>
> And of course I don't need nft so it's not built into my kernel. For the sake
> of testing I will check what happens when you do have nft support as I'm sure
> the stock kernel has.
>
> The usual setup for restoring iptables is to place the script in
> /etc/network/if-pre-up.d/iptables and restore the rules from a config file
> somewhere in /etc. Maybe the quirk here is ifupdown expects if-pre-up.d
> scripts to run successfully before bringing up the interface.
>
> Cheers,
>
> chillfan
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Saturday, February 16, 2019 8:38 AM, KatolaZ kato...@freaknet.org wrote:
>
> > chillfan, I have several beowulf machines and all use iptables, and
> > none of them has had that issue. Maybe I have not apt-get updated
> > recently. Could it just be a quirk of if-up? Shall we try to track
> > the issue down?
> > On another note: before a useless rantful flame gets started, please
> > note that as chillfan said iptables is not going away from the Linux
> > kernel.
> > My2Cents
> > KatolaZ
> >
> > [ ~.,_ Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab ]
> > [ "+. katolaz [at] freaknet.org --- katolaz [at] yahoo.it ]
> > [ @) http://kalos.mine.nu --- Devuan GNU + Linux User ]
> > [ @@) http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ]
> > [ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ]
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
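
An added example, not part of the original messages or of any Devuan package: an if-pre-up.d hook that keeps the fail-closed behaviour described in the thread but falls back to iptables-legacy-restore when the default iptables-restore cannot initialise. The rules path /etc/iptables.rules, the SBIN and RULES variables and both function names are assumptions.

```shell
#!/bin/sh
# Added example: hook for /etc/network/if-pre-up.d/ (not from the thread).
# Assumed names: RULES path and both function names are hypothetical.
RULES="${RULES:-/etc/iptables.rules}"
SBIN="${SBIN:-/usr/sbin}"

# pick_restore DIR RULES: print the restore binary that can load RULES here.
pick_restore() {
    dir=$1 rules=$2
    # --test parses the rules without committing them. On a kernel without
    # nf_tables the nft-backed binary exits non-zero here ("Failed to
    # initialize nft"), as in the thread.
    if [ -x "$dir/iptables-restore" ] &&
       "$dir/iptables-restore" --test < "$rules" >/dev/null 2>&1; then
        printf '%s\n' "$dir/iptables-restore"
    elif [ -x "$dir/iptables-legacy-restore" ]; then
        printf '%s\n' "$dir/iptables-legacy-restore"
    else
        return 1
    fi
}

# restore_rules DIR RULES: load the rules; any failure is returned to the
# caller so ifup refuses to bring the interface up unfiltered.
restore_rules() {
    [ -r "$2" ] || { echo "rules file $2 not readable" >&2; return 1; }
    bin=$(pick_restore "$1" "$2") || {
        echo "no working iptables restore binary in $1" >&2
        return 1
    }
    "$bin" < "$2"
}

# ifupdown exports IFACE to its hook scripts; do nothing when sourced or
# run outside ifup.
if [ -n "${IFACE:-}" ]; then
    restore_rules "$SBIN" "$RULES" || exit 1
fi
```

A syntax error in the rules file makes the probe fail as well; the legacy binary then rejects the same file, so the hook still exits non-zero and the interface stays down.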