Re: Stretch => Buster: iptables
On 2020-11-06 11:43, Sven Hartge wrote:
> Jesper Dybdal wrote:
>> * The CT target, to add the ftp helper. I fixed that by adding a bit of
>> native nft with the nft command after all the iptables(-nft) commands.
>
> For the sake of the archive and people looking at this thread hoping for
> some insight, please post your native nft rules you created.

Here they are (I'm afraid I can't remember which websites I got the
inspiration from):

    table ip myhelpers {
        ct helper ftp-standard {
            type "ftp" protocol tcp
        }
        chain input {
            type filter hook prerouting priority 0;
            tcp dport 21 ct helper set "ftp-standard" counter
        }
        chain output {
            type filter hook output priority 0;
            tcp dport 21 ct helper set "ftp-standard" counter
        }
    }

I loaded them after all the iptables-nft rules with the commands:

    # Delete any existing myhelpers tables, ignoring possible failure for a
    # non-existent table:
    nft delete table myhelpers >/dev/null 2>&1
    # Load the myhelpers table shown above:
    nft -f myhelpers.nft

This seems to work.

-- 
Jesper Dybdal
https://www.dybdal.dk
Re: Stretch => Buster: iptables
Jesper Dybdal wrote:
> * The CT target, to add the ftp helper. I fixed that by adding a bit of
> native nft with the nft command after all the iptables(-nft) commands.

For the sake of the archive and people looking at this thread hoping for
some insight, please post your native nft rules you created.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.
Re: Stretch => Buster: iptables
On 2020-10-16 12:25, I wrote:
> I have a lot of iptables rules.
>
> Is it correctly understood that the upgrade to Buster will automatically
> install iptables-nft, and that iptables-nft provides complete and
> compatible support for the functionality of the old iptables command, so
> I can expect my iptables scripts to just work?

I have now upgraded the first of my Stretch machines, and iptables-nft
works, but does not support everything.

I can recommend studying
https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables
before upgrading to Buster if the system has non-trivial iptables usage.

In my case, I was using the following that is not supported by
iptables-nft:

* The "recent" module. But I can do without that.
* The "tos" module. But I can do without that.
* The CT target, to add the ftp helper. I fixed that by adding a bit of
  native nft with the nft command after all the iptables(-nft) commands.

-- 
Jesper Dybdal
https://www.dybdal.dk
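A pre-upgrade check in the spirit of the list above, as an added example that is not from this thread: it scans an iptables-save dump (a constructed sample here, not a real host's rules) for the three features named as unsupported by iptables-nft, so they can be found before the machine is upgraded rather than after.

```shell
#!/bin/sh
# Added example, not from the thread: scan an iptables-save dump for the
# three xtables features the message above found unsupported by iptables-nft
# on Buster (the "recent" match, the "tos" match and the CT target).

# Constructed sample dump, not taken from any real host.
SAMPLE_RULES='*filter
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A OUTPUT -m tos --tos Minimize-Delay -j ACCEPT
COMMIT
*raw
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT'

# Read rules on stdin, print each one that needs attention prefixed by the
# feature it uses, and return 1 if any were found (0 if the dump is clean).
find_unsupported() {
    found=0
    while IFS= read -r rule; do
        case "$rule" in
            *'-m recent'|*'-m recent '*|*'--match recent'|*'--match recent '*)
                printf 'recent: %s\n' "$rule"; found=1 ;;
        esac
        case "$rule" in
            *'-m tos'|*'-m tos '*|*'--match tos'|*'--match tos '*)
                printf 'tos:    %s\n' "$rule"; found=1 ;;
        esac
        case "$rule" in
            *'-j CT'|*'-j CT '*|*'--jump CT'|*'--jump CT '*)
                printf 'CT:     %s\n' "$rule"; found=1 ;;
        esac
    done
    return "$found"
}

# Convenience wrapper over the constructed sample: prints the number of
# flagged rules (4 for SAMPLE_RULES above).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_RULES" | find_unsupported | wc -l | tr -d ' '
}

# On a real host, feed the live rules instead: iptables-save | find_unsupported
```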
Re: Stretch => Buster: iptables
On Friday 16 October 2020 at 14:12:55+0200, Jesper Dybdal wrote:
> On 2020-10-16 12:35, Reco wrote:
>> Barring some kernel bugs - yes.
>> For instance, I've seen kernel panics because of simple:
>>
>> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
>
> Aargh! I had not realized that I would have to be prepared for kernel
> panics during the upgrade, so I really appreciate that warning. I'll have
> a bootable rescue disk ready.
>
> Thanks a lot for not only this, but also your responses to my other
> questions.

Don't worry too much about that KP part, it's true there were some
instabilities at first, but not in the stable release.

For what it's worth, there are also scripts helping to transition to
nftables for good.

Cheers,

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
Re: Stretch => Buster: iptables
On 2020-10-16 12:35, Reco wrote:
> Barring some kernel bugs - yes.
> For instance, I've seen kernel panics because of simple:
>
> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Aargh! I had not realized that I would have to be prepared for kernel
panics during the upgrade, so I really appreciate that warning. I'll have a
bootable rescue disk ready.

Thanks a lot for not only this, but also your responses to my other
questions.

-- 
Jesper Dybdal
https://www.dybdal.dk
Re: Stretch => Buster: iptables
Hi.

On Fri, Oct 16, 2020 at 12:25:23PM +0200, Jesper Dybdal wrote:
> I have a lot of iptables rules.
>
> Is it correctly understood that the upgrade to Buster will automatically
> install iptables-nft, and that iptables-nft provides complete and
> compatible support for the functionality of the old iptables command, so
> I can expect my iptables scripts to just work?

Barring some kernel bugs - yes.
For instance, I've seen kernel panics because of simple:

iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

It *should* be fixed by now, but I cannot call my own usage of netfilter
that advanced (filter, nat, *some* raw, that's it).

> (If so, that would be really nice, since I can then postpone the move to
> native nftables.)

To switch back to conventional netfilter you'll have to execute these:

update-alternatives --config iptables
update-alternatives --config ip6tables
update-alternatives --config arptables
update-alternatives --config ebtables

The last two are optional, and it all should be done after the migration
to buster.

Reco
Stretch => Buster: iptables
I have a lot of iptables rules.

Is it correctly understood that the upgrade to Buster will automatically
install iptables-nft, and that iptables-nft provides complete and
compatible support for the functionality of the old iptables command, so I
can expect my iptables scripts to just work?

(If so, that would be really nice, since I can then postpone the move to
native nftables.)

Thanks,
Jesper

-- 
Jesper Dybdal
https://www.dybdal.dk