Public bug reported:

iptables just got replaced by the nftables wrappers, effectively changing all Ubuntu systems to using nftables rather than regular iptables/ip6tables/ebtables.

Unfortunately those wrappers aren't perfect and don't convert every option properly, nor do they know about some of the available plugins for those commands. This means that unless the software using those commands is aware that those are wrappers and adapts its use, it may break at some random point in time.

While nftables is clearly the way forward, just silently switching the existing native tools with the compat wrappers will lead to widespread breakage both from packages in the archive, snaps and a variety of scripts our users may be running.

So far, looking around, known breakages post-nft are expected with at least Docker, Kubernetes and LXD, but the same may be true with the many other packages we have that call iptables, ip6tables, ebtables or arptables today.

A migration should include a proper audit of all in-archive users, see if they have a plan/patch for native nft interaction and, if not, validate that their use of the tools is compatible with the wrappers. We should also extend that to popular snaps / those we ship by default.

Snaps make things worse as they use the tools from their base snap, which in LXD's case is currently 16.04 (soon to switch to 18.04).

** Affects: iptables (Ubuntu)
     Importance: Critical
         Status: Triaged

** Changed in: iptables (Ubuntu)
       Importance: Undecided => Critical

** Changed in: iptables (Ubuntu)
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1843468

Title:
  nftables based iptables wrapper break userspace

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1843468/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
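The audit the report asks for, as an added example that is neither part of the bug report nor code from the iptables package: a small bash helper that tells which backend each of the four wrappers resolves to, lists callers of the tools in scripts and unit files so each can be checked against what the nft wrappers support, and flags the mixed-backend situation the snap/base-snap case produces. It assumes the Debian/Ubuntu layout of iptables 1.8, where `iptables`, `ip6tables`, `ebtables` and `arptables` are update-alternatives symlinks to the `-legacy` and `-nft` variants of each tool; the function names and the sample script used in the comments are my own.

```shell
#!/usr/bin/env bash
# Added example, not code from the bug report or from the iptables package:
# helpers for auditing callers across the iptables -> nftables wrapper switch.
# Assumes the Debian/Ubuntu iptables 1.8 layout (update-alternatives symlinks
# pointing at the -legacy or -nft variant of each tool).
set -u

# Classify the backend from the one line printed by `<tool> -V`.
# iptables 1.8+ appends "(nf_tables)" or "(legacy)"; pre-1.8 builds (e.g. the
# 1.6.x shipped in Ubuntu 16.04/18.04, hence in snap bases built on them) print
# only the version and have no nf_tables backend at all.
backend_of() {
    case "$1" in
        *"(nf_tables)"*)       echo nf_tables ;;
        *"(legacy)"*)          echo legacy ;;
        *"tables v1."[0-7].*)  echo legacy ;;     # pre-1.8: legacy only
        *)                     echo unknown ;;
    esac
}

# Print every line in the given files that invokes one of the wrapped tools
# (including their -save/-restore/-legacy/-nft variants), as file:line:text,
# so each caller can be checked against what the xtables-nft wrappers support.
find_callers() {
    grep -nE '(^|[^A-Za-z0-9_-])(iptables|ip6tables|ebtables|arptables)(-[a-z-]+)?([^A-Za-z0-9_-]|$)' "$@"
}

# Number of such lines, for a quick per-package summary.
caller_count() {
    find_callers "$@" | wc -l | tr -d ' '
}

# Live check for the machine this runs on (skipped silently where the tools are
# absent). Reports which backend each wrapper resolves to, and warns when both
# the legacy and the nf_tables rulesets hold rules: the kernel evaluates both,
# so a caller on the "other" backend (a snap using its base's iptables, say)
# neither sees nor is filtered by the host's rules the way it expects.
audit_live() {
    local tool
    for tool in iptables ip6tables ebtables arptables; do
        command -v "$tool" >/dev/null 2>&1 || continue
        printf '%-10s backend=%s alternative=%s\n' "$tool" \
            "$(backend_of "$("$tool" -V 2>/dev/null)")" \
            "$(update-alternatives --query "$tool" 2>/dev/null | sed -n 's/^Value: //p')"
    done
    if command -v iptables-legacy >/dev/null 2>&1 && command -v iptables-nft >/dev/null 2>&1; then
        # `-S` always lists the built-in chain policies (-P lines); count only real rules.
        local legacy nft
        legacy=$(iptables-legacy -S 2>/dev/null | grep -vc '^-P')
        nft=$(iptables-nft -S 2>/dev/null | grep -vc '^-P')
        printf 'rules: legacy=%s nf_tables=%s\n' "$legacy" "$nft"
        if [ "$legacy" -gt 0 ] && [ "$nft" -gt 0 ]; then
            echo "WARNING: rules present in both backends; callers are using mixed iptables variants"
        fi
    fi
}

# Usage: audit.sh --live     (backend/ruleset report; -S needs root)
#        audit.sh FILE...    (list iptables callers in scripts / unit files)
if [ "${1:-}" = "--live" ]; then
    audit_live
elif [ "$#" -gt 0 ]; then
    find_callers "$@"
fi
```

Run it with `--live` on a host and again inside a snap's environment (`snap run --shell <snap>`) to see the two answers differ; run it over `/etc`, `/usr/lib/systemd` and a package's maintainer scripts to get the list of callers that need checking against the wrapper's option coverage.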