Re: [CentOS] firewalld / iptables / nftables

2020-06-09 Thread Leon Fauster via CentOS

On 09.06.20 at 15:27, Chris Adams wrote:
> Once upon a time, Jonathan Billings said:
>> 'iptables' and 'nftables' are competing technologies.  In CentOS 8,
>> firewalld's backend was switched from iptables to nftables.  So it
>> would be expected that the iptables command wouldn't have any rules
>> defined, it isn't being used by firewalld.
>
> That is partially incorrect.  While iptables and nftables are two
> different in-kernel firewalls, the iptables CLI command is now a wrapper
> that can translate to the nftables backend for compatibility.
>
> However, it can only manage a subset of nftables information (basically
> what it can create in the iptables back-compat mode).  The nftables
> rules created by firewalld don't fall into that category, so can't be
> viewed by iptables.
>
> Instead, use the nft command, like "nft list ruleset" to see a dump of
> all current rules.


This sounds reasonable, albeit it raises another question. How does the
netfilter workflow look when firewalld-generated rules and
iptables-generated rules (coming from migration activities) are
processed? How are both categories of rules interwoven? I assume taking
only the nftables path will be the cleanest and preferred one ... but
I cannot avoid running some iptables tests.

--
Thanks,
Leon

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewalld / iptables / nftables

2020-06-09 Thread Chris Adams
Once upon a time, Jonathan Billings  said:
> 'iptables' and 'nftables' are competing technologies.  In CentOS 8,
> firewalld's backend was switched from iptables to nftables.  So it
> would be expected that the iptables command wouldn't have any rules
> defined, it isn't being used by firewalld.

That is partially incorrect.  While iptables and nftables are two
different in-kernel firewalls, the iptables CLI command is now a wrapper
that can translate to the nftables backend for compatibility.

However, it can only manage a subset of nftables information (basically
what it can create in the iptables back-compat mode).  The nftables
rules created by firewalld don't fall into that category, so can't be
viewed by iptables.

Instead, use the nft command, like "nft list ruleset" to see a dump of
all current rules.

-- 
Chris Adams 
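To make Chris's point concrete, and to take up Leon's question about how firewalld-generated and migrated iptables rules are interwoven, here is an added Python example that is not part of the thread and not anyone's project code. It parses a constructed `nft list ruleset` dump, reports which tables the iptables-nft wrapper would show (it manages only the classic table names in the ip family; ip6tables does the same for ip6), and models the documented netfilter behaviour for several base chains on one hook: all of them run in priority order, accept ends only the current base chain, and drop or reject is final. The table layout (an inet firewalld table next to ip filter), the priorities and the sample rules are assumptions chosen for illustration, not what any particular firewalld version installs.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in `nft list ruleset` syntax, not a capture from the thread.
# Assumed layout: firewalld's chains live in an "inet firewalld" table and one
# migrated iptables-nft rule sits in "ip filter"; the priorities are made up.
SAMPLE_RULESET = """
table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority 10; policy accept;
        ct state established,related accept
        tcp dport 22 accept
        reject with icmpx type admin-prohibited
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
        tcp dport 8080 drop
    }
}
"""
# The iptables-nft wrapper manages only the classic table names in the "ip"
# family (ip6tables: the same names in "ip6"); every other table is invisible to it.
IPTABLES_TABLES = {"filter", "nat", "mangle", "raw", "security"}

@dataclass
class Chain:
    table: str                  # "family name", e.g. "inet firewalld"
    name: str
    hook: Optional[str] = None  # only base chains are attached to a netfilter hook
    priority: int = 0
    policy: str = "accept"
    rules: List[str] = field(default_factory=list)

TABLE_RE = re.compile(r"^table (\w+) (\w+) \{$")
CHAIN_RE = re.compile(r"^chain (\w+) \{$")
BASE_RE = re.compile(r"^type \w+ hook (\w+) priority (-?\d+); policy (\w+);$")

def parse_ruleset(text: str) -> List[Chain]:
    """Parse the subset of `nft list ruleset` output used in the sample."""
    chains: List[Chain] = []
    table = ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := TABLE_RE.match(line):
            table = f"{m.group(1)} {m.group(2)}"
        elif m := CHAIN_RE.match(line):
            chains.append(Chain(table, m.group(1)))
        elif m := BASE_RE.match(line):
            c = chains[-1]
            c.hook, c.priority, c.policy = m.group(1), int(m.group(2)), m.group(3)
        elif line != "}":
            chains[-1].rules.append(line)  # an ordinary rule line
    return chains

def iptables_visibility(chains: List[Chain]) -> Dict[str, bool]:
    """Map each table to whether `iptables -L` would show it at all."""
    return {c.table: c.table.split()[0] == "ip" and c.table.split()[1] in IPTABLES_TABLES
            for c in chains}

def rule_matches(rule: str, pkt: dict) -> bool:
    """Evaluate the small match vocabulary used by the sample rules."""
    tok = rule.split()
    i = 0
    while i + 2 < len(tok):
        if tok[i] == "tcp" and tok[i + 1] == "dport":
            if pkt.get("dport") != int(tok[i + 2]):
                return False
        elif tok[i] == "ct" and tok[i + 1] == "state":
            if pkt.get("ct_state") not in tok[i + 2].split(","):
                return False
        else:
            break  # the rest of the rule is its verdict expression
        i += 3
    return True

def traverse_hook(chains: List[Chain], hook: str, pkt: dict) -> Tuple[str, List[str]]:
    """Model netfilter running every base chain on one hook in priority order:
    accept ends only the current base chain, so later chains still see the
    packet; drop and reject are final. Returns (verdict, per-chain trace)."""
    trace: List[str] = []
    for c in sorted((c for c in chains if c.hook == hook), key=lambda c: c.priority):
        verdict = c.policy
        for rule in c.rules:
            if rule_matches(rule, pkt):
                hit = [w for w in rule.split() if w in ("accept", "drop", "reject")]
                if hit:  # a rule without a verdict (e.g. a bare counter) just continues
                    verdict = hit[0]
                    break
        trace.append(f"{c.table} {c.name} -> {verdict}")
        if verdict in ("drop", "reject"):
            return verdict, trace
    return "accept", trace

def demo() -> Tuple[Dict[str, bool], Dict[str, str]]:
    chains = parse_ruleset(SAMPLE_RULESET)
    packets = {"tcp/22": {"dport": 22, "ct_state": "new"},
               "tcp/8080": {"dport": 8080, "ct_state": "new"},
               "tcp/443": {"dport": 443, "ct_state": "new"}}
    verdicts = {n: traverse_hook(chains, "input", p)[0] for n, p in packets.items()}
    return iptables_visibility(chains), verdicts
```

Running `demo()` reproduces what Leon observed: the inet firewalld table is not something `iptables -L` will ever list, while the leftover rule in ip filter is still enforced. In this sample the ip filter chain has the lower priority number, so its drop for tcp/8080 fires before firewalld's chain is consulted, and a packet that firewalld accepts has already had to pass every other base chain on the same hook. Both rule sets are therefore combined rather than one replacing the other, and only `nft list ruleset` shows the whole picture.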


Re: [CentOS] firewalld / iptables / nftables

2020-06-09 Thread Stephen John Smoogen
On Tue, 9 Jun 2020 at 08:19, Leon Fauster via CentOS wrote:

> Besides the fact that the migration of our applications comes with a
> significant workload, it seems that every aspect of common services has
> also changed with EL8.
>
> In EL8, firewalld uses nftables as its backend. I wonder why iptables does
> not list any rules while it is also configured to use nftables as its backend.
>
> # iptables -V
> iptables v1.8.2 (nf_tables)
>
>
> # firewall-cmd --list-all |egrep -o '22|ssh'
> ssh
>
>
Maybe it's only defined to work for ipv6? Shouldn't there be 2 entries for
ssh?


> # nft list ruleset | egrep -o '22|ssh'
> ssh
>
> # iptables -L -n | egrep -o '22|ssh'
> 
>
> Any hints?
>
> --
> Leon


-- 
Stephen J Smoogen.


Re: [CentOS] firewalld / iptables / nftables

2020-06-09 Thread Jonathan Billings
On Tue, Jun 09, 2020 at 02:19:17PM +0200, Leon Fauster via CentOS wrote:
>
> Besides the fact that the migration of our applications comes with a
> significant workload, it seems that every aspect of common services has
> also changed with EL8.
> 
> In EL8, firewalld uses nftables as its backend. I wonder why iptables does
> not list any rules while it is also configured to use nftables as its backend.
> 
> # iptables -V
> iptables v1.8.2 (nf_tables)
> 
> 
> # firewall-cmd --list-all |egrep -o '22|ssh'
> ssh
> 
> # nft list ruleset | egrep -o '22|ssh'
> ssh
> 
> # iptables -L -n | egrep -o '22|ssh'
> 
> 
> Any hints?

'iptables' and 'nftables' are competing technologies.  In CentOS 8,
firewalld's backend was switched from iptables to nftables.  So it
would be expected that the iptables command wouldn't have any rules
defined, it isn't being used by firewalld.

-- 
Jonathan Billings 


[CentOS] firewalld / iptables / nftables

2020-06-09 Thread Leon Fauster via CentOS
Besides the fact that the migration of our applications comes with a
significant workload, it seems that every aspect of common services has
also changed with EL8.


In EL8, firewalld uses nftables as its backend. I wonder why iptables does
not list any rules while it is also configured to use nftables as its backend.


# iptables -V
iptables v1.8.2 (nf_tables)


# firewall-cmd --list-all |egrep -o '22|ssh'
ssh

# nft list ruleset | egrep -o '22|ssh'
ssh

# iptables -L -n | egrep -o '22|ssh'


Any hints?

--
Leon