Subject: Load legacy iptables module 'iptable_filter' on nftables system
Package: netfilter-persistent
Version: 1.0.11
Severity: minor
File: /usr/sbin/netfilter-persistent

Dear Maintainer,

When using 'netfilter-persistent save' to dump rules on disk, the kernel module 'iptable_filter' is loaded. But this is for the 'legacy' iptables. On Debian 10, they now use the 'nft' flavor.

This has the side effect of adding a warning to each following 'iptables' command we type, adding at the end:

    # Warning: iptables-legacy tables present, use iptables-legacy to see them

on stderr.

The corresponding code is in /usr/share/netfilter-persistent/plugins.d/15-ip4tables

    modprobe -b -q iptable_filter || true

You can test by typing:

    iptables -L # no warning
    modprobe -b -q iptable_filter
    iptables -L # warning at the end

I think you can check for nft loaded modules before trying to load the iptable_filter, or at least check if /proc/net/ip_tables_names file already exists. If yes, no need to load the module.

Best regards,

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages netfilter-persistent depends on:
ii  lsb-base  10.2019051400

netfilter-persistent recommends no packages.

Versions of packages netfilter-persistent suggests:
ii  iptables-persistent  1.0.11

-- no debconf information
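
A sketch of the guard proposed in the report, added here as an example and not taken from the netfilter-persistent package. The function names are hypothetical, and it assumes the backend can be read from the suffix that `iptables --version` prints ("(nf_tables)" or "(legacy)").

```shell
#!/bin/sh
# Added example, not the package's own plugin code. Helper names are hypothetical.

# Classify the backend from the text printed by `iptables --version`,
# e.g. "iptables v1.8.2 (nf_tables)" or "iptables v1.8.2 (legacy)".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *) echo legacy ;;   # builds that print no suffix are treated as legacy
    esac
}

# Return 0 only when loading iptable_filter is still wanted.
#   $1 = version string from `iptables --version`
#   $2 = path of the legacy table list (normally /proc/net/ip_tables_names)
needs_legacy_filter() {
    # nft flavor: loading the legacy module only triggers the warning.
    [ "$(iptables_backend "$1")" = legacy ] || return 1
    # Report's second check: the file already exists, so skip the load.
    [ -e "$2" ] && return 1
    return 0
}

# Guarded replacement for the unconditional modprobe line in 15-ip4tables.
load_filter_if_needed() {
    version=$(iptables --version 2>/dev/null) || return 0
    if needs_legacy_filter "$version" /proc/net/ip_tables_names; then
        modprobe -b -q iptable_filter || true
    fi
}
```

Only the definitions are evaluated when the file is sourced; the plugin would call `load_filter_if_needed` where it currently runs modprobe.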