Re: [Shorewall-users] About iptables using nf_tables backend on Debian
On Mon, Oct 29, 2018 at 01:39:46PM -0700, Tom Eastep wrote:
> On 10/29/18 11:04 AM, Vincas Dargis wrote:
> > On 2018-10-24 23:34, Tom Eastep wrote:
> >> On 10/24/18 9:18 AM, Vincas Dargis wrote:
> >>> What does that mean with regards to Shorewall? Could there potentially
> >>> be incompatibilities on how Shorewall expects Linux firewall to behave?
> >>
> >> There could certainly be incompatibilities that affect Shorewall and/or
> >> Shorewall6.
> >
> > Any plans to handle this issue? Maybe worth documenting/noting that
> > Debian Buster users are encouraged to use `update-alternatives` system
> > for enabling "old" backend?
> >
> > Or this should be handled by package maintainers?
>
> My opinion is that we should address issues as they arise after this
> iptables change migrates to testing. nf_tables is the direction in which
> the Netfilter team are going, and if we immediately direct users to
> switch to the old backend, we only delay resolution of compatibility
> issues. Eventually, the old backend will go away, so we want all known
> issues with the new backend to be resolved by that time.
>
> I've copied the Debian Shorewall Maintainer for his input.
>

Tom,

I agree with your approach.

The release team made an announcement last month detailing the timeline
for the Buster release:

https://lists.debian.org/debian-devel-announce/2018/09/msg4.html

The transition freeze does not affect Shorewall, so the date by which we
would need to target a final set of Shorewall packages for Buster would
be February 12th. Of course, sooner is better as it allows time for bugs
to be discovered by users, reported, and fixed.

I have been quite busy with school and work this semester, but once
final exams are over I should have some time to be able to get back to
Shorewall packaging. I also have not messed with Buster at all, but I
can plan to set up a VM for testing as we sort out what changes need to
be made in the packaging.

If we encounter some unsolvable problem, it would seem we would need to
decide between requesting removal of Shorewall from the Buster release
(I would much prefer to avoid that) or to document the fallback to the
old backend. Either way, a package that works with the new backend
would be the ideal solution.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] About iptables using nf_tables backend on Debian
On 10/29/18 11:04 AM, Vincas Dargis wrote:
> On 2018-10-24 23:34, Tom Eastep wrote:
>> On 10/24/18 9:18 AM, Vincas Dargis wrote:
>>> What does that mean with regards to Shorewall? Could there potentially
>>> be incompatibilities on how Shorewall expects Linux firewall to behave?
>>
>> There could certainly be incompatibilities that affect Shorewall and/or
>> Shorewall6.
>
> Any plans to handle this issue? Maybe worth documenting/noting that
> Debian Buster users are encouraged to use `update-alternatives` system
> for enabling "old" backend?
>
> Or this should be handled by package maintainers?

My opinion is that we should address issues as they arise after this
iptables change migrates to testing. nf_tables is the direction in which
the Netfilter team are going, and if we immediately direct users to
switch to the old backend, we only delay resolution of compatibility
issues. Eventually, the old backend will go away, so we want all known
issues with the new backend to be resolved by that time.

I've copied the Debian Shorewall Maintainer for his input.

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \ an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
                      \___
Re: [Shorewall-users] About iptables using nf_tables backend on Debian
On 2018-10-24 23:34, Tom Eastep wrote:
> On 10/24/18 9:18 AM, Vincas Dargis wrote:
>> What does that mean with regards to Shorewall? Could there potentially
>> be incompatibilities on how Shorewall expects Linux firewall to behave?
>
> There could certainly be incompatibilities that affect Shorewall and/or
> Shorewall6.

Any plans to handle this issue? Maybe worth documenting/noting that
Debian Buster users are encouraged to use `update-alternatives` system
for enabling "old" backend?

Or this should be handled by package maintainers?
Re: [Shorewall-users] About iptables using nf_tables backend on Debian
On 10/24/18 9:18 AM, Vincas Dargis wrote:
> Hi,
>
> During today's batch of Debian Sid updates I was notified about this
> iptables change:
>
> ```
> iptables (1.8.1-1) unstable; urgency=medium
>
>   By default, this package will try to use the nf_tables kernel backend
>   instead of the xtables one. Please, read more about this in
>   /usr/share/doc/iptables/README.Debian, including details about the new
>   update-alternatives configuration possibilities.
>   This is a major update on the way iptables works and may have severe impact
>   in running systems which are upgrading between Debian versions.
>   The arptables and ebtables binaries are also affected, and those packages
>   will be updated soon as well.
>
>  -- Arturo Borrero Gonzalez  Wed, 24 Oct 2018 14:00:00 +0200
> ```
>
> What does that mean with regards to Shorewall? Could there potentially
> be incompatibilities on how Shorewall expects Linux firewall to behave?
>
> I am running Shorewall on my home Sid machine, and I don't see immediate
> breakage, though it runs only for an hour maybe.
>

There could certainly be incompatibilities that affect Shorewall and/or
Shorewall6.

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \ an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
                      \___
[Shorewall-users] About iptables using nf_tables backend on Debian
Hi,

During today's batch of Debian Sid updates I was notified about this
iptables change:

```
iptables (1.8.1-1) unstable; urgency=medium

  By default, this package will try to use the nf_tables kernel backend
  instead of the xtables one. Please, read more about this in
  /usr/share/doc/iptables/README.Debian, including details about the new
  update-alternatives configuration possibilities.
  This is a major update on the way iptables works and may have severe impact
  in running systems which are upgrading between Debian versions.
  The arptables and ebtables binaries are also affected, and those packages
  will be updated soon as well.

 -- Arturo Borrero Gonzalez  Wed, 24 Oct 2018 14:00:00 +0200
```

What does that mean with regards to Shorewall? Could there potentially
be incompatibilities on how Shorewall expects Linux firewall to behave?

I am running Shorewall on my home Sid machine, and I don't see immediate
breakage, though it runs only for an hour maybe.
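
Added example, not part of the thread and not Shorewall or Debian code: a shell check for the situation discussed above, reporting which backend each front-end is switched to and flagging a mixed state (for instance iptables on nf_tables while ip6tables is on legacy, which would put Shorewall and Shorewall6 on different backends). It assumes Debian packaging conventions that the thread does not spell out: `iptables --version` ends in `(nf_tables)` or `(legacy)`, and the alternatives point at binaries named `*-nft` or `*-legacy`. The function names and the sample text are constructed.

```shell
# Added example, not from the thread. SAMPLE_QUERY is constructed.
SAMPLE_QUERY='Name: iptables
Link: /usr/sbin/iptables
Status: manual
Best: /usr/sbin/iptables-nft
Value: /usr/sbin/iptables-legacy'

# Classify `iptables --version` output. Assumption: iptables 1.8+ appends
# "(nf_tables)" or "(legacy)"; earlier releases print neither.
backend_of_version() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Classify `update-alternatives --query NAME` output by its "Value:"
# field, which names the binary currently selected for NAME.
backend_of_alternative() {
    value=$(printf '%s\n' "$1" | sed -n 's/^Value:[[:space:]]*//p' | head -n 1)
    case "$value" in
        *-nft)    echo nf_tables ;;
        *-legacy) echo legacy ;;
        *)        echo unknown ;;
    esac
}

# Given NAME=BACKEND pairs, print "consistent:BACKEND", or "mixed" with
# exit status 1 when the front-ends disagree.
summarize() {
    first=${1#*=}
    for pair in "$@"; do
        [ "${pair#*=}" = "$first" ] || { echo mixed; return 1; }
    done
    echo "consistent:$first"
}

# Live check of the front-ends from the NEWS entry, plus ip6tables
# because Shorewall6 drives it.
live_check() {
    pairs=""
    for name in iptables ip6tables arptables ebtables; do
        query=$(update-alternatives --query "$name" 2>/dev/null) || continue
        pairs="$pairs $name=$(backend_of_alternative "$query")"
    done
    summarize $pairs   # word splitting of $pairs is intended
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run with `--live` on a Debian system to query the real alternatives; without arguments the script only defines the functions.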