Hi,

some of you may be aware of the new default firewall backend in Debian 10 alias Buster, i.e. Buster defaults to nftables and all of the xtables programs (iptables, ip6tables, etc.) are merely symlinks to iptables-nft, ip6tables-nft, etc. This means you can use the iptables syntax, but will actually get nftables rules.

As I am planning to upgrade my router machine to Debian 10 in the near future, I was wondering whether I should take any precautions prior to or during the upgrade with regards to shorewall. I use shorewall in a dual-stack setup with one WAN interface and several LAN-side interfaces and zones.

Has anyone tested shorewall with the iptables-nft compatibility layer? Are there any issues due to the change? Or should shorewall users change the symlinks to the iptables-legacy commands, which ensure that the iptables backend is used?

Looking at the manpage of xtables-nft, I don't see too much that could go wrong. Quote:

> Differences to Legacy Iptables
>
> Because the xtables-nft tools use the nf_tables kernel API, rule additions and deletions are always atomic. Unlike iptables-legacy, iptables-nft -A .. will NOT need to retrieve the current ruleset from the kernel, change it, and re-load the altered ruleset. Instead, iptables-nft will tell the kernel to add one rule. For this reason, the iptables-legacy --wait option is a no-op in iptables-nft.
>
> Use of the xtables-nft tools allow monitoring ruleset changes using the xtables-monitor(8) command.
>
> When using -j TRACE to debug packet traversal to the ruleset, note that you will need to use xtables-monitor(8) in --trace mode to obtain monitoring trace events.

I would appreciate any thoughts and experiences. Thanks!

Kind regards,
Timo

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
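The post asks whether to repoint the iptables symlinks at the legacy binaries before or after the upgrade. The script below is an added example, not part of Timo's message or of Shorewall itself: it classifies the backend from the string that `iptables -V` prints (iptables 1.8.x appends `(nf_tables)` or `(legacy)`; pre-1.8 builds print no backend and have no nf_tables mode) and prints the `update-alternatives` calls Debian uses to pin iptables and ip6tables to the legacy backend. The function names and the `report`/`legacy` sub-commands are this example's own choices, and the version strings in the comments are constructed samples of what the tools print.

```shell
#!/bin/sh
# Added example (not from the original post or the Shorewall project):
# detect which backend the iptables front-ends on a Debian 10 host use,
# and show the update-alternatives commands that pin them to the legacy
# (xtables) backend.  Function names are this example's own.

# backend_from_version VERSION_STRING
# iptables 1.8.x prints its backend in parentheses, e.g. (constructed samples)
#   "iptables v1.8.2 (nf_tables)"   or   "ip6tables v1.8.2 (legacy)"
# 1.6.x/1.4.x builds print no backend; they only have the legacy mode.
backend_from_version() {
    case "$1" in
        *"(nf_tables)"*)        echo nft ;;
        *"(legacy)"*)           echo legacy ;;
        *"tables v1."[0-7]"."*) echo legacy ;;
        *)                      echo unknown ;;
    esac
}

# current_backend CMD
# Run "CMD -V" and classify the result; "unknown" (status 1) if CMD is missing.
current_backend() {
    v=$("$1" -V 2>/dev/null) || { echo unknown; return 1; }
    backend_from_version "$v"
}

# legacy_commands
# Print the update-alternatives calls that make /usr/sbin/iptables and
# /usr/sbin/ip6tables resolve to the *-legacy binaries.  Printed rather than
# executed so the script is safe to run unprivileged; pipe to "sudo sh" to apply.
legacy_commands() {
    for tool in iptables ip6tables; do
        echo "update-alternatives --set $tool /usr/sbin/$tool-legacy"
    done
}

# report: backend in use for both address families on this host
report() {
    for tool in iptables ip6tables; do
        printf '%s: %s\n' "$tool" "$(current_backend "$tool")"
    done
}

case "${1:-}" in
    report) report ;;
    legacy) legacy_commands ;;
esac
```

Run it as `sh check-backend.sh report` before the upgrade to record which backend is active, and again afterwards; if shorewall should keep driving the xtables backend, `sh check-backend.sh legacy | sudo sh` applies the switch, after which `report` should show `legacy` for both families.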