On Friday, December 6, 2019 4:03 PM, Vasili Pupkin <[email protected]> wrote:

> On 06.12.2019 18:08, Jason A. Donenfeld wrote:
> > On Fri, Dec 6, 2019 at 4:06 PM Jordan Glover <[email protected]> wrote:
> > > On Thursday, December 5, 2019 8:24 PM, Jason A. Donenfeld <[email protected]> wrote:
> > > > If we can make nft coexistence work reliably, perhaps we can run the
> > > > nft rule on systems where the nft binary simply exists.
> > >
> > > Will this work correctly on systems where the nft binary exists but only
> > > iptables rules are used?
> >
> > That's what I meant by, "if we can make nft coexistence work reliably."
>
> Take a look at the table on the bottom of this page
> https://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting#Question_4._How_do_nftables_and_iptables_interact_when_used_on_the_same_system.3F
>
> On my system their rules coexist fine. Both nftables and iptables are
> just high level interfaces to kernel netfilter hooks after all; if
> either of them drops the packet then the packet is dropped. It is also
> possible to write the same filter using iptables, not as easy and not as
> beautiful as nft though. Finally wireguard can do this directly
> interacting with netfilter as the last resort.

But nft rules won't be visible from iptables tools like iptables-save, right?
This may be confusing for people who still use iptables for setting up a
firewall on their systems.

Jordan

_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
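The visibility concern raised above (nft-native rules not showing up in iptables-save) is something an administrator can check for before auditing a host. The following is an added example, not code from the thread or from the WireGuard project: a POSIX sh function that takes the output of `iptables -V` and `nft list ruleset` as strings and reports which rule sources are active, so it can be run against captured output as well as live. The sample strings are constructed for the example.

```shell
#!/bin/sh
# Classify which packet-filter front ends are active, given:
#   $1: output of `iptables -V`, e.g. "iptables v1.8.7 (nf_tables)" or
#       "iptables v1.8.7 (legacy)"; empty when iptables is not installed.
#   $2: output of `nft list ruleset`; empty when no nftables rules are loaded.
# Prints one of: none, iptables-legacy, iptables-nft, unknown, nft-only,
# or "coexisting:<iptables backend>+nft".
classify_backend() {
  ipt_version="$1"
  nft_ruleset="$2"
  case "$ipt_version" in
    *nf_tables*) ipt_backend="iptables-nft" ;;
    *legacy*)    ipt_backend="iptables-legacy" ;;
    "")          ipt_backend="none" ;;
    *)           ipt_backend="unknown" ;;
  esac
  # Any table in the nft ruleset counts as an active nftables rule source.
  # A native nft table (e.g. family inet) does not appear in iptables-save
  # output, whichever iptables backend is installed, so "coexisting" means
  # iptables-save alone is not a complete view of the filter.
  if printf '%s\n' "$nft_ruleset" | grep -q '^table '; then
    nft_state="active"
  else
    nft_state="empty"
  fi
  if [ "$nft_state" = active ] && [ "$ipt_backend" != none ]; then
    echo "coexisting:$ipt_backend+nft"
  elif [ "$nft_state" = active ]; then
    echo "nft-only"
  else
    echo "$ipt_backend"
  fi
}

# Live use (needs root and the tools installed):
#   classify_backend "$(iptables -V 2>/dev/null)" "$(nft list ruleset 2>/dev/null)"

# Constructed sample inputs (not captured from a real host).
SAMPLE_IPT_NFT="iptables v1.8.7 (nf_tables)"
SAMPLE_IPT_LEGACY="iptables v1.8.7 (legacy)"
SAMPLE_NFT_RULESET='table inet example_filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
}'
```

When the result is "coexisting:iptables-legacy+nft", both `iptables-save` and `nft list ruleset` must be read to see the full filter; with iptables-nft, `nft list ruleset` already includes the compat tables iptables created.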
