Re: Stretch => Buster: iptables

To: debian-user@lists.debian.org
Subject: Re: Stretch => Buster: iptables
From: Reco <recoverym4n@enotuniq.net>
Date: Fri, 16 Oct 2020 13:35:28 +0300
Message-id: <[🔎] E1kTN56-00071j-Hp@enotuniq.net>
In-reply-to: <[🔎] 2e60c9a3-6ce1-0b68-d65f-37362ade22e3@dybdal.dk>
References: <[🔎] 2e60c9a3-6ce1-0b68-d65f-37362ade22e3@dybdal.dk>

	Hi.

On Fri, Oct 16, 2020 at 12:25:23PM +0200, Jesper Dybdal wrote:
> I have a lot of iptables rules.
> 
> Is it correctly understood that the upgrade to Buster will automatically install iptables-nft, and that iptablés-nft provides complete and compatible support
> for the functionality of the old iptables command, so I can expect my iptables scripts to just work?

Barring some kernel bugs - yes.
For instance, I've seen kernel panics because of simple:

iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

It *should* be fixed by now, but I cannot call my own usage of netfilter
that advanced (filter, nat, *some* raw, that's it).

> (If so, that would be really nice, since I can then postpone the move to native nftables.)

To switch back to conventional netfilter you'll have to execute these:

update-alternatives --config iptables
update-alternatives --config ip6tables
update-alternatives --config arptables
update-alternatives --config ebtables

Last two are optional, and it all should be done after the migration to buster.

Reco

Reply to:

Follow-Ups:
- Re: Stretch => Buster: iptables
  - From: Jesper Dybdal <jd-debian-user@dybdal.dk>

References:
- Stretch => Buster: iptables
  - From: Jesper Dybdal <jd-debian-user@dybdal.dk>

Prev by Date: Re: Stretch => Buster: AppArmor
Next by Date: Re: Stretch => Buster: Entropy during boot
Previous by thread: Stretch => Buster: iptables
Next by thread: Re: Stretch => Buster: iptables
Index(es):
- Date
- Thread