V6.0 move from iptables to nftables

mfgamma

Hi,

questions on nftables move from iptables:

I have been using shorewall for years with many setups in place: what is needed to make it work on V6.0 on top of switching by update-alternatives --set iptables /usr/sbin/iptables-legacy?

Is the native firewall in Proxmox using nftables or iptables?

thanks
 
AFAIK, Debian Buster ships with the active compatibility layer of nftables that acts and feels like iptables itself, so that it can be transparently used without even noticing it. So maybe it just works out-of-the-box? Best way is to test on the PVE 6 Beta.
 
pve-firewall uses the legacy interface as well (for now), since the nft one does not yet support all our generated commands.
 
Hi Fabian,

thanks for the answer. So that means that shorewall will also work without any additional update-alternatives to be done?
 
pve-firewall sets the alternatives to the legacy version for iptables, ip6tables and ebtables.
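An added check (not part of this thread and not pve-firewall's own code) that reports which backend iptables, ip6tables and ebtables currently resolve to on a host, so a shorewall setup can be verified against the legacy alternatives described above. It assumes the `-V` banner format of the 1.8 series (`... (legacy)` / `... (nf_tables)`) and a hypothetical script name check_xtables_backend.sh for the live run:

```shell
# Added example: confirm that every xtables front-end on a PVE 6 host is on
# the legacy backend that pve-firewall selects via update-alternatives.

# Map the banner printed by `<tool> -V` to a backend name, e.g.
#   "iptables v1.8.2 (legacy)"    -> legacy
#   "iptables v1.8.2 (nf_tables)" -> nf_tables
# Older builds print no suffix at all, which is reported as unknown.
backend_from_banner() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# Extract the currently selected path from `update-alternatives --query <name>`
# output (its "Value:" line). Reads the query text from stdin.
alternative_value() {
    sed -n 's/^Value: //p' | head -n 1
}

# Returns 0 when every argument is "legacy" (what pve-firewall expects).
all_legacy() {
    for b in "$@"; do
        [ "$b" = legacy ] || return 1
    done
    return 0
}

# Live check of this host: one line per tool, exit status 1 if any tool is
# not on the legacy backend. Tools that are not installed count as absent.
check_host() {
    rc=0
    for tool in iptables ip6tables ebtables; do
        if command -v "$tool" >/dev/null 2>&1; then
            b=$(backend_from_banner "$("$tool" -V 2>/dev/null)")
        else
            b=absent
        fi
        printf '%-10s %s\n' "$tool" "$b"
        [ "$b" = legacy ] || rc=1
    done
    return "$rc"
}

# Only run the live check when executed directly under the assumed file name.
if [ "${0##*/}" = "check_xtables_backend.sh" ]; then
    check_host
fi
```

Pair the banner check with `update-alternatives --query iptables | alternative_value` if you want to see the selected path rather than the banner, since the two should agree.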
 
Hello, I found that the latest Proxmox 6.3 still seems to be using the iptables/ebtables legacy versions with 1.8.2-4.

I cannot judge how urgent migration to the newer interface is, but FYI:

https://www.computerweekly.com/de/r...us-iptables-Das-muessen-Linux-Admins-beachten

"However, with the release of version 1.8.2, all users are strongly advised to switch to the nftables interface instead of continuing to use the iptables system."

https://ral-arturo.org/2020/11/27/netfilter-virtual-workshop.html

Phil Sutter shared his past and future iptables development efforts. He highlighted fixed bugs and his short/midterm TODO list. I know Phil has been busy lately fixing iptables-legacy/iptables-nft incompatibilities. Basically addressing annoying bugs discovered by all ruleset managers out there (kubernetes, docker, openstack neutron, etc). Lots of work has been done to improve the situation; moreover I myself reported, or forwarded from the Debian bug tracker, several bugs. Anyway I was unable to attend this talk, only learnt a few bits in the following sessions, so I don’t have a lot to comment here.
 
Interesting, thanks for sharing.

There was a missing part for nftables bridge filtering, only resolved recently, about a year ago; that's why it was not implemented yet in Proxmox 6. I don't know about the roadmap, but maybe for Proxmox 7 it could be technically possible to implement it.
 
