Bug#934584: IPMasquerade=yes uses iptables (not nftables)

Arturo Borrero Gonzalez arturo at debian.org
Mon Aug 12 12:50:40 BST 2019


On 8/12/19 1:26 PM, Michael Biebl wrote:
> src/shared/firewall-util.* uses libiptc (which in turn uses iptables)
> 
> ttbomk, mixing nftables and iptables is supported, otherwise we'd have
> huge problems in buster (e.g. firewalld was explicitly switched back to
> use iptables as quite a few components are not yet nft ready, like
> libvirt and other container managers like docker).
> That said, I've CCed Arturo, maybe he can chime in here.
> 
> 
> To me this sounds more like a wishlist bug to get systemd ported from
> libiptc to libnftables and that should be filed and addressed upstream.
> 
> Michael
> 

Mixing nftables and iptables-legacy is not a good idea in general, unless one
knows exactly what is happening. For certain complex setups, it should be avoided.

That being said, most of the stuff should work just fine using iptables-nft.
Beware that you would need very recent iptables-nft and kernels (some bugs
happened...).

Ideally systemd would use nftables natively, but it should work just fine using
iptables-nft as well. Moreover, libiptc was never intended to be a public
library. So this sounds like an excellent time to migrate to a proper public API.
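As an added example (not code from this thread, from systemd or from the iptables project), a small audit helper that surfaces the mixed state Arturo warns about: it parses constructed sample output of `iptables -V`, `iptables-legacy-save` and `nft list ruleset` and reports whether rules currently live in both the legacy x_tables backend and in nftables. The sample outputs, including the MASQUERADE rule, are constructed for illustration.

```python
import re

# Constructed sample outputs, standing in for what the real commands
# `iptables -V`, `iptables-legacy-save` and `nft list ruleset` print.
IPTABLES_VERSION = "iptables v1.8.3 (nf_tables)"

LEGACY_SAVE = """\
# Generated by iptables-legacy-save v1.8.3
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -j MASQUERADE
COMMIT
"""

NFT_RULESET = """\
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
		iif "lo" accept
	}
}
"""

def iptables_backend(version_line):
    """Return 'nf_tables', 'legacy' or 'unknown' from `iptables -V` output."""
    m = re.search(r"\((nf_tables|legacy)\)", version_line)
    return m.group(1) if m else "unknown"

def legacy_rules(save_output):
    """Rule lines (-A ...) present in the legacy x_tables backend."""
    return [l for l in save_output.splitlines() if l.startswith("-A ")]

def nft_tables(ruleset_output):
    """Family + name of every table in the nftables ruleset."""
    return re.findall(r"^table\s+(\S+\s+\S+)\s*\{", ruleset_output, re.M)

def audit(version_line, save_output, ruleset_output):
    """Summarise which backends hold rules; 'mixed' is the state to avoid."""
    legacy = legacy_rules(save_output)
    tables = nft_tables(ruleset_output)
    return {
        "backend": iptables_backend(version_line),
        "legacy_rules": len(legacy),
        "nft_tables": tables,
        "mixed": bool(legacy) and bool(tables),
    }

if __name__ == "__main__":
    print(audit(IPTABLES_VERSION, LEGACY_SAVE, NFT_RULESET))
```

On a live host, feed the helper the actual command outputs; a `mixed` result means legacy and nftables rules coexist and ordering between the two backends is not what the nft ruleset alone suggests.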
