Bug#934584: IPMasquerade=yes uses iptables (not nftables)

Michael Biebl biebl at debian.org
Mon Aug 12 12:56:03 BST 2019


Am 12.08.19 um 13:50 schrieb Arturo Borrero Gonzalez:
> On 8/12/19 1:26 PM, Michael Biebl wrote:
>> src/shared/firewall-util.* uses libiptc (which in turn uses iptables)
>>
>> ttbomk, mixing nftables and iptables is supported, otherwise we'd have
>> huge problems in buster (e.g. firewalld was explicitly switched back to
>> use iptables as quite a few components are not yet nft ready, like
>> libvirt and other container managers like docker).
>> That said, I've CCed Arturo, maybe he can chime in here.
>>
>>
>> To me this sounds more like a wishlist bug to get systemd ported from
>> libiptc to libnftables and that should be filed and addressed upstream.
>>
>> Michael
>>
> 
> Mixing nftables and iptables-legacy is not a good idea in general, unless one
> knows exactly what is happening. For certain complex setups, it should be avoided.
> 
> That being said, most of the stuff should work just fine using iptables-nft.
> Beware that you would need very recent iptables-nft and kernels (some bugs
> happened..).
> 
> Ideally systemd would use nftables natively, but it should work just fine using
> iptables-nft as well. Moreover, libiptc was never intended to be a public
> library. So this sounds like an excellent time to migrate to a proper public API.
> 

Is libnftables a proper public API, i.e. supposed to be used by 3rd
party applications?

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
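The concern in the thread is whether rules that systemd adds through libiptc end up in the same kernel API as any native nftables rules on the host. A quick way to check is to look at which backend the installed iptables binary uses (since 1.8 the version string carries it; on buster the selection is made via update-alternatives). The following is an added example for this thread, not code from systemd or from the bug report; the function names and the "mixed/ok/legacy-only" labels are my own, and the host probing at the bottom only runs when iptables is present:

```shell
#!/bin/sh
# Added example (not systemd's code): find out which backend the iptables
# binary on this host talks to, so you know whether rules added through
# libiptc (e.g. systemd's IPMasquerade=yes) land in the nf_tables API next
# to native nftables rules, or in the legacy x_tables API beside them.

# Classify an "iptables -V" line. Since iptables 1.8 the version string
# names the backend in parentheses; older releases carry no suffix and are
# always the legacy x_tables backend.
classify_iptables_backend() {
    case "$1" in
        *"(nf_tables)"*)       echo nf_tables ;;
        *"(legacy)"*)          echo legacy ;;
        iptables\ v1.[0-7].*)  echo legacy ;;
        *)                     echo unknown ;;
    esac
}

# Combine the backend with whether native nftables tables exist and name the
# situation. "mixed" is the legacy-iptables-plus-nftables case the thread
# warns about; "ok" is iptables-nft, which should work with a recent
# iptables-nft and kernel.
# $1: backend from classify_iptables_backend; $2: "yes"/"no" native nft tables.
assess_mix() {
    if [ "$1" = legacy ] && [ "$2" = yes ]; then
        echo mixed
    elif [ "$1" = nf_tables ]; then
        echo ok
    elif [ "$1" = legacy ]; then
        echo legacy-only
    else
        echo unknown
    fi
}

# Probe the real host only when the tools exist, so the script also runs on
# a machine without iptables/nft installed.
if command -v iptables >/dev/null 2>&1; then
    ver=$(iptables -V 2>/dev/null || true)
    host_backend=$(classify_iptables_backend "$ver")
    native=no
    if command -v nft >/dev/null 2>&1 && nft list tables 2>/dev/null | grep -q .; then
        native=yes
    fi
    echo "iptables backend: $host_backend; native nftables tables: $native;" \
         "assessment: $(assess_mix "$host_backend" "$native")"
    # With iptables-nft, the masquerade rule systemd installs is visible in
    # the nftables ruleset too (table ip nat, chain POSTROUTING).
    if [ "$host_backend" = nf_tables ] && command -v nft >/dev/null 2>&1; then
        nft list table ip nat 2>/dev/null | grep -i masquerade \
            || echo "no MASQUERADE rule found in table ip nat"
    fi
fi
```

If the assessment comes back "mixed", switching the alternative to iptables-nft (`update-alternatives --set iptables /usr/sbin/iptables-nft` on Debian) moves subsequent libiptc-added rules into nf_tables; rules already in the legacy tables stay there until flushed, so check both `iptables-legacy-save` and `nft list ruleset` afterwards.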



More information about the Pkg-systemd-maintainers mailing list