[clug] Fwd: Debian Buster -Which firewall by default? iptables or nftables ? Apt says iptables is installed and nftables is not installed, but the Debian doco says otherwise.

Steve Walsh steve at nerdvana.org.au
Wed Jul 24 08:04:11 UTC 2019


On 24/7/19 4:15 pm, George at Clug via linux wrote:
> Hi guys,  
>
> Surely someone could help explain a bit further on what is happening with iptables in Debian?

Background

Iptables is the user space tool to manipulate firewall rules.  Over the
years, people have used iptables to refer to both the user space tool,
and to netfilter, the kernel-level components that inspect packets and
take actions on them.

nftables is the kernel-level component to replace netfilter. To keep
some compatibility in place, iptables will still talk to netfilter, but
there's a new tool a' comin'.

Why change the tool? At the moment, the iptables firewall code has so
much protocol-specific logic built into it that it's replicated four
times: once for IPv4, again for IPv6, a third time for ARP, and a
fourth time for Ethernet bridging control.  Each of those kernel sections
has a tool of its own (iptables, ip6tables, arptables and ebtables).
There was some attempt to consolidate the bits that could be
de-duplicated into x_tables, but that nugget only helps you pick apart
what's happening, and won't win you any points at pub trivia.

From the Wikipedia page for nftables:

'The nftables kernel engine adds a simple virtual machine into the
Linux kernel which is able to execute bytecode to inspect a network
packet and make decisions on how that packet should be handled. The
operations implemented by this virtual machine are intentionally made
basic.

It can get data from the packet itself, have a look at the associated
metadata (inbound interface, for example), and manage connection
tracking data.

Arithmetic, bitwise and comparison operators can be used for making
decisions based on that data. The virtual machine is also capable of
manipulating sets of data (typically IP addresses), allowing multiple
comparison operations to be replaced with a single set lookup.'

'nftables also offers an improved userspace API that allows atomic
replacements of one or more firewall rules within a single Netlink
transaction. That speeds up firewall configuration changes for setups
having large rulesets; it can also help in avoiding race conditions
while the rule changes are being executed. nftables also includes
compatibility features to ease transition from previous firewalls,
command line utilities to convert rules in the iptables format, and
syntax compatible versions of iptables commands that use the nftables
backend.'

When the doco tells you Buster uses nf_tables and not iptables, it's
talking about the kernel modules.

When you twiddle iptables in alternatives, you're changing which tool
for manipulating the firewall at the kernel level is assigned to the
user-space command "iptables".

The default starting with Debian Buster:

# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft

Switching to the legacy version:

# update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
# update-alternatives --set arptables /usr/sbin/arptables-legacy
# update-alternatives --set ebtables /usr/sbin/ebtables-legacy


HTH, and I'm sure someone will let us know if I've gotten any of this wrong.
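The alternatives switch above only changes which front end the "iptables" command runs; the kernel evaluates whatever is loaded through nf_tables and whatever is loaded through the legacy ip_tables modules, both at once. As an added example (not from the post above and not Debian's own tooling), the POSIX sh script below reports which backend the alternative points at, which of those kernel modules are loaded, and warns when rules are present in both backends, which is the situation where one front end cannot show you rules that are nonetheless being enforced. The "link currently points to" line format of `update-alternatives --display`, the iptables-save dump and the /proc/modules lines are constructed sample data written for this example; the live check assumes the Buster tool names iptables-nft-save and iptables-legacy-save and runs only when they exist and the script is run as root.

```shell
#!/bin/sh
# Added example, not part of the original post: inspect which iptables
# backend is active and flag rules loaded in both backends at once.
# The helper functions are exercised on constructed sample data below;
# the live check runs only if the real tools are present.

# Classify an alternatives target by suffix: "nft", "legacy" or "unknown".
backend_of_path() {
    case "$1" in
        *-nft)    echo nft ;;
        *-legacy) echo legacy ;;
        *)        echo unknown ;;
    esac
}

# Read `update-alternatives --display iptables` output on stdin and print
# the backend of the link it currently points to. Assumes the line format
# "  link currently points to /usr/sbin/iptables-nft".
backend_from_display() {
    backend_of_path "$(sed -n 's/^ *link currently points to //p' | head -n 1)"
}

# Read an iptables-save style dump on stdin and count appended rules
# ("-A CHAIN ..." lines); chain declarations and COMMIT are ignored.
count_rules() {
    awk '/^-A /{n++} END{print n+0}'
}

# Read /proc/modules on stdin and print the loaded packet-filter modules
# that matter here: nf_tables (the new engine) and the legacy
# ip_tables, ip6_tables, arp_tables and ebtables modules.
backend_modules() {
    awk '$1=="nf_tables"||$1=="ip_tables"||$1=="ip6_tables"||$1=="arp_tables"||$1=="ebtables"{print $1}'
}

# Given rule counts for the nf_tables and legacy backends, return 0 when
# at most one holds rules and 1 when both do. The kernel evaluates both
# rulesets, so rules that only the other front end can list are easy to
# miss (iptables-nft prints a warning about legacy tables for this reason).
check_single_backend() {
    nft_rules=$1
    legacy_rules=$2
    if [ "$nft_rules" -gt 0 ] && [ "$legacy_rules" -gt 0 ]; then
        echo "WARNING: rules in both backends (nf_tables=$nft_rules legacy=$legacy_rules)"
        return 1
    fi
    echo "ok: nf_tables=$nft_rules legacy=$legacy_rules"
    return 0
}

# Constructed sample data, shaped like the real tool output.
SAMPLE_DISPLAY='iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore'

SAMPLE_LEGACY_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

SAMPLE_MODULES='nft_compat 20480 0 - Live 0xffffffffc0a5e000
nf_tables 139264 3 nft_compat,nft_counter, Live 0xffffffffc0a30000
ip_tables 28672 1 iptable_filter, Live 0xffffffffc09f0000
x_tables 45056 6 nft_compat,ip_tables,iptable_filter, Live 0xffffffffc09e0000'

# Demonstration on the constructed samples.
demo() {
    printf 'alternative points at: %s\n' "$(printf '%s\n' "$SAMPLE_DISPLAY" | backend_from_display)"
    printf 'loaded backend modules: %s\n' "$(printf '%s\n' "$SAMPLE_MODULES" | backend_modules | tr '\n' ' ')"
    legacy=$(printf '%s\n' "$SAMPLE_LEGACY_SAVE" | count_rules)
    check_single_backend 0 "$legacy"
    # Constructed case: four rules also loaded through nf_tables -> warning.
    check_single_backend 4 "$legacy" || true
}

# Live check, only as root on a host that has both Buster front ends.
live_check() {
    command -v iptables-nft-save >/dev/null 2>&1 || return 0
    command -v iptables-legacy-save >/dev/null 2>&1 || return 0
    [ "$(id -u)" -eq 0 ] || return 0
    nft=$(iptables-nft-save 2>/dev/null | count_rules)
    legacy=$(iptables-legacy-save 2>/dev/null | count_rules)
    check_single_backend "$nft" "$legacy" || true
}

demo
live_check
```

Run it as root on a Buster box after switching alternatives either way: if the warning fires, dump and flush the backend you are not using (iptables-legacy-save, then iptables-legacy -F on each table, or the nft equivalents) rather than assuming the ruleset you can see is the only one in force.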
