[clug] Fwd: Debian Buster - Which firewall by default? iptables or nftables? Apt says iptables is installed and nftables is not installed, but the Debian doco says otherwise.

Bob Edwards bob at cs.anu.edu.au
Wed Jul 24 08:18:37 UTC 2019


On 24/7/19 6:04 pm, Steve Walsh via linux wrote:
> On 24/7/19 4:15 pm, George at Clug via linux wrote:
>> Hi guys,
>>
>> Surely someone could help explain a bit further on what is happening with iptables in Debian?
> 
> Background
> 
> Iptables is the user space tool to manipulate firewall rules.  Over the
> years, people have used iptables to refer to both the user space tool,
> and to netfilter, the kernel-level components that inspect packets and
> take actions on them.
> 
> nftables is the kernel-level component to replace netfilter. To keep
> some compatibility in place, iptables will still talk to netfilter, but
> there's a new tool a' comin'.
> 
> Why change the tool? At the moment, the iptables firewall code has so
> much protocol specific logic built into the code it's replicated 4
> times, once for ipv4, again for ipv6, a third time for arp, and lastly a
> 4th time for ethernet bridging control.  Each of those kernel sections
> has a tool of their own (iptables, ip6tables, arptables and ebtables).
> There was some attempt to consolidate the bits that could be
> de-duplicated into x_tables, but that nugget only helps you pick apart
> what's happening, and won't win you any points at pub trivia.
> 
>  From the wikipedia page for nftables
> 
> 'The nftables kernel engine adds a simple virtual machine into the
> Linux kernel which is able to execute bytecode to inspect a network
> packet and make decisions on how that packet should be handled. The
> operations implemented by this virtual machine are intentionally made
> basic.
> 
> It can get data from the packet itself, have a look at the associated
> metadata (inbound interface, for example), and manage connection
> tracking data.
> 
> Arithmetic, bitwise and comparison operators can be used for making
> decisions based on that data. The virtual machine is also capable of
> manipulating sets of data (typically IP addresses), allowing multiple
> comparison operations to be replaced with a single set lookup'
> 
> 'nftables also offers an improved userspace API that allows atomic
> replacements of one or more firewall rules within a single Netlink
> transaction. That speeds up firewall configuration changes for setups
> having large rulesets; it can also help in avoiding race conditions
> while the rule changes are being executed. nftables also includes
> compatibility features to ease transition from previous firewalls,
> command line utilities to convert rules in the iptables format, and
> syntax compatible versions of iptables commands that use the nftables
> backend'.
> 
> When the doco tells you Buster uses nf_tables and not iptables, it's
> talking about the kernel modules.
> 
> When you twiddle iptables in alternatives, you're changing which tool
> for manipulating the firewall at the kernel level is assigned to the
> user-space command "iptables".
> 
> The default starting with Debian Buster:
> 
> # update-alternatives --set iptables /usr/sbin/iptables-nft
> # update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
> # update-alternatives --set arptables /usr/sbin/arptables-nft
> # update-alternatives --set ebtables /usr/sbin/ebtables-nft
> 
> Switching to the legacy version:
> 
> # update-alternatives --set iptables /usr/sbin/iptables-legacy
> # update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
> # update-alternatives --set arptables /usr/sbin/arptables-legacy
> # update-alternatives --set ebtables /usr/sbin/ebtables-legacy
> 
> 
> HTH, and I'm sure someone will let us know if I've gotten any of this wrong.
> 
> 

I don't know how much you got right or wrong, but I'm going with what
you wrote.

What you didn't write is that our own Paul "Rusty" Russell (well, he lived
and worked in Canberra for a number of years) wrote iptables code, and
its predecessor, ipchains. He also organised and underwrote the first
Australian Linux Conference (CALU), and is the inaugural winner of the
"Rusty Wrench" award (not sure why it is called that - Steve might know,
he being another recipient of that esteemed award...).

cheers,
Bob Edwards.
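A small check script for the update-alternatives procedure quoted above, added here as an example and not code from the thread or from Debian. It assumes what the quoted message states for Buster: that the iptables package ships both iptables-legacy and iptables-nft behind the alternatives link, and that `iptables -V` prints the active backend in parentheses, e.g. "iptables v1.8.2 (nf_tables)". The practical point it adds is the one that bites after switching alternatives: rules inserted through one backend are invisible to a listing taken through the other, so a host can end up with a split ruleset that `iptables -S` alone never shows. The sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Debian: report which
# backend the "iptables" command on this host resolves to, and warn when rules
# are loaded under BOTH iptables-legacy and iptables-nft, because a listing
# taken through one backend does not show rules inserted through the other.
# The parsing lives in small functions so it can be exercised on constructed
# strings without root or the tools installed; run with --live for the real
# check on a Buster host.

# Classify an `iptables -V` line such as "iptables v1.8.2 (nf_tables)".
# Prints one of: nf_tables, legacy, unknown (older builds print no suffix).
classify_backend() {
    case "$1" in
        *'(nf_tables)'*) printf '%s\n' nf_tables ;;
        *'(legacy)'*)    printf '%s\n' legacy ;;
        *)               printf '%s\n' unknown ;;
    esac
}

# Count real rules in `iptables -S` output: only "-A" lines, so the default
# "-P CHAIN POLICY" lines and "-N CHAIN" declarations are not counted.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# Succeed (exit 0) when both listings carry rules, i.e. the ruleset is split
# across the two backends and neither listing alone is the whole picture.
mixed_backends() {
    legacy_n=$(count_rules "$1")
    nft_n=$(count_rules "$2")
    [ "$legacy_n" -gt 0 ] && [ "$nft_n" -gt 0 ]
}

# Live check against the running system (needs root for the listings).
live_check() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables is not installed" >&2
        return 1
    fi
    backend=$(classify_backend "$(iptables -V 2>/dev/null)")
    echo "iptables -> $(readlink -f "$(command -v iptables)") [$backend]"
    # The alternatives entry that the quoted update-alternatives --set lines change:
    if command -v update-alternatives >/dev/null 2>&1; then
        update-alternatives --query iptables 2>/dev/null | grep -E '^(Status|Value):' || true
    fi
    legacy_rules=$(iptables-legacy -S 2>/dev/null || true)
    nft_rules=$(iptables-nft -S 2>/dev/null || true)
    echo "rules via legacy backend:    $(count_rules "$legacy_rules")"
    echo "rules via nf_tables backend: $(count_rules "$nft_rules")"
    if mixed_backends "$legacy_rules" "$nft_rules"; then
        echo "WARNING: rules loaded under both backends; compare 'iptables-legacy -S' with 'nft list ruleset'" >&2
        return 2
    fi
    return 0
}

# Offline demonstration on constructed listings: one rule inserted through the
# legacy backend, two through the nf_tables backend.
demo() {
    legacy_sample='-P INPUT ACCEPT
-P FORWARD DROP
-N APP
-A FORWARD -j APP'
    nft_sample='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "backend of 'iptables v1.8.2 (nf_tables)': $(classify_backend 'iptables v1.8.2 (nf_tables)')"
    echo "legacy sample rules: $(count_rules "$legacy_sample"), nf_tables sample rules: $(count_rules "$nft_sample")"
    if mixed_backends "$legacy_sample" "$nft_sample"; then
        echo "constructed sample: split ruleset detected"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    demo
fi
```

Run it with no arguments to see the parsing on the constructed sample; run it as root with `--live` on a Buster box to see the real alternatives link, the `-V` suffix, and whether anything has slipped in through the other backend. When the warning fires, `nft list ruleset` shows everything the nf_tables side loaded (the iptables-nft compatibility tables included) but still not the legacy rules, which is exactly why the script lists both.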
