Re: Bug#912977: iptables: nftables layer breaks ipsec/policy keyword

[Pierre Chifflier <pollux@debian.org>]

On Tue, Nov 06, 2018 at 02:02:06PM +0100, Arturo Borrero Gonzalez wrote:
> Control: forwarded -1 https://bugzilla.netfilter.org/show_bug.cgi?id=1290
> 
> Hopefully next upstream release will contain a fix.

Hi,

Thanks Arturo.

After some more testing, it seems the bug would be less severe than it
looks:

- the (iptables) rules seems to work, the nft dump can just not show
  them (which is a bug, but less important)
  This was tested for the policy module, for OUTPUT.

- the iptables rules can be saved and reloaded as usual

- the produced nft ruleset should not be used (for ex to switch to
  nftables), as it will load without error but without the nft_compat
  keywords. This would also be a different bug.

I'm still running some more tests, but I think the severity can be
lowered.

Regards,
Pierre