Re: Is it a bug that the iptable_filter module isn't loaded automatically with Debian 10 iptables-nft?

To: debian-user@lists.debian.org
Subject: Re: Is it a bug that the iptable_filter module isn't loaded automatically with Debian 10 iptables-nft?
From: Pascal Hambourg <pascal@plouf.fr.eu.org>
Date: Mon, 28 Oct 2019 20:23:27 +0100
Message-id: <[🔎] b44a9588-0a18-3048-21f5-5c9b675d81af@plouf.fr.eu.org>
In-reply-to: <[🔎] 20191028081413.GD1278@bitfolk.com>
References: <[🔎] 20191028081413.GD1278@bitfolk.com>

Le 28/10/2019 à 09:14, Andy Smith a écrit :


I will take a guess that the switching of the iptables commands to
use the nftables framework has somehow caused this iptable_filter
module to not be loaded even though the firewall still works.


Correct.

Is it a bug that loading rules into the filter table using
iptables-nft command (actually called as "iptables" due to
alternatives) no longer causes iptable_filter module to be loaded
and thus "filter" to appear in /proc/net/ip_tables_names?

No, it is expected. iptable_* modules and /proc/net/ip_tables_names arepart of the iptables framework. But iptables-nft uses the nftablesframework (by translating iptables rules into nftables rules).

I understand that a management software using iptables may look up/proc/net/ip_tables_names to check whether a tables is active, forinstance so that it can initialize or list it properly (initializing orlisting an unused inactive table would needlessly activate it).

Is there a different proc file that will list the active netfilter
tables?

There are no netfilter tables. Tables belong to frameworks runninginside netfilter such as iptables and nftables.

Is it safe for me to continue forcing the load of the iptable_file
and ip6table_filter modules, or should I stop doing that and seek to
get the management software fixed instead? Though doing that will
need some other way to obtain the same information. >
If it is bad to force load those modules, perhaps I should be using
update-alternatives to go back to using iptables-legacy?

Loading an iptables table makes it process packets needlessly. Also,some some iptables extensions are not supported by nftablescompatibility layer. So yes, IMO you should go back to usingiptables-legacy, even though I cannot think of any undesirable sideeffect beside performance when the chains are empty with policy ACCEPT.

I am aware that we should be switching to nftables now


IMO there is no hurry yet.

Reply to:

References:
- Is it a bug that the iptable_filter module isn't loaded automatically with Debian 10 iptables-nft?
  - From: Andy Smith <andy@strugglers.net>

Prev by Date: Issues with firefox-esr upgrade [60.9.0esr-1~deb10u1 -> 68.2.0esr-1~deb10u1]
Next by Date: ebian-10.1.0-amd64-DVD-1
Previous by thread: Is it a bug that the iptable_filter module isn't loaded automatically with Debian 10 iptables-nft?
Next by thread: failed upgrade to Buster
Index(es):
- Date
- Thread