
Re: Is it a bug that the iptable_filter module isn't loaded automatically with Debian 10 iptables-nft?



On 28/10/2019 at 09:14, Andy Smith wrote:

> I will take a guess that the switching of the iptables commands to
> use the nftables framework has somehow caused this iptable_filter
> module to not be loaded even though the firewall still works.

Correct.

> Is it a bug that loading rules into the filter table using
> iptables-nft command (actually called as "iptables" due to
> alternatives) no longer causes iptable_filter module to be loaded
> and thus "filter" to appear in /proc/net/ip_tables_names?

No, it is expected. iptable_* modules and /proc/net/ip_tables_names are part of the iptables framework. But iptables-nft uses the nftables framework (by translating iptables rules into nftables rules).

I understand that a management software using iptables may look up /proc/net/ip_tables_names to check whether a table is active, for instance so that it can initialize or list it properly (initializing or listing an unused inactive table would needlessly activate it).

> Is there a different proc file that will list the active netfilter
> tables?

There are no netfilter tables. Tables belong to frameworks running inside netfilter such as iptables and nftables.

> Is it safe for me to continue forcing the load of the iptable_filter
> and ip6table_filter modules, or should I stop doing that and seek to
> get the management software fixed instead? Though doing that will
> need some other way to obtain the same information.
>
> If it is bad to force load those modules, perhaps I should be using
> update-alternatives to go back to using iptables-legacy?

Loading an iptables table makes it process packets needlessly. Also, some iptables extensions are not supported by the nftables compatibility layer. So yes, IMO you should go back to using iptables-legacy, even though I cannot think of any undesirable side effect besides performance when the chains are empty with policy ACCEPT.

> I am aware that we should be switching to nftables now

IMO there is no hurry yet.
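A shell helper, added here as an illustration and not part of this thread or of any Debian package, showing how a management script could answer "is the filter table active?" under either backend instead of forcing iptable_filter to load: it treats /proc/net/ip_tables_names (and ip6_tables_names) as the iptables-legacy signal, and falls back to the output of `nft list tables`, which is where iptables-nft's tables show up (printed as `table ip filter`). The function name, the file-based interface and the sample file contents are my own constructions so that the logic can be exercised without root or a live netfilter.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Decide whether a table is active under iptables-legacy or iptables-nft.
#
# is_table_active FAMILY TABLE PROCFILE NFTFILE
#   FAMILY   "ip" or "ip6"
#   TABLE    e.g. "filter"
#   PROCFILE path of an ip_tables_names-style file (legacy backend); may be absent
#   NFTFILE  path of a file holding the output of `nft list tables`
# Prints which backend reported the table ("legacy" or "nft", else "none")
# and returns 0 when the table is active, 1 otherwise.
is_table_active() {
    family=$1; table=$2; procfile=$3; nftfile=$4
    # Legacy backend: the kernel lists each loaded xtables table on its own line.
    if [ -r "$procfile" ] && grep -qxF "$table" "$procfile"; then
        echo legacy
        return 0
    fi
    # nft backend: `nft list tables` prints "table <family> <name>" lines.
    if [ -r "$nftfile" ] && grep -qxF "table $family $table" "$nftfile"; then
        echo nft
        return 0
    fi
    echo none
    return 1
}

# Live wrapper for a real host (hypothetical name; nft needs root to list tables).
check_live() {
    family=$1; table=$2
    nftout=$(mktemp)
    if command -v nft >/dev/null 2>&1; then
        nft list tables > "$nftout" 2>/dev/null || true
    fi
    is_table_active "$family" "$table" "/proc/net/${family}_tables_names" "$nftout"
    rc=$?
    rm -f "$nftout"
    return $rc
}

# Constructed sample inputs standing in for the real files.
SAMPLE_LEGACY_PROC=$(mktemp)     # what /proc/net/ip_tables_names looks like on legacy
printf 'filter\nnat\n' > "$SAMPLE_LEGACY_PROC"
SAMPLE_MISSING_PROC=/nonexistent/ip_tables_names   # iptables-nft host: file absent
SAMPLE_NFT_LIST=$(mktemp)        # what `nft list tables` prints on an iptables-nft host
printf 'table ip filter\ntable ip nat\ntable inet mytable\n' > "$SAMPLE_NFT_LIST"
SAMPLE_NFT_EMPTY=$(mktemp)       # nft installed but nothing defined
: > "$SAMPLE_NFT_EMPTY"

# Demo: on the iptables-nft sample, IPv4 filter is active, IPv6 filter is not.
for family in ip ip6; do
    if backend=$(is_table_active "$family" filter "$SAMPLE_MISSING_PROC" "$SAMPLE_NFT_LIST"); then
        echo "$family filter: active via $backend"
    else
        echo "$family filter: inactive"
    fi
done
```

On a real host, call `check_live ip filter`; the point of the fallback is that the script no longer has to force iptable_filter to load, which, as noted above, would just make the kernel run packets through an extra empty table.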

