* end iptables support
From: Emilio Augusto Lazo Zaia @ 2020-10-03  5:40 UTC (permalink / raw)
  To: netfilter

Hello

When is iptables support supposed to be dropped from the Linux kernel in favor of nft? Currently I'm using iptables on many servers!

-- 
Emilio Augusto Lazo Zaia



* Re: end iptables support
From: Reindl Harald @ 2020-10-03 12:58 UTC (permalink / raw)
  To: Emilio Augusto Lazo Zaia, netfilter



On 03.10.20 at 07:40, Emilio Augusto Lazo Zaia wrote:
> When is iptables support supposed to be dropped from the Linux kernel in favor of nft? Currently I'm using iptables on many servers!

in 99% of all cases with a recent distribution you can just switch to
iptables-nft and you are done

at boot (it can restore iptables-legacy rules):
/usr/sbin/iptables-nft-restore /etc/sysconfig/iptables

after that:
alternatives --config iptables
alternatives --config arptables
alternatives --config ebtables

switch to nft backend and now your well known "iptables" commands will
use the "nft" backend behind the scenes

done that months ago on all Fedora 31 servers here while iptables-nft is
the default starting with Fedora 32



* Re: end iptables support
From: Emilio Augusto Lazo Zaia @ 2020-10-05  5:46 UTC (permalink / raw)
  To: Reindl Harald, netfilter

Thanks. But I'm using the recent match. I can't switch to nftables if the recent match is not supported yet...


Emilio Augusto Lazo Zaia



* Re: end iptables support
From: Laura García Liébana @ 2020-10-05  8:05 UTC (permalink / raw)
  To: Emilio Augusto Lazo Zaia; +Cc: Reindl Harald, Mail List - Netfilter

Hi!

On Mon, Oct 5, 2020 at 7:51 AM Emilio Augusto Lazo Zaia
<emiliolazozaia@gmail.com> wrote:
>
> Thanks. But I'm using the recent match. I can't switch to nftables if the recent match is not supported yet...
>

The recent match can be replaced by sets with timeout.

https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables#recent

Cheers.
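Added example (not from the thread or from the nftables project): the xt_recent SET/UPDATE pair for port 10022 and the "portscan" CHECK/REJECT pair from the listing later in this thread, expressed as nftables dynamic sets with a timeout, which is the replacement the linked wiki page describes. The table and set names, the 120/minute threshold and the probe ports 23, 135 and 445 are constructed for illustration; only port 10022 and the 60s/15s windows come from the thread.

```nft
# Constructed example ruleset; load with: nft -f thisfile.nft
table ip filter {
    # one element per client address; the 60s set timeout does the job of
    # "recent: UPDATE seconds: 60 reap" (stale entries expire on their own)
    set limit_ssh_global {
        type ipv4_addr
        flags dynamic
        timeout 60s
    }

    # addresses seen probing closed ports; 15s timeout mirrors
    # "recent: CHECK seconds: 15 reap ... name: portscan"
    set portscan {
        type ipv4_addr
        flags dynamic
        timeout 15s
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept

        # counterpart of the REJECT ... recent: CHECK rule
        ip saddr @portscan counter reject with icmp type admin-prohibited

        # counterpart of LRJ_SCAN ... recent: SET name: portscan;
        # the port list is a constructed stand-in for the PORTSCAN_PORTS ipset
        tcp dport { 23, 135, 445 } add @portscan { ip saddr } counter drop

        # counterpart of "recent: UPDATE ... hit_count" for SSH: a source
        # opening more than 120 new connections per minute is dropped; update
        # refreshes the element's timeout on every packet like xt_recent --update
        tcp dport 10022 ct state new \
            update @limit_ssh_global { ip saddr limit rate over 120/minute } counter drop
        tcp dport 10022 ct state new accept
    }
}
```

Current set contents, with remaining element timeouts, can be inspected with `nft list set ip filter limit_ssh_global`, which is the equivalent of reading /proc/net/xt_recent/limit_ssh_global.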


* Re: end iptables support
From: Reindl Harald @ 2020-10-05 10:26 UTC (permalink / raw)
  To: Emilio Augusto Lazo Zaia, netfilter



On 05.10.20 at 07:46, Emilio Augusto Lazo Zaia wrote:
> Thanks. But I'm using the recent match. I can't switch to nftables if the recent match is not supported yet...

you don't get it - iptables-nft supports xt_recent, connlimit, ipset and
so on with a 100% compatible CLI syntax

iptables-nft !== nftables
iptables-nft === iptables with nftables *backend*




* Re: end iptables support
From: Reindl Harald @ 2020-10-05 10:31 UTC (permalink / raw)
  To: Emilio Augusto Lazo Zaia, netfilter



On 05.10.20 at 12:26, Reindl Harald wrote:
> 
> 
> On 05.10.20 at 07:46, Emilio Augusto Lazo Zaia wrote:
>> Thanks. But I'm using the recent match. I can't switch to nftables if the recent match is not supported yet...
> 
> you don't get it - iptables-nft supports xt_recent, connlimit, ipset and
> so on with a 100% compatible CLI syntax
> 
> iptables-nft !== nftables
> iptables-nft === iptables with nftables *backend*

[root@testserver:~]$ iptables-nft --verbose --list INBOUND
Chain INBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 IPST_ALL   all  --  any    any     anywhere             anywhere             recent: UPDATE seconds: 2 hit_count: 250 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
    0     0 DROP_ALL   all  --  any    any     anywhere             anywhere             recent: UPDATE seconds: 2 reap hit_count: 150 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
16034  718K            all  --  any    any     anywhere             anywhere             recent: SET name: limit_all_global side: source mask: 255.255.255.255
    0     0 LD_C_24    all  --  any    any     anywhere             anywhere             #conn src/24 > 250
    0     0 LD_C_32    all  --  any    any     anywhere             anywhere             #conn src/32 > 120
    0     0 LD_C_16    all  --  any    any     anywhere             anywhere             #conn src/16 > 500
    0     0 LD_R_SSH   tcp  --  any    any     anywhere             anywhere             tcp dpt:10022 recent: UPDATE seconds: 60 reap hit_count: 120 TTL-Match name: limit_ssh_global side: source mask: 255.255.255.255
    1    60            tcp  --  any    any     anywhere             anywhere             tcp dpt:10022 recent: SET name: limit_ssh_global side: source mask: 255.255.255.255
    0     0 LD_R_DNS   all  --  any    any     anywhere             anywhere             match-set DNS_PORT dst recent: UPDATE seconds: 2 reap hit_count: 60 TTL-Match name: limit_dns_global side: source mask: 255.255.255.255
   18  1029            all  --  any    any     anywhere             anywhere             match-set DNS_PORT dst recent: SET name: limit_dns_global side: source mask: 255.255.255.255
    0     0 LD_R_FTP   tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp recent: UPDATE seconds: 2 reap hit_count: 20 TTL-Match name: limit_ftp_global side: source mask: 255.255.255.255
   13   548            tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp recent: SET name: limit_ftp_global side: source mask: 255.255.255.255
   50  2340 REJECT     all  --  any    any     anywhere             anywhere             recent: CHECK seconds: 15 reap TTL-Match name: portscan side: source mask: 255.255.255.255 reject-with icmp-admin-prohibited
  715 29869 LRJ_SCAN   all  --  any    any     anywhere             anywhere             match-set PORTSCAN_PORTS dst recent: SET name: portscan side: source mask: 255.255.255.255


