Add --no-legacy parameter #90

Open · wants to merge 1 commit into base: master
Conversation

@WilliamDEdwards commented Aug 10, 2022

In issue #47, a user reported that "sometimes there are some issues" when using the iptables-nft tools. These tools allow users to use the newer nf_tables backend while using the old xtables syntax, and therefore ferm. As a result, legacy xtables tools are now always used (from commit 47b78b6). This makes ferm unusable with nftables.

@MaxKellermann argues that ferm should no longer be used in favour of nftables:

If you're using nftables, then what's the point of using ferm? (#47 (comment))

Why? nftables copies many of ferm's ideas, which makes ferm obsolete in my opinion. (#35 (comment))

Discontinue use of ferm, which is a legacy tool for a legacy tool ;-) (#69 (comment))

nftables imitates the ferm syntax, obsoleting ferm. (#30 (comment))

you are right that ferm is sometimes more advanced than nft [...] instead of porting ferm over as a frontend for nft, I'd rather bug the nft maintainers to adopt some of ferm's features. (#35 (comment))

However, nftables misses features that ferm has. At the moment, ferm is still useful. I think it should be usable with nftables.

Commit 47b78b6 says that the iptables-nft tools are "incompatible enough that they sometimes break ferm". This is only true in specific cases. This PR adds the --no-legacy parameter. This parameter allows users to revert to the old behaviour at their own risk, i.e. use whatever they've configured as an alternative for iptables, which is iptables-nft on Debian by default.

Since commit 47b78b6, ferm always uses legacy xtables tools. This commit allows users to revert to the old behaviour.
WilliamDEdwards referenced this pull request Aug 10, 2022 (commit 47b78b6):

Apparently, /usr/sbin/iptables-restore refers to the "nft" based tools
on some installations, and those are incompatible enough that they
sometimes break ferm. To fix this, explicitly refer to the "legacy"
tools.

Closes #47
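The behaviour this PR makes optional, shown as an added illustration rather than ferm's own code: a hypothetical resolve_tool helper applies the `^(.*tables)(.*)$` match quoted in the review comment below and, unless no_legacy is set, rewrites the tool name to its `-legacy` variant (the `$1-legacy$2` substitution and the guard against names that already pin a backend are assumptions; the sample tool names are constructed).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not ferm's own code): decide which xtables binary
# to execute. With no_legacy unset, any "*tables*" name is rewritten to
# its "-legacy" variant, mirroring what commit 47b78b6 forces; with
# no_legacy set, the configured name is used untouched, so whatever
# /usr/sbin/iptables points at (iptables-nft on Debian) is what runs.
sub resolve_tool {
    my ($name, %option) = @_;
    return $name if $option{no_legacy};
    # Already pinned to a backend: leave it alone rather than producing
    # a non-existent "iptables-legacy-legacy" (assumed guard).
    return $name if $name =~ /-(legacy|nft)(-|$)/;
    if ($name =~ /^(.*tables)(.*)$/) {
        # e.g. /usr/sbin/iptables-restore -> /usr/sbin/iptables-legacy-restore
        return "$1-legacy$2";
    }
    return $name;
}

# Constructed sample tool names: bare names, an absolute path, a
# sub-command, and a name already pinned to the nft backend.
my @tools = qw(iptables ip6tables /usr/sbin/iptables-restore
               ip6tables-save iptables-nft-save);

for my $tool (@tools) {
    printf "%-28s default: %-36s --no-legacy: %s\n",
        $tool, resolve_tool($tool), resolve_tool($tool, no_legacy => 1);
}
```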
@ThorbenJ

I would also like to have ferm co-exist with other nft-tables based tooling. If you create an iptables-legacy ruleset in the kernel, you can no longer use nft. I don't mind sacrificing that some ferm idioms won't work. However, I would suggest that such failures should be logged as bugs/issues against iptables-nft and friends.

Comment on lines +889 to +890

    if (!$option{no_legacy}) {
        if ($name =~ /^(.*tables)(.*)$/) {

maybe reduce the diff here with a simpler:

Suggested change

-    if (!$option{no_legacy}) {
-        if ($name =~ /^(.*tables)(.*)$/) {
+    if (!$option{no_legacy} and $name =~ /^(.*tables)(.*)$/) {

@anarcat left a comment

minus cosmetic changes, this LGTM.

@raspla commented Mar 11, 2024

@MaxKellermann any plans to get this merged?

@WilliamDEdwards (Author)

@MaxKellermann any plans to get this merged?

Check out https://gitlab.tuxis.nl/oss_public/ferm. It's my version with this patch.
