[feature request] nftables support #26824

Open
senden9 opened this Issue Sep 22, 2016 · 12 comments

senden9 commented Sep 22, 2016

Docker seems to be optimized for iptables at the moment. Are there any plans to support nftables in future versions of Docker?

My workaround at the moment is to deactivate the iptables integration via --iptables=false and then set the right rules for nftables by hand.

Member

thaJeztah commented Sep 22, 2016

I'm not aware of plans in this direction.

ping @aboch, is this planned? Worth doing?

Contributor

aboch commented Sep 22, 2016

I remember @mrjana had thought of using nftables last year. He knows more about the plan.
From what I read online, it seems nftables made it into kernel 3.13. Given Docker supports up to Linux 3.10, it may not be possible to move to nftables yet.

Contributor

mrjana commented Sep 22, 2016

Yeah, nftables is not in the kernel until 3.14, and we can't use it to generally replace iptables yet.

Yamakaky commented Dec 4, 2016

Maybe add it as an option? That way, those who have the latest kernel can use it. Currently I have to disable my nftables firewall to get the network working; it's fine on my machine, but it's not an option on a server.

itagent commented Apr 4, 2017

Any new ideas or progress? We are in transition to nftables and really would appreciate

ford-perfect commented Apr 7, 2017

+1 for optional nftables support
Just some dates:
Linux LTS 3.10 has its projected EOL in October 2017.
Debian 7.0's kernel is not supported anyway, but Debian 8.0's one has nftables.
RHEL-7.3 EOL is not until 2024-06 and it runs 3.10, so there is a conflict here;
but the proposition is for optional nftables support in addition to the existing iptables support.

gdahlm commented Jun 1, 2017

I wanted to add that RHEL 7 does have nftables as a tech preview, and it would greatly simplify IPv6 as well as allowing for simpler implementations of throttling and very useful tools like connection tracking or load-balancing.

Gunni commented Apr 16, 2018

I want to add that I've been using nftables on CentOS 7 for over a year now, I believe, on dozens of different servers both with and without NAT, using IPv6 and more, and have had no issues other than understanding the parse errors when I mess up. And I'm using Ansible to manage and generate the nftables rules file and atomically reload the service to apply new rules, or do nothing if it fails to parse.

And since nftables applies the entire ruleset in one atomic operation, there is no moment when the system is in a partially configured state.

In my opinion I would NOT use nftables integration with Docker unless I could control which file Docker puts rules into and control the imports into my current ruleset myself, and Docker would only issue reload commands to nftables (reload meaning nft -f, or systemctl, which does it correctly).

I currently manage Docker NAT rules using Ansible/manually.
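An added example, not code from the issue or from Docker: the NAT and forward rules Docker would otherwise install through iptables, written as an nftables ruleset for a daemon started with --iptables=false (senden9's workaround), together with the parse-check-then-atomic-load step Gunni describes. The subnet, bridge name, ports and container address are constructed placeholders, and the ruleset only touches its own tables so an existing ruleset in other tables is left alone.

```shell
#!/bin/sh
# Added example (not from the issue): nftables equivalent of the rules
# Docker's iptables integration installs. All values are constructed
# placeholders; adjust them to your bridge and containers.
set -eu

# gen_docker_ruleset SUBNET BRIDGE HOSTPORT CONTAINER_IP CONTAINER_PORT
# Prints a ruleset that creates-if-missing and then flushes only its own
# tables, so loading it replaces just these rules (no "flush ruleset").
gen_docker_ruleset() {
  subnet=$1 bridge=$2 hport=$3 cip=$4 cport=$5
  cat <<EOF
table ip docker_nat {}
flush table ip docker_nat
table ip docker_nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # published port: host:$hport -> $cip:$cport
        tcp dport $hport dnat to $cip:$cport
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # outbound traffic from the bridge subnet leaves as the host
        ip saddr $subnet oifname != "$bridge" masquerade
    }
}
table ip docker_filter {}
flush table ip docker_filter
table ip docker_filter {
    chain forward {
        # default drop mirrors what Docker sets on the FORWARD chain
        type filter hook forward priority 0; policy drop;
        iifname "$bridge" oifname != "$bridge" accept
        oifname "$bridge" ct state established,related accept
        # only the published port may open new connections inward
        ip daddr $cip tcp dport $cport ct state new accept
    }
}
EOF
}

# apply_ruleset FILE: parse-check first (nft -c), then load atomically
# (nft -f). A file that fails the check is never applied, so the live
# rules are either fully replaced or left untouched.
apply_ruleset() {
  nft -c -f "$1" && nft -f "$1"
}
```

Generate with `gen_docker_ruleset 172.17.0.0/16 docker0 8080 172.17.0.2 80 > /etc/nftables.d/docker.nft` (path assumed) and load with `apply_ruleset` on that file.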

ojab commented Jun 21, 2018

Meanwhile iptables is officially deprecated.

Contributor

cpuguy83 commented Jun 21, 2018

I don't see the reason to bother with nftables when the whole community seems to be (rightly) pushing for bpf.

ojab commented Jun 21, 2018

nftables uses bpf internally. If you've implied bpfilter — it's not there yet.

Contributor

cpuguy83 commented Jun 21, 2018

Sure it uses bpf internally, but it's not really any better than without bpf but rather about deduplication.
Even with bpf in the backend, nftables is still "slightly better" than iptables.

For that matter, isn't iptables using nftables in the backend? (Don't quote me on that, I think I read that somewhere at some point, haven't looked into it.)
