
Consider not switching iptables to legacy implementation #1015

Closed
mquirin opened this issue Apr 10, 2020 · 3 comments
Labels
Merged: Fixed and merged into Master branch

Comments

@mquirin
Contributor

mquirin commented Apr 10, 2020

From https://wiki.debian.org/iptables :

NOTE: iptables is being replaced by nftables starting with Debian Buster

However the pivpn installer switches the implementation back to iptables-legacy:

if [[ ${OSCN} == "buster" ]]; then
$SUDO update-alternatives --set iptables /usr/sbin/iptables-legacy
$SUDO update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi

I think this goes back to #751 however when I switch my configuration to the nftables back end this works without problem:

$ pivpn debug
::::		Self check		 ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled (it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp

$ iptables -V
iptables v1.8.2 (nf_tables)

$ uname -a
Linux foo 4.19.97-v7+ #1294 SMP Thu Jan 30 13:15:58 GMT 2020 armv7l GNU/Linux
@orazioedoardo
Member

> I think this goes back to #751 however when I switch my configuration to the nftables back end this works without problem:

Fine, but don't you need to create a new rule set to actually use nftables?

@mquirin
Contributor Author

mquirin commented Apr 18, 2020

No, the front end is compatible. You would still call the iptables command / use the iptables rule file.
I’m only talking about the backend implementation here, which was switched transparently to nftables in buster and is changed back to the legacy implementation in the pivpn setup script.
I’m just saying we should not need to change the implementation in the background (the original reason seems to be resolved). I think the change of implementation might be confusing for some users (it was for me) and also could cause problems down the line since the main distribution is not using the legacy implementation anymore.

@mquirin
Contributor Author

mquirin commented Apr 18, 2020

The below extract from https://wiki.debian.org/iptables is relevant:

NOTE: Debian Buster uses the nftables framework by default.

Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e, using iptables syntax with the nf_tables kernel subsystem). This also affects ip6tables, arptables and ebtables.
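
The point both comments above turn on is that `iptables-nft` and `iptables-legacy` are two front ends to two separate kernel rule stores: the `iptables -V` banner (as in the `pivpn debug` output quoted in the first post) tells you which one the `iptables` command currently drives, and rules loaded into the other store stay in effect but are not listed by the active command (iptables 1.8's nft front end prints a warning when legacy tables are present). The shell script below is an added example, not pivpn's code and not from this thread: it classifies the backend from an `iptables -V` banner, counts rules in `iptables-save` style dumps, reproduces the MASQUERADE self check, and flags a host whose rules are split across the two backends. The dumps, subnet and interface names are constructed stand-ins for the output of `iptables-legacy-save` and `iptables-nft-save`.

```shell
#!/bin/sh
# Added example (not pivpn's code): find out which iptables backend is active
# and whether rules were left behind in the other one. All inputs below are
# constructed sample strings; on a live host replace them with the output of
# `iptables -V`, `iptables-legacy-save` and `iptables-nft-save` (run as root).

# Classify the backend from the `iptables -V` banner.
iptables_backend_from_version() {
  case "$1" in
    *'(nf_tables)'*) echo nf_tables ;;
    *'(legacy)'*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# Count rule lines (-A ...) in an iptables-save style dump, ignoring comments,
# table headers (*nat), chain policy lines (:POSTROUTING ACCEPT [0:0]) and COMMIT.
count_rules_in_dump() {
  printf '%s\n' "$1" | grep -c '^-A ' || true
}

# Does the dump carry a MASQUERADE rule on POSTROUTING? Same idea as the
# "Iptables MASQUERADE rule set" line in `pivpn debug`.
dump_has_masquerade() {
  printf '%s\n' "$1" | grep -q '^-A POSTROUTING.* -j MASQUERADE'
}

# Print a summary and return 0 when the inactive backend holds no rules,
# 1 when rules are split across backends or the backend cannot be determined.
assess_backends() {
  version_banner=$1; legacy_dump=$2; nft_dump=$3
  active=$(iptables_backend_from_version "$version_banner")
  legacy_n=$(count_rules_in_dump "$legacy_dump")
  nft_n=$(count_rules_in_dump "$nft_dump")
  echo "active backend: $active (legacy rules: $legacy_n, nf_tables rules: $nft_n)"
  case "$active" in
    nf_tables) other_n=$legacy_n ;;
    legacy)    other_n=$nft_n ;;
    *)         echo "cannot tell which backend is active"; return 1 ;;
  esac
  if [ "$other_n" -gt 0 ]; then
    echo "WARNING: $other_n rule(s) loaded in the inactive backend; they are still enforced but hidden from '$active' listings"
    return 1
  fi
  return 0
}

# Constructed sample: Buster host with the nf_tables backend active and the
# NAT rule only in nf_tables (the clean state). Subnet/interface are made up.
SAMPLE_VERSION='iptables v1.8.2 (nf_tables)'
SAMPLE_NFT_DUMP='# Generated by iptables-nft-save v1.8.2
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_LEGACY_DUMP='# Generated by iptables-legacy-save v1.8.2
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Constructed sample: the same rule also sits in the legacy store, e.g. left
# over from a setup that ran while iptables pointed at iptables-legacy.
SAMPLE_MIXED_LEGACY_DUMP='# Generated by iptables-legacy-save v1.8.2
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

echo "--- clean host ---"
assess_backends "$SAMPLE_VERSION" "$SAMPLE_LEGACY_DUMP" "$SAMPLE_NFT_DUMP" && echo "verdict: ok"
echo "--- rules split across backends ---"
assess_backends "$SAMPLE_VERSION" "$SAMPLE_MIXED_LEGACY_DUMP" "$SAMPLE_NFT_DUMP" || echo "verdict: needs attention"
```

The split-backend case is the one worth checking after an installer has run `update-alternatives --set iptables ...` either way: flushing with the active front end leaves the other store untouched, so a MASQUERADE or filter rule can appear to be gone while still being applied.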

@orazioedoardo orazioedoardo added the On Hold we want it .. buuut not just yet label Apr 26, 2020
orazioedoardo added a commit that referenced this issue May 23, 2020
@orazioedoardo orazioedoardo added Fix in Test Branch and removed On Hold we want it .. buuut not just yet labels May 23, 2020
@orazioedoardo orazioedoardo added Merged: Fixed and merged into Master branch and removed Fix in Test Branch labels Jun 9, 2020