[Bug 1748] nft masquerade commands make table nat unreadable by iptables-nft

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Apr 18 14:13:31 CEST 2024


https://bugzilla.netfilter.org/show_bug.cgi?id=1748

--- Comment #2 from Thomas Schlien <ts at ferncast.de> ---
Hi Phil,

thanks for the fast answer. I understand now that one should not mix up the
two, but I can give you one example on our system where I didn't even know that
a rule was added via nft.

We have a server where some VMs are running in libvirt/QEMU/KVM and some in
docker. One of the docker services is mailcow, which itself starts 18 docker
containers. One of them is a netfilter container which handles all the firewall
rule settings. Unfortunately mailcow checks if nftables is installed on the
host and if so the nft tool is used to handle the necessary rule injection in
the firewall. This way I didn't even notice that the table was "poisoned".

Isn't the idea to replace iptables with nftables one day? I think at least a lot
of people do believe this, as the mailcow example shows. Also the description of
nftables on the netfilter.org homepage leads to this assumption. But if this is
the case there will be a transition phase where both tools will be used in
parallel. So how should this be handled?

Btw. other rules that I inject, e.g., via `/usr/sbin/nft insert rule filter
LIBVIRT_FWI oifname kvmnat meta l4proto 6 ip daddr ${GUEST_IP} tcp dport
${GUEST_PORT_SSH} accept comment \"Accept SSH traffic\"` are handled fine by
iptables-nft.

Best regards,
Thomas
