Re: firewalld / iptables / nftables




On 09.06.20 at 15:27, Chris Adams wrote:
Once upon a time, Jonathan Billings <billings@xxxxxxxxxx> said:
'iptables' and 'nftables' are competing technologies.  In CentOS 8,
firewalld's backend was switched from iptables to nftables.  So it
would be expected that the iptables command wouldn't have any rules
defined; it isn't being used by firewalld.

That is partially incorrect.  While iptables and nftables are two
different in-kernel firewalls, the iptables CLI command is now a wrapper
that can translate to the nftables backend for compatibility.

However, it can only manage a subset of nftables information (basically
what it can create in the iptables back-compat mode).  The nftables
rules created by firewalld don't fall into that category, so they can't be
viewed by iptables.

Instead, use the nft command, like "nft list ruleset" to see a dump of
all current rules.

This sounds reasonable, albeit it raises another question. What does the
netfilter workflow look like when firewalld-generated rules and
iptables-generated rules (coming from migration activities) are
processed? How are both categories of rules interwoven? I assume taking
only the nftables path will be the cleanest and preferred one ... but
I cannot avoid running some iptables tests.

--
Thanks,
Leon
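The two questions in this thread (which rules `iptables -L` can and cannot show, and how firewalld's rules and iptables-nft's rules are ordered on the same netfilter hook) can both be answered from a `nft list ruleset` dump. The script below is an added example, not code from the thread or from the firewalld or nftables projects. It parses a constructed, abbreviated ruleset dump embedded in the script (the `inet firewalld` table and the `ip filter`/`ip nat` tables, with illustrative priorities), reports which tables the nf_tables variant of the iptables CLI could list, and prints the base chains attached to one hook in the order netfilter evaluates them. The visibility rule it applies is an assumption stated in the comments: iptables/ip6tables only understand the `ip`/`ip6` families and the five classic table names.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Works entirely on the
# constructed sample below; on a real host you would feed it the output of
# `nft list ruleset` and `iptables -V` instead.

# Constructed sample dump. Priorities are illustrative, not copied from any
# firewalld release.
SAMPLE_RULESET='table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state established,related accept
        iifname "lo" accept
        tcp dport 22 accept
        reject with icmpx type admin-prohibited
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        tcp dport 8080 counter drop
    }
}
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}'

# Tell from `iptables -V` output whether the binary is the nf_tables wrapper
# (prints "(nf_tables)") or the legacy binary (prints "(legacy)").
is_iptables_nft() {
    case "$1" in *"(nf_tables)"*) return 0 ;; *) return 1 ;; esac
}

# Assumed visibility rule: the iptables-nft CLI can only list tables in the
# ip/ip6 families that carry one of the classic table names. Anything else
# (such as firewalld's "inet firewalld" table) stays hidden from `iptables -L`.
iptables_visible() {
    # $1 = family, $2 = table name
    case "$1" in ip|ip6) ;; *) return 1 ;; esac
    case "$2" in filter|nat|mangle|raw|security) return 0 ;; *) return 1 ;; esac
}

# Print "family table visible|hidden" for every table in a ruleset dump.
ruleset_visibility_report() {
    printf '%s\n' "$1" | awk '/^table / { print $2, $3 }' | while read -r fam tab; do
        if iptables_visible "$fam" "$tab"; then v=visible; else v=hidden; fi
        printf '%s %s %s\n' "$fam" "$tab" "$v"
    done
}

# Convert a symbolic nft priority expression ("filter + 10", "srcnat", "-300")
# into the integer netfilter actually sorts by.
nft_priority_value() {
    printf '%s\n' "$1" | awk '{
        base["raw"] = -300; base["mangle"] = -150; base["dstnat"] = -100;
        base["filter"] = 0; base["security"] = 50; base["srcnat"] = 100;
        v = 0; sign = 1
        for (i = 1; i <= NF; i++) {
            if ($i == "+") sign = 1
            else if ($i == "-") sign = -1
            else if ($i in base) v += sign * base[$i]
            else v += sign * $i
        }
        print v
    }'
}

# Print "priority family table chain" for every base chain on the given hook,
# lowest priority first: that is the order in which the packet traverses them.
base_chains_on_hook() {
    # $1 = ruleset text, $2 = hook name (input, forward, postrouting, ...)
    printf '%s\n' "$1" | awk -v hook="$2" '
        /^table / { family = $2; table = $3 }
        /^[ \t]*chain / { chain = $2 }
        /^[ \t]*type .* hook / {
            if ($4 == hook) {
                sub(/^.*priority /, ""); sub(/;.*$/, "")
                print $0 "|" family "|" table "|" chain
            }
        }' | while IFS='|' read -r prio family table chain; do
        printf '%s %s %s %s\n' "$(nft_priority_value "$prio")" "$family" "$table" "$chain"
    done | sort -n
}

# Stand-alone run over the constructed sample.
echo "Tables as seen by the iptables CLI:"
ruleset_visibility_report "$SAMPLE_RULESET"
echo "Base chains on the input hook, in evaluation order:"
base_chains_on_hook "$SAMPLE_RULESET" input
```

In the sample, `ip filter INPUT` (priority 0) runs before `inet firewalld filter_INPUT` (priority 10) for every incoming packet. Under nftables semantics a `drop` verdict in either base chain is final, while an `accept` only ends that chain and the packet continues into the next base chain on the same hook. So rules left behind by iptables-nft and rules managed by firewalld are not merged, they are evaluated one table after another, and an audit of the effective policy has to read `nft list ruleset`, since `iptables -L` reports only the `ip`/`ip6` tables marked "visible" above.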

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
