On Mon, Feb 19, 2018 at 01:52:18PM +0100, Harald Welte wrote:
> Hi Daniel,
>
> On Mon, Feb 19, 2018 at 01:03:17PM +0100, Daniel Borkmann wrote:
> > Hi Harald,
> >
> > On 02/17/2018 01:11 PM, Harald Welte wrote:
> > [...]

[...]

> It would be an interesting test to see if e.g. docker would run on top
> of the translator. I have no idea if anyone has tried this. It would
> for sure be an interesting investigation. I would much rather see
> effort spent on improving the existing translators, or helping those
> projects doing the switch to nftables (or any other new technology) than
> to introduce new technology using 18-year-old uapi interfaces that we
> all know have many problems.

FWIW, this is the one-liner I use to switch between original and compatible xtables:

> set -e;cd /usr/sbin;for i in xtables-multi ebtables;do if [ -x $i.orig ];then rm -v $i;mv -iv $i.orig $i;else mv -iv $i $i.orig; ln -sv xtables-compat-multi $i;fi;done;cd -;set +e

Run it once:

> 'xtables-multi' -> 'xtables-multi.orig'
> 'xtables-multi' -> 'xtables-compat-multi'
> 'ebtables' -> 'ebtables.orig'
> 'ebtables' -> 'xtables-compat-multi'
> /home/dunc
> 10:03:37# ls -lct /usr/sbin|head -n5
> total 72016
> lrwxrwxrwx 1 root root      20 Mar  8 10:02 ebtables -> xtables-compat-multi
> -rwxr-xr-x 1 root root   75176 Mar  8 10:02 ebtables.orig
> lrwxrwxrwx 1 root root      20 Mar  8 10:02 xtables-multi -> xtables-compat-multi
> -rwxr-xr-x 1 root root  341928 Mar  8 10:02 xtables-multi.orig

Run it again:

> removed 'xtables-multi'
> 'xtables-multi.orig' -> 'xtables-multi'
> removed 'ebtables'
> 'ebtables.orig' -> 'ebtables'
> /home/dunc
> 10:04:36# ls -lct /usr/sbin|head -n5
> total 72016
> -rwxr-xr-x 1 root root   75176 Mar  8 10:04 ebtables
> -rwxr-xr-x 1 root root  341928 Mar  8 10:04 xtables-multi
> -rwxr-xr-x 1 root root 1465464 Mar  6 12:06 nft
> lrwxrwxrwx 1 root root      20 Mar  6 12:06 iptables-restore-translate -> xtables-compat-multi

So far I have only tested libvirt - all seems OK except a couple of rough edges which
I plan to document once fully investigated, but the VMs work well enough for me.

Anyone with Docker could try the above (reboot recommended after doing it (else clear
rulesets before and modprobe -r after)).

I have yet to use Docker myself, plan to test Virtualbox next.

Cheers ... Duncan.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
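The same toggle as a pair of shell functions, added here as an example and not from Duncan's mail: xtables_mode reports whether both tools in a directory are on the original binaries or on the xtables-compat-multi symlinks, and xtables_switch refuses to act when they disagree, which is the state in which rules loaded through one tool are invisible to the other. The directory is a parameter so it can be exercised on a scratch copy; the tool names and link target are the ones from the mail.

```shell
#!/bin/sh
# Added example, not the one-liner from the mail. Directory is a parameter
# (the mail uses /usr/sbin); tool names and link target are from the mail.
TOOLS="xtables-multi ebtables"
COMPAT="xtables-compat-multi"

# Print "original", "compat", "mixed" or "unknown" for the tools in $1.
# A plain file is the original binary; a symlink to $COMPAT is compat mode.
xtables_mode() {
    xm_dir=$1; xm_mode=""
    for xm_i in $TOOLS; do
        if [ -L "$xm_dir/$xm_i" ] && [ "$(readlink "$xm_dir/$xm_i")" = "$COMPAT" ]; then
            xm_m=compat
        elif [ -f "$xm_dir/$xm_i" ] && [ ! -L "$xm_dir/$xm_i" ]; then
            xm_m=original
        else
            echo unknown; return 1
        fi
        # Two tools on different backends: refuse to call this any mode.
        if [ -n "$xm_mode" ] && [ "$xm_mode" != "$xm_m" ]; then
            echo mixed; return 1
        fi
        xm_mode=$xm_m
    done
    echo "$xm_mode"
}

# Toggle $1 between original and compat (same rename/link dance as the
# mail) but only from a consistent state; prints the resulting mode.
xtables_switch() {
    xs_dir=$1
    case "$(xtables_mode "$xs_dir")" in
        original|compat) ;;
        *) return 1 ;;
    esac
    for xs_i in $TOOLS; do
        if [ -x "$xs_dir/$xs_i.orig" ]; then
            rm -f "$xs_dir/$xs_i" && mv "$xs_dir/$xs_i.orig" "$xs_dir/$xs_i"
        else
            mv "$xs_dir/$xs_i" "$xs_dir/$xs_i.orig" && ln -s "$COMPAT" "$xs_dir/$xs_i"
        fi
    done
    xtables_mode "$xs_dir"
}
```

As in the mail, flip the backend only with the rulesets cleared, since neither xtables_mode nor the one-liner says anything about rules already loaded by the other backend.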