Re: [PATCH nf-next 0/2] ebtables: add support for ICMP and IGMP type/code matching

On Sun, Mar 04, 2018 at 12:16:55PM +0100, Matthias Schiffer wrote:
> On 03/04/2018 10:40 AM, Florian Westphal wrote:
> > Matthias Schiffer <mschiffer@xxxxxxxxxxxxxxxxxxxx> wrote:
[...]
> Switching from ebtables to nftables without also dropping iptables from
> Gluon is definitely out of the question, which leaves us with two options
> for the switch to nftables: waiting for (or working on) the fw3 port, or
> replacing fw3 altogether (which would also force users of Gluon to work
> with lower-level rules when making custom changes to the firewall of their
> deployment).

Please try this in a test environment / VM that mirrors your production setup:

1. Run Gluon / fw3 (i.e. your normal xtables rule scripts). Then capture what
they are:

> { set -x;for i in filter nat mangle raw;do iptables -t $i -L -v -n --line-numbers;done;set +x; } >iptables.txt 2>&1

repeat for ip6tables if necessary:
> { set -x;for i in filter nat mangle raw;do ip6tables -t $i -L -v -n --line-numbers;done;set +x; } >ip6tables.txt 2>&1

> { set -x;for i in filter nat broute;do ebtables -t $i -L --Ln --Lc --Lmac2;done;set +x; } > ebtables.txt 2>&1

2. Switch over to using the nft compatibility layer. As root, do:

> set -e; cd /usr/sbin; for i in xtables-multi ebtables; do if [ -x $i.orig ]; then rm -v $i; mv -iv $i.orig $i; else mv -iv $i $i.orig; ln -sv xtables-compat-multi $i; fi; done; cd -; set +e

For this to work, you will need iptables newer than or equal to "Sun Feb 25 18:14:00
2018 +1100" (commit 632ace7c2947dbb70f74ea263b86ff68de391622).

3. Verify that the output from "ls -lct /usr/sbin | tail -n+2 | head -n4" looks
like:

> lrwxrwxrwx 1 root root       20 Mar  8 10:13 ebtables -> xtables-compat-multi
> -rwxr-xr-x 1 root root    75176 Mar  8 10:13 ebtables.orig
> lrwxrwxrwx 1 root root       20 Mar  8 10:13 xtables-multi -> xtables-compat-multi
> -rwxr-xr-x 1 root root   341928 Mar  8 10:13 xtables-multi.orig

4. Reboot and run your normal Gluon / fw3 (xtables) rule scripts.

This is a test environment, right? Of course you *could* avoid a reboot and
instead remove Linux Kernel Modules and xtables rules, but a reboot is easier.

Repeat step 1, except first move iptables.txt, ip6tables.txt & ebtables.txt to
*.old (e.g. iptables.txt -> iptables.txt.old).

diff iptables.txt.old iptables.txt (and so on).

Report any differences to this list. If there are no differences, you have
successfully converted to the nft compatibility layer.

Assuming there are no differences, try

nft list ruleset

Carefully inspect the output for missing detail. For example, look for "reject"
with no qualifying "with icmp type". Report any differences to this list.

If all looks ok, you have done a complete conversion to nftables.

5. If all is not OK, you can revert to the old xtables commands by running the
command in step 2 again.

HTH,

Cheers ... Duncan.
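As an added example (not part of Duncan's mail and not netfilter project code), the script below wraps the capture and comparison from steps 1 and 4 in a few POSIX sh functions. One thing it handles that a raw diff of the listings does not: `-L -v` and `--Lc` print per-rule packet and byte counters, and the chain policy line prints totals, all of which will differ after the reboot and would show up as spurious differences. The counter layout it blanks (line number, pkts, bytes at the start of each rule line; "pcnt = N -- bcnt = N" on ebtables rule lines) is what the commands above normally produce, but that layout is my assumption, as are the file names `<tool>.<tag>.txt`.

```shell
#!/bin/sh
# Added example, not from the thread: capture the xtables/ebtables listings
# before ("old") and after ("new") switching to the nft compat layer, then
# diff them with the volatile counters blanked out.
#
# Assumed formats (not stated in the thread):
#   iptables -L -v -n --line-numbers:  "<num>  <pkts> <bytes> <target> ..."
#   chain header:                       "Chain X (policy ACCEPT N packets, N bytes)"
#   ebtables -L --Lc:                   "... , pcnt = N -- bcnt = N"

# Normalize one listing read on stdin: zero every counter and collapse the
# surrounding whitespace so only real rule differences survive a diff.
normalize_listing() {
    sed -E \
        -e 's/^[[:space:]]*([0-9]+)[[:space:]]+[0-9]+[KMG]?[[:space:]]+[0-9]+[KMG]?[[:space:]]+/\1 0 0 /' \
        -e 's/[(]policy ([A-Z]+) [0-9]+ packets, [0-9]+ bytes[)]/(policy \1 0 packets, 0 bytes)/' \
        -e 's/, pcnt = [0-9]+ -- bcnt = [0-9]+/, pcnt = 0 -- bcnt = 0/'
}

# Capture the same listings as the thread's one-liners, tagged old or new,
# into iptables.<tag>.txt, ip6tables.<tag>.txt and ebtables.<tag>.txt.
# Whichever iptables/ebtables binary is first in $PATH is used, so this is
# run once before step 2 and once again after the reboot in step 4.
capture_rules() {
    tag=$1
    for t in filter nat mangle raw; do
        iptables -t "$t" -L -v -n --line-numbers
    done >"iptables.$tag.txt" 2>&1
    for t in filter nat mangle raw; do
        ip6tables -t "$t" -L -v -n --line-numbers
    done >"ip6tables.$tag.txt" 2>&1
    for t in filter nat broute; do
        ebtables -t "$t" -L --Ln --Lc --Lmac2
    done >"ebtables.$tag.txt" 2>&1
}

# Compare the normalized old and new capture for one tool (iptables,
# ip6tables or ebtables). Returns 0 when the rule sets match and 1 when
# they differ; the unified diff is what would be reported to the list.
compare_rules() {
    tool=$1
    normalize_listing <"$tool.old.txt" >"$tool.old.norm"
    normalize_listing <"$tool.new.txt" >"$tool.new.norm"
    diff -u "$tool.old.norm" "$tool.new.norm"
}

# Usage, on the test box:
#   . ./compare-rules.sh
#   capture_rules old        # before step 2
#   ... switch binaries, reboot, re-run the fw3 scripts ...
#   capture_rules new
#   for t in iptables ip6tables ebtables; do compare_rules "$t"; done
```

The functions are sourced rather than executed so that `capture_rules old` and `capture_rules new` can be run in two different boots of the same machine; `compare_rules` then diffs the two captures from the working directory.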