On 22.06.20 at 16:04, Phil Sutter wrote:
>> I gave it one try and used "iptables-nft-restore" and "ip6tables-nft",
>> after reboot nothing worked at all
>
> Not good. Did you find out *why* nothing worked anymore? Would you maybe
> care to share your script and ruleset with us?

I could share it off-list. It's a bunch of stuff, including a management interface written in bash, and is designed for a /24 1:1 NETMAP. Basically it already has a config switch to enforce iptables-nft:

FILE                     TOTAL  STRIPPED  SIZE
tui.sh                    1653      1413   80K
firewall.sh                984       738   57K
shared.inc.sh              578       407   28K
custom.inc.sh              355       112   13K
config.inc.sh              193       113  6.2K
update-blocked-feed.sh      68        32  4.1K

[harry@srv-rhsoft:/data/lounge-daten/firewall/snapshots/2020-06-21]$ /bin/ls -1 ipset_*
ipset_ADMIN_CLIENTS.txt
ipset_BAYES_SYNC.txt
ipset_BLOCKED.txt
ipset_EXCLUDES.txt
ipset_HONEYPOT_IPS.txt
ipset_HONEYPOT_PORTS.txt
ipset_IANA_RESERVED.txt
ipset_INFRASTRUCTURE.txt
ipset_IPERF.txt
ipset_JABBER.txt
ipset_LAN_VPN_FORWARDING.txt
ipset_OUTBOUND_BLOCKED_PORTS.txt
ipset_OUTBOUND_BLOCKED_SRC.txt
ipset_PORTSCAN_PORTS.txt
ipset_PORTS_MAIL.txt
ipset_PORTS_RESTRICTED.txt
ipset_RBL_SYNC.txt
ipset_RESTRICTED.txt
ipset_SFTP_22.txt

>> via console I called "firewall.sh" again, which would delete all rules and
>> chains followed by re-creating them; no success, and errors that things
>> already exist
>
> That sounds weird, if it reliably drops everything why does it complain
> with EEXIST?

That was the reason why I finally gave up.

>> please don't consider dropping iptables-legacy, it just works and I miss
>> a compelling argument to rework thousands of hours
>
> I'm not the one to make that call, but IMHO the plan is for
> iptables-legacy to become irrelevant *before* it is dropped from
> upstream repositories. So as long as you are still using it (and you're
> not an irrelevant minority ;) nothing's at harm.

Well, my machines date back to 2008 and I don't plan to re-install them, and given that I am just 42 years old now :-)