On Sat, 2020-07-25 at 22:31 -0400, Gunnar Niels wrote:
> I've been continuing to experiment with firewalld and learn the underlying
> userspace tools like iptables and nft for expressing firewall rules, but from
> what I've been reading, it seems like nftables is intended to replace iptables,
> which is possibly heading towards deprecation (if anyone can shed some light
> on that, would be much appreciated)?
I'm no expert, but from what I understand yes, nftables is the iptables
replacement. They aren't expected to work at the same time.
> If that's true, it appears that firewalld wherever it is in use still needs
> to work on top of *both* iptables and nftables. When I add a direct rule,
> that gets added directly to the corresponding iptables chain, while rich
> rules look like they are added to nftables chains.
I don't know the intricacies here but I was debugging a firewall issue
a month or two ago and know that I could change the backend nftables
uses between one or the other. I'm not aware of being able to use them
simultaneously. I'm no expert so what you said above could be true, but
I'd be a little surprised. I 100% know you can set the backend to one
or the other however.
> I'm working on my Arch Linux workstation, but I'm also responsible for a
> number of RHEL/CentOS boxes that I'd like to upgrade to their respective v8
> editions, but I'd really like a rock solid understanding of firewalld and the
> systems underneath before I'm comfortable in production.
>
> So how do iptables and nftables work in conjunction with one another when they
> seem like they potentially could hold conflicting rules? Is there some order
> of precedence where these are ultimately boiled down to a single golden source
> of rules within the kernel?
I 100% know you can ask firewalld to use nftables OR iptables. I'm
unaware of being able to use both. I would recommend getting familiar
with nftables whenever you have the time and inclination to do so.
RHEL/CentOS 8 still have the iptables interfaces so you don't have to
change them to nftables yet if you don't want to.
Sincerely,
--
Nathanael
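An added example, not from either poster, illustrating the backend point made in the reply above: firewalld reads its backend from the `FirewallBackend=` key in `/etc/firewalld/firewalld.conf` (`nftables` or `iptables`), so the first thing to check on a host is which one is configured, and then to read the rules the kernel actually holds through the matching tool rather than guessing from the firewalld front end. The script below parses that key from a config file (assuming, as firewalld does in recent versions, that a missing key means `nftables`), runs against a constructed sample file so it works offline, and only calls `nft` or `iptables` if they are installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find which backend
# firewalld is configured to use and inspect the kernel ruleset with the
# matching tool. firewalld reads FirewallBackend= from
# /etc/firewalld/firewalld.conf; assumption: a missing key means the
# default, which is "nftables" in recent firewalld releases.

# Print the FirewallBackend value from the firewalld.conf given as $1.
# Commented-out lines ("# FirewallBackend=...") are ignored, spaces around
# "=" are tolerated, the last occurrence wins, and an absent key yields the
# assumed default "nftables".
firewalld_backend() {
    conf="$1"
    backend=$(sed -n \
        's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "$conf" | tail -n 1)
    if [ -z "$backend" ]; then
        backend="nftables"
    fi
    printf '%s\n' "$backend"
}

# Write a constructed sample firewalld.conf (not a real host's file) to $1.
# The commented-out iptables line is there to show that it must be ignored.
make_sample_conf() {
    cat > "$1" <<'EOF'
# firewalld config file (constructed sample for this example)
DefaultZone=public
# FirewallBackend=iptables   <- commented out, must not be picked up
FirewallBackend=nftables
EOF
}

# Show the rules the kernel really holds, read through the tool that matches
# the configured backend. On RHEL/CentOS 8 "iptables -V" reports "(nf_tables)"
# because the iptables command there is a front end writing nftables rules.
show_ruleset() {
    case "$1" in
        nftables)
            if command -v nft >/dev/null 2>&1; then
                nft list ruleset || echo "nft list ruleset failed (run as root?)" >&2
            else
                echo "nft not installed on this host" >&2
            fi
            ;;
        iptables)
            if command -v iptables >/dev/null 2>&1; then
                iptables -V
                iptables -S || echo "iptables -S failed (run as root?)" >&2
            else
                echo "iptables not installed on this host" >&2
            fi
            ;;
        *)
            echo "unknown backend: $1" >&2
            return 1
            ;;
    esac
    return 0
}

# Demo on the constructed sample; on a real host pass
# /etc/firewalld/firewalld.conf to firewalld_backend instead.
sample=$(mktemp)
make_sample_conf "$sample"
backend=$(firewalld_backend "$sample")
echo "configured firewalld backend: $backend"
show_ruleset "$backend"
rm -f "$sample"
```

The parsing is deliberately strict about comment lines: a commented-out `FirewallBackend=iptables` left over from an earlier change is a common reason an operator believes a host is on one backend when firewalld is actually using the other.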