Category
devops

iptables is being replaced by nftables starting with Debian Buster

install

apt install iptables;
Setting up nftables (0.9.0-2) ...
Setting up iptables (1.8.2-4) ...
update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in auto mode
update-alternatives: using /usr/sbin/ip6tables-legacy to provide /usr/sbin/ip6tables (ip6tables) in auto mode
update-alternatives: using /usr/sbin/iptables-nft to provide /usr/sbin/iptables (iptables) in auto mode
update-alternatives: using /usr/sbin/ip6tables-nft to provide /usr/sbin/ip6tables (ip6tables) in auto mode
update-alternatives: using /usr/sbin/arptables-nft to provide /usr/sbin/arptables (arptables) in auto mode
update-alternatives: using /usr/sbin/ebtables-nft to provide /usr/sbin/ebtables (ebtables) in auto mode
root@3acf839a54d4:/# ls -l /sbin/iptables
lrwxrwxrwx 1 root root 18 Oct 28 00:05 /sbin/iptables -> /usr/sbin/iptables
root@3acf839a54d4:/# ls -l /usr/sbin/iptables
lrwxrwxrwx 1 root root 26 Oct 28 00:05 /usr/sbin/iptables -> /etc/alternatives/iptables
root@3acf839a54d4:/# ls -l /etc/alternatives/iptables
lrwxrwxrwx 1 root root 22 Oct 28 00:05 /etc/alternatives/iptables -> /usr/sbin/iptables-nft

The default starting with Debian Buster (the -nft variants carry the higher alternatives priority, which is why the install log above ends with them selected in auto mode):

# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft

Switching to the legacy version. Switch all four alternatives together and keep the whole host on one backend: the legacy (x_tables) and nft backends keep separate rulesets in the kernel, so rules added through one are still enforced but are not shown by the other.

# update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
# update-alternatives --set arptables /usr/sbin/arptables-legacy
# update-alternatives --set ebtables /usr/sbin/ebtables-legacy
The nft-backed iptables (note the "(nf_tables)" tag in the version string) fails before it lists anything: on its first run it creates the built-in chains of the filter table through the nf_tables netlink API, and the kernel rejected that request. Inside a container the kernel is the host's, so this depends on the host kernel's nf_tables support, not on the Debian image. This error is what motivates switching to the legacy backend above:
iptables -Ln
iptables v1.8.2 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain INPUT
# check the x_tables kernel modules the legacy backend uses (loaded and in use here)
lsmod |grep -i -E "ip_tables|iptable_filter|ip6_tables|ip6table_filter"
ip6table_filter        16384  1
ip6_tables             28672  14 ip6table_filter,ip6table_raw,ip6table_nat,ip6table_mangle
iptable_filter         16384  2
ip_tables              28672  8 iptable_filter,iptable_raw,iptable_nat,iptable_mangle

nftables replaces the legacy iptables part of the Netfilter framework. Compared with iptables, nftables has less duplicated code and is easier to extend to new protocols.

# check the nf_tables core plus the netfilter modules it shares with the legacy backend (conntrack, NAT, defrag)
lsmod |grep -i -E "nf"
nf_tables             139264  0
nf_nat_ipv6            16384  1 ip6table_nat
nf_conntrack_netlink    49152  0
nfnetlink              16384  4 nf_conntrack_netlink,nf_tables,ip_set
nf_nat_ipv4            16384  2 ipt_MASQUERADE,iptable_nat
nf_nat                 36864  3 nf_nat_ipv6,nf_nat_ipv4,xt_nat
nf_conntrack          163840  9 xt_conntrack,nf_nat,xt_state,nf_nat_ipv6,ipt_MASQUERADE,nf_nat_ipv4,xt_nat,nf_conntrack_netlink,ip_vs
nf_defrag_ipv6         20480  2 nf_conntrack,ip_vs
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  4 nf_conntrack,nf_nat,xfs,ip_vs
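As an added operational check, not part of the original page or of Debian's iptables package: the script below reports which backend the alternatives currently resolve to, whether nf_tables is reachable from the (host) kernel, and whether the legacy and nft rulesets both carry rules, the split state in which `iptables -L` hides half of what the kernel enforces. It relies on iptables-legacy-save and iptables-nft-save, which the Buster iptables package installs next to the alternatives-managed iptables, and on nft(8) if present; the two sample dumps inside it are constructed for the demonstration, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the original page): report which iptables backend the
# alternatives point at, whether the kernel has nf_tables at all, and whether the
# legacy (x_tables) and nft rulesets BOTH contain rules. The two backends keep
# separate rulesets in the kernel, so a host where Docker uses one and the admin
# the other enforces rules that `iptables -L` never shows.
# Assumes Debian Buster's iptables 1.8.x package, which ships iptables-legacy-save
# and iptables-nft-save alongside the update-alternatives-managed iptables.

# Classify the output of `iptables -V`: the nft backend tags itself "(nf_tables)",
# the x_tables backend "(legacy)".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Count rules in iptables-save format: each "-A CHAIN ..." line is one rule, so a
# dump holding only table headers, chain policies and COMMIT counts as 0.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# Verdict from the two dumps: split / legacy-only / nft-only / empty.
ruleset_state() {
    legacy_rules=$(count_rules "$1")
    nft_rules=$(count_rules "$2")
    if [ "$legacy_rules" -gt 0 ] && [ "$nft_rules" -gt 0 ]; then
        echo split
    elif [ "$legacy_rules" -gt 0 ]; then
        echo legacy-only
    elif [ "$nft_rules" -gt 0 ]; then
        echo nft-only
    else
        echo empty
    fi
}

# Is the nf_tables core available? /proc/modules is what lsmod reads. A kernel
# with nf_tables built in (=y) does not list it there, so fall back to asking the
# kernel through nft(8) when it is installed. In a container this is the HOST kernel.
nft_in_kernel() {
    grep -q '^nf_tables ' /proc/modules 2>/dev/null && return 0
    command -v nft >/dev/null 2>&1 && nft list tables >/dev/null 2>&1
}

# Constructed sample dumps (not captured from a real host) so the logic can be
# exercised without root: SSH and conntrack rules via legacy, a Docker-style NAT
# rule via nft. This is exactly the split state the check is meant to flag.
SAMPLE_LEGACY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'
SAMPLE_NFT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT'

main() {
    echo "sample dumps: $(ruleset_state "$SAMPLE_LEGACY" "$SAMPLE_NFT")"
    bin=$(command -v iptables 2>/dev/null) || { echo "iptables not installed here"; return 0; }
    # Follows the /usr/sbin/iptables -> /etc/alternatives/iptables -> iptables-* chain.
    echo "selected iptables: $(readlink -f "$bin")"
    version=$(iptables -V 2>/dev/null || true)
    echo "backend: $(iptables_backend "$version")"
    if nft_in_kernel; then
        echo "nf_tables: available from the kernel"
    else
        echo "nf_tables: not available; iptables-nft has nothing to talk to"
    fi
    # Both dumps need CAP_NET_ADMIN; an empty string on failure is treated as "no rules".
    legacy=$(iptables-legacy-save 2>/dev/null || true)
    nft=$(iptables-nft-save 2>/dev/null || true)
    echo "live rulesets: $(ruleset_state "$legacy" "$nft")"
}

main
```

Run it as root for the live part. A "split" verdict means two tools on the host disagree about the backend; pick one for the whole host (update-alternatives for the admin tooling, plus whatever Docker or kube-proxy is linked against) and move the rules across with `iptables-legacy-save | iptables-nft-restore` or the reverse, since both backends share the save format.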

ref

  • https://wiki.debian.org/iptables
  • https://wiki.debian.org/nftables
  • https://wiki.archlinux.org/index.php/Nftables
  • https://linux.die.net/man/8/iptables