Packages: Keep iptables support when adding nftables

I'm currently doing a 22.03 x86 build retaining fw3 instead of fw4 (it's running well and I'm not ready to make the jump just yet due to some packages missing fw4 support and time for my learning curve). But I notice in a recent package commit (acme: switch from iptables to nft) that the iptables code was completely removed when updating to nftables. Any thoughts about keeping both sets of code and checking the firewall configuration?

When you install fw3 it installs iptables as a dependency. There is a bug in the iptables package on 22.03 that results in iptables-legacy being installed. A patch was merged yesterday in master (snapshot) but not yet in 22.03.

The workaround is to remove iptables-legacy by name then install iptables-nft.

Then you should be good to go.

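A quick way to confirm which iptables backend a build actually ends up with before relying on the iptables-legacy to iptables-nft swap described above (an added example, not from the thread; it parses the version line printed by `iptables -V`, and the package names are the ones given in the thread):

```shell
#!/bin/sh
# Added example: report the active iptables backend and whether the
# legacy -> nft swap from the thread is still needed.
# `iptables -V` prints e.g. "iptables v1.8.7 (nf_tables)" or "iptables v1.8.7 (legacy)".

iptables_backend() {
    # $1: the version string printed by `iptables -V`
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Exit status 0 only when the legacy backend is active, i.e. when the
# iptables-legacy package should be replaced with iptables-nft.
swap_needed() {
    [ "$(iptables_backend "$1")" = legacy ]
}

if command -v iptables >/dev/null 2>&1; then
    ver="$(iptables -V 2>/dev/null)"
    echo "iptables backend: $(iptables_backend "$ver")"
    if swap_needed "$ver"; then
        # Package names as given in the thread; run these by hand on the router.
        echo "legacy backend active; run: opkg remove iptables-legacy && opkg install iptables-nft"
    fi
fi
```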

Thanks for the reply. I'll look at how that will affect my build.
But not really my concern (changed the thread title to be clearer).

Replacing the incorrectly installed iptables-legacy with the correct iptables-nft is exactly what is required if you want both iptables support along with the default nftables support.

I'm building without any nftables support. Keep it simple principle.
But I now understand your point about 'dual' support. I may give it a try. Looking for how to keep banIP support. I 'unbroke' it and it's running fine on my 22.03 iptables only build.

Try looking into crowdsec. It's more modern than banIP.

I have not yet found any package with a dependency on iptables that does not work perfectly with iptables-nft. This is also true with generic Linux operating systems. So the well tested and accepted iptables-nft is the way forward.