update-alternatives iptables-nft

jizzmaster99

Hi,
After some tinkering around with nftables/iptables I ended up having to reinstall the now missing symlinks for update-alternatives.
The manpage is confusing to say the least.

The syntax is apparently update-alternatives <link> <name> <path> <priority>
But having tried a couple of ways I just end up with different conflicts and error messages.

What is the correct way to install iptables-nft as an alternative to the legacy iptables?
 


Which distro version are you referring to?
 
Debian Buster
 
It's not so much the iptables/nftables configuration per se I am interested in, but the linking procedure for update-alternatives.
 
Hello,

But having tried a couple of ways I just end up with different conflicts and error messages.

Can you give us the error messages?
Alternatives on Debian behave simply: they are links to another link in /etc/alternatives/, which is itself a link to something else.

Here are mine concerning iptables:
Bash:
wololo@ayoyo:/home/30# ls -lh /etc/alternatives/iptables*
lrwxrwxrwx 1 root root 32 jan.  1 13:37 /etc/alternatives/iptables -> /usr/sbin/iptables-nft
lrwxrwxrwx 1 root root 32 jan.  1 13:37 /etc/alternatives/iptables-restore -> /usr/sbin/iptables-nft-restore
lrwxrwxrwx 1 root root 32 jan.  1 13:37 /etc/alternatives/iptables-save -> /usr/sbin/iptables-nft-save

You can use the following command to fix the alternatives for iptables
Bash:
# update-alternatives --config iptables

What is the correct way to install iptables-nft as an alternative to the legacy iptables?

It is provided by default since Linux 3.3: https://wiki.debian.org/nftables
NOTE: Debian Buster uses the nftables framework by default.

It's embedded by default in the kernel but the userland utils are not. There is the iptables translation suite (iptables-nft) but if you want to deal with nft you should use the userland utilities "nft" provided by the nftables package:
Bash:
# apt install nftables
 
In my case, I ran into the fact that Debian now has no iptables. At least not by default. I found this out when on Debian 11, I entered the command iptables and got "command not found". I was very surprised and read the documentation. It turned out that now I needed to use nftables. The good news: One nft utility replaces four previous ones: iptables, ip6tables, ebtables, and arptables. And many cool commands contribute to NFT Promotion. The bad news: the documentation (man nft) contains more than 3 thousand lines. You will have to do some work, but I am sure you will succeed. There are a lot of quick guides on the Internet on this subject.
 
on my Debian sid system:
Code:
sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

  Selection    Path                       Priority   Status
------------------------------------------------------------
* 0            /usr/sbin/iptables-nft      20        auto mode
  1            /usr/sbin/iptables-legacy   10        manual mode
  2            /usr/sbin/iptables-nft      20        manual mode

policy iptables
iptables:
Installed: 1.8.7-1
Candidate: 1.8.7-1
Version table:
*** 1.8.7-1 500
500 https://deb.debian.org/debian unstable/main arm64 Packages
100 /var/lib/dpkg/status

policy nftables
nftables:
Installed: 1.0.2-1
Candidate: 1.0.2-1
Version table:
*** 1.0.2-1 500
500 https://deb.debian.org/debian unstable/main arm64 Packages
100 /var/lib/dpkg/status

I use ufw/gufw.

Code:
sudo ufw status verbose
Status: active
Logging: off
Default: deny (incoming), allow (outgoing), disabled (routed)
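The following script is an added example, not something posted in this thread or shipped by Debian. It puts the answers above into working form: the first function walks the three-level chain described earlier (/usr/sbin/iptables -> /etc/alternatives/iptables -> /usr/sbin/iptables-nft), so a dangling link is spotted instead of guessed at, and the last one emits the exact `update-alternatives --install <link> <name> <path> <priority>` commands that re-register both backends (the `--install` action word is what the first post's summary of the syntax left out). It assumes Debian's stock layout and names (generic links in /usr/sbin, alternatives in /etc/alternatives, binaries iptables-nft / iptables-legacy and their -save / -restore variants) and the priorities 20 and 10 shown in the `--config` listing just above; the `--altdir` and `--admindir` options are real update-alternatives options that let you rehearse against a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Debian's stock alternatives
# layout and priorities: nft = 20, legacy = 10 (see the --config listing).
LINKDIR=${LINKDIR:-/usr/sbin}
ALTDIR=${ALTDIR:-/etc/alternatives}
ADMINDIR=${ADMINDIR:-/var/lib/dpkg/alternatives}

# Print every hop of a symlink chain, stopping at the first non-link.
# Healthy Debian: /usr/sbin/iptables -> /etc/alternatives/iptables -> /usr/sbin/iptables-nft
walk_chain() {
    p=$1
    printf '%s\n' "$p"
    while [ -L "$p" ]; do
        t=$(readlink "$p")
        case $t in
            /*) p=$t ;;                   # absolute target
            *)  p=$(dirname "$p")/$t ;;   # relative target: resolve against the link's directory
        esac
        printf '%s\n' "$p"
    done
}

# Last hop of the chain, i.e. the binary that actually runs when you type "iptables".
final_target() {
    walk_chain "$1" | tail -n 1
}

# Classify the chain: nft / legacy when it ends in a matching binary,
# broken when it dangles (the final hop does not exist), ok otherwise.
chain_status() {
    last=$(final_target "$1")
    if [ ! -e "$last" ]; then
        echo broken
        return
    fi
    case $last in
        *-nft|*-nft-*)       echo nft ;;
        *-legacy|*-legacy-*) echo legacy ;;
        *)                   echo ok ;;
    esac
}

# Emit the update-alternatives --install commands that (re)register both
# backends. iptables-save and iptables-restore are registered as --slave
# links of iptables so the three always switch together, which is how the
# Debian iptables package registers them.
install_cmds() {
    for backend in nft:20 legacy:10; do
        b=${backend%%:*}
        prio=${backend##*:}
        printf 'update-alternatives --altdir %s --admindir %s --install %s/iptables iptables %s/iptables-%s %s' \
            "$ALTDIR" "$ADMINDIR" "$LINKDIR" "$LINKDIR" "$b" "$prio"
        for sub in save restore; do
            printf ' --slave %s/iptables-%s iptables-%s %s/iptables-%s-%s' \
                "$LINKDIR" "$sub" "$sub" "$LINKDIR" "$b" "$sub"
        done
        printf '\n'
    done
}

# Stand-alone: `sh this.sh show` prints the current chain, its status and
# the commands that would rebuild the alternatives. Review them, then run
# them as root; nothing is applied automatically.
if [ "${1:-}" = show ]; then
    walk_chain "$LINKDIR/iptables"
    echo "status: $(chain_status "$LINKDIR/iptables")"
    install_cmds
fi
```

Once the links are back, `update-alternatives --query iptables` should list both backends with the priorities above and `iptables -V` should report the nft backend on Buster. The practical caveat is that the backend in use decides which ruleset `iptables -L` shows: rules loaded through the legacy backend are not visible through the nft one and vice versa, so a half-repaired chain can make a host look unfiltered when it is not, or filtered when it is not.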
 