Bug 1817223
| Summary: | iptables-save does not list incompatible nft tables | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Tomas Dolezal <todoleza> |
| Component: | iptables | Assignee: | Phil Sutter <psutter> |
| Status: | CLOSED NOTABUG | QA Contact: | qe-baseos-daemons |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.2 | CC: | iptables-maint-list, todoleza |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | 8.2 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-03-26 20:20:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description of problem:

iptables-save omits references to tables in nftables which are not recognized by iptables-nft commands. This makes debugging of firewall rules harder for people who use this command to see installed iptables rules.

Version-Release number of selected component (if applicable):

iptables-1.8.4-9.el8.x86_64
kernel-4.18.0-187.el8.x86_64

How reproducible:

always, non-iptables-nft based tables exist

Steps to Reproduce:

```
nft -f - <<EOF
flush ruleset
table inet inet_all {}
table ip inet4 {}
table ip6 inet6 {}
EOF
iptables-save
ip6tables-save
```

Actual results:

with iptables-1.8.2-16.el8

```
iptables-save
# Table `inet4' is incompatible, use 'nft' tool.
ip6tables-save
# Table `inet6' is incompatible, use 'nft' tool.
```

with iptables-1.8.4-9.el8

```
iptables-save; ip6tables-save
<nothing printed>
```

Expected results:

list of tables that are incompatible with iptables ruleset:

1. return printing of ip family related tables
2. add inet family tables to output of both ipv4/ipv6 iptables-save output

```
iptables-save
# Table `inet4' is incompatible, use 'nft' tool.
# Table `inet_all' is incompatible, use 'nft' tool.   <-- this would be added
```

Additional info:

---

Hi Tomas,

This was changed as part of resolving bug 1626541. Reverting to the old behaviour is hard to achieve, recent iptables-nft doesn't even fetch tables it doesn't care about from kernel anymore (that's a performance optimization). I fear the best way of dealing with the situation is to use nft tool in order to get the full picture?

Cheers, Phil

---

Hello Phil,

thanks for quick reply. I filed this from user experience point of view, but I am ok with preferring performance over this feature if there's no clean way around. The sole reason was to help iptables-based users to debug their machines more easily. Unfortunately I very seldom saw direct use of iptables-save commands anyway.

---

Hi Tomas,

With legacy iptables, you don't see any nftables rules, either. So with firewalld and nftables backend in place, neither legacy nor nft iptables give a full picture.
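The maintainer's advice in the thread is to use the nft tool for the full picture. As an added example (not part of the bug report and not code from the iptables project), the POSIX shell function below reads text in the format printed by `nft list tables` and reports, in the spirit of the message iptables-1.8.2 used to print, the tables that iptables-save and ip6tables-save of 1.8.4 no longer mention: every table outside the ip and ip6 families, and every ip/ip6 table whose name is not one of the builtin iptables tables. The function name, the constructed sample listing and the message wording are this example's own; it checks family and name only, so a builtin-named table whose contents iptables cannot represent is not detected.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the iptables project.
# Given text in the format printed by `nft list tables`, print the tables that
# iptables-save / ip6tables-save skip silently, as the report shows for
# iptables-1.8.4: tables outside the ip/ip6 families, and ip/ip6 tables whose
# name is not a builtin iptables table (filter, nat, mangle, raw, security).
# Assumption: the check is by family and name only; a builtin-named table whose
# contents iptables cannot represent is not detected here.

# Constructed sample (not captured from a real host): the ruleset from the
# reproducer plus the two builtin filter tables iptables-nft itself creates.
SAMPLE_TABLES='table inet inet_all
table ip inet4
table ip6 inet6
table ip filter
table ip6 filter'

# Usage: hidden_tables [listing]
# With no argument the live ruleset is read via `nft list tables` (needs root).
# Prints one line per table that iptables-save will not show.
hidden_tables() {
    if [ $# -gt 0 ]; then
        listing=$1
    else
        listing=$(nft list tables)
    fi
    printf '%s\n' "$listing" | while read -r kw family name; do
        [ "$kw" = table ] || continue        # skip blank or unexpected lines
        case "$family" in
            ip|ip6)
                case "$name" in
                    # builtin names in the ip/ip6 families are shown by iptables-save
                    filter|nat|mangle|raw|security) continue ;;
                esac
                ;;
        esac
        printf "# Table '%s' (family %s) is not shown by iptables-save, use 'nft' tool.\n" "$name" "$family"
    done
}

# Demonstration on the constructed sample; prints three lines, one each for
# inet_all (inet), inet4 (ip) and inet6 (ip6).
hidden_tables "$SAMPLE_TABLES"
```

Run as root without an argument to check the live ruleset; pairing its output with plain iptables-save gives the complete view of the kernel's tables that the 1.8.4 output alone no longer provides.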