
Cannot alias iptables-nft as iptables with alternatives #342

Closed
LorbusChris opened this issue Jan 10, 2020 · 2 comments

Comments

@LorbusChris (Contributor) commented Jan 10, 2020

Fedora in F32 will use the nft implementation of iptables by default (see https://fedoraproject.org/wiki/Changes/iptables-nft-default).

Right now, however, it is not possible to alias it as iptables in FCOS with alternatives even though it is installed, as one cannot change the alternatives priority on rpm-ostree based systems (fedora-sysv/chkconfig#27) and iptables therefore always points to iptables-legacy.

RHCOS already and exclusively uses the nft implementation, leading FCOS in that regard.

Context: iptables-legacy is suspected to be the cause of https://bugzilla.redhat.com/show_bug.cgi?id=1781575 which only seems to appear on systems that still use the legacy implementation.

LorbusChris added a commit to LorbusChris/fedora-coreos-config that referenced this issue Jan 10, 2020
by adding a COSA postprocess script to raise its priority
above (from 5 to 15) iptables-legacy's priority (10)
with `update-alternatives`.

This workaround will be dropped once iptables-nft becomes
the default implementation in F32:
https://fedoraproject.org/wiki/Changes/iptables-nft-default

Tracker Issue:
coreos/fedora-coreos-tracker#342
@LorbusChris LorbusChris changed the title Use iptables-nft by default Ccannot use iptables-nft Jan 10, 2020
@LorbusChris LorbusChris changed the title Ccannot use iptables-nft Cannot use iptables-nft Jan 10, 2020
@LorbusChris LorbusChris changed the title Cannot use iptables-nft Cannot alias iptables-nft as iptables with alternatives Jan 10, 2020
@dustymabe (Member) commented:

Here is the previous conversation around firewalling: #26

This simply sounds like a bug that needs to be fixed (and you've linked to one).

Can you just work around it in ignition with the equivalent of:

[core@coreos ~]$ sudo ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables 
[core@coreos ~]$ 
[core@coreos ~]$ iptables --version
iptables v1.8.3 (nf_tables)

@LorbusChris (Contributor, Author) commented:

Changing the symlink in /etc/alternatives/ does the trick indeed, thanks Dusty!
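As an added example (not code from this issue or from fedora-coreos-config), the script below checks which backend the `iptables` command resolves to and offers the same alternatives-symlink fix Dusty suggested; this matters because rules loaded through one backend are not shown by the other's `iptables -L`, so a host whose `iptables` silently points at the legacy binary can look unprotected or over-protected depending on which tool you ask. The optional root-prefix argument is an assumption of this example so the functions can be exercised against a scratch directory instead of the live system.

```shell
#!/bin/sh
# Added example, not code from the issue or from fedora-coreos-config.
# Detects which backend the `iptables` command uses and, on request,
# applies the alternatives-symlink workaround from the thread.
# The root prefix (default "": live system) is an assumption that lets
# the functions be exercised against a scratch directory.
set -eu

# Classify `iptables --version` output: nft, legacy or unknown.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Where the alternatives link currently points (or "none").
current_alias_target() {
    readlink "${1:-}/etc/alternatives/iptables" 2>/dev/null || echo none
}

# Repoint /etc/alternatives/iptables at iptables-nft, mirroring
# `ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables`.
# Refuses (exit 1) rather than creating a dangling link when the
# nft binary is not installed.
alias_iptables_nft() {
    root="${1:-}"
    nft_bin="$root/usr/sbin/iptables-nft"
    link="$root/etc/alternatives/iptables"
    [ -x "$nft_bin" ] || return 1
    mkdir -p "${link%/*}"
    ln -sf "$nft_bin" "$link"
}

# Read-only report; apply the fix explicitly as root with:
#   alias_iptables_nft ""
report() {
    ver=$(iptables --version 2>/dev/null || echo "iptables not found")
    printf 'iptables reports: %s (backend: %s)\n' "$ver" "$(iptables_backend "$ver")"
    printf 'alternatives link -> %s\n' "$(current_alias_target "${1:-}")"
}
report "${ROOT:-}"
```

Running it unprivileged only reports; the fix is a separate function call because it writes under /etc and, on rpm-ostree systems, is exactly the step this thread delegates to Ignition.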
