
Add compatibility with netfilter backend #36

Open. Wants to merge 6 commits into base: master
Conversation

papamoose

Fixes from #30 and #35 plus small tweaks of my own.

nft -j list tables ip returns metainfo as a key in the JSON we get back. So, by checking to make sure the key 'table' exists, we can ignore the metainfo key in the loop.

Additionally, the nft command seems to want the -j before all other arguments.

```json
[
  {
    "metainfo": {
      "version": "0.9.3",
      "release_name": "Topsy",
      "json_schema_version": 1
    }
  },
  {
    "table": {
      "family": "ip",
      "name": "security",
      "handle": 44
    }
  },
  {
    "table": {
      "family": "ip",
      "name": "raw",
      "handle": 45
    }
  },
  {
    "table": {
      "family": "ip",
      "name": "mangle",
      "handle": 46
    }
  },
  {
    "table": {
      "family": "ip",
      "name": "nat",
      "handle": 47
    }
  },
  {
    "table": {
      "family": "ip",
      "name": "filter",
      "handle": 54
    }
  }
]
```
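The parsing rule the PR describes (skip the metainfo entry, keep only entries with a "table" key, put -j first on the command line) and the commit's fallback to /proc/net/ip[6]_tables_names, as an added Python example that is not the module's own code. The sample JSON is constructed from the output shown above; handling of the `{"nftables": [...]}` wrapper that libnftables emits around that list is an assumption beyond the page, kept so a misdetected backend does not silently yield an empty table list.

```python
import json
import subprocess
from typing import List

# Constructed sample mirroring the `nft -j list tables ip` output quoted in the PR.
SAMPLE_NFT_JSON = json.dumps([
    {"metainfo": {"version": "0.9.3", "release_name": "Topsy", "json_schema_version": 1}},
    {"table": {"family": "ip", "name": "security", "handle": 44}},
    {"table": {"family": "ip", "name": "raw", "handle": 45}},
    {"table": {"family": "ip", "name": "mangle", "handle": 46}},
    {"table": {"family": "ip", "name": "nat", "handle": 47}},
    {"table": {"family": "ip", "name": "filter", "handle": 54}},
])


def nft_list_tables_cmd(family: str) -> List[str]:
    """Build the command with -j placed before every other argument."""
    return ["nft", "-j", "list", "tables", family]


def parse_nft_tables(json_text: str, family: str) -> List[str]:
    """Return the names of active tables for `family`, ignoring the metainfo entry."""
    doc = json.loads(json_text)
    # Assumption: newer nft wraps the list as {"nftables": [...]}; accept both shapes.
    entries = doc.get("nftables", []) if isinstance(doc, dict) else doc
    names = []
    for entry in entries:
        table = entry.get("table")  # metainfo entries have no "table" key
        if table is None:
            continue
        if table.get("family") == family:
            names.append(table["name"])
    return names


def active_tables(family: str) -> List[str]:
    """Prefer nft when it is installed; otherwise read the legacy /proc file."""
    try:
        result = subprocess.run(nft_list_tables_cmd(family), capture_output=True,
                                text=True, check=True)
        return parse_nft_tables(result.stdout, family)
    except (FileNotFoundError, subprocess.CalledProcessError):
        proc_file = "/proc/net/%s_tables_names" % family  # ip or ip6
        try:
            with open(proc_file) as fh:
                return [line.strip() for line in fh if line.strip()]
        except FileNotFoundError:
            return []
```

Note that, as the comment below reports, an ip6 filter table with no rules may simply be absent from nft's output, so an empty result is not proof that the backend was misdetected.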

networkhell and others added 6 commits February 14, 2020 12:02
On systems using netfilter, nftables should not be installed; on systems using the new nftables backend, nftables and the nft command have to be installed.
Compatibility with newer distros like CentOS 8 and Debian buster.

Not waterproof, but if the nft command is available, nft list tables is used instead of /proc/net/ip[6]_tables_names.

On systems using netfilter as backend the nft command must not be available because it returns an empty list of active tables, just like the /proc/net/ip_tables_names does on systems using nftables.
…e ignore it in the loop.

johan-adriaans commented Jun 15, 2022

A small note for anyone running into the problem where their IPv6 iptables rules are ignored. For me, on Ubuntu 22.04, the sudo nft list tables command will not return the filter table for IPv6 (table ip6 filter) if there are no IPv6 filter rules present. That caused iptables_raw to ignore all ip6 filter rules (any INPUT DROP, ACCEPT, etc.).

To solve this, I bootstrapped the ip6tables INPUT chain with a single dummy rule. That caused the IPv6 filter table to show up in nft, and after that everything went smoothly.
