Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 29-Aug-2024 17:33:12 JST: I'm kinda pissed that my arcane knowledge of iptables that was acquired decades ago now has to be replaced with an understanding of nftables.
Kev_Prime (kev_prime@infosec.exchange)'s status on Thursday, 29-Aug-2024 17:39:18 JST: @ryanc I recently spent some time learning about the history of iptables and the move to nftables. I also spent some time learning and playing with nftables enough to swap to using it directly the past few years instead of an iptables CLI that converts it to nftables.
To my knowledge iptables is still completely valid and everything is converted automatically for you.
Is there some piece of news that I'm missing where iptables is being removed?
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 29-Aug-2024 17:39:22 JST: @froge I wonder if that's why I have problems with DHCPv6.
CyberFrog (froge@social.glitched.systems)'s status on Thursday, 29-Aug-2024 17:39:25 JST: @ryanc@infosec.exchange I learned something cursed when researching the transition of these things, which is that the Linux kernel can load both iptables and nftables rules at the same time, on the same machine, and nftables rules take precedence but fall back to iptables afterwards.
Imagine trying to debug a system that you thought was using iptables but actually has a secret nftables rule inserted before iptables even sees the packet... all the iptables rules would be totally correct, because the filtering happens earlier on 🙃
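A check for the situation CyberFrog describes, added here as an example (not code from anyone in the thread): it parses `nft list ruleset` and `iptables-legacy-save` output and reports nft base chains that hook in at or before a populated legacy built-in chain on the same netfilter hook, so a drop there is never seen by the iptables rules. Both sample dumps are constructed; the legacy table priorities assumed are the standard netfilter NF_IP_PRI_* values.

```python
import re
# Hook priorities of the legacy iptables tables (netfilter NF_IP_PRI_*); nat depends on chain.
LEGACY_PRIO = {"raw": -300, "mangle": -150, "filter": 0}
NAT_PRIO = {"PREROUTING": -100, "OUTPUT": -100, "INPUT": 100, "POSTROUTING": 100}
BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}
NFT_PRIO = {"raw": -300, "mangle": -150, "dstnat": -100, "filter": 0, "security": 50, "srcnat": 100}

def nft_priority(text):
    """Resolve 'filter', '-10' or 'filter - 10' (symbolic forms nft prints) to an integer."""
    m = re.fullmatch(r"(-?\w+)(?: ([+-]) (\d+))?", text)
    base = NFT_PRIO[m[1]] if m[1] in NFT_PRIO else int(m[1])
    return base + (int(m[3]) if m[2] == "+" else -int(m[3])) if m[2] else base

def parse_nft_base_chains(ruleset):
    """[(table, chain, hook, priority)] for each base chain in `nft list ruleset` output."""
    chains, table, chain = [], None, None
    for line in map(str.strip, ruleset.splitlines()):
        if m := re.match(r"table (\w+ \S+) \{", line):
            table = m[1]
        elif m := re.match(r"chain (\S+) \{", line):
            chain = m[1]
        elif m := re.match(r"type \w+ hook (\w+)(?: device \S+)? priority ([^;]+);", line):
            chains.append((table, chain, m[1], nft_priority(m[2])))
    return chains

def parse_legacy_save(dump):
    """{(table, builtin_chain): rule_count} from iptables-legacy-save output."""
    counts, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A ") and line.split()[1] in BUILTIN:
            key = (table, line.split()[1])
            counts[key] = counts.get(key, 0) + 1
    return counts

def shadowing_chains(nft_ruleset, legacy_dump):
    """nft base chains at or before a populated legacy chain on the same hook (lower runs first; equal priority is not ordered by the config)."""
    found = []
    for (table, chain), n in sorted(parse_legacy_save(legacy_dump).items()):
        prio = NAT_PRIO[chain] if table == "nat" else LEGACY_PRIO[table]
        for nt, nc, hook, nprio in parse_nft_base_chains(nft_ruleset):
            if hook == chain.lower() and nprio <= prio:
                found.append((f"{nt} {nc}", nprio, f"{table} {chain}", prio, n))
    return found

# Constructed sample output of both tools (not captured from a real host).
NFT_SAMPLE = "table inet filter {\n\tchain input {\n\t\ttype filter hook input priority filter - 10; policy accept;\n\t\ttcp dport 22 drop\n\t}\n}\n"
LEGACY_SAMPLE = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n-A INPUT -p tcp --dport 22 -j ACCEPT\n-A FORWARD -i eth0 -o eth1 -j ACCEPT\nCOMMIT\n"
```

On the sample, `shadowing_chains(NFT_SAMPLE, LEGACY_SAMPLE)` reports the nft `inet filter input` chain (priority -10) running ahead of the legacy `filter INPUT` chain (priority 0), which is exactly the case where the iptables rules look right but never see the dropped packet.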
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 29-Aug-2024 17:40:43 JST: @froge I see the benefits of it, and it can do a lot of things iptables can't, but... Arg.
CyberFrog (froge@social.glitched.systems)'s status on Thursday, 29-Aug-2024 17:40:45 JST: @ryanc@infosec.exchange but also nftables is syntactically very similar, which helps a lot at least lol
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 29-Aug-2024 17:41:23 JST: @froge I've been using a firewall script on my home routers that I originally wrote at least 15 years ago...
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 29-Aug-2024 17:48:09 JST: @Kev_Prime I've seen that iptables is deprecated. I use a lot of really esoteric functionality and have been avoiding dealing with it, but I need to replace my router now to handle the upgraded network at my house.
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 29-Aug-2024 17:51:48 JST: @froge I use Debian on my routers.
CyberFrog (froge@social.glitched.systems)'s status on Thursday, 29-Aug-2024 17:51:50 JST: @ryanc@infosec.exchange if the distro is new and uses nftables, like Fedora or something, it might be doing strange things like that 👀
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 29-Aug-2024 17:59:57 JST: @froge I'd rather just learn nftables at this point.
CyberFrog (froge@social.glitched.systems)'s status on Thursday, 29-Aug-2024 17:59:59 JST: @ryanc@infosec.exchange I'm not sure if they've switched to nftables by default yet; they might have. Maybe it's worth checking if they have any nftables rules defined or something weird.
Kev_Prime (kev_prime@infosec.exchange)'s status on Thursday, 29-Aug-2024 18:24:17 JST: @froge @ryanc I see. That doesn't seem like such an issue to me; there are well-documented ways to convert iptables configs over to nftables configs and then just use them with the new nf_tables subsystem.
So if you know iptables, just still write your rules there, convert them and deploy while enjoying a faster kernel.
dlgeek (dlgeek@infosec.exchange)'s status on Thursday, 29-Aug-2024 22:37:51 JST: @ryanc I'm still salty I had to migrate from ipchains.