similar to: KVM + libvirt + nftables without iptables?

Displaying 20 results from an estimated 8000 matches similar to: "KVM + libvirt + nftables without iptables?"

2018 Oct 18
2
Re: KVM + libvirt + nftables without iptables?
On 10/18/2018 10:14 AM, Daniel P. Berrangé wrote: > On Wed, Oct 17, 2018 at 05:57:11PM +0200, Roman Vesely wrote: >> Hi everyone, >> >> I use Debian 9.5 Stretch and NFTABLES as a firewall. >> Using NFTABLES together with IPTABLES is not recommended, >> but libvirt depends on IPTABLES. >> >> Is it safe to run libvirt + kvm + virsh without IPTABLES?
2018 Oct 18
0
Re: KVM + libvirt + nftables without iptables?
On Wed, Oct 17, 2018 at 05:57:11PM +0200, Roman Vesely wrote: > Hi everyone, > > I use Debian 9.5 Stretch and NFTABLES as a firewall. > Using NFTABLES together with IPTABLES is not recommended, > but libvirt depends on IPTABLES. > > Is it safe to run libvirt + kvm + virsh without IPTABLES? > > By the doc https://libvirt.org/firewall.html, > IPTABLES are used for
2020 Jun 09
1
firewalld / iptables / nftables
Once upon a time, Jonathan Billings <billings at negate.org> said: > 'iptables' and 'nftables' are competing technologies. In CentOS 8, > firewalld's backend was switched from iptables to nftables. So it > would be expected that the iptables command wouldn't have any rules > defined, it isn't being used by firewalld. That is partially incorrect.
2020 Jun 09
3
firewalld / iptables / nftables
Despite that the migration of our applications comes with a significant workload. It seems that also every aspect of common services had changed with EL8. In EL8 firewalld uses nftables as backend. I wonder why iptables does not list any rules while also configured to use nftables as backend. # iptables -V iptables v1.8.2 (nf_tables) # firewall-cmd --list-all |egrep -o '22|ssh' ssh
2018 Oct 18
0
Re: KVM + libvirt + nftables without iptables?
Michal Privoznik <mprivozn@redhat.com> wrote: > On 10/18/2018 10:14 AM, Daniel P. Berrangé wrote: > > On Wed, Oct 17, 2018 at 05:57:11PM +0200, Roman Vesely wrote: > >> Hi everyone, > >> > >> I use Debian 9.5 Stretch and NFTABLES as a firewall. > >> Using NFTABLES together with IPTABLES is not recommended, > >> but libvirt depends on
2020 Apr 17
2
CentO 8 and nftables default policy
Hi list, I'm studying nftables. I'm using CentOS 8.1 (Gnome) and I disabled firewalld. I noticed that a default policy is created with tables and chains probably for firewalld. So I created a .nft script where I stored my rules with a flush for previous ruleset, then saved on /etc/sysconfig/nftables.conf and then enabled the nftables service. Running the script with nft -f script.nft all
2020 Jun 09
0
firewalld / iptables / nftables
On Tue, Jun 09, 2020 at 02:19:17PM +0200, Leon Fauster via CentOS wrote: > > Despite that the migration of our applications comes with a significant > workload. It seems that also every aspect of common services had changed > with EL8. > > In EL8 firewalld uses nftables as backend. I wonder why iptables does not > list any rules while also configured to use nftables as
2020 Apr 18
1
CentO 8 and nftables default policy
I had the same problem. If you are not using virtual machines then # systemctl disable libvirtd works and is easily reversible. Alan On 18/04/2020 23:03, Alessandro Baggi wrote: > On 17/04/20 11:01, Alessandro Baggi wrote: >> Hi list, >> >> I'm studying nftables. I'm using CentOS 8.1 (Gnome) and I disabled >> firewalld. I noticed that a default
2018 May 03
5
[Bug 1255] New: nftables SNAT is not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1255 Bug ID: 1255 Summary: nftables SNAT is not working Product: nftables Version: unspecified Hardware: All OS: All Status: NEW Severity: critical Priority: P5 Component: kernel Assignee: pablo at netfilter.org
2016 Nov 22
1
[Bug 1099] New: Minor typo in wiki.nftables.org
https://bugzilla.netfilter.org/show_bug.cgi?id=1099 Bug ID: 1099 Summary: Minor typo in wiki.nftables.org Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: trivial Priority: P5 Component: nft Assignee: pablo at netfilter.org
2019 Dec 04
4
[Bug 1386] New: nftables.py cmd doesn't read updated counter values after first read
https://bugzilla.netfilter.org/show_bug.cgi?id=1386 Bug ID: 1386 Summary: nftables.py cmd doesn't read updated counter values after first read Product: nftables Version: unspecified Hardware: x86_64 OS: Gentoo Status: NEW Severity: major Priority: P5 Component:
2018 Jan 04
9
[Bug 1210] New: nftables gets confused by user namespaces when meta skuid is used
https://bugzilla.netfilter.org/show_bug.cgi?id=1210 Bug ID: 1210 Summary: nftables gets confused by user namespaces when meta skuid is used Product: nftables Version: unspecified Hardware: All OS: All Status: NEW Severity: critical Priority: P5 Component: nft
2017 Nov 13
2
[Bug 1202] New: Cannot match on both dport and sport in one nftables rule
https://bugzilla.netfilter.org/show_bug.cgi?id=1202 Bug ID: 1202 Summary: Cannot match on both dport and sport in one nftables rule Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft
2018 Nov 06
1
[Bug 1290] New: ptables: nftables layer breaks ipsec/policy keyword
https://bugzilla.netfilter.org/show_bug.cgi?id=1290 Bug ID: 1290 Summary: ptables: nftables layer breaks ipsec/policy keyword Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: iptables over nftable
2016 Apr 02
1
[Bug 1061] New: net-firewall/nftables-0.5-r2: limit rate: burst parameter doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=1061 Bug ID: 1061 Summary: net-firewall/nftables-0.5-r2: limit rate: burst parameter doesn't work Product: nftables Version: unspecified Hardware: x86_64 URL: http://wiki.nftables.org/wiki-nftables/index.php/Rate_ limiting_matchings
2019 Jan 31
4
C7, firewalld and rich rules
On 1/30/19 10:05 PM, Simon Matter via CentOS wrote: > Did you look at Shorewall? IMHO that's what is best used in such > situations and it works since many years now. shorewall doesn't support nftables, which is largely the point of firewalld: The Linux firewall system is currently undergoing yet another deprecation and migration from iptables to nftables. firewalld should
2019 Nov 12
6
[Bug 1382] New: nftables.py cmd leaking memory when ruleset contain mapping ip length to range with high limit 65535
https://bugzilla.netfilter.org/show_bug.cgi?id=1382 Bug ID: 1382 Summary: nftables.py cmd leaking memory when ruleset contain mapping ip length to range with high limit 65535 Product: nftables Version: unspecified Hardware: x86_64 OS: Gentoo Status: NEW Severity: major
2016 Feb 28
9
[Bug 1051] New: nftables DNAT not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1051 Bug ID: 1051 Summary: nftables DNAT not working Product: nftables Version: unspecified Hardware: x86_64 OS: Gentoo Status: NEW Severity: critical Priority: P5 Component: kernel Assignee: pablo at netfilter.org
2020 May 07
3
network disconnection after several hours
Thanks Simon, Of course we are not sure but we have a strong feeling: - We tried the restore in a loop (14) and all worked fine when the firewall is disabled. - We tried the restore several times but no more than 2 successful restores in a row when the firewall is enabled. We also tried: - iptables with nftables as backend - firewalld with nftables as backend - nft with nftables as backend
2019 Mar 07
6
[Bug 1325] New: Reproducible NULL ptr deref upon checking trivial nftables ruleset in Linux 5.0
https://bugzilla.netfilter.org/show_bug.cgi?id=1325 Bug ID: 1325 Summary: Reproducible NULL ptr deref upon checking trivial nftables ruleset in Linux 5.0 Product: nftables Version: unspecified Hardware: x86_64 OS: Gentoo Status: NEW Severity: normal Priority: P5