Our experience with nftables and 'iptables' on Ubuntu 22.04

July 7, 2023

A while back I wrote about how I'd now used nftables on a new machine and it was okay. This came about because Ubuntu 22.04's default setup is that the 'iptables' command is actually a frontend for nftables, and when I noticed that I decided that I might as well write nftables rules directly for this. Today I had cause to remember this, and also to reflect on our other uses of nftables on Ubuntu 22.04. These other uses came about because we have various machines (such as our fileservers) that use firewall rules that are set up with the 'iptables' command, and in some cases also removed by it. Since in 22.04 the iptables command is actually using nftables, that means those machines silently started using nftables when we upgraded them to 22.04.

The good news is that everything just worked. Until I was thinking about it today, it didn't even strike me that these various machines were now using nftables; absolutely nothing changed that we'd noticed. All of our setup and management scripts kept working as-is, and the actual rules kept working. Our 'iptables' rules include both straight firewall access control rules and some NAT rewriting rules (on different machines); some of the firewall rules use ipsets, a few use firewall marks and masks along with sub-chains, and others are applied only temporarily and then deleted later. This doesn't cover all of the various iptables command line options and rules, but it's a reasonably large amount of what I'd expect to use under normal circumstances.

However, this splits our experience into two separate and distinct buckets. On the one hand, we've directly used nftables with a static configuration written down in /etc/nftables.conf. On the other hand, we've indirectly used nftables through the iptables command with dynamic configurations. We haven't tried to do dynamic things directly with the 'nft' command, or to mix a static initial configuration from /etc/nftables.conf with later dynamic modifications from either 'nft' or 'iptables', so I have no idea how well either would work. Although since the 22.04 'iptables' command is just a compatibility layer over nftables, you can clearly do dynamic rule modifications with nftables in general.

My current view is that if I were to write rules for some system from scratch in an environment like Ubuntu 22.04, I would directly use nftables and /etc/nftables.conf for a static configuration that I expected to reload if I ever changed things. However, if I had a dynamic configuration where I had to add and delete rules on the fly, I would stick with using the 'iptables' command (and its syntax and handling of rules, sub-chains, and so on) rather than try to master using 'nft' for this. I'm sure that someday I'll need to learn dynamic use of 'nft', but not today.

(In theory we have some completely static firewall rules created through 'iptables', so we could run the iptables commands, use 'nft list ruleset' to dump the nftables translation, create an /etc/nftables.conf from that dump, and switch over to setting up the rules natively through nftables. In practice we're not going to do this for already-installed machines, and we may not remember to do this even when we next have to rebuild them under a new Ubuntu version.)
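As an added example (not from the original post or from any of our machines), here is what a static /etc/nftables.conf covering the same kinds of rules described above looks like when written natively: an ipset-style set, a sub-chain reached by a jump, a mark-and-mask match, and a NAT masquerade rule. The addresses, the interface name 'eth0', and the set and chain names are assumptions for illustration; the comments show the 'iptables' command each piece replaces and the 'nft' commands for the dynamic add/delete cases the post leaves untried.

```nftables
#!/usr/sbin/nft -f
# Added illustrative ruleset; addresses, 'eth0' and names are assumptions.
flush ruleset

table inet filter {
    # Equivalent of 'ipset create nfs-clients hash:net' plus 'ipset add'.
    set nfs_clients {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/16, 192.0.2.0/24 }
    }

    # Sub-chain, the equivalent of 'iptables -N nfs-in' and its rules.
    chain nfs_in {
        ip saddr @nfs_clients accept
        drop
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iif "lo" accept
        ct state invalid drop

        # Mark with mask, like 'iptables -m mark --mark 0x10/0xf0 -j ACCEPT'.
        meta mark & 0xf0 == 0x10 accept

        tcp dport 22 accept
        # 'iptables -A INPUT -p tcp --dport 2049 -j nfs-in'
        tcp dport 2049 jump nfs_in
        icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

# NAT rewriting, the equivalent of
# 'iptables -t nat -A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE'.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" ip saddr 10.10.0.0/16 masquerade
    }
}

# Dynamic changes against this ruleset without reloading the file, the
# 'nft' counterparts of 'ipset add/del' and 'iptables -A'/'iptables -D':
#   nft add element inet filter nfs_clients { 198.51.100.0/24 }
#   nft delete element inet filter nfs_clients { 198.51.100.0/24 }
#   nft insert rule inet filter input tcp dport 8080 accept
#   nft -a list chain inet filter input    # prints '# handle N' per rule
#   nft delete rule inet filter input handle N
```

Two caveats for anyone following the "dump with 'nft list ruleset' and convert" plan. First, rules created by the 22.04 'iptables' command land in their own tables ('ip filter', 'ip nat', and so on), so if a native 'inet filter' table is also loaded, both sets of hooks run and a packet has to be accepted by both; a half-converted machine can end up with two independent firewalls. Second, rules that use iptables match or target extensions without a native nftables expression show up in the dump as 'xt' comment lines rather than reloadable syntax, so check the dump for those (and compare it against the output of 'iptables-translate', which the iptables package also ships) before trusting it as a new /etc/nftables.conf.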

Written on 07 July 2023.


Last modified: Fri Jul 7 23:33:54 2023