Replace iptables with nftables in Bullseye

Description

Back in Buster, Debian switched iptables to use the nftables backend. The iptables package is now no longer installed by default. Wazo-service is the only one that directly uses it. So, for the upgrade, we should switch to explicitly depend on nftables and change the iptables commands to use nft syntax instead, and update the documentation.

Zendesk Ticket IDs

None

Activity


Jesse Sopel April 11, 2023 at 7:17 PM

After investigating the issue, moving to the nftables command is more complicated than first anticipated. The syntax is quite different and the tool itself seems partially incomplete. A single command in iptables now requires 2-3 or more commands in nftables as there are no built-in rules. It is not possible to delete a rule without first finding the handle, which is assigned by the kernel, and inserting at a specific point in the table also requires the handle. This isn't that hard to get, but is an extra step that can lead to parsing errors. There are also no default tables or chains, so anytime we want to add a ruleset we need to make sure we first create those. Also, the main nice feature was JSON support, but the actual output is fairly limited and not very useful at the moment.

Since the backend remains the same and the iptables command is still supported in Bullseye and Bookworm, for now we have opted to continue using the iptables command with the nftables backend.

So I closed the PR we were testing:

Won't Do
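The two points made above (one iptables rule becoming several nft commands because tables and chains must be created first, and deleting a rule requiring the kernel-assigned handle) are illustrated by the script below. This is an added example, not wazo-service's code or anything from the closed PR; the table name `wazo`, the chain name `input`, the function names and the `NFT_APPLY` switch are assumptions, and the listing used to look up a handle is constructed to match the shape of `nft -a list chain` output. By default the script only prints the nft commands it would run.

```sh
#!/bin/sh
# Added example (not wazo-service code): the nft command sequence that stands in
# for one iptables rule, plus handle lookup for deleting a rule.
# Table/chain names and NFT_APPLY are assumptions for this example.

TABLE="${NFT_TABLE:-wazo}"
CHAIN="${NFT_CHAIN:-input}"

# Print the command unless NFT_APPLY=1, in which case actually run nft.
nft_cmd() {
    if [ "${NFT_APPLY:-0}" = "1" ]; then
        nft "$@"
    else
        printf 'nft %s\n' "$*"
    fi
}

# Equivalent of:  iptables -A INPUT -p udp --dport PORT -j ACCEPT
# nft has no default table or chain, so both are created first.
# "add" (unlike "create") does not fail if the object already exists.
allow_udp_port() {
    port="$1"
    nft_cmd add table inet "$TABLE"
    nft_cmd add chain inet "$TABLE" "$CHAIN" '{ type filter hook input priority 0; policy accept; }'
    nft_cmd add rule inet "$TABLE" "$CHAIN" udp dport "$port" accept
}

# Read `nft -a list chain ...` output on stdin and print the handle of the
# first rule whose text contains PATTERN (fixed string, not a regex).
find_handle() {
    pattern="$1"
    grep -F -- "$pattern" | sed -n 's/.*# handle \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Equivalent of:  iptables -D INPUT -p udp --dport PORT -j ACCEPT
# nft cannot delete by rule text; the listing is parsed for the handle first.
delete_rule_matching() {
    pattern="$1"
    handle=$(find_handle "$pattern")   # listing comes from stdin
    if [ -z "$handle" ]; then
        printf 'no rule matching "%s" in %s/%s\n' "$pattern" "$TABLE" "$CHAIN" >&2
        return 1
    fi
    nft_cmd delete rule inet "$TABLE" "$CHAIN" handle "$handle"
}

# Constructed sample of `nft -a list chain inet wazo input` output.
SAMPLE_LISTING='table inet wazo {
	chain input { # handle 1
		type filter hook input priority filter; policy accept;
		tcp dport 5060 accept # handle 4
		udp dport 5060 accept # handle 5
	}
}'

# Dry-run demonstration: three commands to open the port, one to close it.
allow_udp_port 5060
printf '%s\n' "$SAMPLE_LISTING" | delete_rule_matching 'udp dport 5060'
```

On a live system the listing would come from `nft -a list chain inet "$TABLE" "$CHAIN"` instead of the constructed `SAMPLE_LISTING`; the `grep -F` lookup is deliberately a fixed-string match so that punctuation in a rule body is not interpreted as a regex.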

Created April 4, 2023 at 7:21 PM
Updated May 24, 2023 at 12:49 PM
Resolved May 24, 2023 at 12:49 PM