Hi, I noticed a few hours ago that a particular piece of firewall management software wasn't working correctly with my Debian 10 hosts.
After quite a lot of investigation I worked out that the software in question was looking at the content of /proc/net/ip_tables_names to determine the names of the tables that are currently active ('filter', 'mangle', etc). On my Debian 10 hosts, this file is empty even though they have active rules loaded by iptables.

I then noticed that on my Debian 9 hosts, the modules iptable_filter and ip6table_filter are loaded as soon as a rule is added to any of the chains in the filter table ('INPUT', 'OUTPUT', 'FORWARD'). By manually loading the module iptable_filter on my Debian 10 hosts I was able to populate the file /proc/net/ip_tables_names with the active tables ('filter') and the management software works again. I have for the moment made this change permanent by adding those modules to a file in /etc/modules-load.d/.

I will take a guess that the switching of the iptables commands to use the nftables framework has somehow caused this iptable_filter module to not be loaded even though the firewall still works.

Is it a bug that loading rules into the filter table using the iptables-nft command (actually called as "iptables" due to alternatives) no longer causes the iptable_filter module to be loaded and thus "filter" to appear in /proc/net/ip_tables_names?

Is there a different proc file that will list the active netfilter tables?

Is it safe for me to continue forcing the load of the iptable_filter and ip6table_filter modules, or should I stop doing that and seek to get the management software fixed instead? Though doing that will need some other way to obtain the same information. If it is bad to force load those modules, perhaps I should be using update-alternatives to go back to using iptables-legacy?

I am aware that we should be switching to nftables now, but I have quite a few servers all managed by config management. As I will need to switch the method by which I manage the firewalling in the config management, and don't want to run two different things simultaneously, I was planning to wait until my oldest hosts have been upgraded enough and then do them all at once. I don't really want to start rewriting the firewalls on older Debian 8 servers when they should go away within a year anyway.

Cheers,
Andy
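An added example, not part of Andy's mail, of the kind of check the management software could make instead of trusting /proc/net/ip_tables_names alone: it classifies the iptables backend from `iptables -V` (which prints "(nf_tables)" or "(legacy)" after the version on iptables 1.8), reads the legacy proc file, and when that file is empty falls back to `nft list tables` from the nftables package. That the `nft` binary is on PATH is an assumption of this example; the rest is plain text handling so it can be tested offline.

```shell
#!/bin/sh
# Added example (not code from the original post): report which iptables
# backend is active and which netfilter tables exist, without relying only on
# /proc/net/ip_tables_names, which is populated only once the legacy
# iptable_* / ip6table_* modules are loaded. Assumes `nft` from the nftables
# package is on PATH for the fallback (assumption, not from the post).

# Classify the output of `iptables -V`, e.g. "iptables v1.8.2 (nf_tables)".
backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Legacy view: one table name per line, empty or absent when no iptable_*
# module is loaded. The path can be overridden so the function is testable.
legacy_tables() {
    f="${1:-/proc/net/ip_tables_names}"
    [ -r "$f" ] && cat "$f"
    return 0
}

# nf_tables view: reduce `nft list tables` lines such as "table ip filter"
# to "family table" pairs. Reads stdin so canned output can be fed in.
parse_nft_tables() {
    awk '$1 == "table" && NF >= 3 { print $2, $3 }'
}

# Prefer the proc file; if it is empty (the Debian 10 iptables-nft case),
# ask nf_tables directly. Optional argument: alternative proc file path.
active_tables() {
    out="$(legacy_tables "$1")"
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
    elif command -v nft >/dev/null 2>&1; then
        nft list tables 2>/dev/null | parse_nft_tables
    fi
}

# Run with --report on a real host to print the summary.
if [ "${1:-}" = "--report" ]; then
    echo "backend: $(backend_from_version "$(iptables -V 2>/dev/null)")"
    echo "active tables:"
    active_tables | sed 's/^/  /'
fi
```

On a Debian 10 host with iptables-nft rules loaded and no iptable_filter module, `--report` shows backend nf_tables and the tables from `nft list tables` (for iptables-nft rules the family will be ip or ip6); on a host where the module is loaded, the proc file is used as before.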