Re: [DNG] How stable Is beowulf? How to upgrade from ascii?
On 07/11/2019 at 15:57, fraser kendall wrote:
> Beowulf/Buster has moved from iptables to nftables.

and what about bpfilter? https://lwn.net/Articles/747551/

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] iptables at risk when upgrading?
On Thu, Nov 07, 2019 at 02:57:53PM +, fraser kendall wrote:
> On Thu, 7 Nov 2019 13:13:38 +0100
> Bernard Rosset via Dng wrote:
>
> > - Even though I use scripts to automatically save/restore ip(6)tables
> > rules on up/down, I ended up having my rules cleared through initial
> > reboots. No precise idea on why.
> > I suggest you always keep a manual save of them somewhere.
>
> Beowulf/Buster has moved from iptables to nftables. You can still use
> iptables* with iptables-legacy*, but you'll need to edit your scripts
> to reflect this. The option to save existing rules is part of the
> upgrade but assumes that the existing rules haven't already been
> overwritten with the default 'allow anything and everything'. I use a
> second root terminal to check the current ruleset before making the
> decision to accept; I also check that the correct ruleset has been
> applied after the first few reboots and any updates just to be sure.

Does this mean that the upgrade from ascii to beowulf is not transparent and that I risk losing the iptables on my front-end machine when I do it?

-- 
hendrik
Re: [DNG] iptables at risk when upgrading?
> "HB" == Hendrik Boom writes:

HB> Does this mean that the upgrade from ascii to beowulf is not transparent
HB> and that I risk losing the iptables on my front-end machine when I do it?

Save the tables with iptables-save and ip6tables-save before upgrading and try restoring them with iptables-restore and ip6tables-restore after upgrading.

Or, save before and then, after the upgrade, run:

    #!/bin/sh
    update-alternatives --set iptables /usr/sbin/iptables-legacy
    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
    update-alternatives --set arptables /usr/sbin/arptables-legacy
    update-alternatives --set ebtables /usr/sbin/ebtables-legacy

and then restore them with iptables-restore and ip6tables-restore.

If you do not have arptables and ebtables installed, those two lines will report errors, but it won't hurt anything.

After the upgrade, /usr/sbin/iptables will be a symlink to /etc/alternatives/iptables. After the update-alternatives calls, /etc/alternatives/iptables will be a symlink to /usr/sbin/iptables-legacy, so you won't then have to edit any callers. Symlinks exist like that also for ip6tables, each's -save and -restore as well as {arp,eb}tables.

Disclaimer: not my work; someone posted the u-a calls on debian-devel a few weeks ago. I use it on some kvm and openvz which do not work well with nftables or the nftable-using iptables. They got filtering working again for me.

-JimC
-- 
James Cloos OpenPGP: 0x997A9F17ED7DAEA6
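The two pieces of advice above, fraser's habit of checking the live ruleset before accepting the upgrade step and after each reboot, and Jim's save / switch-the-alternatives / restore sequence, fit naturally into one small script. The following is an added example, not code from this thread, from Devuan or from Debian. It assumes the Debian/Devuan paths /usr/sbin/<tool>-legacy, the standard iptables-save and iptables-restore tools, and a hypothetical script name fw-checkpoint.sh; the save, legacy and restore actions need root. The one thing the script adds beyond the posts is a classifier for an iptables-save dump that recognises the "allow anything and everything" default (no rules, every built-in chain policy ACCEPT), so a save taken after the rules were already cleared cannot silently overwrite an earlier good save, and a restore that left the box open is reported as a failure.

```sh
#!/bin/sh
# fw-checkpoint.sh (hypothetical name): checkpoint the iptables/ip6tables
# ruleset around an ascii -> beowulf upgrade. Added example, not from the
# thread. Assumes Debian/Devuan paths for *-legacy, *-save and *-restore.

# Classify an iptables-save dump read from stdin.
#   "empty"  : no rules and every built-in chain policy is ACCEPT, i.e. the
#              "allow anything and everything" default the thread warns about.
#   "active" : at least one rule, or a built-in chain with a non-ACCEPT policy.
# Chain lines look like ":INPUT DROP [0:0]"; user-defined chains carry "-".
ruleset_state() {
    awk '
        /^-A / { rules++ }
        /^:/   { if ($2 != "ACCEPT" && $2 != "-") strict++ }
        END    { s = (rules == 0 && strict == 0) ? "empty" : "active"; print s }
    '
}

# Save the live v4 and v6 rulesets into DIR. Refuse to overwrite an earlier
# save with an empty ruleset: that is exactly the case where the rules were
# already cleared and the upgrade's "save existing rules" offer would be moot.
save_rules() {
    dir=$1
    mkdir -p "$dir"
    for fam in iptables ip6tables; do
        tmp=$(mktemp)
        "${fam}-save" > "$tmp"
        if [ "$(ruleset_state < "$tmp")" = empty ] && [ -s "$dir/$fam.rules" ]; then
            echo "$fam: live ruleset is empty, keeping earlier $dir/$fam.rules" >&2
            rm -f "$tmp"
            continue
        fi
        mv "$tmp" "$dir/$fam.rules"
    done
}

# Point the whole family at the legacy (xtables) backend so existing scripts
# keep working unchanged; arptables/ebtables are only switched if installed,
# which avoids the harmless-but-noisy update-alternatives errors Jim mentions.
select_legacy() {
    for tool in iptables ip6tables arptables ebtables; do
        if [ -x "/usr/sbin/${tool}-legacy" ]; then
            update-alternatives --set "$tool" "/usr/sbin/${tool}-legacy"
        else
            echo "$tool-legacy not installed, skipping" >&2
        fi
    done
}

# Restore from DIR, then verify the live ruleset is not the empty default.
restore_rules() {
    dir=$1
    for fam in iptables ip6tables; do
        [ -s "$dir/$fam.rules" ] || continue
        "${fam}-restore" < "$dir/$fam.rules"
        if [ "$("${fam}-save" | ruleset_state)" != active ]; then
            echo "$fam: ruleset still empty after restore" >&2
            return 1
        fi
    done
}

# Usage (as root):
#   ./fw-checkpoint.sh save /root/fw-backup      before the upgrade
#   ./fw-checkpoint.sh legacy                    after it, if keeping iptables-legacy
#   ./fw-checkpoint.sh restore /root/fw-backup   after it
#   ./fw-checkpoint.sh check                     after each reboot or update
if [ $# -gt 0 ]; then
    case "$1" in
        save)    save_rules "${2:?backup dir}" ;;
        legacy)  select_legacy ;;
        restore) restore_rules "${2:?backup dir}" ;;
        check)   for fam in iptables ip6tables; do
                     printf '%s: %s\n' "$fam" "$("${fam}-save" | ruleset_state)"
                 done ;;
        *)       echo "usage: $0 save|legacy|restore|check [dir]" >&2; exit 2 ;;
    esac
fi
```

Running `check` from the second root terminal before answering the upgrade prompt, and again after the first reboots, is the manual verification fraser describes; `save` is the manual backup Bernard recommends instead of trusting the if-pre-up.d/ and if-post-down.d/ hooks alone.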
Re: [DNG] iptables at risk when upgrading?
> Does this mean that the upgrade from ascii to beowulf is not transparent
> and that I risk losing the iptables on my front-end machine when I do it?

That is precisely what happened to me, for unclear reasons. Cannot say if this is systematic, or if I fell upon a specific use case trap.

Manually save your rules, as in: do not merely rely on your if-pre-up.d/ & if-post-down.d/ scripts.

As stated before, you'll always be able to restore exported rules, as nftables keeps backwards-compatible tools allowing you to load your saved rulesets from iptables. It *might* just not happen automatically during the upgrade process, as I experienced.

Bernard Rosset
https://rosset.net/