Author Topic: how to disable iptables after migrating to nftables?  (Read 5132 times)

Offline GNUser

  • Hero Member
  • *****
  • Posts: 1343
how to disable iptables after migrating to nftables?
« on: December 17, 2021, 08:51:04 AM »
I migrated the firewall in my router from iptables to nftables. Router runs TCL11 x86_64. Now I'd like to completely disable iptables because even when the built-in chains have no rules, all the chains are still traversed--with associated overhead.

Interestingly, nftables.tcz depends on iptables.tcz, so I cannot do without the iptables.tcz extension:
Code:
bruno@t400:/mnt/sda1/tce/optional$ grep iptables *.dep
nftables.tcz.dep:iptables.tcz
wireguard-tools.tcz.dep:iptables.tcz

lsmod shows that the kernel modules  iptable_mangle  and  iptable_nat  are loaded. I can remove these kernel modules easily enough:
Code:
# modprobe -r iptable_mangle
# modprobe -r iptable_nat

I noticed that wireguard actually prefers nftables and uses it instead of iptables when both are available.

My two questions for you smart guys are:
1. What is the best way to disable iptables so that all the completely empty chains are not being traversed?
2. Why are the  iptable_nat  and  iptable_mangle  kernel modules being loaded? I didn't load them and they don't seem to be dependencies of any of the other kernel modules. Also, I don't see any script in  /usr/local/tce.installed  that is loading them.

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11178
Re: how to disable iptables after migrating to nftables?
« Reply #1 on: December 17, 2021, 09:15:56 AM »
Hi GNUser
... My two questions for you smart guys are:
1. What is the best way to disable iptables so that all the completely empty chains are not being traversed? ...
Maybe something like this would work:
Code:
root@kerneltalks # iptables -F
root@kerneltalks # iptables -X
root@kerneltalks # iptables -P INPUT ACCEPT
root@kerneltalks # iptables -P OUTPUT ACCEPT
root@kerneltalks # iptables -P FORWARD ACCEPT

Quote
Where -

    -F: Flush all policy chains
    -X: Delete user-defined chains
    -P INPUT/OUTPUT/FORWARD: Accept specified traffic

Result:
Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Found here:
https://kerneltalks.com/howto/how-to-disable-iptables-firewall-temporarily/

The link also tells you how to back up your existing policies should you wish to.

Quote
... 2. Why are the  iptable_nat  and  iptable_mangle  kernel modules being loaded? ...
Probably one of the iptables executables or libraries loads them.
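
An added example, not code from this thread or from the Tiny Core project: it turns the question behind the exchange above, whether iptables is now really a no-op, into a check that can be run offline against saved `iptables-save` and `lsmod` output. The sample inputs are constructed; on the router itself the live commands would be piped in (`iptables-save | iptables_is_noop`, `lsmod | legacy_modules`). The module check lists the `iptable_*` modules GNUser saw in `lsmod`, because those are the modules that register the legacy tables in the first place.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the legacy iptables tables
# are a no-op, working on saved text so the result can be reviewed offline.

# iptables_is_noop: read iptables-save text on stdin and print one verdict per
# table. A table is a no-op when every built-in chain has policy ACCEPT and the
# table holds no -A rules. Exit status 0 only when every table is a no-op.
iptables_is_noop() {
    awk '
        BEGIN { status = 0 }
        /^\*/ { table = substr($0, 2); next }                          # "*filter" opens a table
        /^:/  { if ($2 != "ACCEPT" && $2 != "-") bad[table]++; next }  # ":INPUT DROP [0:0]"; "-" marks a user chain
        /^-A / { rules[table]++; next }                                # one rule
        /^COMMIT/ {
            if (rules[table] + 0 == 0 && bad[table] + 0 == 0) {
                printf "%s: no rules, all policies ACCEPT\n", table
            } else {
                printf "%s: %d rule(s), %d non-ACCEPT policy chain(s)\n", table, rules[table] + 0, bad[table] + 0
                status = 1
            }
        }
        END { exit status }
    '
}

# legacy_modules: read lsmod output on stdin and print the loaded legacy table
# modules (iptable_nat, ip6table_mangle, ...). These register the legacy
# tables; an empty result means no legacy table is currently registered.
legacy_modules() {
    awk 'NR > 1 && $1 ~ /^ip6?table_/ { print $1 }'
}

# Constructed sample: iptables-save output after -F / -X / -P ... ACCEPT.
SAMPLE_CLEAN='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: a filter table that still carries a DROP policy and a rule.
SAMPLE_DIRTY='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wg0 -j ACCEPT
COMMIT'

# Constructed sample: lsmod showing the two modules the thread found loaded.
SAMPLE_LSMOD='Module                  Size  Used by
iptable_nat            16384  0
nf_nat                 45056  1 iptable_nat
iptable_mangle         16384  0
ip_tables              28672  2 iptable_nat,iptable_mangle
wireguard              90112  0'

# Run with --demo to see both checks on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CLEAN" | iptables_is_noop
    printf '%s\n' "$SAMPLE_DIRTY" | iptables_is_noop
    printf '%s\n' "$SAMPLE_LSMOD" | legacy_modules
fi
```

On the clean sample every table reports "no rules, all policies ACCEPT" and the script exits 0; on the dirty sample the filter table is reported with one rule and one non-ACCEPT chain and the exit status is 1, so the check can gate a script that goes on to unload the modules.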

Offline GNUser

  • Hero Member
  • *****
  • Posts: 1343
Re: how to disable iptables after migrating to nftables?
« Reply #2 on: December 17, 2021, 09:32:01 AM »
Thanks, Rich, but I have already cleared all rules from iptables chains. Also, the default target on all of the iptables chains is already ACCEPT.

My nftables firewall is working well and doing everything I need.

What I'm trying to accomplish here is to completely shut off iptables. For every network packet to traverse both nftables (which does useful work for me) and iptables (which now consists of a bunch of default tables with empty default chains) seems ugly and inefficient.

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11178
Re: how to disable iptables after migrating to nftables?
« Reply #3 on: December 17, 2021, 10:04:26 AM »
Hi GNUser
How about:
Code:
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

Found here:
https://serverfault.com/questions/129086/how-to-start-stop-iptables-on-ubuntu

Are you sure nftables needs iptables? According to Google nftables is supposed to replace iptables.

Offline GNUser

  • Hero Member
  • *****
  • Posts: 1343
Re: how to disable iptables after migrating to nftables?
« Reply #4 on: December 17, 2021, 10:07:01 AM »
iptables has default tables and chains that continue to exist even when they contain no rules. nftables is not like this--the only tables and chains that exist are those explicitly created by the user (or applications).

Since I cannot delete the empty tables and chains in iptables, I am assuming that all of my network packets are traversing those empty tables and chains. There is a chance my assumption is wrong and that what packets traverse is the Netfilter engine and that both  iptables  and  nftables  are just human-friendly constructs to manipulate the Netfilter engine. If someone knows which is the case, please let me know.

Offline GNUser

  • Hero Member
  • *****
  • Posts: 1343
Re: how to disable iptables after migrating to nftables?
« Reply #5 on: December 17, 2021, 10:08:40 AM »
Quote
Are you sure nftables needs iptables? According to Google nftables is supposed to replace iptables.

No, I'm not sure. I'm going to try removing  iptables.tcz  from the list of dependencies for wireguard-tools and nftables to see what happens.

Offline GNUser

  • Hero Member
  • *****
  • Posts: 1343
Re: how to disable iptables after migrating to nftables?
« Reply #6 on: December 17, 2021, 10:22:50 AM »
Hi, Rich. Both  nftables.tcz  and  wireguard-tools.tcz  need a single library from the  iptables.tcz  extension (namely, libxtables.so.12.2.0). If I extract  iptables.tcz, grab the needed library, and put it in /usr/local/lib, then everything works just fine.

I think what I'll do is to add libxtables.12.2.0 to my backup then delete  iptables.tcz  from  nftables.tcz.dep  and from  wireguard-tools.tcz.dep.

Thanks for poking me in the right direction.

P.S. Thank you, Juanito, for the nftables.tcz extension! I was thrilled when I found it in the repository. One thought about the extension: Since it is meant to replace iptables.tcz, perhaps it should include libxtables.12.2.0 and not depend on iptables.tcz for it? Or maybe libxtables should be its own extension that both iptables.tcz and nftables.tcz depend on? I don't know the best/most correct way, just thinking out loud.
« Last Edit: December 17, 2021, 10:26:36 AM by GNUser »

Offline GNUser

  • Hero Member
  • *****
  • Posts: 1343
Re: how to disable iptables after migrating to nftables?
« Reply #7 on: December 17, 2021, 10:25:41 AM »
Rich: I will add libxtables to my backup, then will remove iptables.tcz from the two .dep files that list it. At that point, iptables.tcz will no longer be loaded, which in effect disables it completely ;D Thread may be marked as solved!

Offline GNUser

  • Hero Member
  • *****
  • Posts: 1343
Re: how to disable iptables after migrating to nftables?
« Reply #8 on: December 17, 2021, 10:44:00 AM »
To clarify the dependency web:
- wireguard-tools.tcz depends on either nftables.tcz or iptables.tcz (if both extensions are present, it uses nftables)
- nftables.tcz and iptables.tcz both depend on the library libxtables
- nftables.tcz does not actually need anything in iptables.tcz other than libxtables
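
An added example, not code from this thread or from Tiny Core: the steps GNUser describes in replies #6 to #8 (keep libxtables.so.12.2.0 in the backup, then remove iptables.tcz from nftables.tcz.dep and wireguard-tools.tcz.dep) written as a script with checks around each step. It refuses to edit the .dep files until the library is present in the target lib directory, keeps a .bak copy of each file it changes, and reports any other .dep file that still lists iptables.tcz without touching it. The directory paths are arguments so it can be exercised on a scratch copy first; on a Tiny Core box they would be the tce optional directory and /usr/local/lib. The only path not taken from the thread is /opt/.filetool.lst, Tiny Core's backup list.

```shell
#!/bin/sh
# Added example (not from the thread): detach nftables/wireguard-tools from
# iptables.tcz the way GNUser describes, with checks and backups.
LIBXTABLES=libxtables.so.12.2.0   # the one file the thread found both extensions need

# add_to_backup <listfile> <path>: record path in the backup list exactly once.
# On Tiny Core the list is /opt/.filetool.lst and paths are relative to /.
add_to_backup() {
    grep -qx -- "$2" "$1" 2>/dev/null || echo "$2" >> "$1"
}

# list_dependents <tcedir> <ext.tcz>: print every .dep file in tcedir that
# lists ext.tcz as an exact line (the thread's "grep iptables *.dep", made exact).
list_dependents() {
    ( cd "$1" && grep -lx -- "$2" *.dep 2>/dev/null ) || :
}

# drop_dep <depfile> <ext.tcz>: remove an exact dependency line, keeping a
# .bak copy. Returns 0 if removed, 1 if not listed, 2 if the file is missing.
drop_dep() {
    depfile=$1 dep=$2
    [ -f "$depfile" ] || return 2
    grep -qx -- "$dep" "$depfile" || return 1
    cp -p "$depfile" "$depfile.bak"
    # grep -v exits 1 when nothing is left, which is the expected outcome for a
    # .dep file whose only entry was iptables.tcz, so that status is ignored.
    grep -vx -- "$dep" "$depfile.bak" > "$depfile" || :
}

# detach_iptables <tcedir> <libdir>: refuse unless libxtables is already in
# libdir (so nftables and wireguard-tools keep working once iptables.tcz is no
# longer loaded), then drop iptables.tcz from the two .dep files named in the
# thread. Any other .dep file still listing iptables.tcz is reported, not edited.
detach_iptables() {
    tcedir=$1 libdir=$2
    if [ ! -e "$libdir/$LIBXTABLES" ]; then
        echo "refusing: $libdir/$LIBXTABLES not found; copy it there and add it to the backup first" >&2
        return 1
    fi
    for ext in nftables wireguard-tools; do
        rc=0
        drop_dep "$tcedir/$ext.tcz.dep" iptables.tcz || rc=$?
        case $rc in
            0) echo "$ext.tcz.dep: removed iptables.tcz (backup in $ext.tcz.dep.bak)" ;;
            1) echo "$ext.tcz.dep: iptables.tcz not listed, nothing to do" ;;
            *) echo "$ext.tcz.dep: not found in $tcedir" >&2 ;;
        esac
    done
    left=$(list_dependents "$tcedir" iptables.tcz)
    if [ -n "$left" ]; then
        echo "still listing iptables.tcz (left unchanged): $left"
    fi
}

# Usage: detach.sh <tcedir> <libdir>, e.g. /mnt/sda1/tce/optional /usr/local/lib
if [ "$#" -eq 2 ]; then
    detach_iptables "$1" "$2"
fi
```

Run it once against a copy of the tce directory to see what it would change; because drop_dep is exact-match and idempotent, running it again on the real directory only reports "nothing to do" for files it already edited.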

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11178
Re: how to disable iptables after migrating to nftables?
« Reply #9 on: December 17, 2021, 10:47:25 AM »
Hi GNUser
... that both  iptables  and  nftables  are just human-friendly constructs to manipulate the Netfilter engine. ...
That was mentioned in the  serverfault  link that I posted as well as other sources I viewed.

I also noticed this on the git site:
Code:
AC_ARG_WITH([xtables], [AS_HELP_STRING([--with-xtables],
            [Use libxtables for iptables interaction])],
    [], [with_xtables=no])
It appears  ./configure  allows you to disable xtables when building nftables.

Found here:
https://git.netfilter.org/nftables/tree/configure.ac

Offline GNUser

  • Hero Member
  • *****
  • Posts: 1343
Re: how to disable iptables after migrating to nftables?
« Reply #10 on: December 17, 2021, 04:55:27 PM »
Rich,
Thank you for that. Good to know that nftables can be built without xtables. That would do away with the dependency on iptables.tcz

Juanito,
I see you are the maintainer of the nftables.tcz extension. Would you like me to update the extension and remove the dependency on libxtables/iptables, or are there common use cases where libxtables support is desirable?

Offline andyj

  • Hero Member
  • *****
  • Posts: 1020
Re: how to disable iptables after migrating to nftables?
« Reply #11 on: December 17, 2021, 09:24:17 PM »
Maybe for xtables-addons like geoip?

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14516
Re: how to disable iptables after migrating to nftables?
« Reply #12 on: December 18, 2021, 01:23:11 AM »
Juanito,
I see you are the maintainer of the nftables.tcz extension. Would you like me to update the extension and remove the dependency on libxtables/iptables, or are there common use cases where libxtables support is desirable?

There seem to be two choices:

1. factor out libxtables so it is a dep for iptables and nftables
2. recompile nftables so it doesn't require libxtables

Maybe it makes more sense to try option 1 first, in which case I can refactor the iptables extension.

Offline GNUser

  • Hero Member
  • *****
  • Posts: 1343
Re: how to disable iptables after migrating to nftables?
« Reply #13 on: December 18, 2021, 04:45:42 AM »
Hi, Juanito. I went ahead and built updated nftables.tcz without libxtables for my own use. I also needed to build a newer libnftnl.tcz to support nftables.

It's your call, of course. I think both are good choices. If your preference for #1 is to keep more features in nftables, then go with #1. If your preference for #1 is because it is easier, let's go with #2 because I already built and tested everything and it would require minimal extra work for me to submit it. Just let me know.

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14516
Re: how to disable iptables after migrating to nftables?
« Reply #14 on: December 18, 2021, 04:52:02 AM »
Let's go with 2  :)