Rpi 6.18.y: Add NETFILTER_XTABLES_LEGACY to the configs to build iptables #7213
base: rpi-6.18.y
Conversation
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Needing to double check the options - iptables.ko.xz doesn't appear to have got built for me.
Doh, helps to search for
My reading was that iptables on debian uses nftables under the hood, so I don't know if this is necessary (but I admit this is untested).
| CONFIG_NF_FLOW_TABLE_INET=m | ||
| CONFIG_NF_FLOW_TABLE=m | ||
| CONFIG_NETFILTER_XTABLES_COMPAT=y | ||
| CONFIG_NETFILTER_XTABLES_LEGACY=y |
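Review bot: `CONFIG_NETFILTER_XTABLES_LEGACY=y` is silently dropped on any configuration that also sets `CONFIG_PREEMPT_RT=y`, because the symbol is declared `depends on !PREEMPT_RT` in net/netfilter/Kconfig (quoted further down in this thread), so for an RT build this line changes nothing and iptables-legacy still cannot work there. Either keep the RT configs out of this change or state in the commit message that legacy iptables is only available on the non-RT kernel. After applying, run `make olddefconfig` and check that the generated .config still contains `CONFIG_NETFILTER_XTABLES_LEGACY=y` and that the `ip_tables` module is actually produced, given the earlier note in this thread that the module did not get built on a first attempt.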
This is a no-op, NETFILTER_XTABLES_LEGACY isn't compatible with PREEMPT_RT
https://github.com/raspberrypi/linux/blob/rpi-6.18.y/net/netfilter/Kconfig#L761-L769
config NETFILTER_XTABLES_LEGACY
bool "Netfilter legacy tables support"
depends on !PREEMPT_RT
help
Say Y here if you still require support for legacy tables. This is
required by the legacy tools (iptables-legacy) and is not needed if
you use iptables over nftables (iptables-nft).
Legacy support is not limited to IP, it also includes EBTABLES and
ARPTABLES.
Personally I see the absence of the legacy iptables stack as a bonus, as it means you can't accidentally use it at the same time as the modern nftables stack, which is possible but strongly discouraged as it can result in rather unpredictable behaviour and hard-to-diagnose issues. As more and more programs move away from legacy iptables (e.g. systemd dropped iptables support in v259), nftables will be used on more systems as well and the chance of mixing both stacks increases. iptables-nft (which has been the default on Debian for ages if you enter "iptables") provides a nice bridge for legacy programs (e.g. docker comes to mind), but even if iptables defaults to the nft backend, programs can still add legacy rules directly via the kernel API; absence of the legacy API prevents that and usually results in easy-to-spot error messages. Note that this is my very personal opinion on that topic and I'm not saying you should not enable the legacy stack (e.g. upstream Debian still has it enabled in kernel 6.18), that's entirely up to you to decide.
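Two offline checks for the points raised in this thread, added here as an example and not code from this PR or from the raspberrypi/linux tree: whether a kernel `.config` will actually keep `NETFILTER_XTABLES_LEGACY` (it is dropped whenever `CONFIG_PREEMPT_RT=y`, per the Kconfig quoted above), which backend an `iptables` binary reports, and whether both the legacy (`ip_tables`) and nftables (`nf_tables`) stacks are loaded at once, the "mixed stacks" case the comment above warns about. The `iptables -V` output format, the module names used as markers, and all sample `.config` and `lsmod` text are assumptions about a Debian-style userland and are constructed inline so the script runs without a kernel tree or root.

```shell
#!/bin/sh
# Added example (not from the PR or the kernel tree). POSIX sh.

# classify_config <path-to-.config>
# NETFILTER_XTABLES_LEGACY is "depends on !PREEMPT_RT" in net/netfilter/Kconfig,
# so a fragment that sets it is silently discarded by "make olddefconfig" on an
# RT config. Prints: legacy-ok | legacy-blocked-by-rt | legacy-off
classify_config() {
  cfg="$1"
  has_legacy=$(grep -c '^CONFIG_NETFILTER_XTABLES_LEGACY=y$' "$cfg" 2>/dev/null || true)
  has_rt=$(grep -c '^CONFIG_PREEMPT_RT=y$' "$cfg" 2>/dev/null || true)
  if [ "${has_legacy:-0}" -eq 0 ]; then
    echo legacy-off
  elif [ "${has_rt:-0}" -ne 0 ]; then
    echo legacy-blocked-by-rt
  else
    echo legacy-ok
  fi
}

# backend_from_version "<output of iptables -V>"
# Assumption: iptables 1.8.x prints the backend in parentheses, e.g.
# "iptables v1.8.10 (nf_tables)" or "iptables v1.8.10 (legacy)".
# Prints: nft | legacy | unknown
backend_from_version() {
  case "$1" in
    *'(nf_tables)'*) echo nft ;;
    *'(legacy)'*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# stacks_from_lsmod "<output of lsmod>"
# Heuristic (assumption): ip_tables/ip6_tables/arp_tables/ebtables only get
# loaded when something uses the legacy setsockopt API; nf_tables backs both
# nft and iptables-nft. Both present = the two stacks are in use together.
# Prints: none | legacy | nft | mixed
stacks_from_lsmod() {
  legacy=0; nft=0
  printf '%s\n' "$1" | grep -Eq '^(ip_tables|ip6_tables|arp_tables|ebtables)[[:space:]]' && legacy=1
  printf '%s\n' "$1" | grep -Eq '^nf_tables[[:space:]]' && nft=1
  case "$legacy$nft" in
    00) echo none ;;
    10) echo legacy ;;
    01) echo nft ;;
    11) echo mixed ;;
  esac
}

# Constructed sample inputs (not captured from a real system).
MIXED_LSMOD='Module                  Size  Used by
nf_tables             266240  120 nft_compat,nft_chain_nat
iptable_filter         12288  1
ip_tables              36864  1 iptable_filter
x_tables               61440  5 xt_conntrack,nft_compat,iptable_filter,ip_tables'

NFT_ONLY_LSMOD='Module                  Size  Used by
nf_tables             266240  40 nft_compat,nft_chain_nat
x_tables               61440  2 xt_conntrack,nft_compat'

demo_dir=$(mktemp -d)
printf 'CONFIG_PREEMPT_RT=y\nCONFIG_NETFILTER_XTABLES_LEGACY=y\n' > "$demo_dir/rt.config"
printf 'CONFIG_NETFILTER_XTABLES_LEGACY=y\nCONFIG_NF_TABLES=m\n'   > "$demo_dir/std.config"
printf 'CONFIG_NF_TABLES=m\n'                                      > "$demo_dir/off.config"

echo "rt.config:  $(classify_config "$demo_dir/rt.config")"
echo "std.config: $(classify_config "$demo_dir/std.config")"
echo "off.config: $(classify_config "$demo_dir/off.config")"
echo "backend:    $(backend_from_version 'iptables v1.8.10 (nf_tables)')"
echo "lsmod 1:    $(stacks_from_lsmod "$MIXED_LSMOD")"
echo "lsmod 2:    $(stacks_from_lsmod "$NFT_ONLY_LSMOD")"
rm -rf "$demo_dir"
```

On a real Pi the same functions take live input: `classify_config /boot/config-$(uname -r)` (or the output of `zcat /proc/config.gz` written to a file), `backend_from_version "$(iptables -V)"`, and `stacks_from_lsmod "$(lsmod)"`. A result of `legacy-blocked-by-rt` is exactly the no-op situation described above, and `mixed` is the state worth investigating before debugging any odd filtering behaviour.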
I'd also prefer not to enable it, however if large VPN providers like NordVPN are still sticking to using legacy iptables then there's little other option. NordSecurity/nordvpn-linux#467 I'm hoping popcornmix is right that iptables-nft (as provided by the iptables package) provides the relevant access but on top of nftables, however it's not an area I know much about.
https://forums.raspberrypi.com/viewtopic.php?p=2360609#p2360609
Various VPN providers (notably NordVPN) appear still to be sticking with iptables, despite it being replaced by nft-tables since Buster (2019).
6.17 moved the kernel modules behind NETFILTER_XTABLES_LEGACY, so enable the legacy path.