Tuesday, 10 September 2019

Re: Should we be reverting iptables to iptables-legacy for eoan?

On Tue, 10 Sep 2019, Stéphane Graber wrote:

> For LXD specifically, we think it would take us about 3 weeks of
> engineering work to sort this in a way that can work on all
> distributions, properly detecting and supporting:
> - no nft present
> - nft present but old iptables used
> - nft present and used

I realize that LXD is an atypical snap, but this is exactly the sort of
thing I would hope that snapd could help with so all snaps wouldn't be
required to go through the same hoops to avoid breaking the system. The
one good thing is that iptables-nft is (supposed to ;) wholly support
the iptables-legacy syntax, so there is some hope of making this easier
for the average snap developer. Those that want full-on netfilter would
need to jump through these hoops of course.

For all systems, it probably makes sense to have a small tool that can
perform this detection, so admins, application developers and the like
can then just focus on what tool to use (ideally upstreamed into
iptables itself).
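A sketch of the detection tool the message asks for, added here as an example and not code from the thread, Ubuntu or the iptables project. It separates a pure classifier (so the decision table can be checked offline) from a wrapper that gathers the inputs from the running system. Assumptions: iptables 1.8 and later tag `iptables -V` output with `(legacy)` or `(nf_tables)` while older releases print no tag and are always legacy; the `nft` binary and a non-empty `nft list ruleset` indicate nf_tables tooling present and rules loaded. The function names and the four state labels are this example's own; it adds a fourth outcome, `mixed` (legacy iptables alongside loaded nft rules), beyond the three states listed in the message, because that is the combination most likely to break a system.

```shell
#!/bin/sh
# Added example: classify which packet-filter tooling a host is using.
# Outcomes (labels are this example's own, not a standard):
#   no-nft              no nf_tables tooling available at all
#   nft-present-unused  nft is installed, but iptables is the legacy
#                       backend and no nft ruleset is loaded
#   nft-in-use          iptables runs on nf_tables, or nft rules are
#                       loaded with no legacy iptables in the picture
#   mixed               legacy iptables backend AND a loaded nft ruleset

# classify_backend NFT_PRESENT VERSION_LINE RULESET_NONEMPTY
#   NFT_PRESENT      : "yes" if an nft binary was found, else "no"
#   VERSION_LINE     : first line of `iptables -V`, or "" if no iptables
#   RULESET_NONEMPTY : "yes" if `nft list ruleset` printed anything
classify_backend() {
    cb_nft_present=$1
    cb_version_line=$2
    cb_ruleset_nonempty=$3

    # Assumption: iptables >= 1.8 appends "(nf_tables)" or "(legacy)";
    # anything older prints no tag and can only be the legacy backend.
    case "$cb_version_line" in
        *"(nf_tables)"*) cb_backend=nf_tables ;;
        "")              cb_backend=none ;;
        *)               cb_backend=legacy ;;
    esac

    if [ "$cb_backend" = nf_tables ]; then
        echo nft-in-use            # iptables itself is an nft front end
    elif [ "$cb_nft_present" = no ]; then
        echo no-nft
    elif [ "$cb_ruleset_nonempty" = no ]; then
        echo nft-present-unused
    elif [ "$cb_backend" = legacy ]; then
        echo mixed                # both rule engines hold state: risky
    else
        echo nft-in-use           # nft rules loaded, no iptables present
    fi
}

# Gather the three inputs from the live system and classify them.
detect_backend() {
    if command -v nft >/dev/null 2>&1; then
        db_nft_present=yes
    else
        db_nft_present=no
    fi
    db_version_line=$(iptables -V 2>/dev/null | head -n 1)
    db_ruleset_nonempty=no
    if [ "$db_nft_present" = yes ] && [ -n "$(nft list ruleset 2>/dev/null)" ]; then
        db_ruleset_nonempty=yes
    fi
    classify_backend "$db_nft_present" "$db_version_line" "$db_ruleset_nonempty"
}

# Run the live detection only when asked, so the file can also be sourced.
if [ "${1-}" = "--detect" ]; then
    detect_backend
fi
```

Run it as `sh detect-backend.sh --detect` (root is needed for `nft list ruleset` to see the full ruleset; without it the wrapper may under-report and classify a `mixed` host as `nft-present-unused`). A snap or container manager would act on the label: `no-nft` means the legacy syntax is the only option, `nft-in-use` means iptables rules must go through the nf_tables front end, and `mixed` is the state worth refusing to touch until an admin has consolidated the rules.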

