
We have servers where the admins are used to using ufw on Debian 9. Upgrading to Debian 10 means switching from iptables to nftables (yes, we could still use iptables-legacy, but we do not want to unless ufw will support nftables in the future).

Is there an nftables wrapper for ufw that we could use?

Is there an easy-to-use program like ufw that works natively with nftables?

Jason Cotman

  • The default `iptables` package on Debian 10 is a wrapper for the `nftables` kernel API. So you can still use `iptables` syntax and programs that use `iptables`, while under the hood `nftables` will be used instead of `netfilter`. – Piotr P. Karwasz Mar 15 '20 at 06:45
  • No, you cannot. I definitely tried that first. ufw does not work out of the box on Debian 10. Currently using iptables-legacy works, but I don't like that solution. – Jason Cotman Mar 15 '20 at 08:59
  • Can you edit the question and clarify what didn't work when you used `ufw` with `iptables-nft`? `ufw` just calls `/sbin/iptables` with the appropriate options. – Piotr P. Karwasz Mar 15 '20 at 09:47
  • No, I don't think that would be a good use of time. – Jason Cotman Jun 16 '20 at 20:31
  • I remember looking at `ufw`'s code, which just calls the `iptables` executable. Now `iptables` with the `nft` backend works out of the box on Debian 10. Without further explanations on your behalf it's hard to understand why you need `iptables-legacy` instead of the newer `nft` backend. – Piotr P. Karwasz Jun 17 '20 at 22:32
  • FWIW, I upgraded my ufw-based Debian 9 firewall to Debian 10 a while ago. I saw the notice about `iptables-legacy` and today wanted to take a stab at migrating to `iptables-nft`. To my surprise, `iptables` already points to the `iptables-nft` flavor and everything works. So it seems that `ufw` definitely can be made to work with `nftables`. But please don't ask me how, it just worked out of the box for me :-) – Marcin Owsiany Mar 07 '21 at 20:54
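The comments above turn on one fact: which backend `/sbin/iptables` resolves to, because that is the binary ufw calls. The script below is an added example (not code from the thread or from ufw) for checking that on a Debian 10 host: it parses the backend name that iptables 1.8 prints in `iptables -V`, shows the `update-alternatives` selection, and counts the ufw chains that become visible through `nft list ruleset` when the nf_tables backend is in use. It assumes Debian's alternatives layout (`/usr/sbin/iptables-nft`, `/usr/sbin/iptables-legacy`); the sample strings in the tests are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: report which iptables backend
# ufw will end up driving on a Debian 10 host.
# Assumes Debian's update-alternatives layout for iptables (iptables-nft /
# iptables-legacy) and iptables >= 1.8, which names its backend in -V output.

# Map an `iptables -V` line to nf_tables, legacy or unknown.
# iptables 1.8 prints e.g. "iptables v1.8.2 (nf_tables)" or "... (legacy)";
# iptables 1.6 (Debian 9) prints no backend at all, hence "unknown".
backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Count ufw chains in `nft list ruleset` output read from stdin. With the
# nf_tables backend, ufw's chains (ufw-before-input and friends) appear as
# nft chains inside the ip/ip6 "filter" tables; with the legacy backend
# nft sees none of them.
count_ufw_chains() {
    grep -c '^[[:space:]]*chain ufw' || true
}

# Live check; needs root for `nft list ruleset`.
check_system() {
    ver="$(iptables -V 2>/dev/null || true)"
    backend="$(backend_from_version "$ver")"
    echo "iptables: ${ver:-not installed} -> backend: $backend"

    # Which alternative /usr/sbin/iptables currently points at.
    if command -v update-alternatives >/dev/null 2>&1; then
        update-alternatives --query iptables 2>/dev/null | grep '^Value:' || true
    fi

    if command -v nft >/dev/null 2>&1; then
        n="$(nft list ruleset 2>/dev/null | count_ufw_chains)"
        echo "ufw chains visible to nft: $n"
    fi

    if [ "$backend" = legacy ]; then
        echo "to move ufw onto the nft backend:"
        echo "  update-alternatives --set iptables  /usr/sbin/iptables-nft"
        echo "  update-alternatives --set ip6tables /usr/sbin/ip6tables-nft"
        echo "then reload ufw so its chains are recreated by iptables-nft"
    fi
}

# Only touch the host when explicitly asked, so the functions above can be
# sourced or tested without running iptables/nft.
if [ "${1-}" = check ]; then
    check_system
fi
```

Run it as `sudo sh check-backend.sh check`. If the chain count is non-zero while ufw is enabled, ufw's rules are already being installed through nftables and there is nothing to migrate.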

1 Answer


There's no nftables wrapper for nft, and firewalld isn't ready for nftables either. You could write your nftables ruleset config files and share the code between the servers. You can load them via `sudo nft -f /etc/mycustomrules`.

aardbol
  • Thank you, but there are too many dynamic systems involved to do it this way. I either need to learn nftables as well as I knew iptables, and handle it for all of the clients, or wait for a product similar to ufw. Or use iptables-legacy, I guess. – Jason Cotman Jun 16 '20 at 20:30
  • nft is a userspace CLI which talks to nftables in kernel space. Not the other way around. Also, firewalld uses nftables by default on CE8 and Debian 10. So the only part of your answer that is correct is the last part. – Fred Flint Feb 10 '21 at 17:56
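The answer's "write your own ruleset and load it with `nft -f`" approach, as an added example that is not part of the answer or of any project: a small deploy script that writes a shared nftables ruleset and loads it. The ruleset mirrors what people typically get from ufw (drop inbound, allow outbound, allow established traffic, open ssh/http/https) and starts with `flush ruleset` so reloading replaces rules instead of stacking them. The policy, the ports and the target path `/etc/nftables.conf` (the file Debian's `nftables.service` loads at boot) are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not from the original answer: a shared nftables ruleset and
# a loader for it. Policy, ports and the RULES path are assumptions.

RULES="${RULES:-/etc/nftables.conf}"   # loaded by Debian's nftables.service at boot

# Write the ruleset to the path given as $1.
write_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
# Start from an empty state so re-running `nft -f` replaces the rules instead
# of adding a second copy. Caveat: this also removes the ip/ip6 "filter"
# tables that iptables-nft (and therefore ufw) creates, so do not run this
# alongside ufw on the same host.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Return traffic and loopback first; drop packets conntrack cannot place.
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # ICMP/ICMPv6 are needed for PMTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Admin access; log each new session so logins are auditable.
        tcp dport 22 ct state new log prefix "nft ssh: " accept

        # Application ports, edited in one place for every server.
        tcp dport { 80, 443 } accept

        # Log what the default policy drops, rate-limited so a scan
        # cannot flood syslog.
        limit rate 5/minute log prefix "nft drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Validate, then apply. `nft -f` applies the file as one transaction, so a
# parse error leaves the current rules untouched; checking with -c first
# still gives a readable error before anything is flushed.
load_ruleset() {
    nft -c -f "$1" || return 1
    nft -f "$1"
}

# List the TCP ports the file opens, read from the file rather than the
# kernel, so it also works on the host that distributes the ruleset.
open_tcp_ports() {
    grep -o 'tcp dport [^a-z]*' "$1" \
        | tr -c '0-9\n' ' ' | tr -s ' ' \
        | sed 's/^ //; s/ $//' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Only write and load when explicitly asked, so the functions can be
# sourced or tested without touching the host.
if [ "${1-}" = install ]; then
    write_ruleset "$RULES" && load_ruleset "$RULES"
fi
```

Run `sudo sh nft-deploy.sh install` on each server, then `systemctl enable nftables` so the same file is reloaded at boot; `open_tcp_ports /etc/nftables.conf` is a quick way to confirm what a copied file exposes before loading it.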