[Gentoo|Bubbagen] experimental nftables support added to bubba-overlay

Discuss development on Bubba
Post Reply
Posts: 1389
Joined: 10 Aug 2011, 03:18

[Gentoo|Bubbagen] experimental nftables support added to bubba-overlay

Post by Gordon » 11 Sep 2019, 11:06

As xtables support appears to be degrading for newer kernels (xtables-addons can already no longer be compiled on kernel versions higher than 4.14.nnn) the next release of Bubbagen will be exclusively using nftables backend for firewalling. As part of the preparation I have added a prerelease of the new `app-admin/bubba-backend` package for those that are willing to use this new feature.

You must have a kernel with nftables support. This is not the case with the current 4.14 Bubbagen kernel but it may already be present in the current Sakaki- kernel.

The following Gentoo portage flags are needed to be able to install the `9999` prerelease package with support for the nftables backend:
- USE="nftables -iptables"

To migrate your current iptables based firewall you can re-install iptables with added USE="nftables". This will add the program `iptables-restore-translate` to your system that converts the output from `iptables-save` to nft commands. There are some hickups that may require attention:
- your firewall rules cannot contain xtables-addons targets (like geoip)
- the translator does not handle "--icmp-type 3/4" lingua

A basic firewall config can be found in `/usr/share/doc/bubba-backend-9999/examples/firewall.nft`. This config also contains the chains that allow you to do firewall manipulation through the Bubba GUI


Post Reply