Date: Thu, 15 Jan 2026 15:32:26 +0200 (EET)
From: Kaarle Ritvanen
To: "W. Michael Petullo"
cc: ~alpine/devel@lists.alpinelinux.org
Subject: Re: Preferred firewall
Message-ID: <7f95fffb-67ed-2ea8-95e0-e4794363bed9@alpinelinux.org>

On Fri, 2 Jan 2026, W. Michael Petullo wrote:

> It seems x_tables is old (e.g., https://lwn.net/Articles/155118/). Did
> something change recently in Alpine to remove ip_tables (the kernel
> module)?

Recent kernels do not enable the ip_tables module by default, and it is
not enabled in all Alpine kernels (e.g. x86_64).

> Is it true that awall is tied to iptables (the utility)?
>
> Does this mean that awall does not make use of nftables (the kernel
> module)?

awall requires iptables but works with both backends (nftables and
legacy). It does not interact with nftables directly.

> Which is preferred, awall or nftables?

You may use whichever you want. An increasing number of packages ship
with nftables rule files.

> Alpine's documentation still instructs to modprobe ip_tables
> (https://wiki.alpinelinux.org/wiki/How-To_Alpine_Wall). Is this now
> incorrect?

Yes, the page should be updated. Regardless of the iptables backend,
there is no need to run 'modprobe'. You can use these commands instead
for the initial setup:

    awall translate           # update /etc/iptables
    service iptables start    # load modules and rules for IPv4
    service ip6tables start   # load modules and rules for IPv6

There is also an easier method: 'awall activate' has special handling
for the first run (when firewall is not yet enabled in the kernel). It
performs the above steps and also updates the default runlevel and files
in /etc/conf.d.

BR, Kaarle
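
Added example (not part of the original message and not awall's own code): a check to run before the setup steps above, reporting which iptables backend is installed and whether the ip_tables kernel module is loaded. It relies on iptables 1.8+ printing "(nf_tables)" or "(legacy)" in `iptables -V`; the function names, version strings and module lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the iptables backend and ip_tables module state.

# backend_of "<iptables -V output>" -> prints nft | legacy | unknown
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;   # e.g. iptables older than 1.8
    esac
}

# module_loaded <name>: reads /proc/modules-format text on stdin and
# succeeds only if <name> is the first field of some line.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# report "<iptables -V output>": reads module list on stdin, prints summary.
report() {
    backend=$(backend_of "$1")
    if module_loaded ip_tables; then state=loaded; else state=absent; fi
    echo "backend=$backend ip_tables=$state"
}

# Constructed sample of /proc/modules on a host using the nftables backend.
sample_modules() {
    cat <<'EOF'
nft_compat 20480 4 - Live 0x0000000000000000
nf_tables 372736 12 nft_compat, Live 0x0000000000000000
x_tables 65536 2 nft_compat, Live 0x0000000000000000
EOF
}

# Offline demonstration on the constructed sample:
sample_modules | report "iptables v1.8.10 (nf_tables)"

# On a live system:
#   report "$(iptables -V)" < /proc/modules
```

With the nft backend, "ip_tables=absent" is the expected state; only the legacy backend depends on that module being available in the running kernel.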