Date: Sat, 15 May 2021 13:32:48 +0000
From: Daniel Gray
To: ~alpine/users@lists.alpinelinux.org
Subject: Changing legacy iptables/nft
Message-ID: <20210515133248.txheslwbqlzxzecn@disroot.org>

Hi,

I'm wondering if it's possible to change the iptables family of commands to point to the iptables-nft* versions instead. Currently looking at Docker, which seems to put iptables rules in the legacy tables.
Docker seems to just use iptables (https://docs.docker.com/network/iptables/) and the recommended solution seems to be to do something like:

  sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
  sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

However this is only for Debian based distributions.

I thought about wiping the table and using nftables (which I prefer), but the only issue with that is I would have to manually update it, as this person points out:
https://gist.github.com/goll/bdd6b43c2023f82d15729e9b0067de60#gistcomment-3738515

I also found that it interferes with LXD and KVM:
https://discuss.linuxcontainers.org/t/lxd-and-docker-firewall-redux-how-to-deal-with-forward-policy-set-to-drop/9953/7
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865975

In theory, if there was a nice way to make Alpine Linux use the iptables-nft* variants by default, then I should be able to continue to use nftables as usual for my manually created rules.

-- 
Daniel Gray (dng)
0x41911F722B0F9AE3
https://social.privacytools.io/@dngray
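As an added example (not part of Daniel's post, and not Alpine project code), the script below does by hand what `update-alternatives` does on Debian: it reads which backend the current `iptables` binary reports and repoints the unversioned `iptables`/`ip6tables` names (plus their `-save`/`-restore` helpers) at either the `-nft` or `-legacy` variant via symlinks, refusing to overwrite a real file. It assumes the variant binaries use the upstream names (`iptables-nft`, `iptables-legacy`, `iptables-nft-save`, and so on) and live in one directory; the directory used here is a scratch prefix populated with fake binaries constructed for the demo, so it runs without root. Against a real prefix it would need root and the paths checked first.

```bash
#!/bin/sh
# Added example: switch the unversioned iptables names between the
# nf_tables and legacy backends on a system without update-alternatives.
# ASSUMPTIONS: variant binaries follow the upstream naming scheme
# (iptables-nft, iptables-legacy, iptables-nft-save, ...) and share one
# directory. Real systems may differ; verify before running as root.
set -eu

# Classify a backend from the string `iptables -V` prints, e.g.
# "iptables v1.8.7 (nf_tables)" or "iptables v1.8.7 (legacy)".
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Backend of the `iptables` binary found in directory $1.
current_backend() {
    dir=$1
    if [ -x "$dir/iptables" ]; then
        backend_of "$("$dir/iptables" -V 2>/dev/null || true)"
    else
        echo missing
    fi
}

# Repoint iptables/ip6tables and their -save/-restore helpers in $1 at
# variant $2 ("nft" or "legacy") using relative symlinks. Refuses to
# clobber a non-symlink so a real packaged binary is never overwritten.
select_backend() {
    dir=$1 variant=$2
    for base in iptables ip6tables; do
        for suffix in "" -save -restore; do
            target="$dir/${base}-${variant}${suffix}"
            link="$dir/${base}${suffix}"
            [ -x "$target" ] || { echo "missing $target" >&2; return 1; }
            if [ -e "$link" ] && [ ! -L "$link" ]; then
                echo "refusing to replace non-symlink $link" >&2; return 1
            fi
            ln -sf "$(basename "$target")" "$link"
        done
    done
}

# Constructed scratch prefix with fake variant binaries that only print a
# version string; `iptables` starts out pointed at the legacy variant.
make_fake_prefix() {
    d=$(mktemp -d)
    for v in legacy nft; do
        for base in iptables ip6tables; do
            for suffix in "" -save -restore; do
                f="$d/${base}-${v}${suffix}"
                if [ "$v" = nft ]; then tag=nf_tables; else tag=legacy; fi
                printf '#!/bin/sh\necho "%s v1.8.7 (%s)"\n' "$base" "$tag" > "$f"
                chmod +x "$f"
            done
        done
    done
    ln -s iptables-legacy "$d/iptables"
    echo "$d"
}

demo() {
    p=$(make_fake_prefix)
    before=$(current_backend "$p")
    select_backend "$p" nft
    after=$(current_backend "$p")
    echo "iptables backend: $before -> $after"
    rm -rf "$p"
}

demo
```

Switching the symlinks only changes which backend new `iptables` invocations talk to. Rules already loaded through the legacy backend stay in the legacy tables, and the kernel keeps evaluating both sets, so after a switch check `iptables-legacy -S` (and `ip6tables-legacy -S`) for leftovers and compare against `nft list ruleset`; Docker's chains will only reappear under nf_tables once the daemon recreates them.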