Raspbian Buster Lite has iptables but not nftables

Posted: Thu Jul 11, 2019 6:24 am
by beta-tester
hello,
i just flashed the official "2019-06-20-raspbian-buster-lite.zip" to my SD card and plugged it to my RPi Zero.
i know Debian Buster is using by default nftables instead of iptables.
while installing and configuring things (dnsmasq, samba, lighttpd, wireguard) i realized,
that on my Raspbian Buster Lite image only iptables is installed and active.
there is no nftables installed, because i get this:

Code:

:~ $ sudo nft --help
sudo: nft: command not found

Code:

:~ $ sudo dpkg -l | grep -E 'nftables|iptables'
ii  iptables                       1.8.2-4                     armhf        administration tools for packet filtering and NAT
ii  libnftnl11:armhf               1.1.2-2                     armhf        Netfilter nftables userspace API library

Code:

:~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

i didn't try the other versions of Raspbian Buster (full and the normal one),
but this comment lets me think that on Raspbian Buster nftables is installed and active by default...
Is been iptables substituted by nftables in Rasbpian Buster?

so is it a mistake, that on the light version is no nftables installed?
can i install nftables simply via sudo apt install nftables, and everything is good now - iptables is deactivated and nftables is active from now on...
or are there more things to do?

Re: Raspbian Buster Lite has iptables but not nftables

Posted: Thu Jul 11, 2019 6:48 am
by fruitoftheloom
Already an open recent discussion here:

https://www.raspberrypi.org/forums/view ... 9&t=244256

Re: Raspbian Buster Lite has iptables but not nftables

Posted: Thu Jul 11, 2019 7:09 am
by beta-tester
that's what i told, that there is a comment...

but it does not explain, how i can get nft commands working, because nftables (at least the nft command) is not (fully) installed on my Raspbian Buster Lite image.

it looks like it is only an issue of Raspbian Buster Lite. the normal Raspbian Buster seems to have the nft command (nftables package) installed.

can i install the nftables package by hand by simply using sudo apt install nftables and everything is working as it should?
or are there more things to do?

Re: Raspbian Buster Lite has iptables but not nftables

Posted: Thu Jul 11, 2019 7:37 am
by RaTTuS
sudo apt install nftables
worked for me on lite, not that I've used it but it installs

Re: Raspbian Buster Lite has iptables but not nftables

Posted: Thu Jul 11, 2019 10:32 am
by beta-tester
thank you...

i installed it but i am still not sure if this was enough,
because i still get the old output from sudo iptables -L,
while in other comments it is reported that it is giving iptables: Operation not supported on other Raspbian Buster installations.
how can i disable the old iptables behavior so that my Raspbian Buster Lite is 100% in line with the nftables configuration as of Raspbian Buster Full or its normal version?

Re: Raspbian Buster Lite has iptables but not nftables

Posted: Thu Jul 11, 2019 10:37 am
by RaTTuS
sudo apt remove iptables
?

Re: Raspbian Buster Lite has iptables but not nftables

Posted: Thu Jul 11, 2019 11:00 am
by beta-tester
:shock: :oops: :mrgreen:
yes... and no...
yes, i can remove it... stupid me...

no, then i don't get the same behavior of the Raspbian Buster Full...
because on Raspbian Buster Full it is reported to get:

Code:

:~ $ sudo iptables -L
iptables: Operation not supported

but i now get on Raspbian Buster Lite + nftables installed - iptables removed:

Code:

:~ $ sudo iptables -L
iptables: command not found

so, where is the difference in configuration?

is there a creation/configuration script available, to see, how the official Raspbian Buster Full and how Raspbian Buster Lite were configured?

Re: Raspbian Buster Lite has iptables but not nftables

Posted: Thu Jul 11, 2019 11:05 am
by RaTTuS
I have to say "No Idea"
and wait for someone with more knowledge

Re: Raspbian Buster Lite has iptables but not nftables

Posted: Thu Feb 27, 2020 10:15 am
by UF_DoC
Buster Image released on 2020-02-13 even has the same issue (Raspbian Buster with desktop).

It would be nice to get clarity on which versions should have nftables by default and which do not.

Secondly, as the OP has been asking: what is the process to properly configure nftables over iptables?

Thanks.

Re: Raspbian Buster Lite has iptables but not nftables

Posted: Thu Feb 27, 2020 10:29 am
by UF_DoC
On closer inspection it appears that the Buster image has two commands:
iptables-legacy and iptables-nft

Code:

$ iptables --version
iptables v1.8.2 (nf_tables)
$ iptables-legacy --version
iptables v1.8.2 (legacy)
$ iptables-nft --version
iptables v1.8.2 (nf_tables)

The iptables command is symlinked via /etc/alternatives/iptables to iptables-nft.

So it does appear that even though the nft-specific command does not exist, nftables is the default.

Regards,
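
The backend check described in the last post, as an added example that is not part of the original thread: a POSIX shell sketch that classifies the `iptables --version` banner, follows the `/etc/alternatives` symlink chain, and counts rules held by each backend so that rules left behind in the legacy tables are noticed. The function names are illustrative, and the `-save` commands need root to return rules.

```shell
#!/bin/sh
# Added example, not from the thread; function names are illustrative.

# backend_from_version "<banner>": classify an `iptables --version` banner.
backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;   # no backend tag in the banner
    esac
}

# resolve_link <path>: follow every symlink hop and print the final target,
# e.g. /usr/sbin/iptables -> /etc/alternatives/iptables -> iptables-nft -> ...
resolve_link() {
    p=$1
    hops=0
    while [ -L "$p" ] && [ "$hops" -lt 16 ]; do   # hop limit guards against loops
        t=$(readlink "$p")
        case "$t" in
            /*) p=$t ;;                      # absolute target
            *)  p=$(dirname "$p")/$t ;;      # relative to the link's directory
        esac
        hops=$((hops + 1))
    done
    echo "$p"
}

# count_rules: count "-A" rule lines in iptables-save style text on stdin.
count_rules() {
    grep -c '^-A ' || true    # grep exits 1 on zero matches; still prints 0
}

# report: run the checks against the live system (run as root for rule counts).
report() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not on PATH"; return 0; }
    echo "iptables resolves to: $(resolve_link "$(command -v iptables)")"
    echo "active backend: $(backend_from_version "$(iptables --version)")"
    # Rules can exist in both backends at once; list each separately.
    for save in iptables-legacy-save iptables-nft-save; do
        command -v "$save" >/dev/null 2>&1 || continue
        echo "$save: $("$save" | count_rules) rule(s)"
    done
}

report
```

A non-zero count from `iptables-legacy-save` while the active backend is `nf_tables` means rules are still loaded through the legacy interface and will not show up in `iptables -L`.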