I recently opened an issue: https://github.com/containernetworking/plugins/issues/461. In a nutshell, CNI uses the `go-iptables` library to configure IP masquerading. Some of the commands succeed, but some fail (e.g. `iptables -t nat -S --wait`):
ERRO[0000] Error adding network: failed to list chains: running [/usr/sbin/iptables -t nat -S --wait]: exit status 1: iptables v1.8.2 (nf_tables): table `nat' is incompatible, use 'nft' tool.
ERRO[0000] Error while adding pod to CNI network "podman": failed to list chains: running [/usr/sbin/iptables -t nat -S --wait]: exit status 1: iptables v1.8.2 (nf_tables): table `nat' is incompatible, use 'nft' tool.
Error: error configuring network namespace for container 51f6adbaed7d674fb4b48d501eb7ce0605d09e003ac09f6588b98dea7230ca9f: failed to list chains: running [/usr/sbin/iptables -t nat -S --wait]: exit status 1: iptables v1.8.2 (nf_tables): table `nat' is incompatible, use 'nft' tool.
Is there a plan to support `nftables`? Are you open to a PR for it?
@squeed, I am running `nftables`.
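As an added example (not part of the original post, and not code from CNI or go-iptables), the Go sketch below classifies an iptables output line like the ones quoted above, extracting the version, the backend named in the banner, and the table reported as incompatible. The `Diagnosis` type and `Diagnose` function are hypothetical names, and treating a banner with no mode suffix as `legacy` is an assumption based on the nf_tables backend arriving with iptables 1.8.

```go
package main

import (
	"fmt"
	"regexp"
)

// bannerRe matches the banner iptables prints in --version output and as the
// prefix of its error messages, e.g. "iptables v1.8.2 (nf_tables)".
// Builds older than 1.8 print no "(mode)" suffix.
var bannerRe = regexp.MustCompile(`iptables v(\d+\.\d+\.\d+)(?: \((\w+)\))?`)

// incompatRe matches the failure quoted in the issue text.
var incompatRe = regexp.MustCompile("table `([^']+)' is incompatible, use 'nft' tool")

// Diagnosis is a hypothetical result type for this example.
type Diagnosis struct {
	Version      string // e.g. "1.8.2"
	Backend      string // "nf_tables" or "legacy"
	Table        string // table named in the incompatibility error, if any
	Incompatible bool   // true when the line carries the "use 'nft' tool" error
}

// Diagnose inspects one line of iptables output (stderr or --version) and
// reports the backend in use and whether the line is the incompatibility error.
// The second return value is false when the line has no iptables banner.
func Diagnose(line string) (Diagnosis, bool) {
	m := bannerRe.FindStringSubmatch(line)
	if m == nil {
		return Diagnosis{}, false
	}
	d := Diagnosis{Version: m[1], Backend: m[2]}
	if d.Backend == "" {
		d.Backend = "legacy" // assumption: no suffix means a pre-1.8, legacy-only build
	}
	if t := incompatRe.FindStringSubmatch(line); t != nil {
		d.Table, d.Incompatible = t[1], true
	}
	return d, true
}

func main() {
	// Error text copied from the log lines in the post above.
	line := "failed to list chains: running [/usr/sbin/iptables -t nat -S --wait]: " +
		"exit status 1: iptables v1.8.2 (nf_tables): table `nat' is incompatible, use 'nft' tool."
	d, ok := Diagnose(line)
	fmt.Printf("%+v matched=%v\n", d, ok)
}
```

A caller that shells out to iptables could run such a check on stderr to report a backend problem explicitly instead of surfacing only `exit status 1`.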