15

Given a host that is in an unknown state of configuration, I would like to know if there is an effective way of non-interactively determining if the firewall rule set in place is managed by iptables or nftables.

Sounds pretty simple and I've given this quite a bit of thought, but haven't come back with a meaningful answer to put on a script...

4 Answers

10

A variant of this problem was addressed recently in Kubernetes, so it’s worth looking at what was done there. (The variant is whether to use iptables-legacy or iptables-nft and their IPv6 variants to drive the host’s rules.)

The approach taken in Kubernetes is to look at the number of lines output by the respective “save” commands, iptables-legacy-save and iptables-nft-save (and their IPv6 variants). If the former produces ten lines or more of output, or produces more output than the latter, then it’s assumed that iptables-legacy should be used; otherwise, that iptables-nft should be used.

In your case, the decision tree could be as follows:

  • if iptables isn’t installed, use nft;
  • if nft isn’t installed, use iptables;
  • if iptables-save doesn’t produce any rule-defining output, use nft;
  • if nft list tables and nft list ruleset don’t produce any output, use iptables.

If iptables-save and nft list ... both produce output, and iptables isn’t iptables-nft, I’m not sure an automated process can decide.

9
  • 1
    Interesting. What I am finding is that iptables-save, iptables-legacy-save and iptables-nft-save all return null output (on Debian) if an nft ruleset is defined. If a rule is defined using iptables-nft, then the output of iptables-nft-save returns data reflecting the change, but not the entirety of the nft ruleset (not necessarily an issue in this particular case), yet the nft ruleset is updated to contain the change added with iptables-nft. I think I can work out a solution from this information, thank you. Commented May 26, 2020 at 9:02
  • What happens if both appear to work? Commented Jan 26, 2024 at 10:22
  • @user3728501 both what? If both -save variants appear to work, see the “If” part at the end of the second paragraph; if you’re referring to something else, see the last paragraph. Commented Jan 26, 2024 at 11:27
  • 1
    @user3728501 so you end up falling off the end of the decision tree, and the last part applies: “I’m not sure an automated process can decide.” Commented Jan 26, 2024 at 16:54
  • 1
    @user3728501 I’ll give you a refund. Sometimes the answer is that there is no answer; or in your case, that I’d need more info. Feel free to ask a new question. Commented Jan 26, 2024 at 17:44
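The decision tree above, written out as an added example (this is not code from the answer or its author): the four tests become one function over the probe results, so the logic can be exercised on constructed input without root, and a wrapper gathers the same four inputs from the running host. The function names, the "undecided" outcome for the case the answer leaves open, and the rule of counting only `-A` lines of `iptables-save` output as "rule-defining" are this example's own choices.

```shell
#!/bin/sh
# Added example: the answer's decision tree as a testable function plus a
# live wrapper. Function names and the "undecided" verdict are assumptions
# of this example, not part of the original answer.

# Count rule-defining lines in iptables-save output read from stdin.
# Table headers (*filter), chain policies (:INPUT ACCEPT [0:0]), COMMIT and
# "# ..." comments are skipped; only "-A CHAIN ..." lines count as rules.
count_ipt_rules() {
    grep -c '^-A ' || true   # grep -c exits 1 on zero matches; keep status 0
}

# Count non-empty lines of `nft list tables` / `nft list ruleset` output on stdin.
count_nft_lines() {
    grep -c . || true
}

# decide HAVE_IPTABLES HAVE_NFT IPT_RULES NFT_LINES
#   HAVE_IPTABLES, HAVE_NFT : 1 if the binary is on PATH, else 0
#   IPT_RULES               : rule lines counted from iptables-save
#   NFT_LINES               : output lines from nft list tables/ruleset
# Prints nft, iptables or undecided (the branch the answer cannot resolve).
decide() {
    have_ipt=$1; have_nft=$2; ipt_rules=$3; nft_lines=$4
    if [ "$have_ipt" -eq 0 ];  then echo nft;      return 0; fi
    if [ "$have_nft" -eq 0 ];  then echo iptables; return 0; fi
    if [ "$ipt_rules" -eq 0 ]; then echo nft;      return 0; fi
    if [ "$nft_lines" -eq 0 ]; then echo iptables; return 0; fi
    echo undecided            # both stacks carry rules: see the answer's last paragraph
    return 0
}

# Gather the four inputs from this host and print the verdict.
# Listing rules needs CAP_NET_ADMIN, so run as root for a meaningful result;
# unprivileged, both counts read as 0 and the verdict is not meaningful.
probe_host() {
    have_ipt=0; have_nft=0; ipt_rules=0; nft_lines=0
    if command -v iptables >/dev/null 2>&1; then
        have_ipt=1
        ipt_rules=$(iptables-save 2>/dev/null | count_ipt_rules)
    fi
    if command -v nft >/dev/null 2>&1; then
        have_nft=1
        nft_lines=$( { nft list tables; nft list ruleset; } 2>/dev/null | count_nft_lines)
    fi
    decide "$have_ipt" "$have_nft" "$ipt_rules" "$nft_lines"
}

# Constructed iptables-save output (not captured from a real host), used to
# exercise count_ipt_rules without privileges: two rules, six other lines.
SAMPLE_IPTABLES_SAVE='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

probe_host
```

Run it as root on the host in question; `undecided` is printed exactly when both `iptables-save` shows `-A` rules and `nft list` shows output, which is the situation the answer says cannot be settled from these probes alone.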
5

You can quickly tell whether iptables or nftables is in use by looking at the output of iptables -V. Not 100% optimal as it still requires a little output parsing, but quite straightforward.

Redhat has a blog post from 2020-08 with guidance on this that also applies to Ubuntu.

The two variants of the iptables command are:

  • legacy: Often referred to as iptables-legacy.
  • nf_tables: Often referred to as iptables-nft.

The newer iptables-nft command provides a bridge to the nftables kernel API and infrastructure.

You can find out which variant is in use by looking up the iptables version.

Ubuntu 22.04 (nftables)

For iptables-nft, the variant will be shown in parentheses after the version number, denoted as nf_tables:

# iptables -V
iptables v1.8.7 (nf_tables)

Ubuntu 20.04 (iptables)

For iptables-legacy, the variant will either be absent, or it will show legacy in parentheses:

# iptables -V
iptables v1.8.4 (legacy)

Testing

So a simple test with grep to determine if we are nftables or not would be:

iptables -V | grep -E ' \(nf_tables\) *$' 

...it is possible in the future that iptables is no longer distributed by default and so a more future-proof test would look something like:

# Prefer iptables -V when iptables is present; fall back to nft's presence
# when it is not. Output of command -v is discarded, grep -q just sets status.
if command -v iptables >/dev/null 2>&1; then
    if iptables -V | grep -qE ' \(nf_tables\) *$'; then
        echo "nft"
    else
        echo "iptables"
    fi
elif command -v nft >/dev/null 2>&1; then
    echo "nft"
fi
3

Step 1:

sudo which iptables
/usr/sbin/iptables

Step 2:

sudo ls -l /usr/sbin/iptables
lrwxrwxrwx 1 root root 26 jan 16  2023 /usr/sbin/iptables -> /etc/alternatives/iptables

Step 3:

update-alternatives --query iptables
Name: iptables
Link: /usr/sbin/iptables
Slaves:
 iptables-restore /usr/sbin/iptables-restore
 iptables-save /usr/sbin/iptables-save
Status: auto
Best: /usr/sbin/iptables-nft
Value: /usr/sbin/iptables-nft

Alternative: /usr/sbin/iptables-legacy
Priority: 10
Slaves:
 iptables-restore /usr/sbin/iptables-legacy-restore
 iptables-save /usr/sbin/iptables-legacy-save

Alternative: /usr/sbin/iptables-nft
Priority: 20
Slaves:
 iptables-restore /usr/sbin/iptables-nft-restore
 iptables-save /usr/sbin/iptables-nft-save

Step 4:

sudo systemctl status nftables
● nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; enabled; preset: enabled)
     Active: active (exited) since Wed 2024-09-18 14:04:23 CEST; 5h 57min ago
       Docs: man:nft(8)
             http://wiki.nftables.org
    Process: 563 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
   Main PID: 563 (code=exited, status=0/SUCCESS)
        CPU: 42ms

ruj 18 14:04:23 msi systemd[1]: Finished nftables.service - nftables.
Notice: journal has been rotated since unit was started, output may be incomplete.

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

And we can conclude that nftables is up and running while iptables exists but it's not configured.

Also run sudo nft list ruleset to list nftables rules.

1
  • Thanks, just found out about the update-alternatives command. It's very useful. Commented Sep 14 at 13:34
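The two preceding answers identify the iptables front end in different ways: the first by parsing `iptables -V`, the second by following the alternatives symlink and the `Value:` line of `update-alternatives --query iptables`. As an added example (not code from either answer or their authors), the following script turns each of those into a function over captured text, so the parsing can be checked on sample output, and then runs all three probes on the host and prints them side by side. The function names and the "unknown" result for unparseable input are this example's own.

```shell
#!/bin/sh
# Added example: three independent classifiers for the iptables variant.
# Names and the "unknown" outcome are assumptions of this example.

# variant_from_version: classify `iptables -V` output read from stdin.
# Prints nf_tables, legacy or unknown. A version line with no suffix is an
# older build, which the first answer treats as legacy; empty input is unknown.
variant_from_version() {
    line=$(head -n 1)
    case "$line" in
        *'(nf_tables)'*) echo nf_tables ;;
        *'(legacy)'*)    echo legacy ;;
        'iptables v'*)   echo legacy ;;   # pre-1.8 builds print no variant
        *)               echo unknown ;;
    esac
}

# variant_from_alternatives: classify `update-alternatives --query iptables`
# output read from stdin by its "Value:" line (the currently selected target).
variant_from_alternatives() {
    value=$(sed -n 's/^Value: //p' | head -n 1)
    case "$value" in
        *-nft)    echo nf_tables ;;
        *-legacy) echo legacy ;;
        *)        echo unknown ;;
    esac
}

# variant_from_path PATH: resolve the binary through any symlink chain
# (Debian's /etc/alternatives indirection included) and classify by its name.
variant_from_path() {
    target=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
    case "$(basename "$target")" in
        iptables-nft)    echo nf_tables ;;
        iptables-legacy) echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Run all three probes on this host. Disagreement between them (for example
# a PATH that shadows the alternatives link) is itself worth knowing.
probe_host() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables: not installed"
        return 0
    fi
    v=$(iptables -V 2>/dev/null | variant_from_version)
    a=$(update-alternatives --query iptables 2>/dev/null | variant_from_alternatives)
    p=$(variant_from_path "$(command -v iptables)")
    echo "version=$v alternatives=$a path=$p"
}

# Constructed samples (modelled on the answers' output, not captured here).
SAMPLE_VERSION_NFT='iptables v1.8.7 (nf_tables)'
SAMPLE_VERSION_LEGACY='iptables v1.8.4 (legacy)'
SAMPLE_VERSION_OLD='iptables v1.6.1'
SAMPLE_ALTERNATIVES='Name: iptables
Link: /usr/sbin/iptables
Status: auto
Best: /usr/sbin/iptables-nft
Value: /usr/sbin/iptables-nft
Alternative: /usr/sbin/iptables-legacy
Priority: 10'

probe_host
```

On a host without `update-alternatives` (anything non-Debian-derived) the second probe reports `unknown` and the other two still apply; none of the three needs root, since they only inspect the binary, not the rule set.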
1

Check for the existence of the module in the loaded kernel. Looking at what tools are found in your shell does not guarantee those are the tools used to configure it. The kernel is where iptables and nftables actually exist, regardless of which tools are used. It can even be both in use.

This machine is using kernel 5.15 with nftables built as a module.

$ lsmod | grep -E "^nft_|^iptable_"
nft_limit              16384  18
nft_chain_nat          16384  4
nft_counter            16384  3584
nft_compat             20480  3691
$ ls -d /sys/module/nft* /sys/module/iptable*
ls: cannot access '/sys/module/iptable*': No such file or directory
/sys/module/nft_chain_nat  /sys/module/nft_compat  /sys/module/nft_counter  /sys/module/nft_limit

This machine is using kernel 5.10 with iptables built as a module:

$ lsmod | grep -E "^nft_|^iptable_"
iptable_mangle         16384  1
iptable_nat            16384  1
iptable_raw            16384  1
iptable_filter         16384  1
$ ls -d /sys/module/nft* /sys/module/iptable*
ls: cannot access '/sys/module/nft*': No such file or directory
/sys/module/iptable_filter/  /sys/module/iptable_mangle/  /sys/module/iptable_nat/  /sys/module/iptable_raw/
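The kernel-side check above, as an added example (not code from the answer or its author): a function that reads module listings in the `lsmod` / `/proc/modules` format and reports which back end has modules loaded, including the "both" case the answer mentions, plus a wrapper that runs it against `/proc/modules`. The `nft_` and `iptable_` prefixes are the ones the answer greps for; the `ip6table_` prefix for the IPv6 legacy tables and the separate `nft_compat` check (the module that carries xtables-style matches and targets inside nftables, i.e. rules written through iptables-nft) are this example's additions.

```shell
#!/bin/sh
# Added example: classify the loaded firewall back end(s) from module names.
# Function names and output words are assumptions of this example.

# kernel_backends: reads "name size used ..." lines (lsmod output or
# /proc/modules) from stdin and prints one of: nftables, iptables, both, none.
# "none" means no module of either family is loaded; support compiled into
# the kernel (CONFIG_*=y) does not appear here, so check the kernel config
# or /sys/module in that case.
kernel_backends() {
    have_nft=0; have_ipt=0
    while read -r name _rest; do
        case "$name" in
            nft_*)                have_nft=1 ;;
            iptable_*|ip6table_*) have_ipt=1 ;;
        esac
    done
    if [ "$have_nft" -eq 1 ] && [ "$have_ipt" -eq 1 ]; then
        echo both
    elif [ "$have_nft" -eq 1 ]; then
        echo nftables
    elif [ "$have_ipt" -eq 1 ]; then
        echo iptables
    else
        echo none
    fi
}

# nft_compat_present: prints yes if nft_compat is in the listing on stdin,
# which indicates iptables-nft style rules living inside the nftables ruleset.
nft_compat_present() {
    found=no
    while read -r name _rest; do
        [ "$name" = nft_compat ] && found=yes
    done
    echo "$found"
}

# Probe the running kernel; /proc/modules has the same first column as lsmod.
probe_host() {
    if [ -r /proc/modules ]; then
        echo "backends=$(kernel_backends < /proc/modules) nft_compat=$(nft_compat_present < /proc/modules)"
    else
        echo "backends=unknown (/proc/modules not readable)"
    fi
}

# Constructed listings modelled on the two machines shown in the answer.
SAMPLE_LSMOD_NFT='Module                  Size  Used by
nft_limit              16384  18
nft_chain_nat          16384  4
nft_counter            16384  3584
nft_compat             20480  3691'
SAMPLE_LSMOD_IPT='iptable_mangle         16384  1
iptable_nat            16384  1
iptable_raw            16384  1
iptable_filter         16384  1'

probe_host
```

Because the functions read text rather than calling `lsmod` themselves, the same classification can be applied to module listings collected from many hosts (or to an `lsmod` capture in an incident record) without re-running anything on them.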
