
Given a host that is in an unknown state of configuration, I would like to know if there is an effective way of non-interactively determining if the firewall rule set in place is managed by iptables or nftables.

Sounds pretty simple and I've given this quite a bit of thought, but haven't come back with a meaningful answer to put in a script...

Pedro

2 Answers


A variant of this problem was addressed recently in Kubernetes, so it’s worth looking at what was done there. (The variant is whether to use iptables-legacy or iptables-nft and their IPv6 variants to drive the host’s rules.)

The approach taken in Kubernetes is to look at the number of lines output by the respective “save” commands, iptables-legacy-save and iptables-nft-save (and their IPv6 variants). If the former produces ten lines or more of output, or produces more output than the latter, then it’s assumed that iptables-legacy should be used; otherwise, that iptables-nft should be used.

In your case, the decision tree could be as follows:

  • if iptables isn’t installed, use nft;
  • if nft isn’t installed, use iptables;
  • if iptables-save doesn’t produce any rule-defining output, use nft;
  • if nft list tables and nft list ruleset don’t produce any output, use iptables.

If iptables-save and nft list ... both produce output, and iptables isn’t iptables-nft, I’m not sure an automated process can decide.

Stephen Kitt
  • Interesting. What I am finding is that `iptables-save`, `iptables-legacy-save` and `iptables-nft-save` all return null output (on debian) if an nft ruleset is defined. If a rule is defined using `iptables-nft`, then the output of `iptables-nft-save` returns data reflecting the change, but not the entirety of the nft ruleset (not necessarily an issue in this particular case), yet the nft ruleset is updated to contain the change added with `iptables-nft`. I think I can work out a solution from this information, thank you. – Pedro May 26 '20 at 09:02
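The decision tree in the answer above, written out as a runnable probe. This is an added example, not code from the answer or from Kubernetes; the function names are our own, the sample iptables-save output is constructed, and the Kubernetes line-count rule is included only as a separate helper so the two heuristics can be compared. The probe itself has to run as root, since iptables-save and nft list ruleset need it.

```sh
#!/bin/sh
# Added example, not code from the answer above: a non-interactive probe that
# applies the decision tree from Stephen Kitt's answer, plus the Kubernetes
# line-count heuristic as a separate helper. Function names are our own.

# Count rule-defining lines in iptables-save output. Comments (#), table
# headers (*filter), chain policies (:INPUT ...) and COMMIT are not rules;
# only -A/-I lines are.
count_rules() {
    printf '%s\n' "$1" | awk '/^-[AI] /{n++} END{print n+0}'
}

# Count non-blank lines, used for "nft list ruleset" output.
count_nonblank() {
    printf '%s\n' "$1" | awk 'NF{n++} END{print n+0}'
}

# classify HAVE_IPT HAVE_NFT IPT_RULES NFT_LINES IPT_VARIANT
#   HAVE_IPT, HAVE_NFT : 1 if the binary is installed, 0 if not
#   IPT_RULES          : rules counted in iptables-save output
#   NFT_LINES          : non-blank lines in "nft list ruleset" output
#   IPT_VARIANT        : text in parentheses from "iptables -V" (may be empty)
# Prints nft, iptables, or undecided (both tools show rules and iptables is
# not the nf_tables variant: the case the answer says it cannot settle).
classify() {
    if [ "$1" -eq 0 ]; then echo nft; return 0; fi
    if [ "$2" -eq 0 ]; then echo iptables; return 0; fi
    if [ "$3" -eq 0 ]; then echo nft; return 0; fi
    if [ "$4" -eq 0 ]; then echo iptables; return 0; fi
    if [ "$5" = nf_tables ]; then echo nft; return 0; fi
    echo undecided
}

# kube_pick LEGACY_LINES NFT_LINES: the Kubernetes heuristic. Legacy wins when
# iptables-legacy-save prints ten lines or more, or more than iptables-nft-save.
kube_pick() {
    if [ "$1" -ge 10 ] || [ "$1" -gt "$2" ]; then echo legacy; else echo nft; fi
}

# Constructed sample of iptables-save output (not captured from a real host).
SAMPLE_SAVE='# Generated by iptables-save v1.8.7
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed'

# probe: collect the inputs from the live host and classify. Run as root.
probe() {
    have_ipt=0 have_nft=0 ipt_rules=0 nft_lines=0 variant=
    if command -v iptables >/dev/null 2>&1; then
        have_ipt=1
        ipt_rules=$(count_rules "$(iptables-save 2>/dev/null)")
        # the parenthesised backend name, empty if -V prints none
        variant=$(iptables -V 2>/dev/null | sed -n 's/.*(\([^)]*\)).*/\1/p')
    fi
    if command -v nft >/dev/null 2>&1; then
        have_nft=1
        nft_lines=$(count_nonblank "$(nft list ruleset 2>/dev/null)")
    fi
    classify "$have_ipt" "$have_nft" "$ipt_rules" "$nft_lines" "$variant"
}

# Only touch the live host when asked: sudo sh detect-fw.sh --probe
if [ "${1:-}" = "--probe" ]; then
    probe
fi
```

Note that count_rules deliberately ignores the table, policy and COMMIT lines that iptables-save emits even on an empty ruleset, so an installed but unconfigured iptables still counts as "no rule-defining output". The iptables-nft case is the one place the tree is extended: when iptables -V reports nf_tables, its rules already live in the nftables ruleset, so the answer is nft rather than undecided.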

You can quickly tell whether iptables or nftables is in use by looking at the output of iptables -V. Not 100% optimal as it still requires a little output parsing, but quite straightforward.

Red Hat has a blog post from 2020-08 with guidance on this that also applies to Ubuntu.

The two variants of the iptables command are:

  • legacy: Often referred to as iptables-legacy.
  • nf_tables: Often referred to as iptables-nft.

The newer iptables-nft command provides a bridge to the nftables kernel API and infrastructure.

You can find out which variant is in use by looking up the iptables version.

Ubuntu 22.04 (nftables)

For iptables-nft, the variant will be shown in parentheses after the version number, denoted as nf_tables:

# iptables -V
iptables v1.8.7 (nf_tables)

Ubuntu 20.04 (iptables)

For iptables-legacy, the variant will either be absent, or it will show legacy in parentheses:

# iptables -V
iptables v1.8.4 (legacy)

Testing

So a simple test with grep to determine if we are nftables or not would be:

iptables -V | grep -E ' \(nf_tables\) *$'

...it is possible in the future that iptables is no longer distributed by default and so a more future-proof test would look something like:

# silence the path that command -v prints, and use grep -q for a pure yes/no
if command -v iptables >/dev/null 2>&1; then
    if iptables -V | grep -qE ' \(nf_tables\) *$'; then
        echo "nft"
    else
        echo "iptables"
    fi
elif command -v nft >/dev/null 2>&1; then
    echo "nft"
fi
mattpr
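The version-string parsing from the answer above, as an added example that is not the answer's own code. It covers the three shapes of iptables -V output the answer describes (nf_tables in parentheses, legacy in parentheses, and no parenthetical at all, which the answer says to treat as legacy) and keeps the parsing separate from the host probe so it can be checked against fixed strings. Function names are our own.

```sh
#!/bin/sh
# Added example, not code from the answer above: parse "iptables -V" into a
# backend name, then decide nft vs iptables for the host. Names are our own.

# iptables_variant VERSION_LINE
# Prints nf_tables, legacy, or unknown. A version line with no parenthetical
# is treated as legacy, as the answer says; anything that is not an
# "iptables v..." line at all (e.g. empty output) is unknown.
iptables_variant() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        "iptables v"*)   echo legacy ;;
        *)               echo unknown ;;
    esac
}

# firewall_backend: nft, iptables, or none for the running host, based only
# on which binaries exist and what iptables -V reports. No root needed.
firewall_backend() {
    if command -v iptables >/dev/null 2>&1; then
        v=$(iptables_variant "$(iptables -V 2>/dev/null)")
        if [ "$v" = nf_tables ]; then echo nft; else echo iptables; fi
    elif command -v nft >/dev/null 2>&1; then
        echo nft
    else
        echo none
    fi
}

# Constructed sample lines (not captured from a real host), one per case.
SAMPLE_NFT='iptables v1.8.7 (nf_tables)'
SAMPLE_LEGACY='iptables v1.8.4 (legacy)'
SAMPLE_OLD='iptables v1.6.1'
```

Keep in mind what this does and does not tell you: it reports which backend the iptables front end on this host would write to, not whether the rules currently loaded were put there by iptables or by nft. For that question the save-output comparison in the other answer is still needed.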