firewall: replace iptables with nftables #2505
nftables lists IPs a bit differently, so the order was adjusted for the tests to be more flexible.

This PR should be properly tested before merging. It's not just replacing iptables with nftables, because they both are mostly compatible, but not 100%. Otherwise we wouldn't have had to introduce the usage of iptables-legacy in the past. What was the reason for that? Is that reason now obsolete?

I think the reason for switching to legacy was that the support for Fail2Ban was not there at the time. Support was introduced not too long ago. At the time of the change to Now, Fail2Ban is ready and I tested the mail server locally. Everything seems to be running quite smoothly. F2B can ban IPs, While I agree that we should be careful here to not forget anything, I cannot think of anything right now. We do not have to merge this straight away, maybe you @casperklein can test with an image created from this branch like I did? Other than that though, I think we're quite fine.

Yes, but earliest next week. Another thing that comes to my mind: At the moment, my host and DMS uses Interesting to know would be, if there are already working setups at the moment, with
👍
My tests took place on such a system, i.e.
This I cannot test currently.

I have an idea about testing the image from this branch: I will push the image built from this branch to GHCR. This way, everyone can test the new changes beforehand. EDIT: You can now pull
I'm running this in production now, and it seems to work very well. I had some troubles at first, but this was due to a wrong custom configuration on my side. F2B bans IPs properly:

```
root@mail:/# fail2ban-client status
Status
|- Number of jail: 5
`- Jail list: dovecot, postfix, postfix-sasl, postscreen, recidive
root@mail:/# fail2ban-client status postfix
Status for the jail: postfix
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 6
|  `- File list: /var/log/mail.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list: 212.70.149.72
root@mail:/# nft list set inet f2b-table addr-set-postfix
table inet f2b-table {
	set addr-set-postfix {
		type ipv4_addr
		elements = { 212.70.149.72 }
	}
}
```

I will make an announcement and I will monitor the logs. If all seems well, we can then go ahead and merge this to be in
@casperklein what do you think about merging this as the last PR for

Yes, but also #2530 + one little fail2ban script feature I am going to provide this week. Edit: Basically, all PRs that are tagged for v11? https://github.com/docker-mailserver/docker-mailserver/milestone/10

Yes :D And this one as the last one :)

I don't care. For me, this PR is fine and can be merged anytime. Or do I miss something?

Nothing :) I will go ahead and merge this then, as I too think this is fine.

Documentation preview for this PR is ready! 🎉 Built with commit: eb59b7a
I noticed these days that in my setup IPs don't seem to be banned anymore. Banned IP count gets lower every day. From today, I see this in However, cross-checking with Edit: Found != Banned. My fault.

There are 2 types of iptables. The current version is meant to be a drop-in replacement for the older (legacy) iptables, but under the hood it uses nftables. Some appliances, notably QNAP, still use the legacy version of iptables, and don't ship with nftables, although they have recent Linux kernels. This PR broke those systems :) PR #2662 contains a discussion about this issue. Although I fully agree with not carrying legacy stuff around, it's important for docker-mailserver users to know about this issue.
@dguerri now that you say it, yes, I was using the drop-in replacement of |
Description
This PR replaces `iptables` with `nftables` and adjusts the Fail2Ban configuration accordingly. Issues as in #2327 would become obsolete. But this PR does not actually focus on #2327 - it focuses on replacing old software (which is not the default since Debian 10!) with new, more performant software which is also easier to use!