As of net-firewall/iptables-1.8.3-r1, /sbin/iptables et al are symlinks to xtables-legacy-multi. This is a sensible default in order not to confuse users relying on the once-default kernel backend (see xtables-legacy(8) for details). However, with net-firewall/iptables[nftables], xtables-nft(8) is available, which provides the same interface as iptables etc., but uses the nftables API in the back.

It is desirable for users wanting to use nftables in the back (they might want to write their firewall rules using nft(8), for example), but need to use software that only supports calling iptables(8) (e.g. libvirt), to be able to switch between both implementations. Debian has switched to xtables-nft as default with the current release, allowing the user to switch with their standard update-alternatives mechanism[0]. It is a separate decision what to set as default, but I’d like to be able to choose the implementation in Gentoo as well.

The lazy way: add a new USE flag to iptables.ebuild and set the symlink at merge time. Works, and given the 30 seconds it takes to build it on my notebook probably acceptable.

The nice way: write an eselect module, that iptables (or at least iptables[nftables]) RDEPENDs on.

I would be willing to write either one of the USE flag patch and the eselect module, but I’m not sure about the preferred way, and how/where to host the eselect module. Existing ones seem to live somewhere in git.gentoo.org respectively dev.gentoo.org/~someone, but I’m not a Gentoo developer.

[0]: https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.html#nftables
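Whichever mechanism does the switching, the six symlinks (iptables, iptables-save, iptables-restore and their ip6tables counterparts) must all point at the same xtables-*-multi binary, otherwise a rule set loaded through one backend is invisible to the -save/-restore tool of the other and an audit or backup of the firewall silently comes up empty. The following POSIX sh check is an added example, not part of the bug report or of any Gentoo package; the function name xtables_backend_check is my own, and it assumes the legacy and nftables multi-binaries are named xtables-legacy-multi and xtables-nft-multi respectively.

```shell
#!/bin/sh
# Report which backend each iptables-family symlink resolves to and fail
# (exit 1) when a name is missing or the set mixes backends.
# Constructed example; it only reads symlinks and never touches firewall rules.
# Usage: xtables_backend_check /sbin

xtables_backend_check() {
    dir=$1
    seen=""
    rc=0
    for name in iptables iptables-restore iptables-save \
                ip6tables ip6tables-restore ip6tables-save; do
        path="$dir/$name"
        if [ ! -L "$path" ]; then
            printf '%-18s %s\n' "$name" "MISSING or not a symlink"
            rc=1
            continue
        fi
        # Only the basename of the link target matters (may be relative).
        target=$(readlink "$path")
        target=${target##*/}
        case $target in
            xtables-legacy-multi) backend=legacy ;;
            xtables-nft-multi)    backend=nft ;;
            *)                    backend="unknown($target)"; rc=1 ;;
        esac
        printf '%-18s %s\n' "$name" "$backend"
        # Collect the distinct backends seen so far.
        case " $seen " in
            *" $backend "*) ;;
            *) seen="$seen $backend" ;;
        esac
    done
    # More than one distinct backend means iptables-save/-restore may be
    # looking at a different rule set than the iptables binary loaded.
    set -- $seen
    [ $# -le 1 ] || { echo "WARNING: mixed backends:$seen"; rc=1; }
    return $rc
}
```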
I agree with this request. I would appreciate eselect more. Btw, there are a few eselect packages living in GitHub repositories of non-Gentoo developers. You can most probably start there and it can be transferred somewhere else later if needed.
Created attachment 615432 [details] iptables.eselect Created eselect module to allow the selection of the iptables symlink from the available xtables-*-multi binaries
Comment on attachment 615432 [details] iptables.eselect

# -*-eselect-*-  vim: ft=eselect
# Copyright 2005-2019 Gentoo Authors
# Distributed under the terms of the GNU GPL version 2 or later

DESCRIPTION="Manage the iptables and ip6tables symlink"
MAINTAINER="chris@christopherpritchard.co.uk"
VERSION="20200224"

IPTABLES_TARGETS=("iptables" "iptables-restore" "iptables-save")
IP6TABLES_TARGETS=("ip6tables" "ip6tables-restore" "ip6tables-save")

# find a list of xtables symlink targets
find_targets() {
	local f
	for f in "${EROOT}"/sbin/xtables-*-multi; do
		[[ -f ${f} ]] && basename "${f}"
	done
}

# remove the iptables symlink
remove_symlinks() {
	for ipt in ${IPTABLES_TARGETS[@]}; do
		rm -f "${EROOT}"/sbin/${ipt} &>/dev/null
	done
	if [[ ${IPV6} -eq 1 ]] && [[ ${IPV6_REMOVE} -eq 1 ]]; then
		for ip6t in ${IP6TABLES_TARGETS[@]}; do
			rm -f "${EROOT}"/sbin/${ip6t} &>/dev/null
		done
	fi
}

# set the iptables symlink
set_symlinks() {
	local target=$1

	if is_number "${target}" && [[ ${target} -ge 1 ]]; then
		local targets=( $(find_targets) )
		target=${targets[target-1]}
	fi

	if [[ -z ${target} || ! -f ${EROOT}/sbin/${target} ]]; then
		die -q "Target \"$1\" doesn't appear to be valid!"
	fi

	for ipt in ${IPTABLES_TARGETS[@]}; do
		ln -s "${target}" "${EROOT}/sbin/${ipt}"
	done
	if [[ ${IPV6} -eq 1 ]]; then
		for ip6t in ${IP6TABLES_TARGETS[@]}; do
			ln -s "${target}" "${EROOT}/sbin/${ip6t}"
		done
	fi
}

### show action ###

describe_show() {
	echo "Show the current iptables symlink"
}

do_show() {
	if [[ -L ${EROOT}/sbin/ip6tables ]]; then
		IPV6=1
	fi
	write_list_start "Current iptables symlinks:"
	for ipt in ${IPTABLES_TARGETS[@]}; do
		if [[ -L ${EROOT}/sbin/${ipt} ]]; then
			local ipta=$(canonicalise "${EROOT}/sbin/${ipt}")
			write_kv_list_entry "${ipt}" "${ipta%/}"
		else
			write_kv_list_entry "${ipt}" "(unset)"
		fi
	done
	if [[ ${IPV6} -eq 1 ]]; then
		write_list_start "Current ip6tables symlinks:"
		for ip6t in ${IP6TABLES_TARGETS[@]}; do
			if [[ -L ${EROOT}/sbin/${ip6t} ]]; then
				local ipta=$(canonicalise "${EROOT}/sbin/${ip6t}")
				write_kv_list_entry "${ip6t}" "${ipta%/}"
			else
				write_kv_list_entry "${ip6t}" "(unset)"
			fi
		done
	fi
}

### list action ###

describe_list() {
	echo "List available iptables symlink targets"
}

do_list() {
	local i targets=( $(find_targets) )
	if [[ -L ${EROOT}/sbin/ip6tables ]]; then
		IPV6=1
	fi
	write_list_start "Available iptables symlink targets:"
	for (( i = 0; i < ${#targets[@]}; i++ )); do
		# highlight the target where the symlink is pointing to
		[[ ${targets[i]} = \
			$(basename "$(canonicalise "${EROOT}/sbin/iptables")") ]] \
			&& targets[i]=$(highlight_marker "${targets[i]}")
	done
	write_numbered_list -m "(none found)" "${targets[@]}"
}

### set action ###

describe_set() {
	echo "Set a new iptables symlink target"
}

describe_set_parameters() {
	echo "[--ipv6] <target>"
}

describe_set_options() {
	echo "--ipv6: Forces creation of ip6tables symlinks"
	echo "target : Target name or number (from 'list' action)"
}

do_set() {
	if [[ ${1} == "--ipv6" ]]; then
		IPV6=1
		shift
	fi
	[[ -z $1 ]] && die -q "You didn't tell me what to set the symlink to"
	[[ $# -gt 2 ]] && die -q "Too many parameters"

	if [[ -L ${EROOT}/sbin/ip6tables ]]; then
		IPV6=1
		IPV6_REMOVE=1
	fi

	if [[ -L ${EROOT}/sbin/iptables ]]; then
		# existing symlink
		remove_symlinks || die -q "Couldn't remove existing symlink"
		set_symlinks "$1" || die -q "Couldn't set a new symlink"
	elif [[ -e ${EROOT}/sbin/iptables ]]; then
		# we have something strange
		die -q "${EROOT}/sbin/iptables exists but is not a symlink"
	else
		set_symlinks "$1" || die -q "Couldn't set a new symlink"
	fi
}
Noticed a bug in my original upload, whereby if ip6tables didn't exist (for example, because an invalid target was specified), there was no way of getting it back using the tool.
Created attachment 615434 [details] iptables.eselect
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18c5c5cab882f71e7917ebfaa670478ed07fb41e

commit 18c5c5cab882f71e7917ebfaa670478ed07fb41e
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2020-03-20 00:09:37 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-03-20 00:09:53 +0000

    net-firewall/iptables-1.8.4-r1: revbump, add eselect (bug 698746)

    This makes the ebuild compatible with eselect-iptables.

    Closes: https://bugs.gentoo.org/698746
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 .../files/iptables-1.8.4-no-symlinks.patch     |  19 +++
 net-firewall/iptables/iptables-1.8.4-r1.ebuild | 153 +++++++++++++++++++++
 2 files changed, 172 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43308778fc97e4c8047ce5188130cd1546a701fc

commit 43308778fc97e4c8047ce5188130cd1546a701fc
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2020-03-20 00:07:09 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-03-20 00:09:53 +0000

    app-eselect/eselect-iptables: New package (bug #698746)

    Bug: https://bugs.gentoo.org/698746
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 app-eselect/eselect-iptables/Manifest                 |  1 +
 .../eselect-iptables/eselect-iptables-20200319.ebuild | 19 +++++++++++++++++++
 app-eselect/eselect-iptables/metadata.xml             |  8 ++++++++
 3 files changed, 28 insertions(+)
https://gitweb.gentoo.org/proj/eselect.git/commit/modules?h=extern&id=f473cb298779981b8ec6c522165f41562d67548a

commit f473cb298779981b8ec6c522165f41562d67548a
Author: Mike Gilbert <floppym@gentoo.org>
Date:   Fri May 8 00:28:39 2020 -0400

    iptables.eselect: new module

    Bug: https://bugs.gentoo.org/698746
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 AUTHORS                 |   3 +
 modules/iptables.eselect | 175 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 178 insertions(+)