before installing net-firewall/iptables-1.8.5

# eselect iptables list
Available iptables symlink targets:
  [1]   xtables-legacy-multi
  [2]   xtables-nft-multi *

after finishing installing it becomes

# eselect iptables list
Available iptables symlink targets:
  [1]   xtables-legacy-multi *
  [2]   xtables-nft-multi

This is probably due to an unconditional "eselect iptables unset" in pkg_prerm without preserving the state. Later on in pkg_postinst it is set to the default (legacy) due to being unset at this point.

There is possibly another (cosmetic?) problem in pkg_postinst: in the "use nftables" part "setting to default (legacy)" is being logged but it actually sets it to nft...

Reproducible: Always

Steps to Reproduce:
1. eselect iptables set 2 (xtables-nft-multi)
2. eselect iptables show (to confirm)
3. emerge net-firewall/iptables
4. eselect iptables show

Actual Results:
2. [2]   xtables-nft-multi *
4. [1]   xtables-legacy-multi *

Expected Results:
4. [2]   xtables-nft-multi *
I confirm, this behavior still persists. Every time iptables is re-emerged the setting is reset to legacy and breaks things, e.g. docker networking which still doesn't support nft natively and needs this compatibility layer.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a950794bde5d33d035a3726f99cc3cbfa618c437

commit a950794bde5d33d035a3726f99cc3cbfa618c437
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-07-23 15:54:56 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2021-07-23 15:57:16 +0000

    net-firewall/iptables: bypass 'eselect iptables unset' on upgrades

    Closes: https://bugs.gentoo.org/760246
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 net-firewall/iptables/iptables-1.8.7.ebuild | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
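The state-clobbering sequence from the original report (unconditional unset in pkg_prerm, legacy default picked in pkg_postinst) and the upgrade-only bypass named in the closing commit, as an added simulation that is not the ebuild's own code: the `eselect iptables` target is held in a shell variable, the phase functions are simplified models, and the `REPLACED_BY_VERSION` check is the assumed upgrade test (Portage sets it in pkg_prerm during an upgrade but leaves it empty on a plain removal).

```shell
#!/bin/sh
# Simulation only: a fake "eselect iptables" backed by a variable, plus
# buggy and fixed pkg_prerm models. Not the Gentoo ebuild's code.

CURRENT=""   # simulated symlink target; empty means "unset"

# Fake eselect supporting only the sub-commands the phases use.
sim_eselect() {
    case "$1" in
        set)   CURRENT="$2" ;;
        unset) CURRENT="" ;;
        show)  printf '%s\n' "${CURRENT:-(unset)}" ;;
    esac
}

# Buggy pre-removal phase: always unsets, as the report describes.
buggy_prerm() {
    sim_eselect unset
}

# Fixed pre-removal phase: skip the unset when this is an upgrade
# (REPLACED_BY_VERSION is the assumed upgrade indicator).
fixed_prerm() {
    if [ -z "${REPLACED_BY_VERSION}" ]; then
        sim_eselect unset
    fi
}

# Simplified post-install phase: fall back to the legacy default only
# when nothing is currently selected.
postinst() {
    if [ -z "${CURRENT}" ]; then
        sim_eselect set xtables-legacy-multi
    fi
}

# Upgrade: admin had chosen nft, old prerm runs, new postinst runs.
# Usage: run_upgrade buggy_prerm | run_upgrade fixed_prerm
run_upgrade() {
    CURRENT="xtables-nft-multi"
    REPLACED_BY_VERSION="1.8.7"   # constructed: new version being installed
    "$1"
    postinst
    sim_eselect show
}

# Plain removal: no replacement version, so the fix must still unset.
run_removal() {
    CURRENT="xtables-nft-multi"
    REPLACED_BY_VERSION=""
    "$1"
    sim_eselect show
}
```

With the buggy prerm an upgrade ends on xtables-legacy-multi; with the guarded prerm the nft choice survives, while a real removal still clears the symlink.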