NFT only system, missing iptables command

[maxilee]

Hi.
we have got system - Rocky Linux release 9.5
which default missing iptables commands , system using only NFT.

compiled fwcloud script contains references to iptables commands per example to clear firewall:

iptables_default_filter_policy() {
  $IPTABLES  -P OUTPUT  $1
  $IPTABLES  -P INPUT   $1
  $IPTABLES  -P FORWARD $1
  $IP6TABLES -P OUTPUT  $1
  $IP6TABLES -P INPUT   $1
  $IP6TABLES -P FORWARD $1
}

reset_iptables_v4() {
  $IPTABLES --flush
  $IPTABLES -X
  $IPTABLES --flush
  $IPTABLES --flush FORWARD
  $IPTABLES --flush INPUT
  $IPTABLES --flush OUTPUT
  $IPTABLES --table nat --flush
  $IPTABLES --table nat --delete-chain
  $IPTABLES --table mangle --flush
  $IPTABLES --table mangle --delete-chain
  $IPTABLES --delete-chain
}

whole script is working fine but there are errors on startup:

Nov 28 08:10:01 host fwcloud.sh[5466]: FWCloud.net - Loading firewall policy generated: Wed Nov 20 2024 08:11:04 GMT+0100 (Central European Standard Time)
Nov 28 08:10:01 host fwcloud.sh[5523]: /etc/fwcloud/fwcloud.sh: line 66: --flush: command not found
Nov 28 08:10:01 host fwcloud.sh[5524]: /etc/fwcloud/fwcloud.sh: line 67: -X: command not found
Nov 28 08:10:01 host fwcloud.sh[5525]: /etc/fwcloud/fwcloud.sh: line 68: --flush: command not found
Nov 28 08:10:01 host fwcloud.sh[5526]: /etc/fwcloud/fwcloud.sh: line 69: --flush: command not found
Nov 28 08:10:01 host fwcloud.sh[5527]: /etc/fwcloud/fwcloud.sh: line 70: --flush: command not found
Nov 28 08:10:01 host fwcloud.sh[5528]: /etc/fwcloud/fwcloud.sh: line 71: --flush: command not found
Nov 28 08:10:01 host fwcloud.sh[5529]: /etc/fwcloud/fwcloud.sh: line 72: --table: command not found
Nov 28 08:10:01 host fwcloud.sh[5530]: /etc/fwcloud/fwcloud.sh: line 73: --table: command not found
Nov 28 08:10:01 host fwcloud.sh[5531]: /etc/fwcloud/fwcloud.sh: line 74: --table: command not found
Nov 28 08:10:01 host fwcloud.sh[5532]: /etc/fwcloud/fwcloud.sh: line 75: --table: command not found
Nov 28 08:10:01 host fwcloud.sh[5533]: /etc/fwcloud/fwcloud.sh: line 76: --delete-chain: command not found
Nov 28 08:10:01 host fwcloud.sh[5534]: /etc/fwcloud/fwcloud.sh: line 82: -t: command not found
Nov 28 08:10:01 host fwcloud.sh[5536]: /etc/fwcloud/fwcloud.sh: line 87: -t: command not found
Nov 28 08:10:01 host fwcloud.sh[5537]: /etc/fwcloud/fwcloud.sh: line 82: -t: command not found
Nov 28 08:10:01 host fwcloud.sh[5539]: /etc/fwcloud/fwcloud.sh: line 87: -t: command not found
Nov 28 08:10:01 host fwcloud.sh[5540]: /etc/fwcloud/fwcloud.sh: line 82: -t: command not found
Nov 28 08:10:01 host fwcloud.sh[5542]: /etc/fwcloud/fwcloud.sh: line 87: -t: command not found
Nov 28 08:10:01 host fwcloud.sh[5466]: ******************************
Nov 28 08:10:01 host fwcloud.sh[5466]: * NFTABLES TABLES AND CHAINS *
Nov 28 08:10:01 host fwcloud.sh[5466]: ******************************
Nov 28 08:10:01 host fwcloud.sh[5578]: /etc/fwcloud/fwcloud.sh: line 44: -P: command not found
Nov 28 08:10:01 host fwcloud.sh[5579]: /etc/fwcloud/fwcloud.sh: line 45: -P: command not found
Nov 28 08:10:01 host fwcloud.sh[5580]: /etc/fwcloud/fwcloud.sh: line 46: -P: command not found
Nov 28 08:10:01 host fwcloud.sh[5581]: /etc/fwcloud/fwcloud.sh: line 47: -P: command not found
Nov 28 08:10:01 host fwcloud.sh[5582]: /etc/fwcloud/fwcloud.sh: line 48: -P: command not found
Nov 28 08:10:01 host fwcloud.sh[5583]: /etc/fwcloud/fwcloud.sh: line 49: -P: command not found

error are caused by missing "iptables" command,
how can modify compilation process to don't use iptables command on NFT only system ?

in fwcloud config this firewall is set compiler to NFT

 

[maxilee]

as a workaround for this I've created two bash scripts : iptables and ip6tables :

#!/bin/bash
exit 0

error in log is gone - but this is ugly hack

 

[Carles Munyoz]

Hi,
It is a bug in the policy compilation process.
I'm going to generate a issue related with this and we will generate a patch release in order to solve it.

Let us a couple of days for solve it and thank you very much for the report!

 

[Carles Munyoz]

We have published a new patch release that solves this problems.
Please, update your FWCloud installation and let me know if this patch release solves your problema.

 

[maxilee]

Hi.
only half of problem was resolved

I've compiled script after update and there are errors :
[10:25:49] - Uploading firewall policy (127.0.0.1)
FWCloud.net - Loading firewall policy generated: Mon Dec 02 2024 10:25:48 GMT+0100 (Central European Standard Time)

/etc/fwcloud/fwcloud.sh: line 89: -t: command not found
/etc/fwcloud/fwcloud.sh: line 94: -t: command not found
/etc/fwcloud/fwcloud.sh: line 89: -t: command not found
/etc/fwcloud/fwcloud.sh: line 94: -t: command not found
/etc/fwcloud/fwcloud.sh: line 89: -t: command not found
/etc/fwcloud/fwcloud.sh: line 94: -t: command not found

problematic function :
reset_iptables_v6() {
IPv6_TABLES="filter nat mangle"
for table in $IPv6_TABLES; do
$IP6TABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IP6TABLES -t $table -F $chain
fi
done
$IP6TABLES -t $table -X
done
}

 

[Carles Munyoz]

Sorry us, we forgot to add the filter to this function.
A new patch release (2.0.16) is cooking now in our CI, it will be available in a few minutes.
Please, let me know if with it the problem is solved.