[Update] Set iptables-legacy as alternative on Debian systems
Showing 1 changed file with 5 additions and 0 deletions.
af14907
Why this change? What advantages/disadvantages will this bring?
Furthermore, should not ip6tables then also be changed here?
I guess this is about that problem where ipv6nat does not start when Docker's rules were created with a certain version of iptables-nft (#3940)? If that's the case, we should probably restrict this to that specific version.
Yes, I think this command needs to be improved.

Hm. I came across problems on Buster lately.
Does the problem currently only affect Buster? Maybe you could limit it somehow.
But you already know what you are doing :)
And I think you missed ip6tables:
af14907#commitcomment-49196793
I expect that you'd get it when you install iptables 1.8.5 from backports on buster. A vanilla buster should not exhibit the issue as it has iptables 1.8.2. Bullseye has iptables 1.8.7, which robbertkl/docker-ipv6nat#67 says is the version with the fix.
So how about checking for iptables 1.8.[456], running update-alternatives on Debian and printing an error message on other distributions?

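A shell version of the check proposed in the comment above, added here as an example; it is neither mailcow's code nor the content of this commit. It parses the output of `iptables --version`, treats 1.8.4, 1.8.5 and 1.8.6 as the affected versions, only switches the alternatives on Debian-family systems (detected from `/etc/os-release`, an assumption about where the distribution is recorded), and, as another comment in this thread points out, covers ip6tables as well. The `main` function only runs when the script is invoked with `--apply`, so sourcing the file for the helper functions has no side effects.

```shell
#!/bin/sh
# Added example (not mailcow's code). Assumes "iptables --version" prints a line
# like "iptables v1.8.5 (nf_tables)" or "iptables v1.8.2 (legacy)".

# Extract the bare version number from an "iptables --version" line.
iptables_version_from() {
  printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the version is one of those reported in the thread as affected.
affected_iptables_version() {
  ver=$(iptables_version_from "$1")
  case "$ver" in
    1.8.4|1.8.5|1.8.6) return 0 ;;
    *) return 1 ;;
  esac
}

# Only Debian-family systems ship the iptables/ip6tables alternatives groups.
# The os-release path is passed in so the check can be tested on a constructed file.
is_debian_family() {
  [ -f "$1" ] && grep -qiE '^ID(_LIKE)?=.*debian' "$1"
}

main() {
  out=$(iptables --version 2>/dev/null) || { echo "iptables not found" >&2; return 1; }
  if affected_iptables_version "$out"; then
    if is_debian_family /etc/os-release; then
      echo "affected version ($out): switching iptables and ip6tables to the legacy backend"
      update-alternatives --set iptables /usr/sbin/iptables-legacy
      update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
    else
      echo "affected version ($out) on a non-Debian system; switch to the legacy backend manually" >&2
      return 1
    fi
  else
    echo "iptables not affected ($out), nothing to do"
  fi
}

# Run only when explicitly asked, so the file can be sourced for its functions.
case "${1:-}" in
  --apply) main ;;
esac
```

The version gate is the point: the unconditional alternative switch in this commit broke at least one installation and was reverted, while the proposal above limits the change to the versions where docker-ipv6nat actually fails and leaves every other system untouched.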
Setting update-alternatives on affected versions and on others doing nothing, as before :)

I have updated Mailcow this morning and this change breaks my installation:
My system:
I temporarily solved the issue by removing the "/usr/sbin/iptables-legacy" alternative and updating again.

I was aware that there will be problems here (@andryyy).
@paftek
How exactly did you go about removing it temporarily?
@omexlu:
Thanks, it has been reverted:
d71ce15
Will mailcow be upgraded to use nftables in the future? iptables is legacy now and the compatibility shim won't be around forever.
nftables is not yet on all systems :)

@omexlu That's true, however eventually all Linux distros will migrate across to nftables and the legacy iptables interfaces will be removed, so it's a reasonable idea to detect the presence of nftables and prefer its commands when available.
The same thing happened when iptables was new. Some people stuck to the old implementation (ipchains) for a while, but eventually everyone migrated across and the old one was removed, and now nobody ever talks about ipchains any more :)
Yes, you're right, I am sure this will be implemented with a detection of what is available :)

Just wait. No need to act now at all.