
v1.0.0 - Goodbye iptables, hello nftables; IPv6 support

@pitkley pitkley released this 14 Sep 15:47
1.0.0
1913447

Summary

This release replaces the iptables-based backends with a single nftables-based backend. This is a very big change, requiring not only changes to your configuration but probably also to your host.

The reasons for the switch to nftables are manifold:

  • nftables is intended to replace iptables in the long term. Like iptables it is integrated directly into the kernel, it is actively developed, and it is already the default in some major distributions (such as Debian 10 Buster).
  • nftables supports multiple tables of the same type, unlike iptables, which has only one table per type. This allows DFW to manage its rules in entirely separate tables, requiring only minimal intrusion into pre-existing tables and chains.
  • This release supports IPv6 for the first time. nftables has made implementing this easier and cleaner than it would have been with iptables. See the documentation on what you need to do if you want your services to be reachable via IPv6.
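The two nftables properties the list above relies on, a dedicated table that coexists with the existing filter tables, and one ruleset that covers IPv4 and IPv6, can be seen in a small generated ruleset. The script below is an added example and is not DFW's own code or the ruleset DFW actually installs; the table name dfw_example, the interface names and the container addresses are assumptions, and the service list is constructed. It emits an nft -f script that creates an inet-family table (so ip and ip6 rules live side by side) with its own base chain on the forward hook. Because every base chain registered on a hook is evaluated, a drop in this table takes effect even if Docker's or the distro's own filter table accepts the packet, while nothing in those tables has to be touched.

```shell
#!/bin/sh
# Added example, not part of DFW: generate an nftables ruleset that lives in its
# own table and carries both IPv4 and IPv6 rules (inet family).
set -eu

# Constructed sample data: service name, IPv4, IPv6, published TCP port.
# 172.18.0.0/16 and 2001:db8::/32 are private/documentation ranges, i.e. made up.
SAMPLE_SERVICES='web 172.18.0.2 2001:db8:1::2 80
api 172.18.0.3 2001:db8:1::3 8080'

# gen_ruleset <wan-ifname> <bridge-ifname>
# Prints a complete `nft -f` script on stdout. The table name dfw_example and
# the interface names are assumptions for this example.
gen_ruleset() {
    wan="$1"
    bridge="$2"
    cat <<EOF
#!/usr/sbin/nft -f
# Declaring the table first makes the delete idempotent; only our own table is
# re-created, tables owned by Docker or the distribution are left untouched.
table inet dfw_example
delete table inet dfw_example

table inet dfw_example {
    chain forward {
        # A base chain in a second table is evaluated on the same hook as the
        # existing filter tables: an accept here hands the packet on to them,
        # a drop here is final even if they would accept.
        type filter hook forward priority 0; policy accept;

        ct state established,related accept
EOF
    # One IPv4 and one IPv6 rule per service; `ip` and `ip6` matches may be
    # mixed freely inside an inet table.
    printf '%s\n' "$SAMPLE_SERVICES" | while read -r name v4 v6 port; do
        [ -n "$name" ] || continue
        printf '        # %s\n' "$name"
        printf '        iifname "%s" oifname "%s" ip daddr %s tcp dport %s accept\n' \
            "$wan" "$bridge" "$v4" "$port"
        printf '        iifname "%s" oifname "%s" ip6 daddr %s tcp dport %s accept\n' \
            "$wan" "$bridge" "$v6" "$port"
    done
    cat <<EOF

        # Everything else arriving from the outside and headed for the bridge is dropped.
        iifname "$wan" oifname "$bridge" drop
    }
}
EOF
}

# Usage: gen_ruleset <wan-ifname> <bridge-ifname> > dfw_example.nft
gen_ruleset "${1:-eth0}" "${2:-docker0}"
```

On a host with nftables installed, gen_ruleset eth0 docker0 > dfw_example.nft followed by nft -c -f dfw_example.nft performs a dry-run syntax check without loading anything; dropping the -c loads the table next to whatever is already in ip filter and ip6 filter.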

Take a look at the dedicated migration documentation on how to upgrade from v0.x of DFW to v1.0.

Staying on iptables

Should you be unable to switch from iptables to nftables, you can find the last working state of the iptables-based DFW under the iptables branch. This branch is kept up-to-date on dependencies on a best-effort basis, and is available on Docker Hub under pitkley/dfw:iptables. (The iptables branch equals release v0.5.1, no changes are required if you come from any 0.5 release.)

Installation

While you can use Cargo to install dfw as a binary, using the Docker image is the preferred way to go, especially if you don't want to install Rust and Cargo on your host:

$ docker pull pitkley/dfw:1.0.0
$ docker run -d \
      --name=dfw \
      --restart=unless-stopped \
      -v /var/run/docker.sock:/var/run/docker.sock:ro \
      -v /path/to/your/config:/config \
      --net host --cap-add=NET_ADMIN \
      pitkley/dfw:1.0.0 --config-path /config

This will download a lightweight image, coming in at under 7 MB, and subsequently run it using your configuration. Be aware of what these flags grant: --net host together with --cap-add=NET_ADMIN is what lets the container program the host's nftables, and the Docker socket mount is what lets it observe container events. The :ro on the socket bind mount only makes the socket file read-only on the filesystem; it does not restrict the API calls that can be made over it, so the container should be treated as root-equivalent on the host and run only from an image you trust.