
#1 2022-12-15 09:05:27

webcapcha
Member
Registered: 2019-02-14
Posts: 167

[SOLVED] Moved to the nftables but still having iptables leftovers.

I've completely moved to pure nftables without firewalld or similar. And according to the Arch Wiki I installed the https://wiki.archlinux.org/title/Nftables#Installation *iptables-nft* package, which should have removed the iptables package, as the wiki claims.

But I find that I still have iptables.service

$ sudo systemctl status iptables.service
○ iptables.service - IPv4 Packet Filtering Framework
     Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; preset: disabled)
     Active: inactive (dead)

As well as the directory

/etc/iptables

Is it safe to delete those orphans? If yes then how?

Last edited by webcapcha (2022-12-15 14:45:24)


Ukrainian


#2 2022-12-15 09:23:41

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 15,158

Re: [SOLVED] Moved to the nftables but still having iptables leftovers.

Those aren't orphans and it's definitely a Bad Idea to delete them.

$ pacman -F /usr/lib/systemd/system/iptables.service /etc/iptables/
usr/lib/systemd/system/iptables.service is owned by core/iptables 1:1.8.8-2
usr/lib/systemd/system/iptables.service is owned by core/iptables-nft 1:1.8.8-2
etc/iptables/ is owned by core/iptables 1:1.8.8-2
etc/iptables/ is owned by core/iptables-nft 1:1.8.8-2
$

As far as I can see you've done everything right.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky


#3 2022-12-15 09:26:19

mpan
Member
Registered: 2012-08-01
Posts: 1,607
Website

Re: [SOLVED] Moved to the nftables but still having iptables leftovers.

Those are not orphans. All the mentioned files are part of core/iptables-nft.


#4 2022-12-15 09:32:49

webcapcha
Member
Registered: 2019-02-14
Posts: 167

Re: [SOLVED] Moved to the nftables but still having iptables leftovers.

And why do we have a service that I'm not going to use? I mean iptables.service. Is it because some of the "base" or "root" packages are built with iptables support by default? Because for now I just have an empty /etc/iptables/empty.rules file.



#5 2022-12-15 09:50:57

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 76,416

Re: [SOLVED] Moved to the nftables but still having iptables leftovers.

*iptables-nft* package which should have removed iptables

No, "should" not.
https://archlinux.org/packages/core/x86_64/iptables/

Linux kernel packet control tool (using legacy interface)

https://archlinux.org/packages/core/x86 … ables-nft/

Linux kernel packet control tool (using nft interface)

Because for now I just have an empty /etc/iptables/empty.rules file

https://archlinux.org/packages/core/x86 … ables-nft/

etc/iptables/empty.rules
etc/iptables/ip6tables.rules
etc/iptables/iptables.rules
etc/iptables/simple_firewall.rules

So what happened?


#6 2022-12-15 09:56:08

webcapcha
Member
Registered: 2019-02-14
Posts: 167

Re: [SOLVED] Moved to the nftables but still having iptables leftovers.

Is it better in my case to delete iptables-nft and install the pure nftables package?
The reason being to not have an iptables.service that I'm not going to use.



#7 2022-12-15 10:16:14

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 76,416

Re: [SOLVED] Moved to the nftables but still having iptables leftovers.

Why are you freaking out about the disabled iptables.service???

iptables is a dependency for a bunch of other packages - if you use any of them, you'll need *some* iptables installation.
Otherwise, why do you have one in the first place??


#8 2022-12-15 10:31:19

webcapcha
Member
Registered: 2019-02-14
Posts: 167

Re: [SOLVED] Moved to the nftables but still having iptables leftovers.

I just came across it, and it's not only services but also several empty, non-useful files in my case. If I use vim, why do I need emacs files, and so on.

Well, if there is no easy way to just delete those orphans from my user perspective, then I don't mind letting them live on my SSD.



#9 2022-12-15 14:05:38

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 76,416

Re: [SOLVED] Moved to the nftables but still having iptables leftovers.

You can delete whatever you want - it's your system.
But:

several empty non useful files … delete those orphans

is just an assumption you make.
Do you *know* that no dependency of iptables, within the scope of your use case for that tool, somehow makes use of those "empty non useful … orphans"?
Then you can delete them (with more than questionable benefits, but whatever).
Otherwise you may easily run into unforeseen and hard-to-trace consequences ("errors") in those tools.

Also deleting those files w/o adding them to NoExtract will just reinstall them w/ the next update.

Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.


#10 2022-12-15 14:44:40

webcapcha
Member
Registered: 2019-02-14
Posts: 167

Re: [SOLVED] Moved to the nftables but still having iptables leftovers.

You can delete whatever you want - it's your system.

Come on, I didn't make a meta statement. Of course I can do whatever I want, even throw my laptop out the window. But that's not my case, to just delete something and then enjoy an error on reboot.

Do you *know* that no dependency of iptables to the scope of your usecase for that tool does somehow make use of those "empty non useful … orphans"?

No, I don't. I'm not a senior Arch Linux user or software developer.

I just find iptables stuff which I don't really need from my user perspective, not from a dependency perspective.

And having the aforementioned iptables service with an empty ruleset kind of adds an additional point of failure. How can I make sure that one day I or a piece of software don't accidentally start the iptables service, eventually leaving me with no firewall at all?

I marked this topic solved, but if you have a suggestion regarding this, you are welcome.

Last edited by webcapcha (2022-12-15 14:45:02)



#11 2022-12-15 15:05:19

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 76,416

Re: [SOLVED] Moved to the nftables but still having iptables leftovers.

How can I make sure that one day I or a piece of software don't accidentally start the iptables service, eventually leaving me with no firewall at all?

If something "accidentally" calls "/usr/bin/iptables-restore /etc/iptables/iptables.rules" w/ root permissions, you have other problems to deal with, but
1. the "accidental" invocation of any service is prohibited by masking it
2. the service will call iptables-restore, which is merely a symlink to xtables-nft-multi

What configures your firewall right now anyway?

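Pulling the two points above together, as an added example that is not code from this thread, from Arch, or from any of the posters: a shell script that confirms the leftover files are package-owned (pacman -Qo), reports which multi-call binary the iptables front end resolves to, masks iptables.service and ip6tables.service wherever they are not already masked, and verifies that nftables.service is enabled and has a non-empty ruleset loaded. The binary names xtables-nft-multi / xtables-legacy-multi and the unit paths follow the Arch packaging quoted earlier in the thread; the RUN_AUDIT variable and the function names are my own. The classification helpers take their inputs as arguments, so the decision logic can be exercised without root or a live systemd.

```shell
#!/bin/sh
# Added example, not from the thread. Audit an Arch host that runs nftables
# natively but still carries iptables-nft for dependents, and make sure the
# legacy-style units cannot be started by accident.
set -u

# Classify an iptables binary by the multi-call binary its symlink resolves to.
# Pure function: pass the result of `readlink -f "$(command -v iptables)"`.
classify_backend() {
  case "${1##*/}" in
    xtables-nft-multi)    echo nft ;;     # rules are translated into nf_tables
    xtables-legacy-multi) echo legacy ;;  # rules go to the old x_tables modules
    *)                    echo unknown ;;
  esac
}

# Decide whether a unit still needs masking, given `systemctl is-enabled` output.
# "masked"/"masked-runtime" already refuse `systemctl start`; every other state
# (disabled, enabled, static, or absent) can still be started by hand or by a
# dependent unit. Returns 0 when masking is needed.
needs_mask() {
  case "$1" in
    masked|masked-runtime) return 1 ;;
    *)                     return 0 ;;
  esac
}

audit_live_system() {
  # 1. The files are not orphans: pacman -Qo exits non-zero for unowned paths.
  for f in /usr/lib/systemd/system/iptables.service /etc/iptables; do
    pacman -Qo "$f" || echo "WARNING: $f is not owned by any package"
  done

  # 2. Report which backend the iptables front end actually talks to.
  bin=$(command -v iptables) || { echo "no iptables binary installed"; return 0; }
  target=$(readlink -f "$bin")
  echo "iptables backend: $(classify_backend "$target") ($target)"

  # 3. Mask the rule-loading units so neither a typo nor a dependent can start them.
  for unit in iptables.service ip6tables.service; do
    state=$(systemctl is-enabled "$unit" 2>/dev/null || true)
    if needs_mask "$state"; then
      echo "masking $unit (was: ${state:-absent})"
      sudo systemctl mask "$unit"
    fi
  done

  # 4. The firewall you rely on must be enabled and must have rules loaded;
  #    `nft list ruleset` prints one "table ..." line per table, none when empty.
  systemctl is-enabled nftables.service >/dev/null 2>&1 \
    || echo "WARNING: nftables.service is not enabled"
  sudo nft list ruleset | grep -q '^table' \
    || echo "WARNING: nftables ruleset is empty"
}

# Only touch the live system when explicitly asked: RUN_AUDIT=1 sh audit.sh
if [ "${RUN_AUDIT:-0}" = 1 ]; then
  audit_live_system
fi
```

Masking rather than merely leaving the unit disabled is the point: a disabled unit can still be started by `systemctl start` or pulled in by another unit, while a masked one is symlinked to /dev/null and refuses both. The package files stay in place, so nothing breaks for dependents and nothing comes back on the next upgrade.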

#12 2022-12-15 16:25:29

webcapcha
Member
Registered: 2019-02-14
Posts: 167

Re: [SOLVED] Moved to the nftables but still having iptables leftovers.

https://wiki.archlinux.org/title/Nftables#Workstation here is my config, just copy-pasted.
iptables-nft package from the wiki.


