[pve-devel] [RFC pve-firewall v1 1/1] pve-firewall.service: update-alternatives to {ip, eb}tables-nft
Max R. Carrara
m.carrara at proxmox.com
Fri Aug 1 17:45:21 CEST 2025
Back in c743e671d it was necessary to update-alternative `ebtables`
to `ebtables-legacy` due to some bugs [0][1]. However, these bugs
appear to be fixed now.
In Trixie, `ebtables-legacy` seems to cause an enormous amount of audit
message spam in `dmesg` after upgrading from Bookworm -- about 5 long
lines every ~10 seconds -- making it very tedious to find anything one
actually cares about.
Thus, use the -nft variants instead of the -legacy ones, as the
aforementioned bugs have long since been fixed and the audit log spam
is silenced that way.
[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929527
[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929976
Signed-off-by: Max R. Carrara <m.carrara at proxmox.com>
---
debian/pve-firewall.service | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/debian/pve-firewall.service b/debian/pve-firewall.service
index f95ce6d..c99db26 100644
--- a/debian/pve-firewall.service
+++ b/debian/pve-firewall.service
@@ -8,9 +8,9 @@ Before=shutdown.target
Conflicts=shutdown.target
[Service]
-ExecStartPre=-/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy
-ExecStartPre=-/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
-ExecStartPre=-/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+ExecStartPre=-/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-nft
+ExecStartPre=-/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-nft
+ExecStartPre=-/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
ExecStart=/usr/sbin/pve-firewall start
ExecStop=/usr/sbin/pve-firewall stop
ExecReload=/usr/sbin/pve-firewall restart
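Review bot: the three `ExecStartPre=-` lines switch the backend but do nothing about rules that may already be loaded through the legacy backend on an upgraded host; the kernel keeps evaluating legacy xtables rules alongside nf_tables rules, and after this switch `iptables`/`ip6tables`/`ebtables` will no longer show or flush them, so stale legacy rules from the previous boot or from other tooling can silently stay in effect. Consider either clearing the legacy tables once at switch time (e.g. via the `*-legacy` binaries before the `--set` calls) or at least stating in the commit message how leftover legacy rules are expected to be handled. Also note that the leading `-` makes a failing `update-alternatives` call non-fatal, so if a `*-nft` binary is missing the unit will start with whatever alternative was previously selected without any visible error; the packaging should guarantee those binaries are present, or the failure should be logged.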
--
2.39.5