[pve-devel] [RFC pve-firewall v1 1/1] pve-firewall.service: update-alternatives to {ip, eb}tables-nft

Max R. Carrara m.carrara at proxmox.com
Fri Aug 1 17:45:21 CEST 2025


Back in c743e671d it was necessary to update-alternative `ebtables`
to `ebtables-legacy` due to some bugs [0][1]. However, these bugs
appear to be fixed now.

In Trixie, `ebtables-legacy` seems to cause an enormous amount of audit
message spam in `dmesg` after upgrading from Bookworm (about 5 long
lines every ~10 seconds), making it very tedious to find anything one
actually cares about.

Thus, use the -nft variants instead of the -legacy ones, as the
aforementioned bugs have long since been fixed and the audit log spam
is silenced that way.

[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929527
[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929976

Signed-off-by: Max R. Carrara <m.carrara at proxmox.com>
---
 debian/pve-firewall.service | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/debian/pve-firewall.service b/debian/pve-firewall.service
index f95ce6d..c99db26 100644
--- a/debian/pve-firewall.service
+++ b/debian/pve-firewall.service
@@ -8,9 +8,9 @@ Before=shutdown.target
 Conflicts=shutdown.target
 
 [Service]
-ExecStartPre=-/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy
-ExecStartPre=-/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
-ExecStartPre=-/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+ExecStartPre=-/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-nft
+ExecStartPre=-/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-nft
+ExecStartPre=-/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
 ExecStart=/usr/sbin/pve-firewall start
 ExecStop=/usr/sbin/pve-firewall stop
 ExecReload=/usr/sbin/pve-firewall restart
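Review bot: switching the alternatives in ExecStartPre does not migrate rules that are already loaded in the legacy backend, so on a host upgraded from Bookworm that has not been rebooted the ruleset programmed by the previous `pve-firewall start` stays in the iptables-legacy/ip6tables-legacy/ebtables-legacy tables while the new start programs the -nft backend; both backends are then active at the same time and the stale legacy rules keep matching until someone flushes them. Suggest either flushing the legacy tables before the first nft-backed start (for example `iptables-legacy -F`, `ip6tables-legacy -F`, `ebtables-legacy -F`, plus `-X` for user-defined chains) or stating in the commit message and upgrade notes that a reboot or manual flush is expected. Separately, the leading `-` on the three `ExecStartPre=` lines means a failing `update-alternatives --set` is silently ignored and `pve-firewall start` proceeds with whichever binary is still selected; that is pre-existing, but worth a sentence in the commit message since this change now relies on the switch actually taking effect.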
-- 
2.39.5