Hi, just a follow-up from today. On the host where I was debugging firehol behaviour on iptables-nft vs. iptables-legacy (before reporting the bug), I got strange behaviour after upgrading to 3.1.6+ds-8.

It was caused by my manual change of the iptables alternatives to the -legacy one. The sequence was like this:

1. install firehol 3.1.6+ds-7
2. set up the firewall (loaded to nft tables)
3. do some debugging to find out that you need -legacy
4. update-alternatives to iptables-legacy
5. load the firewall again (this time, it loads to legacy iptables)
6. upgrade to firehol 3.1.6+ds-8, keep the iptables alternatives at -legacy

Now you have two "identical" firewalls ;) - the first was loaded with the old version of firehol to nft, the second is loaded to legacy tables.

Now change the firehol config, open a new port to be accessible, reload firehol and test it. It's not accessible; iptables keeps logging dropped packets. Try to allow all access, try to stop firehol - the port is still not accessible. List your firewall using iptables -L: you see an empty ruleset with policy=ACCEPT in all chains. Go crazy ;) Try to list with iptables-nft -L. AHA - here is your firewall blocking your access. (It also warns you that there are some rules in legacy tables.) Reboot.

I think users are safe to upgrade from -7 to -8, unless they did a manual override of the iptables alternatives.

Libor
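The "two identical firewalls" situation above (rules left in one backend while the active iptables alternative points at the other) is easy to miss because plain iptables -L only shows the selected backend. Below is an added example, not part of the bug report or of firehol: a small POSIX shell check that counts rules in iptables-save style output for each backend and flags the case where both the legacy and the nft backend carry rules. The parsing functions work on text so they can be exercised offline against the constructed sample rulesets embedded below; the --live mode assumes Debian's iptables-legacy-save and iptables-nft-save binaries are on PATH.

```shell
#!/bin/sh
# Added example (not from the bug report): detect rules present in BOTH
# iptables backends after an alternatives switch.

# Count rule lines ("-A ...") in iptables-save format read from stdin.
# grep -c prints 0 and exits 1 on no match, so mask the exit status.
count_rules() {
    grep -c '^-A ' || true
}

# Return 0 (true) when both rulesets given as arguments contain rules.
both_loaded() {
    legacy_n=$(printf '%s\n' "$1" | count_rules)
    nft_n=$(printf '%s\n' "$2" | count_rules)
    [ "$legacy_n" -gt 0 ] && [ "$nft_n" -gt 0 ]
}

# Print a one-line verdict for a pair of rulesets; exit status 1 if split.
report() {
    legacy_n=$(printf '%s\n' "$1" | count_rules)
    nft_n=$(printf '%s\n' "$2" | count_rules)
    printf 'legacy rules: %s, nft rules: %s\n' "$legacy_n" "$nft_n"
    if both_loaded "$1" "$2"; then
        echo "WARNING: rules loaded in both backends; the inactive one still filters traffic"
        return 1
    fi
    return 0
}

# Query the real system (assumes Debian's *-save binaries are installed).
check_live() {
    legacy=$(iptables-legacy-save 2>/dev/null || true)
    nft=$(iptables-nft-save 2>/dev/null || true)
    update-alternatives --query iptables 2>/dev/null | grep '^Value:' || true
    report "$legacy" "$nft"
}

# Constructed sample: a DROP-policy ruleset as firehol might leave in one backend.
SAMPLE_LOADED='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "IN-DROP: "
COMMIT'

# Constructed sample: what "iptables -L" showed in the report - empty, ACCEPT policy.
SAMPLE_EMPTY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

if [ "${1:-}" = "--live" ]; then
    check_live
elif [ "${1:-}" = "--demo" ]; then
    report "$SAMPLE_LOADED" "$SAMPLE_LOADED" || true   # split case: warns
    report "$SAMPLE_EMPTY" "$SAMPLE_LOADED"            # normal case: quiet
fi
```

Run it with --demo to see both verdicts on the samples, or with --live (as root) on a host after switching alternatives; a non-zero exit from report means the inactive backend still holds rules and a reboot or an explicit flush of that backend is needed.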