| 1 |
On Sunday, 17 May 2020 12:26:02 BST Victor Ivanov wrote: |
| 2 |
> Andrew makes a good point that, of course, not all options will be |
| 3 |
> relevant to a particular image or use case. The script is aimed to check |
| 4 |
> for "full" compatibility. Having some reported as missing is by no means |
| 5 |
> a deal breaker. |
| 6 |
> |
| 7 |
> Re nftables it's a very valid point as well. I too use nftables instead |
| 8 |
> of iptables and, in general, anything that dares touch my rules I will |
| 9 |
> either disable the option for it to do so or, if that's not possible, |
| 10 |
> swiftly eradicate it off my system with vengeance. I'm not a big fan of |
| 11 |
> how Docker manages netfilter rules so I too tend to disable that from |
| 12 |
> the config and, as Andrew said, it has been slow at adopting nftables. |
| 13 |
> It seems Docker is being developed with primary consideration for stable |
| 14 |
> (read archaic) distributions that have long release cycles. |
| 15 |
|
| 16 |
Ah. I scent Debian. |
| 17 |
|
| 18 |
> If you use nftables at all - even via other software such as firewalld, |
| 19 |
> etc - Docker may or may not like that. Previously, though admitedly |
| 20 |
> quite a while ago, Docker just loved adding iptables rules in addition |
| 21 |
> to my nftables rules. Needless to say, that quickly became a mess. |
| 22 |
|
| 23 |
I've been using shorewall for many years. |
| 24 |
|
| 25 |
> nftables is _a lot_ easier to manage, even writing rules manually feels |
| 26 |
> a lot more intuitive. So I think the learning curve (at least in terms |
| 27 |
> of syntax) tends to be less steep IMO if you decide to go down that road |
| 28 |
> at some point. |
| 29 |
> |
| 30 |
> Anyway, this probably wasn't a post of high contribution value haha |
| 31 |
|
| 32 |
All grist to the mill - thanks. |
| 33 |
|
| 34 |
-- |
| 35 |
Regards, |
| 36 |
Peter. |
Archives