On Sunday, 17 May 2020 12:26:02 BST Victor Ivanov wrote:
> Andrew makes a good point that, of course, not all options will be
> relevant to a particular image or use case. The script is aimed to check
> for "full" compatibility. Having some reported as missing is by no means
> a deal breaker.
>
> Re nftables it's a very valid point as well. I too use nftables instead
> of iptables and, in general, anything that dares touch my rules I will
> either disable the option for it to do so or, if that's not possible,
> swiftly eradicate it off my system with vengeance. I'm not a big fan of
> how Docker manages netfilter rules so I too tend to disable that from
> the config and, as Andrew said, it has been slow at adopting nftables.
> It seems Docker is being developed with primary consideration for stable
> (read archaic) distributions that have long release cycles.

Ah. I scent Debian.

> If you use nftables at all - even via other software such as firewalld,
> etc - Docker may or may not like that. Previously, though admittedly
> quite a while ago, Docker just loved adding iptables rules in addition
> to my nftables rules. Needless to say, that quickly became a mess.

I've been using shorewall for many years.

> nftables is _a lot_ easier to manage, even writing rules manually feels
> a lot more intuitive. So I think the learning curve (at least in terms
> of syntax) tends to be less steep IMO if you decide to go down that road
> at some point.
>
> Anyway, this probably wasn't a post of high contribution value haha

All grist to the mill - thanks.

-- 
Regards,
Peter.