fix(portscan): add nf_tables fallback for Debian 12+/Ubuntu 22.04+ #483
Open
pippocom wants to merge 1 commit into
Conversation
The portscan module blocked startup on modern Linux distributions where iptables-legacy is unavailable or the ip_tables kernel module is absent (Debian 13 Trixie, Ubuntu 22.04+), throwing 'Please install iptables-legacy' even when iptables (nf_tables backend) is fully functional.

Changes:
- Added _iptables_legacy_works() to probe the mangle table at runtime rather than assuming legacy mode is available just because the binary exists. On Debian 13 the ip_tables kernel module may be absent, making the mangle table inaccessible even with iptables-legacy installed.
- Refactored set_iptables_rules() with automatic backend detection: legacy mangle table is used when available (original behaviour); nf_tables filter/INPUT chain is used as a fallback, preserving the same 'canaryfw: ' log prefix so SynLogWatcher requires no changes.
- Extracted _set_legacy_rules() and _set_nftables_rules() for clarity.

The existing wiki workaround (update-alternatives --set iptables iptables-legacy) does not help on Debian 13 where the ip_tables kernel module is absent. This patch makes the module work out of the box on both legacy and modern kernels without manual intervention.

Tested on: Debian 13 Trixie, kernel 6.18, Python 3.13, Raspberry Pi Zero 2W.
Reported-by: Marco Iannacone <ianna@pippo.com>
Proposed changes
The portscan module fails silently on modern Linux distributions (Debian 12+, Ubuntu 22.04+, Debian 13 Trixie) where iptables-legacy is unavailable or the ip_tables kernel module is absent. The module throws an exception and never starts, with no port scan detection at all.
The existing wiki workaround (update-alternatives --set iptables iptables-legacy) does not help on Debian 13 where the kernel module itself is missing.
Types of changes
Bugfix (non-breaking change which fixes an issue)
Checklist
Lint and unit tests pass locally with my changes (if applicable)
Further comments
The fix adds automatic backend detection at runtime:
_iptables_legacy_works() probes the mangle table directly rather than assuming legacy mode works just because the binary exists. On Debian 13 the ip_tables kernel module may be absent, making the mangle table inaccessible even with iptables-legacy installed.
set_iptables_rules() now selects the backend automatically: legacy mangle table when available (original behaviour, fully backward compatible); nf_tables filter/INPUT chain as fallback, preserving the same canaryfw: log prefix so SynLogWatcher requires no changes.
Logic extracted into _set_legacy_rules() and _set_nftables_rules() for readability.
Tested on: Debian 13 Trixie, kernel 6.18, Python 3.13, Raspberry Pi Zero 2W.
Reported-by: Marco Iannacone ianna@pippo.com
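An added example of the probe-then-fall-back approach described above (example code, not the PR's diff and not OpenCanary's own implementation): it lists the mangle table through iptables-legacy, and only if that fails does it build the equivalent LOG rules for the nf_tables-backed iptables binary on filter/INPUT, keeping the same canaryfw: prefix. The PREROUTING chain for the legacy path, the --syn match, and the injectable command runner are assumptions made for illustration.

```python
"""Runtime iptables backend detection for SYN logging (illustrative example)."""
import shutil
import subprocess
from typing import Callable, List, Tuple

LOG_PREFIX = "canaryfw: "  # prefix the page says SynLogWatcher matches on

# A runner takes an argv list and returns (returncode, stderr). It is injectable
# so the selection logic can be exercised without root or a netfilter stack.
Runner = Callable[[List[str]], Tuple[int, str]]


def _run(argv: List[str]) -> Tuple[int, str]:
    """Default runner: execute argv; a missing binary counts as failure (rc 127)."""
    if shutil.which(argv[0]) is None:
        return 127, f"{argv[0]}: not found"
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stderr


def iptables_legacy_works(run: Runner = _run) -> bool:
    """Probe the mangle table instead of trusting that the binary exists.

    Listing fails when the ip_tables kernel module is absent even though
    iptables-legacy is installed, which is the Debian 13 case the PR describes.
    """
    rc, _stderr = run(["iptables-legacy", "-t", "mangle", "-L", "-n"])
    return rc == 0


def build_rules(ports: List[int], run: Runner = _run) -> Tuple[str, List[List[str]]]:
    """Return (backend, commands) that log inbound SYNs to the given ports.

    legacy:   iptables-legacy, mangle table, PREROUTING (assumed chain)
    nftables: iptables (nf_tables backend), filter table, INPUT (fallback)
    Both emit LOG rules with the same prefix, so the log watcher is unchanged.
    """
    if iptables_legacy_works(run):
        backend, binary, table, chain = "legacy", "iptables-legacy", "mangle", "PREROUTING"
    else:
        backend, binary, table, chain = "nftables", "iptables", "filter", "INPUT"
    cmds = []
    for port in ports:
        cmds.append([binary, "-t", table, "-A", chain, "-p", "tcp", "--dport", str(port),
                     "--syn", "-j", "LOG", "--log-prefix", LOG_PREFIX])
    return backend, cmds
```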