Wish they'll update iptables in 10.4. Current version (nft based) has lot of issues.

iptables is legacy, and nftables is where pretty much all distros have been heading towards as the new normal (before bpf looked like the new shiny). The only real issue I recall in nft was lack of support for conntrack with bridge networking, which was added in the kernel 5.2-ish time period.

Huh. There's something you don't see every day. (Overflowing is easy. Shove too much onto the stack or unbalance your pushes and pops. I can't think of anything but unbalanced pushes and pops that would cause an underflow.)

And what issues would that be? Did you submit bug reports? Did you try switching back to iptables-legarcy through the update-alternatives mechanism?

Yes, see here the issues:

some of the are fixed in testing/sid, but still broken on buster, example:



That's indeed one of the possible workaround, the other is to update iptables from the backports. But many users are encountering these issues on a plain buster.

Well, I'd say you don't have a strong argument for a backport if you say the rules you load are invalid and it's unclear which commit fixes this. If I were the maintainer, I probably also wouldn't wanna invest a whole lot of time in this issue if you basically have two ways around the issue (the backported version and iptables-legacy). If it's that important to you, you could investigate the issue further and identify the commit that solves this. Maybe then, he'd be inclined to backport it.

Mind you, I also had cases where I reported bugs and hoped for a backport and the maintainer didn't want to do so even when the fix was clear. But Debian is a volunteer project, so I accept their decision. It's their free time after all and it's not like I paid a subscription to an enterprise distribution that entitles me to some sort of support.

I don't know how many people are affected by these problems and how much of an issue it is for them. I have several Debian machines/servers that I upgraded from Stretch to Buster. They all use either ufw for simple iptables-based firewalling or shorewall in case of more complex firewall setups. I was concerned about the switch of the default firewall backend in Buster (but I was aware of the change). Except for one machine, I had no issues with the new iptables-nft backend. That includes both ufw and shorewall setups. Only on one shorewall-based machine I noticed a warning or error message. But that machine really has a complex setup with many interfaces and rules. In that case, iptables-nft loads the shorewall-generated ruleset just fine and seems to work fine as well. But when I do a `nft list ruleset`, I get an error message. I figured out which rule causes this and reported it upstream, but didn't get a response. My suspicion is that it's just a cosmetic issue and the rules work just fine. But I'm not entirely sure, nor do I care enough about it, so on that machine I simply switched back to iptables-legacy. I'm planning to move to plain nftables in the near future anyway, so I really don't wanna invest more time in that issue if I can just use iptables-legacy for the time being.