This is rather a bit of an hack but works for us for now.
we need to use the legacy versions for both due some bugs in the
nftables based versions, i.e., for iptables it's Debian bug #929527 [0]
and for ebtables it's Debian bug #929976 [1]. While the first gained
some response from the maintainer and a solution is in sight it's
currently blocked by Buster release freeze policy. The second one did
not get any response so far.
[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929527
[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929976
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Conflicts=shutdown.target
[Service]
+ExecStartPre=-/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy
+ExecStartPre=-/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
+ExecStartPre=-/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
ExecStart=/usr/sbin/pve-firewall start
ExecStop=/usr/sbin/pve-firewall stop
ExecReload=/usr/sbin/pve-firewall restart