Hello,
Some of my servers have kernels built by a cloud provider which does not have the security tables available and has the nf_conntrack_* modules built in.
When I could, I updated the kernel, as recently suggested to another user in [1]. But that doesn't look like a solution for kernels we can't update. Moreover, these tables don't look mandatory for firewalld and limit the use of firewalld where iptables could be used.
Would you like to accept patches which make:
- security tables optional;
- support kernels with builtin network modules?
Side question: Why is firewalld altering ipXtables when the backend is nftables?
Regards,
[1] https://github.com/firewalld/firewalld/issues/411
Sébastien "Seblu" Luttringer
On Mon, Nov 12, 2018 at 03:39:37PM +0100, Sébastien Luttringer wrote:
> Hello,
Hello.
> Some of my servers have kernels built by a cloud provider which does not have the security tables available and has the nf_conntrack_* modules built in.
> When I could, I updated the kernel, as recently suggested to another user in [1]. But that doesn't look like a solution for kernels we can't update.
You mention nftables below. It's quite possible the kernel provided by the cloud provider is too old to support the nftables backend. You need at least 4.18.
> Moreover, these tables don't look mandatory for firewalld and limit the use of firewalld where iptables could be used.
> Would you like to accept patches which make:
Yes. Patches welcome.
> - security tables optional;
This should already be the case. On startup firewalld probes for the available tables. If firewalld is not handling the absence gracefully then it is a bug and should be reported upstream. You can reopen #411.
> - support kernels with builtin network modules?
It should be possible to handle this as well. File a separate issue for it.
> Side question: Why is firewalld altering ipXtables when the backend is nftables?
Even with FirewallBackend=nftables we still support the --direct rules which use iptables/ip6tables/ebtables.
> Regards,
> [1] https://github.com/firewalld/firewalld/issues/411
> Sébastien "Seblu" Luttringer
On Mon, 2018-11-12 at 13:54 -0500, Eric Garver wrote:
> On Mon, Nov 12, 2018 at 03:39:37PM +0100, Sébastien Luttringer wrote:
> You mention nftables below. It's quite possible the kernel provided by the cloud provider is too old to support the nftables backend. You need at least 4.18.
The kernel version of the cloud provider is 4.9.130. I don't find a lot of distributions which already ship a 4.18 kernel. According to Wikipedia, kernel version 3.13 is the first to support the nftables subsystem. Did you mean 3.18?
> > - security tables optional;
> This should already be the case. On startup firewalld probes for the available tables. If firewalld is not handling the absence gracefully then it is a bug and should be reported upstream. You can reopen #411.
I can confirm, without security tables, firewalld refuses to start. I posted a message into #411, but I cannot reopen.
> > - support kernels with builtin network modules?
> It should be possible to handle this as well. File a separate issue for it.
Done. Issue #430 is open.
Regards,
Sébastien "Seblu" Luttringer
On Mon, Nov 19, 2018 at 12:54:59AM +0100, Sébastien Luttringer wrote:
> On Mon, 2018-11-12 at 13:54 -0500, Eric Garver wrote:
> > On Mon, Nov 12, 2018 at 03:39:37PM +0100, Sébastien Luttringer wrote:
> > You mention nftables below. It's quite possible the kernel provided by the cloud provider is too old to support the nftables backend. You need at least 4.18.
> The kernel version of the cloud provider is 4.9.130. I don't find a lot of distributions which already ship a 4.18 kernel. According to Wikipedia, kernel version 3.13 is the first to support the nftables subsystem. Did you mean 3.18?
I meant 4.18.
From the firewalld v0.6.0 release notes:
New dependencies for nftables backend:
- nftables >= 0.9.0
- linux >= 4.18
While most of the nftables backend will function with earlier versions of nftables and Linux it is not recommended. Many bugs were found and fixed in these packages while firewalld's nftables backend was being developed. Some examples are: iptables and nftables NAT coexistence, nftables AUDIT support, nftables set ranges with timeouts.
> > > - security tables optional;
> > This should already be the case. On startup firewalld probes for the available tables. If firewalld is not handling the absence gracefully then it is a bug and should be reported upstream. You can reopen #411.
> I can confirm, without security tables, firewalld refuses to start. I posted a message into #411, but I cannot reopen.
> > > - support kernels with builtin network modules?
> > It should be possible to handle this as well. File a separate issue for it.
> Done. Issue #430 is open.
Thanks.
firewalld-users@lists.fedorahosted.org
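As an added example for readers in the same situation (this is not code from the thread or from firewalld itself), the following POSIX shell script performs the pre-flight checks the discussion turns on: whether the running kernel meets the 4.18 minimum quoted from the v0.6.0 release notes, whether the nft userspace tool meets 0.9.0, whether nf_conntrack and nf_tables are compiled in according to the kernel's modules.builtin listing, and whether each iptables table (including security) can actually be opened. The helper names ver_ge, module_is_builtin, probe_table, nft_version and report are my own, the table list and module list are my choice of what to probe, and SAMPLE_BUILTIN is a constructed listing used only when no real modules.builtin is readable.

```shell
#!/bin/sh
# Pre-flight checks for running firewalld's nftables backend on a vendor kernel.
# Added example for this thread, not firewalld's own probing code. Thresholds
# are the ones quoted from the v0.6.0 release notes (linux >= 4.18, nftables
# >= 0.9.0); the helper names and the sample listing below are my own.

# Constructed sample of a modules.builtin listing, in the format the real file
# (/lib/modules/$(uname -r)/modules.builtin) uses. Used only when no real
# listing is readable, so the script also runs on a non-Linux box.
SAMPLE_BUILTIN='kernel/net/netfilter/nf_conntrack.ko
kernel/net/netfilter/nf_conntrack_ftp.ko
kernel/net/netfilter/nf_tables.ko'

# ver_ge HAVE WANT: succeed if version HAVE (e.g. "4.9.130-1-amd64") is at
# least WANT (e.g. "4.18"). Only the leading dotted-numeric part is compared,
# so distro suffixes and "-rc" tags are ignored.
ver_ge() {
    have=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    want=$2
    oldifs=$IFS
    IFS=.
    set -- $have; hm=${1:-0}; hn=${2:-0}; hp=${3:-0}
    set -- $want; wm=${1:-0}; wn=${2:-0}; wp=${3:-0}
    IFS=$oldifs
    [ "$hm" -gt "$wm" ] && return 0
    [ "$hm" -lt "$wm" ] && return 1
    [ "$hn" -gt "$wn" ] && return 0
    [ "$hn" -lt "$wn" ] && return 1
    [ "$hp" -ge "$wp" ]
}

# module_is_builtin NAME LISTFILE: succeed if NAME is compiled into the kernel
# according to LISTFILE (a modules.builtin listing). A builtin module never
# appears in lsmod and cannot be modprobe'd, which is what bit the cloud
# kernel in this thread. NAME must match the .ko filename (underscores).
module_is_builtin() {
    grep -q "/$1\\.ko\$" "$2"
}

# probe_table BINARY TABLE: succeed if BINARY (iptables or ip6tables) can open
# TABLE in the running kernel, i.e. the table exists. Needs CAP_NET_ADMIN; a
# probe of this kind is what fails for "security" on the kernel above.
probe_table() {
    "$1" -w -t "$2" -L -n >/dev/null 2>&1
}

# nft_version: print the nft userspace version, empty if nft is not installed.
nft_version() {
    command -v nft >/dev/null 2>&1 || return 0
    nft --version 2>/dev/null | sed 's/^nftables v//; s/ .*$//'
}

# report: run the live checks on this host and print one line per finding.
report() {
    running=$(uname -r)
    if ver_ge "$running" 4.18; then
        echo "kernel $running: meets the 4.18 minimum for the nftables backend"
    else
        echo "kernel $running: below 4.18, nftables backend not recommended"
    fi

    nftv=$(nft_version)
    if [ -z "$nftv" ]; then
        echo "nft: not installed"
    elif ver_ge "$nftv" 0.9.0; then
        echo "nft $nftv: meets the 0.9.0 minimum"
    else
        echo "nft $nftv: below 0.9.0"
    fi

    list=/lib/modules/$running/modules.builtin
    if [ -r "$list" ]; then
        src=$list
    else
        src=$(mktemp)
        printf '%s\n' "$SAMPLE_BUILTIN" > "$src"
        echo "no modules.builtin for $running; using the constructed sample listing"
    fi
    for m in nf_conntrack nf_tables; do
        if module_is_builtin "$m" "$src"; then
            echo "$m: builtin (not loadable, not visible in lsmod)"
        else
            echo "$m: loadable module or absent"
        fi
    done
    [ "$src" = "$list" ] || rm -f "$src"

    if command -v iptables >/dev/null 2>&1; then
        for t in filter nat mangle raw security; do
            if probe_table iptables "$t"; then
                echo "iptables table $t: available"
            else
                echo "iptables table $t: unavailable (missing from kernel, or not root)"
            fi
        done
    else
        echo "iptables: not installed, skipping table probes"
    fi
}

report
```

Run it as root on the affected host: a kernel line below 4.18 plus "iptables table security: unavailable" reproduces the situation reported in the thread, and a builtin nf_conntrack line shows why modprobe-based module handling does not apply there. The table probe is a plain `iptables -t <table> -L`, chosen because a table that cannot be listed cannot be used by either backend.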