On Mon, Nov 12, 2018 at 03:39:37PM +0100, Sébastien Luttringer wrote:
Hello,
Hello.
Some of my servers have kernels built by a cloud provider which, does not have security tables available and have nf_conntrack_* modules builtin.
When I could, I updated the kernel, as recently suggested to another user in [1]. But, the doesn't looks like a solution for kernel we can't update.
You mention nftables below. It's quite possible the kernel provided by the cloud provider is too old to support the nftables backend. You need at least 4.18.
Moreover, these tables looks not mandatory to firewalld and limit the use of firewalld where iptables could be used.
Would you like to accept patches which make:
Yes. Patches welcome.
- security tables optional;
This should already be the case. On startup firewalld probes for the available tables. If firewalld is not handling the absence gracefully then it's is a bug and should be reported upstream. You can reopen #411.
- support kernel with builtin network modules ?
It should be possible to handle this as well. File a separate issue for it.
Side question: Why is firewalld altering ipXtables when the backend is nftables?
Even with FirewallBackend=nftables we still support the --direct rules which use iptables/ip6tables/ebtables.
Regards,
[1] https://github.com/firewalld/firewalld/issues/411
Sébastien "Seblu" Luttringer