8:39 a.m.
Hello,
Some of my servers have kernels built by a cloud provider which, does not have
security tables available and have nf_conntrack_* modules builtin.
When I could, I updated the kernel, as recently suggested to another user in
[1].
But, the doesn't looks like a solution for kernel we can't update.
Moreover, these tables looks not mandatory to firewalld and limit the use of
firewalld where iptables could be used.
Would you like to accept patches which make:
- security tables optional;
- support kernel with builtin network modules ?
Side question: Why is firewalld altering ipXtables when the backend is
nftables?
Regards,
[1] https://github.com/firewalld/firewalld/issues/411
Sébastien "Seblu" Luttringer
12:54 p.m.
On Mon, Nov 12, 2018 at 03:39:37PM +0100, Sébastien Luttringer wrote:
Hello,
Hello.
Some of my servers have kernels built by a cloud provider which, does
not have
security tables available and have nf_conntrack_* modules builtin.
When I could, I updated the kernel, as recently suggested to another user in
[1].
But, the doesn't looks like a solution for kernel we can't update.
You mention nftables below. It's quite possible the kernel provided by
the cloud provider is too old to support the nftables backend. You need
at least 4.18.
Moreover, these tables looks not mandatory to firewalld and limit the
use of
firewalld where iptables could be used.
Would you like to accept patches which make:
Yes. Patches welcome.
- security tables optional;
This should already be the case. On startup firewalld probes for the
available tables. If firewalld is not handling the absence gracefully
then it's is a bug and should be reported upstream. You can reopen #411.
- support kernel with builtin network modules ?
It should be possible to handle this as well. File a separate issue for
it.
Side question: Why is firewalld altering ipXtables when the backend
is
nftables?
Even with FirewallBackend=nftables we still support the --direct rules
which use iptables/ip6tables/ebtables.
>
> Regards,
>
> [1] https://github.com/firewalld/firewalld/issues/411
>
> Sébastien "Seblu" Luttringer
5:54 p.m.
On Mon, 2018-11-12 at 13:54 -0500, Eric Garver wrote:
On Mon, Nov 12, 2018 at 03:39:37PM +0100, Sébastien Luttringer
wrote:
You mention nftables below. It's quite possible the kernel provided bythe
cloud provider is too old to support the nftables backend. You needat least
4.18.
The kernel version of the cloud provided is 4.9.130. I don't find a lot
of
distribution which already ship a 4.18 kernel. According to wikipedia, kernel
version 3.13 is the first to support nftables subsystem. Did you mean 3.18?
- security tables optional;
This should already be the case. On startup firewalld probes for theavailable
tables. If firewalld is not handling the absence gracefullythen it's is a bug
and should be reported upstream. You can reopen #411.
I can confirm, without
security tables, firewalld refuses to start.
I posted a message into #411, but I cannot reopen.
- support kernel with builtin network modules ?
It should be possible to handle this as well. File a separate issue forit.
Done. Issue #430 is open.
Regards,
Sébastien "Seblu" Luttringer
1:48 p.m.
On Mon, Nov 19, 2018 at 12:54:59AM +0100, Sébastien Luttringer wrote:
On Mon, 2018-11-12 at 13:54 -0500, Eric Garver wrote:
> On Mon, Nov 12, 2018 at 03:39:37PM +0100, Sébastien Luttringer wrote:
> You mention nftables below. It's quite possible the kernel provided bythe
> cloud provider is too old to support the nftables backend. You needat least
> 4.18.
The kernel version of the cloud provided is 4.9.130. I don't find a lot of
distribution which already ship a 4.18 kernel. According to wikipedia, kernel
version 3.13 is the first to support nftables subsystem. Did you mean 3.18?
I meant 4.18.
From the firewalld v0.6.0 release notes:
New dependencies for nftables backend:
- nftables >= 0.9.0
- linux >= 4.18
While most of the nftables backend will function with earlier
versions of nftables and Linux it is not recommended. Many bugs
were found and fixed in these packages while firewalld’s
nftables backend was being developed. Some examples are;
iptables and nftables NAT coexistence, nftables AUDIT support,
nftables set ranges with timeouts.
> - security tables optional;
> This should already be the case. On startup firewalld probes for theavailable
> tables. If firewalld is not handling the absence gracefullythen it's is a bug
> and should be reported upstream. You can reopen #411.
I can confirm, without security tables, firewalld refuses to start.
I posted a message into #411, but I cannot reopen.
> - support kernel with builtin network modules ?
> It should be possible to handle this as well. File a separate issue forit.
Done. Issue #430 is open.
Thanks.
1975
days inactive
1990
days old
firewalld-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Eric Garver -
Sébastien Luttringer