On Mon, Nov 12, 2018 at 03:39:37PM +0100, Sébastien Luttringer wrote:
> Hello,

Hello.

> Some of my servers have kernels built by a cloud provider which does
> not have security tables available and have nf_conntrack_* modules
> builtin.
> When I could, I updated the kernel, as recently suggested to another
> user in [1].
> But that doesn't look like a solution for kernels we can't update.

You mention nftables below. It's quite possible the kernel provided by
the cloud provider is too old to support the nftables backend. You need
at least 4.18.

> Moreover, these tables don't look mandatory to firewalld and limit the
> use of firewalld where iptables could be used.
> Would you like to accept patches which make:

Yes. Patches welcome.

> - security tables optional;

This should already be the case. On startup firewalld probes for the
available tables. If firewalld is not handling the absence gracefully
then it is a bug and should be reported upstream. You can reopen #411.

> - support kernels with builtin network modules?

It should be possible to handle this as well. File a separate issue for
it.

> Side question: Why is firewalld altering ipXtables when the backend
> is nftables?

Even with FirewallBackend=nftables we still support the --direct rules
which use iptables/ip6tables/ebtables.

>
> Regards,
>
> [1] https://github.com/firewalld/firewalld/issues/411
>
> Sébastien "Seblu" Luttringer