feat: build host iptables with nftables support

Build iptables with nftables support, and force to use nft version. See siderolabs/talos#9883 Signed-off-by: Andrey Smirnov <[email protected]> (cherry picked from commit 9cf35be)
siderolabs · Dec 9, 2024 · d7d890c · d7d890c
1 parent 41ace86
commit d7d890c
Show file tree

Hide file tree

Showing 6 changed files with 87 additions and 2 deletions.
diff --git a/.kres.yaml b/.kres.yaml
@@ -24,6 +24,8 @@ spec:
     - libinih
     - libjson-c
     - liblzma
+    - libmnl
+    - libnftnl
     - libpopt
     - libseccomp
     - libselinux

diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2024-11-20T04:30:14Z by kres a8af16d.
+# Generated on 2024-12-06T11:24:18Z by kres 232fe63.
 
 # common variables
 
@@ -67,6 +67,8 @@ TARGETS += libcap
 TARGETS += libinih
 TARGETS += libjson-c
 TARGETS += liblzma
+TARGETS += libmnl
+TARGETS += libnftnl
 TARGETS += libpopt
 TARGETS += libseccomp
 TARGETS += libselinux

diff --git a/Pkgfile b/Pkgfile
@@ -102,6 +102,16 @@ vars:
   libjson_c_sha256: 876ab046479166b869afc6896d288183bbc0e5843f141200c677b3e8dfb11724
   libjson_c_sha512: 4763f2352414dac3599bc2183b4fa57dbfaac0ca24de890097bd7d0bdda93c91efa280f6566e949e6d94212ef39a63fc76c5f9d0c54ff3d04b13c859717dba5a
 
+  # renovate: datasource=git-tags extractVersion=^v(?<version>.*)$ depName=git://git.netfilter.org/libmnl
+  libmnl_version: 1.0.5
+  libmnl_sha256: 274b9b919ef3152bfb3da3a13c950dd60d6e2bcd54230ffeca298d03b40d0525
+  libmnl_sha512: 16fa48e74c9da7724a85c655dfb0abd8369392627934639d65de951543e1447ac3e048d231248f1ce8861443c2ef62654a85a81feeedbbffaf2e5744f6cf4c9f
+
+  # renovate: datasource=git-tags extractVersion=^v(?<version>.*)$ depName=git://git.netfilter.org/libnftnl
+  libnftnl_version: 1.2.8
+  libnftnl_sha256: 37fea5d6b5c9b08de7920d298de3cdc942e7ae64b1a3e8b880b2d390ae67ad95
+  libnftnl_sha512: c57030f34c50b09ae2fbf8dac5d9cf431eaaa5a5a08098e3e4c146a8bd4ae9b7753f5d2de5f2d0a6c15e5ba0c39f51275c9d8b03bdedeaadbafa6c96f9a972b6
+
   # renovate: datasource=github-releases depName=tukaani-project/xz
   # NOTE: using 5.4.5 the version debian downgraded to. Ref: https://www.openwall.com/lists/oss-security/2024/03/29/4
   xz_version: v5.4.5

diff --git a/iptables/pkg.yaml b/iptables/pkg.yaml
@@ -3,6 +3,8 @@ variant: scratch
 shell: /toolchain/bin/bash
 dependencies:
   - stage: base
+  - stage: libmnl
+  - stage: libnftnl
 steps:
   - sources:
       - url: https://fossies.org/linux/misc/iptables-{{ .iptables_version }}.tar.xz
@@ -13,12 +15,13 @@ steps:
       - |
         tar -xf iptables.tar.xz --strip-components=1
 
+        export PKG_CONFIG_PATH=/usr/lib/pkgconfig
+
         ./configure \
         --prefix=/usr \
         --libexecdir=/usr/libexec \
         --disable-static \
         --sbindir=/sbin \
-        --disable-nftables \
         --enable-libipq \
         --with-xtlibdir=/lib/xtables
 
@@ -30,6 +33,19 @@ steps:
     install:
       - |
         make install DESTDIR=/rootfs
+      - |
+        # fix up symlinks which point to legacy version to point to nft version
+        for f in /rootfs/sbin/*; do
+          # if name doesn't contain 'legacy':
+          if [[ $f == *legacy* ]]; then
+            continue
+          fi
+
+          # if it's a symlink:
+          if [ -L "$f" ]; then
+            ln -sf $(readlink $f | sed 's/legacy/nft/') $f
+          fi
+        done
 finalize:
   - from: /rootfs
     to: /
diff --git a/libmnl/pkg.yaml b/libmnl/pkg.yaml
@@ -0,0 +1,26 @@
+name: libmnl
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://www.netfilter.org/projects/libmnl/files/libmnl-{{ .libmnl_version }}.tar.bz2
+        destination: libmnl.tar.bz2
+        sha256: "{{ .libmnl_sha256 }}"
+        sha512: "{{ .libmnl_sha512 }}"
+    prepare:
+      - |
+        tar -xjf libmnl.tar.bz2 --strip-components=1
+
+        ./configure \
+          --prefix=/usr
+    build:
+      - |
+        make -j $(nproc)
+    install:
+      - |
+        make install DESTDIR=/rootfs
+finalize:
+  - from: /rootfs
+    to: /
diff --git a/libnftnl/pkg.yaml b/libnftnl/pkg.yaml
@@ -0,0 +1,29 @@
+name: libnftnl
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: base
+  - stage: libmnl
+steps:
+  - sources:
+      - url: https://netfilter.org/projects/libnftnl/files/libnftnl-{{ .libnftnl_version }}.tar.xz
+        destination: libnftnl.tar.bz2
+        sha256: "{{ .libnftnl_sha256 }}"
+        sha512: "{{ .libnftnl_sha512 }}"
+    prepare:
+      - |
+        tar -xf libnftnl.tar.bz2 --strip-components=1
+
+        export PKG_CONFIG_PATH=/usr/lib/pkgconfig
+
+        ./configure \
+          --prefix=/usr
+    build:
+      - |
+        make -j $(nproc)
+    install:
+      - |
+        make install DESTDIR=/rootfs
+finalize:
+  - from: /rootfs
+    to: /