feat: build host iptables with nftables support #1106
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Build iptables with nftables support, and force to use nft version. See siderolabs/talos#9883 Signed-off-by: Andrey Smirnov <[email protected]>
Unix4ever
approved these changes
Dec 6, 2024
dsseng
approved these changes
Dec 6, 2024
| @@ -30,6 +33,19 @@ steps: | |||
| install: | |||
| - | | |||
| make install DESTDIR=/rootfs | |||
| - | | |||
| # fix up symlinks which point to legacy version to point to nft version | |||
There was a problem hiding this comment.
Is this necessary? How other distros build this? Maybe patching the Makefile would be better?
There was a problem hiding this comment.
Our goal is not to have a generic solution which would work in any case. Talos enforces use of nftables (vs. legacy). Kubernetes does a wrapper which picks up iptables version by detecting existing rules in either of the backends. We know we do nft, so no reason to overcomplicate, and point default binaries to nft one.
The host iptables should be used by CNI plugins, and they don't seem to be smart enough to figure out which version to use based on anything.
There was a problem hiding this comment.
and iptables Makefile is not configurable on that - it always does iptables -> xtables-legacy-multi.
This script should work even if the default is changed though.
There was a problem hiding this comment.
/ # nsenter -t 1 -m /sbin/iptables -v
iptables v1.8.11 (nf_tables): no command specified
Try `iptables -h' or 'iptables --help' for more information.
There was a problem hiding this comment.
this is what a result looks like:
drwxr-xr-x 0/0 0 2019-06-02 01:34 sbin/
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/arptables -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/arptables-nft -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/arptables-nft-restore -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/arptables-nft-save -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/arptables-restore -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/arptables-save -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/arptables-translate -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ebtables -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ebtables-nft -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ebtables-nft-restore -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ebtables-nft-save -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ebtables-restore -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ebtables-save -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ebtables-translate -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ip6tables -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ip6tables-apply -> iptables-apply
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ip6tables-legacy -> xtables-legacy-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ip6tables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ip6tables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ip6tables-nft -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ip6tables-nft-restore -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ip6tables-nft-save -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ip6tables-restore -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ip6tables-restore-translate -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ip6tables-save -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/ip6tables-translate -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/iptables -> xtables-nft-multi
-rwxr-xr-x 0/0 7052 2019-06-02 01:34 sbin/iptables-apply
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/iptables-nft -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/iptables-nft-restore -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/iptables-nft-save -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/iptables-restore -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/iptables-restore-translate -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/iptables-save -> xtables-nft-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/iptables-translate -> xtables-nft-multi
-rwxr-xr-x 0/0 79632 2019-06-02 01:34 sbin/xtables-legacy-multi
lrwxrwxrwx 0/0 0 2019-06-02 01:34 sbin/xtables-monitor -> xtables-nft-multi
-rwxr-xr-x 0/0 197856 2019-06-02 01:34 sbin/xtables-nft-multi
There was a problem hiding this comment.
so it basically changes "default" symlinks like iptables but iptables-legacy still points to legacy version
There was a problem hiding this comment.
I think we should probably drop iptables-legacy completely, for 1.10 with cgroups v1 (including kernel support).
There was a problem hiding this comment.
Yes, perhaps if no client complains. Should we add this to deprecation maybe?
There was a problem hiding this comment.
We never even documented that it exists, it should only be used by CNI plugins, and we want them to use nftables always.
|
/m |
smira
added a commit
to smira/talos
that referenced
this pull request
Dec 6, 2024
These are used by CNI plugins. Fixes siderolabs#9883 See siderolabs/pkgs#1106 Signed-off-by: Andrey Smirnov <[email protected]>
smira
added a commit
to smira/talos
that referenced
this pull request
Dec 6, 2024
These are used by CNI plugins. Fixes siderolabs#9883 See siderolabs/pkgs#1106 Signed-off-by: Andrey Smirnov <[email protected]>
smira
added a commit
to smira/talos
that referenced
this pull request
Dec 9, 2024
These are used by CNI plugins. Fixes siderolabs#9883 See siderolabs/pkgs#1106 Signed-off-by: Andrey Smirnov <[email protected]> (cherry picked from commit 07220fe)
Merged
smira
added a commit
to smira/talos
that referenced
this pull request
Dec 12, 2024
These are used by CNI plugins. Fixes siderolabs#9883 See siderolabs/pkgs#1106 Signed-off-by: Andrey Smirnov <[email protected]> (cherry picked from commit 07220fe)
smira
added a commit
to smira/talos
that referenced
this pull request
Dec 12, 2024
These are used by CNI plugins. Fixes siderolabs#9883 See siderolabs/pkgs#1106 Signed-off-by: Andrey Smirnov <[email protected]> (cherry picked from commit 07220fe)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Build iptables with nftables support, and force to use nft version.
See siderolabs/talos#9883