Add support for nftables #2605
Conversation
Thanks for your contribution @evol262. Adding the interfaces for the iptables layer will make it simpler to extend the codebase, and the nftables implementation will improve the speed of programming the network rules.
With the release of EL8, nftables has become the default firewall implementation on minimal installs of CentOS/OEL/RHEL8. While an iptables driver is available (both in libnetwork and a mapper in nftables itself), this is not guaranteed to be present. firewalld pulls in iptables, but firewalld itself does not yet support raw commands to nftables.

iptables calls were heavily enmeshed in libnetwork. It was necessary to create a relatively large interface in order to break the coupling to native iptables implementations, but this offers the flexibility to support or add other drivers in the future.

Remaining changes are needed to:
drivers/bridge/link.go
drivers/bridge/setup_tables.go
drivers/overlay/encryption.go
drivers/overlay/filter.go
resolver_unix.go
service_linux.go

But all are small in scope compared to this, and are translating remaining raw iptables rules to nftables and adding additional interface methods/methods for re-used logic.

Signed-off-by: Ryan Barry <[email protected]>
nftables does not yet seem to support marking mangled packets using the same mechanism as iptables for encrypted vxlan, but this is a relatively isolated use case outside of explicit enablement in swarm.

Add a few more methods to the firewall interface to support per-interface forwarding and rules. Add convenience rules for drop/accept (nftables does not have a "-j DROP|ACCEPT" mechanism, so the mechanics need to be slightly different) to keep purging implementation-specific code from the drivers.

Signed-off-by: Ryan Barry <[email protected]>
Only remaining are resolver and setup_tables.

Signed-off-by: Ryan Barry <[email protected]>
Signed-off-by: Ryan Barry <[email protected]>
Hi! Very interested in nftables support... any updates on reviewing this PR?

Note we have migrated this codebase over to github.com/moby/moby/libnetwork.