Skip to content

[next] nftables, firewalld: add to runmode #726

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
chaitu236 merged 2 commits into from
Sep 4, 2024
Merged

[next] nftables, firewalld: add to runmode #726

chaitu236 merged 2 commits into from
Sep 4, 2024

Conversation

@rtollert
Copy link
Contributor

@rtollert rtollert commented Aug 30, 2024
edited
Loading

Summary of Changes

Add nftables (modern Linux packet filtering support) to runmode; disabled by default.

Add firewalld (modern Linux high-level firewall administration tool) packages to SNAC. (nftables is in runmode, not SNAC, for symmetry with the kernel configuration, which will include the NFT modules in runmode too.)

The existing iptables initscript is unchanged. This is tracked by Azure DevOps workitem AB#2823118.

Note: this is a continuation of #725, rebased to nilrt/master/next.

Testing

Built nilrt-base-system-image and confirmed it runs on a VM. nft runs; iptables still runs. firewall-cmd is not yet tested.

This change will grow the uncompressed BSI by approximately 9.5MB; see #725 for details.

  • I have built the core package feed with this PR in place. (bitbake packagefeed-ni-core)

Procedure

@rtollert rtollert changed the title nftables, firewalld: add to runmode [next] nftables, firewalld: add to runmode Aug 30, 2024
chaitu236
chaitu236 reviewed Aug 30, 2024
View reviewed changes
@rtollert
packagegroup-ni-runmode: add nftables
6bb6c4b 
nftables is the modern packet filtering solution on Linux. The nftables
userspace can be installed alongside iptables, but in general, only one can be
enabled at once. This commit adds the userspace but does not do anything with
the present iptables-based firewall configuration.

At present, there are no plans to introduce nftables into safemode, so add it
to the runmode packagegroup, not base.

Signed-off-by: Rich Tollerton <[email protected]>
@rtollert
packagegroup-ni-snac: add firewalld
888a6f2 
firewalld is the best-maintained high-level firewall administration tool on
Linux. We ultimately wish to replace our present direct use of iptables (via
initscript) with firewalld; but at present the existing configuration is
unchanged.

Signed-off-by: Rich Tollerton <[email protected]>
@rtollert rtollert force-pushed the dev/rtollert/next/nftables branch from 73aef12 to 888a6f2 Compare September 3, 2024 19:26
@rtollert
Copy link
Contributor Author

rtollert commented Sep 4, 2024

Bump for v2.

@rtollert rtollert requested a review from chaitu236 September 4, 2024 15:13
@chaitu236 chaitu236 merged commit b03a949 into ni:nilrt/master/next Sep 4, 2024
@chaitu236 chaitu236 mentioned this pull request Oct 4, 2024
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chaitu236 chaitu236 chaitu236 approved these changes

@amstewart amstewart amstewart approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rtollert @chaitu236 @amstewart