feat: build host iptables with nftables support #1106

Merged
merged 1 commit into from
Dec 6, 2024
2 changes: 2 additions & 0 deletions .kres.yaml
@@ -24,6 +24,8 @@ spec:
- libinih
- libjson-c
- liblzma
- libmnl
- libnftnl
- libpopt
- libseccomp
- libselinux
4 changes: 3 additions & 1 deletion Makefile
@@ -1,6 +1,6 @@
# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
#
# Generated on 2024-11-20T04:30:14Z by kres a8af16d.
# Generated on 2024-12-06T11:24:18Z by kres 232fe63.

# common variables

@@ -67,6 +67,8 @@ TARGETS += libcap
TARGETS += libinih
TARGETS += libjson-c
TARGETS += liblzma
TARGETS += libmnl
TARGETS += libnftnl
TARGETS += libpopt
TARGETS += libseccomp
TARGETS += libselinux
10 changes: 10 additions & 0 deletions Pkgfile
@@ -102,6 +102,16 @@ vars:
libjson_c_sha256: 876ab046479166b869afc6896d288183bbc0e5843f141200c677b3e8dfb11724
libjson_c_sha512: 4763f2352414dac3599bc2183b4fa57dbfaac0ca24de890097bd7d0bdda93c91efa280f6566e949e6d94212ef39a63fc76c5f9d0c54ff3d04b13c859717dba5a

# renovate: datasource=git-tags extractVersion=^v(?<version>.*)$ depName=git://git.netfilter.org/libmnl
libmnl_version: 1.0.5
libmnl_sha256: 274b9b919ef3152bfb3da3a13c950dd60d6e2bcd54230ffeca298d03b40d0525
libmnl_sha512: 16fa48e74c9da7724a85c655dfb0abd8369392627934639d65de951543e1447ac3e048d231248f1ce8861443c2ef62654a85a81feeedbbffaf2e5744f6cf4c9f

# renovate: datasource=git-tags extractVersion=^v(?<version>.*)$ depName=git://git.netfilter.org/libnftnl
libnftnl_version: 1.2.8
libnftnl_sha256: 37fea5d6b5c9b08de7920d298de3cdc942e7ae64b1a3e8b880b2d390ae67ad95
libnftnl_sha512: c57030f34c50b09ae2fbf8dac5d9cf431eaaa5a5a08098e3e4c146a8bd4ae9b7753f5d2de5f2d0a6c15e5ba0c39f51275c9d8b03bdedeaadbafa6c96f9a972b6

# renovate: datasource=github-releases depName=tukaani-project/xz
# NOTE: using 5.4.5 the version debian downgraded to. Ref: https://www.openwall.com/lists/oss-security/2024/03/29/4
xz_version: v5.4.5
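Review bot: the sha256/sha512 pins under libmnl_version and libnftnl_version are the only thing binding the build to a specific upstream tarball, so whoever acts on the renovate annotations (which track tags on git://git.netfilter.org while the stages fetch release tarballs over HTTPS from netfilter.org) must refresh both hash lines in the same change; a bumped version with stale hashes should fail the source download, which is the desired fail-closed behaviour, and is worth keeping consistent with how the libjson_c entries above are maintained.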
18 changes: 17 additions & 1 deletion iptables/pkg.yaml
@@ -3,6 +3,8 @@ variant: scratch
shell: /toolchain/bin/bash
dependencies:
- stage: base
- stage: libmnl
- stage: libnftnl
steps:
- sources:
- url: https://fossies.org/linux/misc/iptables-{{ .iptables_version }}.tar.xz
@@ -13,12 +15,13 @@ steps:
- |
tar -xf iptables.tar.xz --strip-components=1

export PKG_CONFIG_PATH=/usr/lib/pkgconfig

./configure \
--prefix=/usr \
--libexecdir=/usr/libexec \
--disable-static \
--sbindir=/sbin \
--disable-nftables \
--enable-libipq \
--with-xtlibdir=/lib/xtables

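Review bot: dropping `--disable-nftables` leaves the nft backend to configure's default instead of requesting it; passing `--enable-nftables` next to the new `export PKG_CONFIG_PATH=/usr/lib/pkgconfig` makes the intent explicit and guarantees that an unfound libnftnl stops the build at configure time rather than producing a legacy-only tree, which the symlink rewrite in the install step would then point at a non-existent xtables-nft-multi.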
@@ -30,6 +33,19 @@ steps:
install:
- |
make install DESTDIR=/rootfs
- |
# fix up symlinks which point to legacy version to point to nft version
Member: Is this necessary? How do other distros build this? Maybe patching the Makefile would be better?

Member Author: Our goal is not to have a generic solution which would work in any case. Talos enforces the use of nftables (vs. legacy). Kubernetes has a wrapper which picks the iptables version by detecting existing rules in either of the backends. We know we use nft, so there is no reason to overcomplicate this, and we point the default binaries to the nft one.

The host iptables should be used by CNI plugins, and they don't seem to be smart enough to figure out which version to use based on anything.

Member Author: And the iptables Makefile is not configurable on that; it always does iptables -> xtables-legacy-multi.

This script should work even if the default is changed though.

Member Author:
/ # nsenter -t 1 -m /sbin/iptables -v
iptables v1.8.11 (nf_tables): no command specified
Try `iptables -h' or 'iptables --help' for more information.

Member Author: This is what the result looks like:

drwxr-xr-x 0/0               0 2019-06-02 01:34 sbin/
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/arptables -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/arptables-nft -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/arptables-nft-restore -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/arptables-nft-save -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/arptables-restore -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/arptables-save -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/arptables-translate -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ebtables -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ebtables-nft -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ebtables-nft-restore -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ebtables-nft-save -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ebtables-restore -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ebtables-save -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ebtables-translate -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ip6tables -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ip6tables-apply -> iptables-apply
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ip6tables-legacy -> xtables-legacy-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ip6tables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ip6tables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ip6tables-nft -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ip6tables-nft-restore -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ip6tables-nft-save -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ip6tables-restore -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ip6tables-restore-translate -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ip6tables-save -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/ip6tables-translate -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/iptables -> xtables-nft-multi
-rwxr-xr-x 0/0            7052 2019-06-02 01:34 sbin/iptables-apply
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/iptables-nft -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/iptables-nft-restore -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/iptables-nft-save -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/iptables-restore -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/iptables-restore-translate -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/iptables-save -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/iptables-translate -> xtables-nft-multi
-rwxr-xr-x 0/0           79632 2019-06-02 01:34 sbin/xtables-legacy-multi
lrwxrwxrwx 0/0               0 2019-06-02 01:34 sbin/xtables-monitor -> xtables-nft-multi
-rwxr-xr-x 0/0          197856 2019-06-02 01:34 sbin/xtables-nft-multi

Member Author: So it basically changes the "default" symlinks like iptables, but iptables-legacy still points to the legacy version.

Member Author: I think we should probably drop iptables-legacy completely, for 1.10 with cgroups v1 (including kernel support).

Member: Yes, perhaps, if no client complains. Should we add this to the deprecations, maybe?

Member Author: We never even documented that it exists; it should only be used by CNI plugins, and we want them to use nftables always.

for f in /rootfs/sbin/*; do
# if name doesn't contain 'legacy':
if [[ $f == *legacy* ]]; then
continue
fi

# if it's a symlink:
if [ -L "$f" ]; then
ln -sf $(readlink $f | sed 's/legacy/nft/') $f
fi
done
finalize:
- from: /rootfs
to: /
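Review bot: in the symlink fix-up the comment `# if name doesn't contain 'legacy':` says the opposite of what the test does (the `if [[ $f == *legacy* ]]` branch skips names that do contain it), and both `$f` and the command substitution are unquoted in `ln -sf $(readlink $f | sed 's/legacy/nft/') $f`; reword the comment and quote both, e.g. `ln -sf "$(readlink "$f" | sed 's/legacy/nft/')" "$f"`. A final pass that fails the build if any link under /rootfs/sbin no longer resolves would also be worthwhile, since a missing xtables-nft-multi otherwise only surfaces at runtime when a CNI plugin execs iptables.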
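The discussion above explains why the default xtables symlinks are retargeted at xtables-nft-multi while the iptables-legacy names keep the legacy backend, and the author's `nsenter` output shows how the backend can be confirmed from the version banner. The following is an added example, not code from the siderolabs/pkgs PR: it performs the same retargeting on a staging directory with quoted variables, adds the post-checks a build step would want (no dangling links, no default name still on legacy), and parses a banner of the form shown in the thread. The staging tree it builds with `make_fixture` is constructed for the example and stands in for /rootfs/sbin after `make install`; `retarget_to_nft`, `check_no_dangling`, `count_legacy_defaults` and `backend_of_banner` are names chosen here.

```shell
#!/bin/sh
# Added example (not part of the PR): retarget default xtables symlinks to the
# nft multi-binary in a staging sbin/, then verify the result.
set -eu

# Point every non-legacy symlink whose target mentions "legacy" at the nft
# multi-binary. Same idea as the PR's install step, with quoting.
retarget_to_nft() {
    sbin="$1"
    for f in "$sbin"/*; do
        case "$(basename "$f")" in
            *legacy*) continue ;;   # iptables-legacy* keeps the legacy backend
        esac
        [ -L "$f" ] || continue     # real files (xtables-*-multi, iptables-apply) untouched
        target="$(readlink "$f" | sed 's/legacy/nft/')"
        ln -sf "$target" "$f"
    done
}

# Fail if any symlink in the directory does not resolve to an existing file,
# which is what happens when the nft build was silently not produced.
check_no_dangling() {
    sbin="$1"
    for f in "$sbin"/*; do
        [ -L "$f" ] || continue
        [ -e "$f" ] || { echo "dangling: $f -> $(readlink "$f")" >&2; return 1; }
    done
}

# Count default (non-legacy) symlinks that still point at the legacy multi-binary.
count_legacy_defaults() {
    sbin="$1"; n=0
    for f in "$sbin"/*; do
        case "$(basename "$f")" in *legacy*) continue ;; esac
        [ -L "$f" ] || continue
        case "$(readlink "$f")" in *legacy*) n=$((n+1)) ;; esac
    done
    echo "$n"
}

# Extract the backend name from an iptables/ip6tables version banner such as
# "iptables v1.8.11 (nf_tables): no command specified" -> nf_tables
backend_of_banner() {
    printf '%s\n' "$1" | sed -n 's/^ip6\{0,1\}tables v[^ ]* (\([a-z_]*\)).*/\1/p'
}

# Constructed staging tree: the link layout iptables' own `make install` leaves
# behind (defaults on legacy), reduced to a handful of representative names.
make_fixture() {
    d="$(mktemp -d)"
    : > "$d/xtables-legacy-multi"; : > "$d/xtables-nft-multi"; : > "$d/iptables-apply"
    ln -s xtables-legacy-multi "$d/iptables"
    ln -s xtables-legacy-multi "$d/iptables-restore"
    ln -s xtables-legacy-multi "$d/iptables-legacy"
    ln -s xtables-nft-multi "$d/iptables-nft"
    ln -s iptables-apply "$d/ip6tables-apply"
    echo "$d"
}

# Usage: build the fixture, retarget, and run the checks a build step would run.
sbin="$(make_fixture)"
retarget_to_nft "$sbin"
check_no_dangling "$sbin"
echo "default links still on legacy: $(count_legacy_defaults "$sbin")"   # 0
echo "backend: $(backend_of_banner 'iptables v1.8.11 (nf_tables): no command specified')"   # nf_tables
rm -rf "$sbin"
```

The `*legacy*` name test is deliberately applied before the link test so that iptables-legacy, iptables-legacy-save and friends are never rewritten, matching the listing the author posted; `check_no_dangling` is the step that would have turned a legacy-only build into a build failure instead of a runtime surprise.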
26 changes: 26 additions & 0 deletions libmnl/pkg.yaml
@@ -0,0 +1,26 @@
name: libmnl
variant: scratch
shell: /toolchain/bin/bash
dependencies:
- stage: base
steps:
- sources:
- url: https://www.netfilter.org/projects/libmnl/files/libmnl-{{ .libmnl_version }}.tar.bz2
destination: libmnl.tar.bz2
sha256: "{{ .libmnl_sha256 }}"
sha512: "{{ .libmnl_sha512 }}"
prepare:
- |
tar -xjf libmnl.tar.bz2 --strip-components=1

./configure \
--prefix=/usr
build:
- |
make -j $(nproc)
install:
- |
make install DESTDIR=/rootfs
finalize:
- from: /rootfs
to: /
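Review bot: `./configure --prefix=/usr` here omits `--disable-static`, which the iptables stage passes, so the stage will ship libmnl.a and the libtool .la file next to the shared library; harmless, but pick one convention for the netfilter stages.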
29 changes: 29 additions & 0 deletions libnftnl/pkg.yaml
@@ -0,0 +1,29 @@
name: libnftnl
variant: scratch
shell: /toolchain/bin/bash
dependencies:
- stage: base
- stage: libmnl
steps:
- sources:
- url: https://netfilter.org/projects/libnftnl/files/libnftnl-{{ .libnftnl_version }}.tar.xz
destination: libnftnl.tar.bz2
sha256: "{{ .libnftnl_sha256 }}"
sha512: "{{ .libnftnl_sha512 }}"
prepare:
- |
tar -xf libnftnl.tar.bz2 --strip-components=1

export PKG_CONFIG_PATH=/usr/lib/pkgconfig

./configure \
--prefix=/usr
build:
- |
make -j $(nproc)
install:
- |
make install DESTDIR=/rootfs
finalize:
- from: /rootfs
to: /
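Review bot: the source URL ends in `libnftnl-{{ .libnftnl_version }}.tar.xz` but `destination: libnftnl.tar.bz2` names the download as bzip2; `tar -xf` sniffs the compression so the build still works, but the misnamed file will confuse anyone debugging a checksum mismatch. Rename the destination to libnftnl.tar.xz (the extract line needs no change).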