
Merge pull request #81172 from misuzu/iptables-switch
iptables: switch from iptables-legacy to iptables-nftables-compat
flokli authored Oct 12, 2021
2 parents 234f96b + f898fde commit b112f36
Showing 13 changed files with 37 additions and 50 deletions.
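--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -15,6 +15,12 @@
 <section xml:id="sec-release-21.11-highlights">
 <title>Highlights</title>
 <itemizedlist>
+<listitem>
+<para>
+<literal>iptables</literal> now uses
+<literal>nf_tables</literal> backend.
+</para>
+</listitem>
 <listitem>
 <para>
 PHP now defaults to PHP 8.0, updated from 7.4.
@@ -366,6 +372,14 @@
 nobody/nogroup, which is unsafe.
 </para>
 </listitem>
+<listitem>
+<para>
+Since <literal>iptables</literal> now uses
+<literal>nf_tables</literal> backend and
+<literal>ipset</literal> doesn’t support it, some applications
+(ferm, shorewall, firehol) may have limited functionality.
+</para>
+</listitem>
 <listitem>
 <para>
 The <literal>paperless</literal> module and package have been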
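--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -6,6 +6,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 ## Highlights {#sec-release-21.11-highlights}
 
+- `iptables` now uses `nf_tables` backend.
+
 - PHP now defaults to PHP 8.0, updated from 7.4.
 
 - kOps now defaults to 1.21.1, which uses containerd as the default runtime.
@@ -112,6 +114,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The `security.wrappers` option now requires to always specify an owner, group and whether the setuid/setgid bit should be set.
 This is motivated by the fact that before NixOS 21.11, specifying either setuid or setgid but not owner/group resulted in wrappers owned by nobody/nogroup, which is unsafe.
 
+- Since `iptables` now uses `nf_tables` backend and `ipset` doesn't support it, some applications (ferm, shorewall, firehol) may have limited functionality.
+
 - The `paperless` module and package have been removed. All users should migrate to the
 successor `paperless-ng` instead. The Paperless project [has been
 archived](https://github.com/the-paperless-project/paperless/commit/9b0063c9731f7c5f65b1852cb8caff97f5e40ba4)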
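--- a/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixos/modules/virtualisation/libvirtd.nix
@@ -168,7 +168,7 @@ in {
 etc."qemu/bridge.conf".text = lib.concatMapStringsSep "\n" (e:
 "allow ${e}") cfg.allowedBridges;
 systemPackages = with pkgs; [ libressl.nc iptables cfg.package cfg.qemuPackage ];
-etc.ethertypes.source = "${pkgs.ebtables}/etc/ethertypes";
+etc.ethertypes.source = "${pkgs.iptables}/etc/ethertypes";
 };
 
 boot.kernelModules = [ "tun" ];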
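Review bot: The new `etc.ethertypes.source` line ties the module to a file that only some iptables builds install, and the hunk does not record that assumption. If `/etc/ethertypes` comes from the ebtables component shipped by the nf_tables-enabled iptables build, a user who overrides `pkgs.iptables` back to the legacy build will get a failure at this line with no hint why. A one-line comment would make the dependency explicit: `# /etc/ethertypes is shipped by the nf_tables-enabled iptables build, which replaces the separate ebtables package here`. The enclosing attribute set (presumably `environment`) starts outside the hunk.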
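--- a/pkgs/applications/networking/cluster/k3s/default.nix
+++ b/pkgs/applications/networking/cluster/k3s/default.nix
@@ -13,7 +13,6 @@
 , pkg-config
 , ethtool
 , util-linux
-, ipset
 , fetchFromGitHub
 , fetchurl
 , fetchzip
@@ -254,7 +253,6 @@ stdenv.mkDerivation rec {
 bridge-utils
 ethtool
 util-linux # kubelet wants 'nsenter' from util-linux: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-705994388
-ipset
 conntrack-tools
 ];
 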
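Review bot: `ipset` is dropped from the runtime tool list in the second hunk without a comment saying why, even though the neighbouring `util-linux` entry documents its own reason. The motivation is only visible in this commit's release note (ipset is not usable with the nf_tables iptables backend), and kube-proxy's IPVS mode is known to call the `ipset` binary, so a maintainer debugging IPVS failures may simply re-add it. Suggest a comment on the list, e.g. `conntrack-tools # ipset intentionally omitted: unusable with the nf_tables iptables backend (see 21.11 release notes)`. The list this hunk edits starts outside the hunk.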
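--- a/pkgs/applications/networking/firehol/default.nix
+++ b/pkgs/applications/networking/firehol/default.nix
@@ -1,5 +1,5 @@
 { stdenv, lib, fetchFromGitHub, pkgs
-, autoconf, automake, curl, iprange, iproute2, ipset, iptables, iputils
+, autoconf, automake, curl, iprange, iproute2, iptables, iputils
 , kmod, nettools, procps, tcpdump, traceroute, util-linux, whois
 
 # If true, just install FireQOS without FireHOL
@@ -35,13 +35,14 @@ stdenv.mkDerivation rec {
 
 nativeBuildInputs = [ autoconf automake ];
 buildInputs = [
-curl iprange iproute2 ipset iptables iputils kmod
+curl iprange iproute2 iptables iputils kmod
 nettools procps tcpdump traceroute util-linux whois
 ];
 
 preConfigure = "./autogen.sh";
 configureFlags = [ "--localstatedir=/var"
-"--disable-doc" "--disable-man" ] ++
+"--disable-doc" "--disable-man"
+"--disable-update-ipsets" ] ++
 lib.optional onlyQOS [ "--disable-firehol" ];
 
 meta = with lib; {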
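Review bot: The added `--disable-update-ipsets` flag in the second hunk has no comment tying it to the removal of `ipset` from the inputs in the same file, so someone restoring ipset support later has to rediscover why the flag exists. A trailing comment on the new line keeps the two changes linked: `"--disable-update-ipsets" ] ++ # ipset is no longer an input (nf_tables iptables backend); the ipset updater cannot run without it`. The `configureFlags` expression continues on the next line (`lib.optional onlyQOS ...`), so an end-of-line comment after `++` is valid Nix.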
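--- a/pkgs/development/libraries/libvirt/5.9.0.nix
+++ b/pkgs/development/libraries/libvirt/5.9.0.nix
@@ -2,7 +2,7 @@
 , pkg-config, makeWrapper, libtool, autoconf, automake, fetchpatch
 , coreutils, libxml2, gnutls, perl, python2, attr
 , iproute2, iptables, readline, lvm2, util-linux, systemd, libpciaccess, gettext
-, libtasn1, ebtables, libgcrypt, yajl, pmutils, libcap_ng, libapparmor
+, libtasn1, libgcrypt, yajl, pmutils, libcap_ng, libapparmor
 , dnsmasq, libnl, libpcap, libxslt, xhtml1, numad, numactl, perlPackages
 , curl, libiconv, gmp, zfs, parted, bridge-utils, dmidecode, glib, rpcsvc-proto, libtirpc
 , enableXen ? false, xen ? null
@@ -54,7 +54,7 @@ in stdenv.mkDerivation rec {
 
 preConfigure = ''
 ${ optionalString (!buildFromTarball) "./bootstrap --no-git --gnulib-srcdir=$(pwd)/.gnulib" }
-PATH=${lib.makeBinPath ([ dnsmasq ] ++ optionals stdenv.isLinux [ iproute2 iptables ebtables lvm2 systemd numad ] ++ optionals enableIscsi [ openiscsi ])}:$PATH
+PATH=${lib.makeBinPath ([ dnsmasq ] ++ optionals stdenv.isLinux [ iproute2 iptables lvm2 systemd numad ] ++ optionals enableIscsi [ openiscsi ])}:$PATH
 # the path to qemu-kvm will be stored in VM's .xml and .save files
 # do not use "''${qemu_kvm}/bin/qemu-kvm" to avoid bound VMs to particular qemu derivations
 substituteInPlace src/lxc/lxc_conf.c \
@@ -75,7 +75,6 @@ in stdenv.mkDerivation rec {
 ] ++ optionals stdenv.isLinux [
 "QEMU_BRIDGE_HELPER=/run/wrappers/bin/qemu-bridge-helper"
 "QEMU_PR_HELPER=/run/libvirt/nix-helpers/qemu-pr-helper"
-"EBTABLES_PATH=${ebtables}/bin/ebtables-legacy"
 "CFLAGS=-I${libtirpc.dev}/include/tirpc"
 "--with-attr"
 "--with-apparmor"
@@ -101,7 +100,7 @@ in stdenv.mkDerivation rec {
 
 
 postInstall = let
-binPath = [ iptables iproute2 pmutils numad numactl bridge-utils dmidecode dnsmasq ebtables ] ++ optionals enableIscsi [ openiscsi ];
+binPath = [ iptables iproute2 pmutils numad numactl bridge-utils dmidecode dnsmasq ] ++ optionals enableIscsi [ openiscsi ];
 in ''
 substituteInPlace $out/libexec/libvirt-guests.sh \
 --replace 'ON_BOOT=start' 'ON_BOOT=''${ON_BOOT:-start}' \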
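Review bot: Dropping `"EBTABLES_PATH=${ebtables}/bin/ebtables-legacy"` in the third hunk means libvirt now has to find `ebtables` by name on the `PATH` set in `preConfigure`, and nothing left in the file states that the `iptables` package is expected to provide that binary. The same silent dependency is introduced in pkgs/development/libraries/libvirt/default.nix, where the comment explaining libvirt's hardcoded `ebtables` name is removed together with the `ebtables-compat` shim. Suggest keeping one line of that explanation next to the `PATH=` line in both files: `# libvirt looks up 'ebtables' by name; the nf_tables iptables build provides it`. It is worth confirming in the configure output that the binary is still detected rather than falling back to a compiled-in default. The `preConfigure` and `postInstall` attributes continue outside the hunks.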
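--- a/pkgs/development/libraries/libvirt/default.nix
+++ b/pkgs/development/libraries/libvirt/default.nix
@@ -22,7 +22,6 @@
 , gettext
 , libtasn1
 , iptables
-, ebtables
 , libgcrypt
 , yajl
 , pmutils
@@ -68,19 +67,6 @@ with lib;
 # if you update, also bump <nixpkgs/pkgs/development/python-modules/libvirt/default.nix> and SysVirt in <nixpkgs/pkgs/top-level/perl-packages.nix>
 let
 buildFromTarball = stdenv.isDarwin;
-# libvirt hardcodes the binary name 'ebtables', but in nixpkgs the ebtables
-# binary we want to use is named 'ebtables-legacy'.
-# Create a derivation to alias the binary name so that libvirt can find the right one, and use that below.
-ebtables-compat = stdenv.mkDerivation {
-pname = "ebtables-compat";
-version = ebtables.version;
-src = null;
-buildInputs = [ ebtables ];
-buildCommand = ''
-mkdir -p $out/bin
-ln -sf ${ebtables}/bin/ebtables-legacy $out/bin/ebtables
-'';
-};
 in
 stdenv.mkDerivation rec {
 pname = "libvirt";
@@ -178,7 +164,7 @@ stdenv.mkDerivation rec {
 '';
 in
 ''
-PATH=${lib.makeBinPath ([ dnsmasq ] ++ optionals stdenv.isLinux [ iproute2 iptables ebtables-compat lvm2 systemd numad ] ++ optionals enableIscsi [ openiscsi ])}:$PATH
+PATH=${lib.makeBinPath ([ dnsmasq ] ++ optionals stdenv.isLinux [ iproute2 iptables lvm2 systemd numad ] ++ optionals enableIscsi [ openiscsi ])}:$PATH
 # the path to qemu-kvm will be stored in VM's .xml and .save files
 # do not use "''${qemu_kvm}/bin/qemu-kvm" to avoid bound VMs to particular qemu derivations
 substituteInPlace src/lxc/lxc_conf.c \
@@ -226,8 +212,7 @@ stdenv.mkDerivation rec {
 
 postInstall =
 let
-# Keep the legacy iptables binary for now for backwards compatibility (comment on #109332)
-binPath = [ iptables ebtables-compat iproute2 pmutils numad numactl bridge-utils dmidecode dnsmasq ] ++ optionals enableIscsi [ openiscsi ];
+binPath = [ iptables iproute2 pmutils numad numactl bridge-utils dmidecode dnsmasq ] ++ optionals enableIscsi [ openiscsi ];
 in
 ''
 substituteInPlace $out/libexec/libvirt-guests.sh \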
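--- a/pkgs/os-specific/linux/iptables/default.nix
+++ b/pkgs/os-specific/linux/iptables/default.nix
@@ -1,6 +1,6 @@
 { lib, stdenv, fetchurl, pkg-config, pruneLibtoolFiles, flex, bison
 , libmnl, libnetfilter_conntrack, libnfnetlink, libnftnl, libpcap
-, nftablesCompat ? false
+, nftablesCompat ? true
 }:
 
 with lib;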
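Review bot: `nftablesCompat ? true` flips the default backend for every consumer of `pkgs.iptables`, yet the parameter remains undocumented in the function header. A short comment above it would spare readers a trip to the release notes: `# true: nf_tables backend (default since 21.11); false: legacy xtables backend, also exposed as pkgs.iptables-legacy`. The rest of the derivation, where the flag is consumed, is outside the hunk.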
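--- a/pkgs/os-specific/linux/nftables/default.nix
+++ b/pkgs/os-specific/linux/nftables/default.nix
@@ -4,7 +4,7 @@
 , gmp, jansson, readline
 , withDebugSymbols ? false
 , withPython ? false , python3
-, withXtables ? false , iptables
+, withXtables ? true , iptables
 }:
 
 with lib;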
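--- a/pkgs/tools/admin/lxd/default.nix
+++ b/pkgs/tools/admin/lxd/default.nix
@@ -1,22 +1,14 @@
 { lib, hwdata, pkg-config, lxc, buildGoPackage, fetchurl
 , makeWrapper, acl, rsync, gnutar, xz, btrfs-progs, gzip, dnsmasq, attr
-, squashfsTools, iproute2, iptables, ebtables, iptables-nftables-compat, libcap
+, squashfsTools, iproute2, iptables, libcap
 , dqlite, raft-canonical, sqlite-replication, udev
 , writeShellScriptBin, apparmor-profiles, apparmor-parser
 , criu
 , bash
 , installShellFiles
-, nftablesSupport ? false
 , nixosTests
 }:
 
-let
-networkPkgs = if nftablesSupport then
-[ iptables-nftables-compat ]
-else
-[ iptables ebtables ];
-
-in
 buildGoPackage rec {
 pname = "lxd";
 version = "4.19";
@@ -45,7 +37,7 @@ buildGoPackage rec {
 rm $out/bin/{deps,macaroon-identity,generate}
 wrapProgram $out/bin/lxd --prefix PATH : ${lib.makeBinPath (
-networkPkgs
+[ iptables ]
 ++ [ acl rsync gnutar xz btrfs-progs gzip dnsmasq squashfsTools iproute2 bash criu attr ]
 ++ [ (writeShellScriptBin "apparmor_parser" ''
 exec '${apparmor-parser}/bin/apparmor_parser' -I '${apparmor-profiles}/etc/apparmor.d' "$@"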
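Review bot: In the second hunk `[ iptables ]` survives as a one-element list concatenated with `++ [ acl rsync ... ]` only because it replaced the `networkPkgs` variable; with the let-binding gone, folding it into the following list (`[ iptables acl rsync gnutar xz btrfs-progs gzip dnsmasq squashfsTools iproute2 bash criu attr ]`) reads more naturally. Separately, the header in the first hunk takes no `...`, so any overlay that still passes `nftablesSupport = true` through `.override` will now fail evaluation with an unexpected-argument error; the release note added in this commit could mention that the option is gone. The `wrapProgram` call sits inside a phase that starts and ends outside the hunk.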
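--- a/pkgs/tools/networking/ferm/default.nix
+++ b/pkgs/tools/networking/ferm/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, makeWrapper, perl, ebtables, ipset, iptables, nixosTests }:
+{ lib, stdenv, fetchurl, makeWrapper, perl, iptables, nixosTests }:
 
 let
 inherit (lib.versions) majorMinor;
@@ -23,7 +23,7 @@ in stdenv.mkDerivation rec {
 postInstall = ''
 rm -r $out/lib/systemd
 for i in "$out/sbin/"*; do
-wrapProgram "$i" --prefix PATH : "${lib.makeBinPath [ iptables ipset ebtables ]}"
+wrapProgram "$i" --prefix PATH : "${lib.makeBinPath [ iptables ]}"
 done
 '';
 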
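--- a/pkgs/tools/networking/shorewall/default.nix
+++ b/pkgs/tools/networking/shorewall/default.nix
@@ -1,10 +1,8 @@
 { coreutils
-, ebtables
 , fetchurl
 , gnugrep
 , gnused
 , iproute2
-, ipset
 , iptables
 , perl
 , perlPackages
@@ -17,8 +15,6 @@ let
 [ "${coreutils}/bin"
 "${iproute2}/bin"
 "${iptables}/bin"
-"${ipset}/bin"
-"${ebtables}/bin"
 "${util-linux}/bin"
 "${gnugrep}/bin"
 "${gnused}/bin"
@@ -47,9 +43,7 @@ stdenv.mkDerivation rec {
 buildInputs = [
 coreutils
 iproute2
-ipset
 iptables
-ebtables
 util-linux
 gnugrep
 gnused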
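--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -21653,9 +21653,9 @@ with pkgs;
 iputils = hiPrio (callPackage ../os-specific/linux/iputils { });
 # hiPrio for collisions with inetutils (ping and tftpd.8.gz)
 
-iptables = iptables-legacy;
-iptables-legacy = callPackage ../os-specific/linux/iptables { };
-iptables-nftables-compat = callPackage ../os-specific/linux/iptables { nftablesCompat = true; };
+iptables = callPackage ../os-specific/linux/iptables { };
+iptables-legacy = callPackage ../os-specific/linux/iptables { nftablesCompat = false; };
+iptables-nftables-compat = iptables;
 
 iptstate = callPackage ../os-specific/linux/iptstate { } ;
 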
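Review bot: `iptables-legacy` now builds the xtables backend while the default `iptables` drives nf_tables, and nothing next to the two attributes warns that they manage separate kernel rule sets: rules loaded through one binary are not listed, and cannot be flushed, by the other (the nf_tables-backed tool only prints a warning that legacy tables are present). On a host where one service still pins `iptables-legacy`, an administrator running the default `iptables -L` gets an incomplete view of the active firewall. Suggest `# xtables backend; rules it loads are invisible to the nf_tables-backed default iptables — avoid mixing both on one host` on the `iptables-legacy` line.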

