F41 Change Proposal: Netavark Nftables Default (self-contained)

Wiki - https://fedoraproject.org/wiki/Changes/NetavarkNftablesDefault
Discussion Thread -
https://discussion.fedoraproject.org/t/f41-change-proposal-netavark-nftables-default-self-contained/125528

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.


== Summary ==
Netavark should use nftables by default to create/manage the firewall
rules for the Podman containers.

== Owner ==

* Name: [[User:FASAcountName| Paul Holzinger]]
* Email: <pholzing@xxxxxxxxxx>
* Name: Matthew Heon
* Email: <mheon@xxxxxxxxxx>


== Detailed Description ==

Netavark is used by Podman to configure networking for the containers.
It manages interfaces and firewall rules. Currently it uses iptables
by default to create the firewall rules for the containers but it can
also be configured to use nftables (nft). The goal is to switch the
default over to nftables. We also expect a small speed up for the
container start-up times as nftables allows us to batch insert rules
at once which makes it more performant and robust compared to
iptables.

== Feedback ==


== Benefit to Fedora ==

* netavark no longer requires iptables
* all rules are now part of the netavark table, so there are fewer
conflicts with other tools/users who manage firewall rules
* slightly faster container start-up time


== Scope ==

* Proposal owners: Paul Holzinger, Matthew Heon
** Using nftables is already supported in netavark as of version v1.10
(already included in Fedora). Set a build option in the specfile to
change the default driver from iptables to nftables.

* Other developers: N/A

* Release engineering: N/A

* Policies and guidelines: N/A (not needed for this Change)

* Trademark approval: N/A (not needed for this Change)

* Alignment with the Fedora Strategy:

== Upgrade/compatibility impact ==


== Early Testing (Optional) ==

Do you require 'QA Blueprint' support? N

== How To Test ==

The change can be tested by setting the firewall driver to nftables in
containers.conf:

 $ sudo mkdir -p /etc/containers/containers.conf.d
 $ echo $'[network]\nfirewall_driver="nftables"' | sudo tee /etc/containers/containers.conf.d/50-netavark-nftables.conf

Changing the firewall driver while you have running containers will
likely leave conflicting rules from both drivers behind, so it is best
to reboot after changing this option.

Now start the containers and make sure the network works as usual. The
rules can be checked with

 $ sudo nft list table inet netavark
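The test procedure above as a checkable POSIX shell script (an added example, not part of the proposal or of netavark). It writes the same drop-in, reads the effective firewall_driver back from a containers.conf.d directory (later drop-ins in lexical order override earlier ones, and only the [network] section counts), and, when nft is available, checks that the netavark table exists. The directory is a parameter so it can be exercised against a temporary path without root; the netavark_table_present check needs root and a running container setup.

```shell
#!/bin/sh
# Added example: apply and check the containers.conf drop-in from the proposal.
# CONF_DIR defaults to the real path; pass a temp dir to dry-run as a normal user.

DROP_IN_NAME="50-netavark-nftables.conf"

# Write the [network] drop-in that selects the nftables firewall driver.
# Reboot afterwards if containers were running, as the proposal advises.
write_nftables_drop_in() {
    conf_dir="${1:-/etc/containers/containers.conf.d}"
    mkdir -p "$conf_dir" || return 1
    printf '[network]\nfirewall_driver="nftables"\n' > "$conf_dir/$DROP_IN_NAME"
}

# Print the effective firewall_driver from the drop-in directory only (the
# base /etc/containers/containers.conf is not consulted here). Files are
# visited in sorted glob order, so the last assignment wins; keys outside
# the [network] section are ignored.
effective_firewall_driver() {
    conf_dir="${1:-/etc/containers/containers.conf.d}"
    driver=""
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(awk '
            /^[ \t]*\[/ { sec=$0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
            sec == "network" && match($0, /^[ \t]*firewall_driver[ \t]*=[ \t]*"[^"]*"/) {
                val = substr($0, RSTART, RLENGTH)
                sub(/^[^"]*"/, "", val); sub(/"$/, "", val)
                print val
            }' "$f" | tail -n 1)
        if [ -n "$v" ]; then driver="$v"; fi
    done
    printf '%s\n' "$driver"
}

# Confirm the netavark nftables table is present. Returns 2 if nft is not
# installed, non-zero if the table is missing (needs root, as in the proposal).
netavark_table_present() {
    command -v nft >/dev/null 2>&1 || return 2
    nft list table inet netavark >/dev/null 2>&1
}
```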

== User Experience ==

There should be no change in behavior for end users unless they have
manually modified the netavark firewall rules.

== Dependencies ==

N/A

== Contingency Plan ==

* Contingency mechanism: Keep using iptables as default.
* Contingency deadline: beta freeze
* Blocks release? N/A

== Documentation ==

N/A (not a System Wide Change)

== Release Notes ==


-- 
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney

-- 
_______________________________________________
devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue