Wiki - https://fedoraproject.org/wiki/Changes/NetavarkNftablesDefault Discussion Thread - https://discussion.fedoraproject.org/t/f41-change-proposal-netavark-nftables-default-self-contained/125528 This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == Netavark should use nftables by default to create/manage the firewall rules for the Podman containers. == Owner == * Name: [[User:FASAcountName| Paul Holzinger]] * Email: <pholzing@xxxxxxxxxx> * Name: Matthew Heon * Email: <mheon@xxxxxxxxxx> == Detailed Description == Netavark is used by Podman to configure networking for the containers. It manages interfaces and firewall rules. Currently it uses iptables by default to create the firewall rules for the containers but it can also be configured to use nftables (nft). The goal is to switch the default over to nftables. We also expect a small speed up for the container start-up times as nftables allows us to batch insert rules at once which makes it more performant and robust compared to iptables. == Feedback == == Benefit to Fedora == * netavark no longer requires iptables * all rules are now part of the netavark table so there are less conflicts with other tools/users who manage firewall rules * slightly faster container start-up time == Scope == * Proposal owners: Paul Holzinger, Matthew Heon ** Using nftables is already supported in netavark as of version v1.10 (already included in fedora). Set a build option in the specfile to change the default driver from iptables to nftables * Other developers: N/A * Release engineering: N/A * Policies and guidelines: N/A (not needed for this Change) * Trademark approval: N/A (not needed for this Change) * Alignment with the Fedora Strategy: == Upgrade/compatibility impact == == Early Testing (Optional) == Do you require 'QA Blueprint' support? N == How To Test == The change can be tested by setting the firewall driver to nftables in containers.conf: $ sudo mkdir -p /etc/containers/containers.conf.d $ echo $'[network]\nfirewall_driver="nftables"' | sudo tee /etc/containers/containers.conf.d/50-netavark-nftables.conf Changing the firewall driver while you have running containers will likely cause some conflicting rules so it is best to reboot when this option is changed. Now start the containers and make sure the network works as usual. The rules can be checked with $ sudo nft list table inet netavark == User Experience == There should no change in behavior for end users unless they manually messed with the netavark firewall rules. == Dependencies == N/A == Contingency Plan == * Contingency mechanism: Keep using iptables as default. * Contingency deadline: beta freeze * Blocks release? N/A == Documentation == N/A (not a System Wide Change) == Release Notes == -- Aoife Moloney Fedora Operations Architect Fedora Project Matrix: @amoloney:fedora.im IRC: amoloney -- _______________________________________________ devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue