
Add support for nftables

Open ghost opened this issue 4 years ago • 3 comments

With the release of EL8, nftables has become the default firewall implementation on minimal installs of CentOS/OEL/RHEL8. While an iptables driver is available (both in libnetwork and a mapper in nftables itself), this is not guaranteed to be present. firewalld pulls in iptables, but firewalld itself does not yet support raw commands to nftables.

iptables calls were heavily enmeshed in libnetwork. It was necessary to create a relatively large interface in order to break the coupling to native iptables implementations, but this offers the flexibility to support or add other drivers in the future.

Remaining changes are needed to:

drivers/bridge/link.go
drivers/bridge/setup_tables.go
drivers/overlay/encryption.go
drivers/overlay/filter.go
resolver_unix.go
service_linux.go

But all are small in scope compared to this, and consist of translating remaining raw iptables rules to nftables and adding additional interface methods/methods for re-used logic.

ghost avatar Dec 23 '20 01:12 ghost
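As an added example of the kind of driver interface the description above refers to (not libnetwork's code and not the PR's own), the block below defines a hypothetical backend-neutral `Rule` type and a `Firewaller` interface, with one implementation that renders iptables command lines and one that renders the equivalent nft command lines for the same rules. It only renders the commands rather than executing them, so it runs offline; the nft layout it assumes (ip-family tables named `nat` and `filter`, base chains named after the iptables chains in lower case) is an assumption for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a backend-neutral description of one firewall rule.
// Hypothetical type written for this example, not libnetwork's own.
type Rule struct {
	Table  string // "nat" or "filter"
	Chain  string // e.g. "POSTROUTING", "FORWARD"
	Src    string // source CIDR, empty to omit
	InIf   string // incoming interface, "!" prefix negates, empty to omit
	OutIf  string // outgoing interface, "!" prefix negates, empty to omit
	Action string // "MASQUERADE", "ACCEPT", "DROP"
}

// Firewaller is the interface callers program rules through; swapping the
// implementation changes the backend without touching the calling code.
type Firewaller interface {
	Render(r Rule) []string // argv that would install r
}

// --- iptables backend ---------------------------------------------------

type iptablesDriver struct{}

func (iptablesDriver) Render(r Rule) []string {
	argv := []string{"iptables", "-t", r.Table, "-A", r.Chain}
	if r.Src != "" {
		argv = append(argv, "-s", r.Src)
	}
	argv = append(argv, iptIface("-i", r.InIf)...)
	argv = append(argv, iptIface("-o", r.OutIf)...)
	return append(argv, "-j", r.Action)
}

// iptIface emits "-o eth0" or the negated form "! -o eth0".
func iptIface(flag, name string) []string {
	if name == "" {
		return nil
	}
	if strings.HasPrefix(name, "!") {
		return []string{"!", flag, name[1:]}
	}
	return []string{flag, name}
}

// --- nftables backend ---------------------------------------------------

// nftDriver assumes (for this example) ip-family tables named after the
// iptables tables, whose base chains carry the iptables chain name in
// lower case (e.g. chain "postrouting" with "type nat hook postrouting").
type nftDriver struct{}

func (nftDriver) Render(r Rule) []string {
	argv := []string{"nft", "add", "rule", "ip", r.Table, strings.ToLower(r.Chain)}
	if r.Src != "" {
		argv = append(argv, "ip", "saddr", r.Src)
	}
	argv = append(argv, nftIface("iifname", r.InIf)...)
	argv = append(argv, nftIface("oifname", r.OutIf)...)
	// nft verdicts and the masquerade statement are lower-case keywords.
	return append(argv, strings.ToLower(r.Action))
}

// nftIface emits "oifname eth0" or the negated form "oifname != eth0".
func nftIface(key, name string) []string {
	if name == "" {
		return nil
	}
	if strings.HasPrefix(name, "!") {
		return []string{key, "!=", name[1:]}
	}
	return []string{key, name}
}

// Program renders every rule through fw and returns the command lines,
// so a caller can review or log exactly what a backend would run.
func Program(fw Firewaller, rules []Rule) []string {
	out := make([]string, 0, len(rules))
	for _, r := range rules {
		out = append(out, strings.Join(fw.Render(r), " "))
	}
	return out
}

// DefaultBridgeRules is constructed sample input: the masquerade and
// forward rules a bridge on 172.17.0.0/16 behind docker0 would need.
var DefaultBridgeRules = []Rule{
	{Table: "nat", Chain: "POSTROUTING", Src: "172.17.0.0/16", OutIf: "!docker0", Action: "MASQUERADE"},
	{Table: "filter", Chain: "FORWARD", InIf: "docker0", OutIf: "!docker0", Action: "ACCEPT"},
}

func main() {
	for _, fw := range []Firewaller{iptablesDriver{}, nftDriver{}} {
		for _, cmd := range Program(fw, DefaultBridgeRules) {
			fmt.Println(cmd)
		}
	}
}
```

Rendering to argv rather than shelling out keeps the translation testable and lets a reviewer diff the iptables and nft output for the same rule set before either backend is wired to a real executor.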

Thanks for your contribution @evol262. Adding the interfaces for the iptables layer will make it simpler to extend the codebase, and the nftables implementation will improve the speed of programming the network rules. Looking forward to the final draft!

arkodg avatar Dec 24 '20 00:12 arkodg

Hi! Very interested in nftables support... any updates on reviewing this PR?

passcod avatar Mar 11 '21 21:03 passcod

Note we have migrated this codebase over to github.com/moby/moby/libnetwork. We are not accepting PRs on this repo anymore except for backports to be included in moby 20.10.

cpuguy83 avatar Jun 18 '21 22:06 cpuguy83