Merge pull request #81172 from misuzu/iptables-switch

iptables: switch from iptables-legacy to iptables-nftables-compat

authored by

Florian Klink and committed by
GitHub
b112f366 234f96b4

+37 -50
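--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -17,6 +17,12 @@
       <itemizedlist>
         <listitem>
           <para>
+            <literal>iptables</literal> now uses
+            <literal>nf_tables</literal> backend.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
             PHP now defaults to PHP 8.0, updated from 7.4.
           </para>
         </listitem>
@@ -364,6 +370,14 @@
             that before NixOS 21.11, specifying either setuid or setgid
             but not owner/group resulted in wrappers owned by
             nobody/nogroup, which is unsafe.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            Since <literal>iptables</literal> now uses
+            <literal>nf_tables</literal> backend and
+            <literal>ipset</literal> doesn’t support it, some applications
+            (ferm, shorewall, firehol) may have limited functionality.
           </para>
         </listitem>
         <listitem>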
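--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -6,6 +6,8 @@
 
 ## Highlights {#sec-release-21.11-highlights}
 
+- `iptables` now uses `nf_tables` backend.
+
 - PHP now defaults to PHP 8.0, updated from 7.4.
 
 - kOps now defaults to 1.21.1, which uses containerd as the default runtime.
@@ -111,6 +113,8 @@
 
 - The `security.wrappers` option now requires to always specify an owner, group and whether the setuid/setgid bit should be set.
   This is motivated by the fact that before NixOS 21.11, specifying either setuid or setgid but not owner/group resulted in wrappers owned by nobody/nogroup, which is unsafe.
+
+- Since `iptables` now uses `nf_tables` backend and `ipset` doesn't support it, some applications (ferm, shorewall, firehol) may have limited functionality.
 
 - The `paperless` module and package have been removed. All users should migrate to the
   successor `paperless-ng` instead. The Paperless project [has been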
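--- a/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixos/modules/virtualisation/libvirtd.nix
@@ -168,7 +168,7 @@
       etc."qemu/bridge.conf".text = lib.concatMapStringsSep "\n" (e:
         "allow ${e}") cfg.allowedBridges;
       systemPackages = with pkgs; [ libressl.nc iptables cfg.package cfg.qemuPackage ];
-      etc.ethertypes.source = "${pkgs.ebtables}/etc/ethertypes";
+      etc.ethertypes.source = "${pkgs.iptables}/etc/ethertypes";
     };
 
     boot.kernelModules = [ "tun" ];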
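--- a/pkgs/applications/networking/cluster/k3s/default.nix
+++ b/pkgs/applications/networking/cluster/k3s/default.nix
@@ -13,7 +13,6 @@
 , pkg-config
 , ethtool
 , util-linux
-, ipset
 , fetchFromGitHub
 , fetchurl
 , fetchzip
@@ -254,7 +253,6 @@
     bridge-utils
     ethtool
     util-linux # kubelet wants 'nsenter' from util-linux: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-705994388
-    ipset
     conntrack-tools
   ];
 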
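Review bot: Dropping `ipset` from the k3s runtime inputs in the second hunk removes the userland tool that kube-proxy's IPVS mode relies on to populate its sets, so a k3s node configured with `proxy-mode=ipvs` would presumably start failing at runtime rather than at evaluation time; the nf_tables backend of iptables does not by itself replace the ipset binary, and nothing in this commit accounts for that case. If the removal is intended, a comment on the list such as `# ipset intentionally omitted: kube-proxy IPVS mode is not supported with this build` would make the trade-off explicit to the next maintainer, and the release note's "limited functionality" caveat could name k3s alongside ferm, shorewall and firehol. The enclosing attribute set continues outside the hunk.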
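--- a/pkgs/applications/networking/firehol/default.nix
+++ b/pkgs/applications/networking/firehol/default.nix
@@ -1,5 +1,5 @@
 { stdenv, lib, fetchFromGitHub, pkgs
-, autoconf, automake, curl, iprange, iproute2, ipset, iptables, iputils
+, autoconf, automake, curl, iprange, iproute2, iptables, iputils
 , kmod, nettools, procps, tcpdump, traceroute, util-linux, whois
 
 # If true, just install FireQOS without FireHOL
@@ -35,13 +35,14 @@
 
   nativeBuildInputs = [ autoconf automake ];
   buildInputs = [
-    curl iprange iproute2 ipset iptables iputils kmod
+    curl iprange iproute2 iptables iputils kmod
     nettools procps tcpdump traceroute util-linux whois
   ];
 
   preConfigure = "./autogen.sh";
   configureFlags = [ "--localstatedir=/var"
-                     "--disable-doc" "--disable-man" ] ++
+                     "--disable-doc" "--disable-man"
+                     "--disable-update-ipsets" ] ++
     lib.optional onlyQOS [ "--disable-firehol" ];
 
   meta = with lib; {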
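--- a/pkgs/development/libraries/libvirt/5.9.0.nix
+++ b/pkgs/development/libraries/libvirt/5.9.0.nix
@@ -2,7 +2,7 @@
 , pkg-config, makeWrapper, libtool, autoconf, automake, fetchpatch
 , coreutils, libxml2, gnutls, perl, python2, attr
 , iproute2, iptables, readline, lvm2, util-linux, systemd, libpciaccess, gettext
-, libtasn1, ebtables, libgcrypt, yajl, pmutils, libcap_ng, libapparmor
+, libtasn1, libgcrypt, yajl, pmutils, libcap_ng, libapparmor
 , dnsmasq, libnl, libpcap, libxslt, xhtml1, numad, numactl, perlPackages
 , curl, libiconv, gmp, zfs, parted, bridge-utils, dmidecode, glib, rpcsvc-proto, libtirpc
 , enableXen ? false, xen ? null
@@ -54,7 +54,7 @@
 
   preConfigure = ''
     ${ optionalString (!buildFromTarball) "./bootstrap --no-git --gnulib-srcdir=$(pwd)/.gnulib" }
-    PATH=${lib.makeBinPath ([ dnsmasq ] ++ optionals stdenv.isLinux [ iproute2 iptables ebtables lvm2 systemd numad ] ++ optionals enableIscsi [ openiscsi ])}:$PATH
+    PATH=${lib.makeBinPath ([ dnsmasq ] ++ optionals stdenv.isLinux [ iproute2 iptables lvm2 systemd numad ] ++ optionals enableIscsi [ openiscsi ])}:$PATH
     # the path to qemu-kvm will be stored in VM's .xml and .save files
     # do not use "''${qemu_kvm}/bin/qemu-kvm" to avoid bound VMs to particular qemu derivations
     substituteInPlace src/lxc/lxc_conf.c \
@@ -75,7 +75,6 @@
   ] ++ optionals stdenv.isLinux [
     "QEMU_BRIDGE_HELPER=/run/wrappers/bin/qemu-bridge-helper"
     "QEMU_PR_HELPER=/run/libvirt/nix-helpers/qemu-pr-helper"
-    "EBTABLES_PATH=${ebtables}/bin/ebtables-legacy"
     "CFLAGS=-I${libtirpc.dev}/include/tirpc"
     "--with-attr"
     "--with-apparmor"
@@ -101,7 +100,7 @@
 
 
   postInstall = let
-    binPath = [ iptables iproute2 pmutils numad numactl bridge-utils dmidecode dnsmasq ebtables ] ++ optionals enableIscsi [ openiscsi ];
+    binPath = [ iptables iproute2 pmutils numad numactl bridge-utils dmidecode dnsmasq ] ++ optionals enableIscsi [ openiscsi ];
   in ''
     substituteInPlace $out/libexec/libvirt-guests.sh \
       --replace 'ON_BOOT=start' 'ON_BOOT=''${ON_BOOT:-start}' \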
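--- a/pkgs/development/libraries/libvirt/default.nix
+++ b/pkgs/development/libraries/libvirt/default.nix
@@ -22,7 +22,6 @@
 , gettext
 , libtasn1
 , iptables
-, ebtables
 , libgcrypt
 , yajl
 , pmutils
@@ -68,19 +67,6 @@
 # if you update, also bump <nixpkgs/pkgs/development/python-modules/libvirt/default.nix> and SysVirt in <nixpkgs/pkgs/top-level/perl-packages.nix>
 let
   buildFromTarball = stdenv.isDarwin;
-  # libvirt hardcodes the binary name 'ebtables', but in nixpkgs the ebtables
-  # binary we want to use is named 'ebtables-legacy'.
-  # Create a derivation to alias the binary name so that libvirt can find the right one, and use that below.
-  ebtables-compat = stdenv.mkDerivation {
-    pname = "ebtables-compat";
-    version = ebtables.version;
-    src = null;
-    buildInputs = [ ebtables ];
-    buildCommand = ''
-      mkdir -p $out/bin
-      ln -sf ${ebtables}/bin/ebtables-legacy $out/bin/ebtables
-    '';
-  };
 in
 stdenv.mkDerivation rec {
   pname = "libvirt";
@@ -178,7 +164,7 @@
     '';
   in
   ''
-    PATH=${lib.makeBinPath ([ dnsmasq ] ++ optionals stdenv.isLinux [ iproute2 iptables ebtables-compat lvm2 systemd numad ] ++ optionals enableIscsi [ openiscsi ])}:$PATH
+    PATH=${lib.makeBinPath ([ dnsmasq ] ++ optionals stdenv.isLinux [ iproute2 iptables lvm2 systemd numad ] ++ optionals enableIscsi [ openiscsi ])}:$PATH
     # the path to qemu-kvm will be stored in VM's .xml and .save files
     # do not use "''${qemu_kvm}/bin/qemu-kvm" to avoid bound VMs to particular qemu derivations
     substituteInPlace src/lxc/lxc_conf.c \
@@ -226,8 +212,7 @@
 
   postInstall =
   let
-    # Keep the legacy iptables binary for now for backwards compatibility (comment on #109332)
-    binPath = [ iptables ebtables-compat iproute2 pmutils numad numactl bridge-utils dmidecode dnsmasq ] ++ optionals enableIscsi [ openiscsi ];
+    binPath = [ iptables iproute2 pmutils numad numactl bridge-utils dmidecode dnsmasq ] ++ optionals enableIscsi [ openiscsi ];
   in
   ''
     substituteInPlace $out/libexec/libvirt-guests.sh \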
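Review bot: The removed `ebtables-compat` comment documented that libvirt hardcodes the binary name `ebtables`, yet the new `binPath` and `PATH` lists contain only `iptables`, so the nwfilter driver's ability to find `ebtables` now depends silently on the nf_tables-backed iptables package shipping an `ebtables` entry point, which this commit neither states nor checks. If that is the intended mechanism, keep a one-line replacement for the dropped comment, e.g. `# ebtables/arptables are expected to come from the nf_tables-backed iptables package; libvirt looks them up by name on PATH`, so the dependency is not lost the next time someone trims `binPath`. The same reasoning applies to the `EBTABLES_PATH` configure flag removed in `5.9.0.nix` and to the `etc.ethertypes.source` change in `libvirtd.nix`, which likewise assumes the iptables output provides `etc/ethertypes`. Both `postInstall` bodies continue outside their hunks.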
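--- a/pkgs/os-specific/linux/iptables/default.nix
+++ b/pkgs/os-specific/linux/iptables/default.nix
@@ -1,6 +1,6 @@
 { lib, stdenv, fetchurl, pkg-config, pruneLibtoolFiles, flex, bison
 , libmnl, libnetfilter_conntrack, libnfnetlink, libnftnl, libpcap
-, nftablesCompat ? false
+, nftablesCompat ? true
 }:
 
 with lib;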
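Review bot: Flipping `nftablesCompat` to `true` changes which kernel backend every iptables consumer in nixpkgs talks to, and rules that were loaded through the legacy ip_tables backend are neither listed nor flushed by an nf_tables-backed binary, so on an in-place upgrade the old rule set presumably stays active alongside whatever the new binary installs until the legacy tool or a reboot clears it; neither this hunk nor the `all-packages.nix` hunk that makes the same switch the default records that migration hazard. A comment on the parameter would be enough to point operators at it, e.g. `# nftablesCompat: build on the nf_tables backend (xtables-nft); rules installed by a legacy iptables are invisible to this binary and must be removed with iptables-legacy`. The argument set and derivation body continue outside the hunk.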
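--- a/pkgs/os-specific/linux/nftables/default.nix
+++ b/pkgs/os-specific/linux/nftables/default.nix
@@ -4,7 +4,7 @@
 , gmp, jansson, readline
 , withDebugSymbols ? false
 , withPython ? false , python3
-, withXtables ? false , iptables
+, withXtables ? true , iptables
 }:
 
 with lib;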
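--- a/pkgs/tools/admin/lxd/default.nix
+++ b/pkgs/tools/admin/lxd/default.nix
@@ -1,22 +1,14 @@
 { lib, hwdata, pkg-config, lxc, buildGoPackage, fetchurl
 , makeWrapper, acl, rsync, gnutar, xz, btrfs-progs, gzip, dnsmasq, attr
-, squashfsTools, iproute2, iptables, ebtables, iptables-nftables-compat, libcap
+, squashfsTools, iproute2, iptables, libcap
 , dqlite, raft-canonical, sqlite-replication, udev
 , writeShellScriptBin, apparmor-profiles, apparmor-parser
 , criu
 , bash
 , installShellFiles
-, nftablesSupport ? false
 , nixosTests
 }:
 
-let
-  networkPkgs = if nftablesSupport then
-    [ iptables-nftables-compat ]
-  else
-    [ iptables ebtables ];
-
-in
 buildGoPackage rec {
   pname = "lxd";
   version = "4.19";
@@ -45,7 +37,7 @@
     rm $out/bin/{deps,macaroon-identity,generate}
 
     wrapProgram $out/bin/lxd --prefix PATH : ${lib.makeBinPath (
-      networkPkgs
+      [ iptables ]
       ++ [ acl rsync gnutar xz btrfs-progs gzip dnsmasq squashfsTools iproute2 bash criu attr ]
       ++ [ (writeShellScriptBin "apparmor_parser" ''
         exec '${apparmor-parser}/bin/apparmor_parser' -I '${apparmor-profiles}/etc/apparmor.d' "$@"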
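Review bot: Removing the `nftablesSupport ? false` argument in the first hunk is a silent interface break: the argument set has no `...`, so any user expression doing `lxd.override { nftablesSupport = true; }` now fails to evaluate with an unexpected-argument error instead of getting the behaviour it asked for, which is now the default anyway. Keeping the name as an accepted no-op for one release avoids that, e.g. `, nftablesSupport ? true # deprecated, ignored: iptables now defaults to the nf_tables backend` in the argument list. It would also help to note next to `[ iptables ]` in the second hunk that LXD's bridge filtering expects `ebtables` on PATH and is assumed to get it from the nf_tables-backed iptables package, since the old `networkPkgs` list made that dependency explicit. The `wrapProgram` call continues outside the hunk.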
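--- a/pkgs/tools/networking/ferm/default.nix
+++ b/pkgs/tools/networking/ferm/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, makeWrapper, perl, ebtables, ipset, iptables, nixosTests }:
+{ lib, stdenv, fetchurl, makeWrapper, perl, iptables, nixosTests }:
 
 let
   inherit (lib.versions) majorMinor;
@@ -23,7 +23,7 @@
   postInstall = ''
     rm -r $out/lib/systemd
     for i in "$out/sbin/"*; do
-      wrapProgram "$i" --prefix PATH : "${lib.makeBinPath [ iptables ipset ebtables ]}"
+      wrapProgram "$i" --prefix PATH : "${lib.makeBinPath [ iptables ]}"
     done
   '';
 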
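--- a/pkgs/tools/networking/shorewall/default.nix
+++ b/pkgs/tools/networking/shorewall/default.nix
@@ -1,10 +1,8 @@
 { coreutils
-, ebtables
 , fetchurl
 , gnugrep
 , gnused
 , iproute2
-, ipset
 , iptables
 , perl
 , perlPackages
@@ -17,8 +15,6 @@
   [ "${coreutils}/bin"
     "${iproute2}/bin"
     "${iptables}/bin"
-    "${ipset}/bin"
-    "${ebtables}/bin"
     "${util-linux}/bin"
     "${gnugrep}/bin"
     "${gnused}/bin"
@@ -47,9 +43,7 @@
   buildInputs = [
     coreutils
     iproute2
-    ipset
     iptables
-    ebtables
     util-linux
     gnugrep
     gnused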
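--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -21653,9 +21653,9 @@
   iputils = hiPrio (callPackage ../os-specific/linux/iputils { });
   # hiPrio for collisions with inetutils (ping and tftpd.8.gz)
 
-  iptables = iptables-legacy;
-  iptables-legacy = callPackage ../os-specific/linux/iptables { };
-  iptables-nftables-compat = callPackage ../os-specific/linux/iptables { nftablesCompat = true; };
+  iptables = callPackage ../os-specific/linux/iptables { };
+  iptables-legacy = callPackage ../os-specific/linux/iptables { nftablesCompat = false; };
+  iptables-nftables-compat = iptables;
 
   iptstate = callPackage ../os-specific/linux/iptstate { } ;
 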