Merge pull request #81172 from misuzu/iptables-switch

iptables: switch from iptables-legacy to iptables-nftables-compat

authored by

Florian Klink and committed by
GitHub
b112f366 234f96b4

+37 -50
+14
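--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -17,6 +17,12 @@
 <itemizedlist>
 <listitem>
 <para>
+<literal>iptables</literal> now uses
+<literal>nf_tables</literal> backend.
+</para>
+</listitem>
+<listitem>
+<para>
 PHP now defaults to PHP 8.0, updated from 7.4.
 </para>
 </listitem>
@@ -364,6 +370,14 @@
 that before NixOS 21.11, specifying either setuid or setgid
 but not owner/group resulted in wrappers owned by
 nobody/nogroup, which is unsafe.
+</para>
+</listitem>
+<listitem>
+<para>
+Since <literal>iptables</literal> now uses
+<literal>nf_tables</literal> backend and
+<literal>ipset</literal> doesn’t support it, some applications
+(ferm, shorewall, firehol) may have limited functionality.
 </para>
 </listitem>
 <listitem>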
+4
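--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -6,6 +6,8 @@
 
 ## Highlights {#sec-release-21.11-highlights}
 
+- `iptables` now uses `nf_tables` backend.
+
 - PHP now defaults to PHP 8.0, updated from 7.4.
 
 - kOps now defaults to 1.21.1, which uses containerd as the default runtime.
@@ -111,6 +113,8 @@
 
 - The `security.wrappers` option now requires to always specify an owner, group and whether the setuid/setgid bit should be set.
 This is motivated by the fact that before NixOS 21.11, specifying either setuid or setgid but not owner/group resulted in wrappers owned by nobody/nogroup, which is unsafe.
+
+- Since `iptables` now uses `nf_tables` backend and `ipset` doesn't support it, some applications (ferm, shorewall, firehol) may have limited functionality.
 
 - The `paperless` module and package have been removed. All users should migrate to the
 successor `paperless-ng` instead. The Paperless project [has been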
+1 -1
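--- a/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixos/modules/virtualisation/libvirtd.nix
@@ -168,7 +168,7 @@
 etc."qemu/bridge.conf".text = lib.concatMapStringsSep "\n" (e:
 "allow ${e}") cfg.allowedBridges;
 systemPackages = with pkgs; [ libressl.nc iptables cfg.package cfg.qemuPackage ];
-etc.ethertypes.source = "${pkgs.ebtables}/etc/ethertypes";
+etc.ethertypes.source = "${pkgs.iptables}/etc/ethertypes";
 };
 
 boot.kernelModules = [ "tun" ];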
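Review bot: The new `etc.ethertypes.source` on line 171 assumes the `iptables` package installs `etc/ethertypes`; the diff does not show the iptables package's install phase, so this should be confirmed against the package outputs, otherwise every configuration importing this module fails at build time. Since the module now reaches for `pkgs.iptables` where it previously used `pkgs.ebtables`, a short comment would save the next reader a lookup: `# ethertypes is now shipped by the nf_tables build of iptables; the separate ebtables package is no longer used`.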
-2
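--- a/pkgs/applications/networking/cluster/k3s/default.nix
+++ b/pkgs/applications/networking/cluster/k3s/default.nix
@@ -13,7 +13,6 @@
 , pkg-config
 , ethtool
 , util-linux
-, ipset
 , fetchFromGitHub
 , fetchurl
 , fetchzip
@@ -254,7 +253,6 @@
 bridge-utils
 ethtool
 util-linux # kubelet wants 'nsenter' from util-linux: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-705994388
-ipset
 conntrack-tools
 ];
 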
+4 -3
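--- a/pkgs/applications/networking/firehol/default.nix
+++ b/pkgs/applications/networking/firehol/default.nix
@@ -1,5 +1,5 @@
 { stdenv, lib, fetchFromGitHub, pkgs
-, autoconf, automake, curl, iprange, iproute2, ipset, iptables, iputils
+, autoconf, automake, curl, iprange, iproute2, iptables, iputils
 , kmod, nettools, procps, tcpdump, traceroute, util-linux, whois
 
 # If true, just install FireQOS without FireHOL
@@ -35,13 +35,14 @@
 
 nativeBuildInputs = [ autoconf automake ];
 buildInputs = [
-curl iprange iproute2 ipset iptables iputils kmod
+curl iprange iproute2 iptables iputils kmod
 nettools procps tcpdump traceroute util-linux whois
 ];
 
 preConfigure = "./autogen.sh";
 configureFlags = [ "--localstatedir=/var"
-"--disable-doc" "--disable-man" ] ++
+"--disable-doc" "--disable-man"
+"--disable-update-ipsets" ] ++
 lib.optional onlyQOS [ "--disable-firehol" ];
 
 meta = with lib; {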
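Review bot: The new `--disable-update-ipsets` flag on line 45 is the only trace of why `ipset` disappeared from the inputs on lines 2 and 38, and nothing in the file records the reason; a comment next to the flag would keep it with the code: `# ipset does not support the nf_tables backend that iptables now uses, so update-ipsets is built out`. Users whose FireHOL configuration calls `ipset` at runtime will still hit a missing binary, which the release note acknowledges but the package's `meta` (outside the hunk) does not. Separately, and pre-existing, `lib.optional onlyQOS [ "--disable-firehol" ]` on line 46 wraps a list inside a list; `lib.optionals` is the intended form, and presumably only the derivation argument flattening masks it today.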
+3 -4
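--- a/pkgs/development/libraries/libvirt/5.9.0.nix
+++ b/pkgs/development/libraries/libvirt/5.9.0.nix
@@ -2,7 +2,7 @@
 , pkg-config, makeWrapper, libtool, autoconf, automake, fetchpatch
 , coreutils, libxml2, gnutls, perl, python2, attr
 , iproute2, iptables, readline, lvm2, util-linux, systemd, libpciaccess, gettext
-, libtasn1, ebtables, libgcrypt, yajl, pmutils, libcap_ng, libapparmor
+, libtasn1, libgcrypt, yajl, pmutils, libcap_ng, libapparmor
 , dnsmasq, libnl, libpcap, libxslt, xhtml1, numad, numactl, perlPackages
 , curl, libiconv, gmp, zfs, parted, bridge-utils, dmidecode, glib, rpcsvc-proto, libtirpc
 , enableXen ? false, xen ? null
@@ -54,7 +54,7 @@
 
 preConfigure = ''
 ${ optionalString (!buildFromTarball) "./bootstrap --no-git --gnulib-srcdir=$(pwd)/.gnulib" }
-PATH=${lib.makeBinPath ([ dnsmasq ] ++ optionals stdenv.isLinux [ iproute2 iptables ebtables lvm2 systemd numad ] ++ optionals enableIscsi [ openiscsi ])}:$PATH
+PATH=${lib.makeBinPath ([ dnsmasq ] ++ optionals stdenv.isLinux [ iproute2 iptables lvm2 systemd numad ] ++ optionals enableIscsi [ openiscsi ])}:$PATH
 # the path to qemu-kvm will be stored in VM's .xml and .save files
 # do not use "''${qemu_kvm}/bin/qemu-kvm" to avoid bound VMs to particular qemu derivations
 substituteInPlace src/lxc/lxc_conf.c \
@@ -75,7 +75,6 @@
 ] ++ optionals stdenv.isLinux [
 "QEMU_BRIDGE_HELPER=/run/wrappers/bin/qemu-bridge-helper"
 "QEMU_PR_HELPER=/run/libvirt/nix-helpers/qemu-pr-helper"
-"EBTABLES_PATH=${ebtables}/bin/ebtables-legacy"
 "CFLAGS=-I${libtirpc.dev}/include/tirpc"
 "--with-attr"
 "--with-apparmor"
@@ -101,7 +100,7 @@
 
 
 postInstall = let
-binPath = [ iptables iproute2 pmutils numad numactl bridge-utils dmidecode dnsmasq ebtables ] ++ optionals enableIscsi [ openiscsi ];
+binPath = [ iptables iproute2 pmutils numad numactl bridge-utils dmidecode dnsmasq ] ++ optionals enableIscsi [ openiscsi ];
 in ''
 substituteInPlace $out/libexec/libvirt-guests.sh \
 --replace 'ON_BOOT=start' 'ON_BOOT=''${ON_BOOT:-start}' \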
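Review bot: Dropping `EBTABLES_PATH` from configureFlags (old line 78) leaves libvirt to resolve `ebtables` by name on its runtime PATH, and the PATH assembled from `binPath` on new line 103 now holds only the `iptables` package; that is correct only if the nf_tables build of `iptables` exposes a `bin/ebtables`, which this diff does not show. The same assumption is made in libvirt/default.nix, lxd, ferm and shorewall, which all replaced the `ebtables` package with `iptables`. A comment on `binPath` would record the dependency: `# ebtables is expected to come from the nf_tables build of iptables; no separate ebtables package`. If the binary is absent, the bridge-level filtering that libvirt presumably drives through ebtables would fail at runtime rather than at build time, so a NixOS test exercising that path is the cheapest guard.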
+2 -17
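--- a/pkgs/development/libraries/libvirt/default.nix
+++ b/pkgs/development/libraries/libvirt/default.nix
@@ -22,7 +22,6 @@
 , gettext
 , libtasn1
 , iptables
-, ebtables
 , libgcrypt
 , yajl
 , pmutils
@@ -68,19 +67,6 @@
 # if you update, also bump <nixpkgs/pkgs/development/python-modules/libvirt/default.nix> and SysVirt in <nixpkgs/pkgs/top-level/perl-packages.nix>
 let
 buildFromTarball = stdenv.isDarwin;
-# libvirt hardcodes the binary name 'ebtables', but in nixpkgs the ebtables
-# binary we want to use is named 'ebtables-legacy'.
-# Create a derivation to alias the binary name so that libvirt can find the right one, and use that below.
-ebtables-compat = stdenv.mkDerivation {
-pname = "ebtables-compat";
-version = ebtables.version;
-src = null;
-buildInputs = [ ebtables ];
-buildCommand = ''
-mkdir -p $out/bin
-ln -sf ${ebtables}/bin/ebtables-legacy $out/bin/ebtables
-'';
-};
 in
 stdenv.mkDerivation rec {
 pname = "libvirt";
@@ -178,7 +164,7 @@
 '';
 in
 ''
-PATH=${lib.makeBinPath ([ dnsmasq ] ++ optionals stdenv.isLinux [ iproute2 iptables ebtables-compat lvm2 systemd numad ] ++ optionals enableIscsi [ openiscsi ])}:$PATH
+PATH=${lib.makeBinPath ([ dnsmasq ] ++ optionals stdenv.isLinux [ iproute2 iptables lvm2 systemd numad ] ++ optionals enableIscsi [ openiscsi ])}:$PATH
 # the path to qemu-kvm will be stored in VM's .xml and .save files
 # do not use "''${qemu_kvm}/bin/qemu-kvm" to avoid bound VMs to particular qemu derivations
 substituteInPlace src/lxc/lxc_conf.c \
@@ -226,8 +212,7 @@
 
 postInstall =
 let
-# Keep the legacy iptables binary for now for backwards compatibility (comment on #109332)
-binPath = [ iptables ebtables-compat iproute2 pmutils numad numactl bridge-utils dmidecode dnsmasq ] ++ optionals enableIscsi [ openiscsi ];
+binPath = [ iptables iproute2 pmutils numad numactl bridge-utils dmidecode dnsmasq ] ++ optionals enableIscsi [ openiscsi ];
 in
 ''
 substituteInPlace $out/libexec/libvirt-guests.sh \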
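Review bot: The comment removed on old lines 71-73 was the only place that explained libvirt hardcodes the binary name `ebtables`, and with it gone the new `binPath` on line 215 gives no hint that `iptables` is now expected to satisfy that name. Re-adding one line above `binPath` keeps the knowledge in the file: `# libvirt looks up 'ebtables' by name at runtime; the nf_tables build of iptables provides it`. The removed note about keeping the legacy iptables binary for #109332 also deserves a sentence in the PR description, since this commit reverses that decision.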
+1 -1
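--- a/pkgs/os-specific/linux/iptables/default.nix
+++ b/pkgs/os-specific/linux/iptables/default.nix
@@ -1,6 +1,6 @@
 { lib, stdenv, fetchurl, pkg-config, pruneLibtoolFiles, flex, bison
 , libmnl, libnetfilter_conntrack, libnfnetlink, libnftnl, libpcap
-, nftablesCompat ? false
+, nftablesCompat ? true
 }:
 
 with lib;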
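Review bot: Flipping the default to `nftablesCompat ? true` on line 3 changes what every `callPackage ../os-specific/linux/iptables { }` without an explicit argument builds, but the file itself does not say so; a comment on the argument would: `# build against the nf_tables backend by default; pass nftablesCompat = false for the legacy xtables binaries (iptables-legacy in all-packages.nix)`. Out-of-tree overlays that call this file and rely on the legacy binaries will silently get the nft variant, which is worth a sentence in the PR description alongside the release note.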
+1 -1
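--- a/pkgs/os-specific/linux/nftables/default.nix
+++ b/pkgs/os-specific/linux/nftables/default.nix
@@ -4,7 +4,7 @@
 , gmp, jansson, readline
 , withDebugSymbols ? false
 , withPython ? false , python3
-, withXtables ? false , iptables
+, withXtables ? true , iptables
 }:
 
 with lib;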
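Review bot: `withXtables ? true` on line 7 makes `iptables` a default build input of `nftables`, yet the PR title and description mention only the iptables backend switch, so the motivation for touching nftables is not recorded anywhere. A comment on the argument would tie the two together, presumably `# xtables support lets nft show rulesets written by the nf_tables build of iptables, which is now the default` — confirm against the configure flags further down, which are outside the hunk. If this pulls `iptables` into closures that previously only had `nftables`, that is also worth stating.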
+2 -10
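--- a/pkgs/tools/admin/lxd/default.nix
+++ b/pkgs/tools/admin/lxd/default.nix
@@ -1,22 +1,14 @@
 { lib, hwdata, pkg-config, lxc, buildGoPackage, fetchurl
 , makeWrapper, acl, rsync, gnutar, xz, btrfs-progs, gzip, dnsmasq, attr
-, squashfsTools, iproute2, iptables, ebtables, iptables-nftables-compat, libcap
+, squashfsTools, iproute2, iptables, libcap
 , dqlite, raft-canonical, sqlite-replication, udev
 , writeShellScriptBin, apparmor-profiles, apparmor-parser
 , criu
 , bash
 , installShellFiles
-, nftablesSupport ? false
 , nixosTests
 }:
 
-let
-networkPkgs = if nftablesSupport then
-[ iptables-nftables-compat ]
-else
-[ iptables ebtables ];
-
-in
 buildGoPackage rec {
 pname = "lxd";
 version = "4.19";
@@ -45,7 +37,7 @@
 rm $out/bin/{deps,macaroon-identity,generate}
 
 wrapProgram $out/bin/lxd --prefix PATH : ${lib.makeBinPath (
-networkPkgs
+[ iptables ]
 ++ [ acl rsync gnutar xz btrfs-progs gzip dnsmasq squashfsTools iproute2 bash criu attr ]
 ++ [ (writeShellScriptBin "apparmor_parser" ''
 exec '${apparmor-parser}/bin/apparmor_parser' -I '${apparmor-profiles}/etc/apparmor.d' "$@"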
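Review bot: Removing the `nftablesSupport` argument (old line 9) is an interface change: any configuration that overrode `lxd` with `nftablesSupport = true` now fails to evaluate with an unexpected-argument error, and the diff does not show whether the NixOS module or the `nixosTests` entry wired in on line 9 passed it. If that breakage is intended, the description and release note should say so; otherwise keeping `nftablesSupport ? true` as an accepted-but-ignored argument with a `lib.warn` would stay backward compatible. The `[ iptables ]` literal on new line 40 would also read better with a comment such as `# nf_tables backend; covers the iptables/ip6tables/ebtables names lxd invokes` so the next reader does not reintroduce `ebtables`.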
+2 -2
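--- a/pkgs/tools/networking/ferm/default.nix
+++ b/pkgs/tools/networking/ferm/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, makeWrapper, perl, ebtables, ipset, iptables, nixosTests }:
+{ lib, stdenv, fetchurl, makeWrapper, perl, iptables, nixosTests }:
 
 let
 inherit (lib.versions) majorMinor;
@@ -23,7 +23,7 @@
 postInstall = ''
 rm -r $out/lib/systemd
 for i in "$out/sbin/"*; do
-wrapProgram "$i" --prefix PATH : "${lib.makeBinPath [ iptables ipset ebtables ]}"
+wrapProgram "$i" --prefix PATH : "${lib.makeBinPath [ iptables ]}"
 done
 '';
 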
-6
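--- a/pkgs/tools/networking/shorewall/default.nix
+++ b/pkgs/tools/networking/shorewall/default.nix
@@ -1,10 +1,8 @@
 { coreutils
-, ebtables
 , fetchurl
 , gnugrep
 , gnused
 , iproute2
-, ipset
 , iptables
 , perl
 , perlPackages
@@ -17,8 +15,6 @@
 [ "${coreutils}/bin"
 "${iproute2}/bin"
 "${iptables}/bin"
-"${ipset}/bin"
-"${ebtables}/bin"
 "${util-linux}/bin"
 "${gnugrep}/bin"
 "${gnused}/bin"
@@ -47,9 +43,7 @@
 buildInputs = [
 coreutils
 iproute2
-ipset
 iptables
-ebtables
 util-linux
 gnugrep
 gnused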
+3 -3
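--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -21653,9 +21653,9 @@
 iputils = hiPrio (callPackage ../os-specific/linux/iputils { });
 # hiPrio for collisions with inetutils (ping and tftpd.8.gz)
 
-iptables = iptables-legacy;
-iptables-legacy = callPackage ../os-specific/linux/iptables { };
-iptables-nftables-compat = callPackage ../os-specific/linux/iptables { nftablesCompat = true; };
+iptables = callPackage ../os-specific/linux/iptables { };
+iptables-legacy = callPackage ../os-specific/linux/iptables { nftablesCompat = false; };
+iptables-nftables-compat = iptables;
 
 iptstate = callPackage ../os-specific/linux/iptstate { } ;
 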
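Review bot: `iptables-nftables-compat = iptables;` on line 21658 keeps the old attribute name working but nothing marks it as a compatibility alias, so it will linger indefinitely; either a comment or a move to aliases.nix makes the deprecation path explicit: `iptables-nftables-compat = iptables; # compat alias: iptables is the nf_tables build now`. A one-line comment above the three attributes stating which backend each one builds (`iptables` nf_tables, `iptables-legacy` xtables) would also help readers who arrive here from the release note.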