From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Ryan Roberts <ryan.roberts@arm.com>
Cc: netfilter-devel@vger.kernel.org, davem@davemloft.net,
netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com,
edumazet@google.com, fw@strlen.de, horms@kernel.org,
Aishwarya Rambhadran <Aishwarya.Rambhadran@arm.com>
Subject: Re: [PATCH net-next 06/19] netfilter: Exclude LEGACY TABLES on PREEMPT_RT.
Date: Thu, 7 Aug 2025 13:46:05 +0200 [thread overview]
Message-ID: <aJSR_cFHvqtmGb-B@calendula> (raw)
In-Reply-To: <81bdc56d-a3da-4fc4-b2d0-2561b4d96723@arm.com>
Hi Ryan,
On Tue, Aug 05, 2025 at 04:43:06PM +0100, Ryan Roberts wrote:
[...]
> > +config NETFILTER_XTABLES_LEGACY
> > + bool "Netfilter legacy tables support"
> > + depends on !PREEMPT_RT
> > + help
> > + Say Y here if you still require support for legacy tables. This is
> > + required by the legacy tools (iptables-legacy) and is not needed if
> > + you use iptables over nftables (iptables-nft).
> > + Legacy support is not limited to IP, it also includes EBTABLES and
> > + ARPTABLES.
> > +
>
> This has caused some minor pain for me using Docker on Ubuntu 22.04, which I
> guess is still using iptables-legacy. I've had to debug why Docker has stopped
> working and eventually ended here. Explcitly enabling NETFILTER_XTABLES_LEGACY
> solved the problem.
I apologize for the inconvenience. Using iptables-nft should fix it,
if you encounter any issue with iptables-nft in Ubuntu 22.04, it
should be straight forward to compile lastest iptables version, given
you compile your own kernels for such distro version.
> I thought I'd try my luck at convincing you to default this to enabled for
> !PREEMPT_RT to save others from such issues?
Not so easy as removing PREEMPT_RT dependency, x_tables need to be
fixed in order to support it, last time we discussed this there was a
way to address it by making the counters more unreliable in turn.
No objections if anyone wants to fix x_tables to make it work with
PREEMPT_RT from my side.
next prev parent reply other threads:[~2025-08-07 11:46 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-25 17:03 [PATCH net-next 00/19] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 01/19] netfilter: conntrack: table full detailed log Pablo Neira Ayuso
2025-07-25 23:50 ` patchwork-bot+netdevbpf
2025-07-25 17:03 ` [PATCH net-next 02/19] netfilter: load nf_log_syslog on enabling nf_conntrack_log_invalid Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 03/19] netfilter: x_tables: Remove unused functions xt_{in|out}name() Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 04/19] netfilter: nf_tables: Remove unused nft_reduce_is_readonly() Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 05/19] netfilter: conntrack: Remove unused net in nf_conntrack_double_lock() Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 06/19] netfilter: Exclude LEGACY TABLES on PREEMPT_RT Pablo Neira Ayuso
2025-08-05 15:43 ` Ryan Roberts
2025-08-07 11:46 ` Pablo Neira Ayuso [this message]
2025-07-25 17:03 ` [PATCH net-next 07/19] selftests: net: Enable legacy netfilter legacy options Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 08/19] selftests: netfilter: Enable CONFIG_INET_SCTP_DIAG Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 09/19] ipvs: Rename del_timer in comment in ip_vs_conn_expire_now() Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 10/19] netfilter: nfnetlink: New NFNLA_HOOK_INFO_DESC helper Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 11/19] netfilter: nfnetlink_hook: Dump flowtable info Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 12/19] netfilter: nft_set_pipapo: remove unused arguments Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 13/19] netfilter: nft_set: remove one argument from lookup and update functions Pablo Neira Ayuso
2025-07-25 23:37 ` Jakub Kicinski
2025-07-25 23:45 ` Jakub Kicinski
2025-07-25 17:03 ` [PATCH net-next 14/19] netfilter: nft_set: remove indirection from update API call Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 15/19] netfilter: nft_set_pipapo: merge pipapo_get/lookup Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 16/19] netfilter: nft_set_pipapo: prefer kvmalloc for scratch maps Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 17/19] netfilter: xt_nfacct: don't assume acct name is null-terminated Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 18/19] selftests: netfilter: Ignore tainted kernels in interface stress test Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 19/19] selftests: netfilter: ipvs.sh: Explicity disable rp_filter on interface tunl0 Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aJSR_cFHvqtmGb-B@calendula \
--to=pablo@netfilter.org \
--cc=Aishwarya.Rambhadran@arm.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=ryan.roberts@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.