From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Ryan Roberts <ryan.roberts@arm.com>
Cc: netfilter-devel@vger.kernel.org, davem@davemloft.net,
netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com,
edumazet@google.com, fw@strlen.de, horms@kernel.org,
Aishwarya Rambhadran <Aishwarya.Rambhadran@arm.com>
Subject: Re: [PATCH net-next 06/19] netfilter: Exclude LEGACY TABLES on PREEMPT_RT.
Date: Thu, 7 Aug 2025 13:46:05 +0200
Message-ID: <aJSR_cFHvqtmGb-B@calendula>
In-Reply-To: <81bdc56d-a3da-4fc4-b2d0-2561b4d96723@arm.com>

Hi Ryan,

On Tue, Aug 05, 2025 at 04:43:06PM +0100, Ryan Roberts wrote:
[...]
> > +config NETFILTER_XTABLES_LEGACY
> > + bool "Netfilter legacy tables support"
> > + depends on !PREEMPT_RT
> > + help
> > + Say Y here if you still require support for legacy tables. This is
> > + required by the legacy tools (iptables-legacy) and is not needed if
> > + you use iptables over nftables (iptables-nft).
> > + Legacy support is not limited to IP, it also includes EBTABLES and
> > + ARPTABLES.
> > +
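Review bot: the NETFILTER_XTABLES_LEGACY entry has no default line, so as a bool it comes up as n on every configuration that did not carry the symbol before, including non-PREEMPT_RT builds whose userspace still runs the legacy tools named in the help text. Because the entry already has "depends on !PREEMPT_RT", adding "default y" below that line would keep those setups working without touching the RT exclusion; if off-by-default is intended, the help text should say so and state that iptables-legacy, ebtables and arptables stop working without it.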
>
> This has caused some minor pain for me using Docker on Ubuntu 22.04, which I
> guess is still using iptables-legacy. I've had to debug why Docker has stopped
> working and eventually ended here. Explicitly enabling NETFILTER_XTABLES_LEGACY
> solved the problem.

I apologize for the inconvenience. Using iptables-nft should fix it.
If you encounter any issue with iptables-nft in Ubuntu 22.04, it
should be straightforward to compile the latest iptables version, given
you compile your own kernels for such distro version.

> I thought I'd try my luck at convincing you to default this to enabled for
> !PREEMPT_RT to save others from such issues?

Not so easy as removing the PREEMPT_RT dependency: x_tables needs to be
fixed in order to support it. Last time we discussed this, there was a
way to address it by making the counters more unreliable in turn.

No objections if anyone wants to fix x_tables to make it work with
PREEMPT_RT from my side.
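
The mismatch discussed in this message (a legacy iptables front end on a kernel built without NETFILTER_XTABLES_LEGACY) can be checked as below. This is an added example, not part of the mail or of the patch; the function names and sample inputs are made up for illustration, and it assumes a kernel that already carries this patch.

```shell
#!/bin/sh
# Added example (not from the thread). Inputs are passed as text so the check
# runs offline; on a live host pass the kernel config and "$(iptables --version)".

# Constructed sample inputs.
SAMPLE_CFG='CONFIG_NETFILTER=y
# CONFIG_PREEMPT_RT is not set
# CONFIG_NETFILTER_XTABLES_LEGACY is not set'
SAMPLE_VER='iptables v1.8.7 (legacy)'

# Print y, m or n for one symbol ($2, without CONFIG_) in config text ($1).
kconfig_value() {
    val=$(printf '%s\n' "$1" | sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# Print legacy, nft or unknown from `iptables --version` output (1.8 or later
# prints the backend in parentheses).
iptables_backend() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nft ;;
        *)               echo unknown ;;
    esac
}

# Assumption: the kernel carries this patch, so legacy tables exist only when
# NETFILTER_XTABLES_LEGACY=y.
xt_legacy_check() {
    backend=$(iptables_backend "$2")
    legacy=$(kconfig_value "$1" NETFILTER_XTABLES_LEGACY)
    rt=$(kconfig_value "$1" PREEMPT_RT)
    if [ "$backend" = nft ]; then
        echo "ok: iptables-nft does not need legacy tables"
    elif [ "$backend" = unknown ]; then
        echo "unknown: cannot tell the iptables backend"
    elif [ "$legacy" = y ]; then
        echo "ok: legacy tables enabled"
    elif [ "$rt" = y ]; then
        echo "fail: PREEMPT_RT excludes legacy tables, use iptables-nft"
    else
        echo "fail: enable NETFILTER_XTABLES_LEGACY or use iptables-nft"
    fi
}

xt_legacy_check "$SAMPLE_CFG" "$SAMPLE_VER"
```
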

Thread overview: 25+ messages
2025-07-25 17:03 [PATCH net-next 00/19] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 01/19] netfilter: conntrack: table full detailed log Pablo Neira Ayuso
2025-07-25 23:50 ` patchwork-bot+netdevbpf
2025-07-25 17:03 ` [PATCH net-next 02/19] netfilter: load nf_log_syslog on enabling nf_conntrack_log_invalid Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 03/19] netfilter: x_tables: Remove unused functions xt_{in|out}name() Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 04/19] netfilter: nf_tables: Remove unused nft_reduce_is_readonly() Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 05/19] netfilter: conntrack: Remove unused net in nf_conntrack_double_lock() Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 06/19] netfilter: Exclude LEGACY TABLES on PREEMPT_RT Pablo Neira Ayuso
2025-08-05 15:43 ` Ryan Roberts
2025-08-07 11:46 ` Pablo Neira Ayuso [this message]
2025-07-25 17:03 ` [PATCH net-next 07/19] selftests: net: Enable legacy netfilter legacy options Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 08/19] selftests: netfilter: Enable CONFIG_INET_SCTP_DIAG Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 09/19] ipvs: Rename del_timer in comment in ip_vs_conn_expire_now() Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 10/19] netfilter: nfnetlink: New NFNLA_HOOK_INFO_DESC helper Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 11/19] netfilter: nfnetlink_hook: Dump flowtable info Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 12/19] netfilter: nft_set_pipapo: remove unused arguments Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 13/19] netfilter: nft_set: remove one argument from lookup and update functions Pablo Neira Ayuso
2025-07-25 23:37 ` Jakub Kicinski
2025-07-25 23:45 ` Jakub Kicinski
2025-07-25 17:03 ` [PATCH net-next 14/19] netfilter: nft_set: remove indirection from update API call Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 15/19] netfilter: nft_set_pipapo: merge pipapo_get/lookup Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 16/19] netfilter: nft_set_pipapo: prefer kvmalloc for scratch maps Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 17/19] netfilter: xt_nfacct: don't assume acct name is null-terminated Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 18/19] selftests: netfilter: Ignore tainted kernels in interface stress test Pablo Neira Ayuso
2025-07-25 17:03 ` [PATCH net-next 19/19] selftests: netfilter: ipvs.sh: Explicity disable rp_filter on interface tunl0 Pablo Neira Ayuso