From: Dan Winship <danwinship@redhat.com>
To: Phil Sutter <phil@nwl.cc>, Eric Garver <eric@garver.life>,
Jan Engelhardt <jengelh@inai.de>,
netfilter-devel@vger.kernel.org, fw@strlen.de,
pablo@netfilter.org, Kevin Fenzi <kevin@scrye.com>,
Matthias Gerstner <matthias.gerstner@suse.com>,
arturo@debian.org
Subject: Re: [PATCH] tools: add a systemd unit for static rulesets
Date: Thu, 27 Mar 2025 07:12:29 -0400 [thread overview]
Message-ID: <4cf4948f-e330-45e9-98b9-bbef7e2007be@redhat.com> (raw)
In-Reply-To: <Z-QjsRMmEq90F6Qg@orbyte.nwl.cc>
On 3/26/25 11:56, Phil Sutter wrote:
> The suggested 'flush ruleset' stems from Fedora's nftables.service and
> is also present in CentOS Stream and RHEL. So anyone running k8s there
> either doesn't use nftables.service (likely, firewalld is default) or
> doesn't restart the service. Maybe k8s should "officially" conflict with
> nftables and iptables services?
(It's weird that nftables.service is part of the nftables package, when
with iptables it was in a separate package, iptables-services? But
that's not a discussion for this mailing list...)
>> (If the nftables "owner" flag thwarts "flush ruleset", then that's
>> definitely *better*, though that flag is still too new to help very much.)
>
> Yes, "owned" tables may only be manipulated by their owner. Firewalld
> will use it as well, for the same reason as k8s.
So in the long run, this solves my problem, even if static firewalls are
using "flush ruleset".
>> Once upon a time, it was reasonable for the system firewall scripts to
>> assume that they were the only users of netfilter on the system, but
>> that is not the world we live in any more. Sure, *most* Linux users
>> aren't running Kubernetes, but many people run hypervisors, or
>> docker/podman, or other things that create a handful of dynamic
>> iptables/nftables rules, and then expect those rules to not suddenly
>> disappear for no apparent reason later.
>
> The question is whether the nftables and iptables services are meant for
> the world we live in now.
If they're not, then distros shouldn't install them by default. Having
them installed on the system (or provided as an example in the nftables
sources) suggests to admins that it's reasonable to use them. (And
having nftables.service use "flush ruleset" suggests to admins that
that's a reasonable command for them to run when they are building their
own things based on our examples.)
> At least with iptables, it is very hard not to
> stomp on others' feet when restarting.
Sure, there's nothing that can be done to improve the situation with
iptables. It just doesn't have the features needed to support multiple
users well. But nftables does. That's the whole point of multiple tables
isn't it?
> With nftables, we could cache the
> 'add table' commands for use later when stopping the service. There is
> margin for error though since the added table may well exist already.
I was thinking more like, the service documents that all of your rules
have to be in the table 'firewall', and while it may not actually
*prevent* you from setting up rules in other tables, it doesn't make any
effort to make that work either:
ExecStart=/sbin/nft 'destroy table firewall; add table firewall; include
"/etc/sysconfig/nftables.conf";'
ExecReload=/sbin/nft 'destroy table firewall; add table firewall;
include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft destroy table firewall
-- Dan
next prev parent reply other threads:[~2025-03-27 11:12 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-28 20:59 [PATCH] tools: add a systemd unit for static rulesets Jan Engelhardt
2025-03-05 21:35 ` Pablo Neira Ayuso
2025-03-21 13:29 ` Arturo Borrero Gonzalez
2025-03-22 1:49 ` Duncan Roe
2025-03-22 9:24 ` Jan Engelhardt
2025-03-23 10:00 ` Arturo Borrero Gonzalez
2025-03-23 13:34 ` Jan Engelhardt
2025-03-23 21:04 ` Phil Sutter
2025-03-23 10:24 ` Pablo Neira Ayuso
2025-03-06 14:16 ` Eric Garver
2025-03-20 14:05 ` Phil Sutter
2025-03-22 9:46 ` Jan Engelhardt
2025-03-25 1:34 ` Dan Winship
2025-03-26 15:56 ` Phil Sutter
2025-03-26 22:21 ` Jan Engelhardt
2025-04-17 12:39 ` Pablo Neira Ayuso
2025-03-27 11:12 ` Dan Winship [this message]
2025-03-27 13:29 ` Phil Sutter
2025-03-22 9:41 ` Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4cf4948f-e330-45e9-98b9-bbef7e2007be@redhat.com \
--to=danwinship@redhat.com \
--cc=arturo@debian.org \
--cc=eric@garver.life \
--cc=fw@strlen.de \
--cc=jengelh@inai.de \
--cc=kevin@scrye.com \
--cc=matthias.gerstner@suse.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).