* Systemd, nftables, and iptables
@ 2020-05-18 14:13 Stephen Satchell
From: Stephen Satchell @ 2020-05-18 14:13 UTC (permalink / raw)
To: netfilter
I'm building a CentOS 8.1 system on a Protectly four-port appliance, to
be my new firewall. To avoid problems, I'm trying to remove IPTABLES
completely from the system so there is no chance of interference between
the two firewalls.
Problem: systemd requires iptables-lib.
1. Why?
2. How to keep systemd from requiring iptables-lib?
* Re: Systemd, nftables, and iptables
From: kfm @ 2020-05-18 14:24 UTC (permalink / raw)
To: list, netfilter
On 18/05/2020 15:13, Stephen Satchell wrote:
> I'm building a CentOS 8.1 system on a Protectly four-port appliance, to
> be my new firewall. To avoid problems, I'm trying to remove IPTABLES
> completely from the system so there is no chance of interference between
> the two firewalls.
>
> Problem: systemd requires iptables-lib.
>
> 1. Why?
systemd uses libiptc for some features. One example I'm aware of is the
--port option of systemd-nspawn.
> 2. How to keep systemd from requiring iptables-lib?
Build it with -Dlibiptc=false.
--
Kerin Millar
* Re: Systemd, nftables, and iptables
From: Reindl Harald @ 2020-05-18 14:28 UTC (permalink / raw)
To: list, netfilter
On 18.05.20 at 16:13, Stephen Satchell wrote:
> I'm building a CentOS 8.1 system on a Protectly four-port appliance, to
> be my new firewall. To avoid problems, I'm trying to remove IPTABLES
> completely from the system so there is no chance of interference between
> the two firewalls.
>
> Problem: systemd requires iptables-lib.
>
> 1. Why?
> 2. How to keep systemd from requiring iptables-lib?
you are trying to solve a non-existing problem
the linked userland libraries have nothing to do with active iptables /
nftables in the kernel and rebuilding systemd just to avoid loading a
userland library is pointless
* Re: Systemd, nftables, and iptables
From: Alexander Dahl @ 2020-05-20 12:01 UTC (permalink / raw)
To: netfilter, list
Hei hei,
On Monday, 18 May 2020, 16:13:21 CEST, Stephen Satchell wrote:
> I'm building a CentOS 8.1 system on a Protectly four-port appliance, to
> be my new firewall. To avoid problems, I'm trying to remove IPTABLES
> completely from the system so there is no chance of interference between
> the two firewalls.
>
> Problem: systemd requires iptables-lib.
>
> 1. Why?
Don't know.
> 2. How to keep systemd from requiring iptables-lib?
Maybe patch it? I stumbled over a ticket lately, and for me it reads like
systemd does not support nftables, yet?
https://github.com/systemd/systemd/issues/13307
Greets
Alex
* Re: Systemd, nftables, and iptables
From: Trent W. Buck @ 2020-05-21 2:23 UTC (permalink / raw)
To: netfilter
Stephen Satchell <list@satchell.net> writes:
> I'm building a CentOS 8.1 system on a Protectly four-port appliance,
> to be my new firewall. To avoid problems, I'm trying to remove
> IPTABLES completely from the system so there is no chance of
> interference between the two firewalls.
>
> Problem: systemd requires iptables-lib.
>
> 1. Why?
> 2. How to keep systemd from requiring iptables-lib?
I complained about this a while ago:
https://bugs.debian.org/934584
https://github.com/systemd/systemd/issues/13307
You CAN have both nftables and xtables rulesets active at the same time.
It works for me (for now), it's just EXTREMELY confusing because you
must know to check both "nft list ruleset" and "iptables-legacy-save".
systemd is built using meson, not autotools.
I don't speak meson, but meson_options.txt contains:
    option('libiptc',
           type : 'combo',
           choices : ['auto', 'true', 'false'],
           description : 'libiptc support')
So you can probably do something like "./configure --without-libiptc".
As at systemd v245-125-ga4f4a4e441,
the only thing using it seems to be systemd-nspawn --port.
So if you do not use systemd-based containers,
you will not miss this.
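The point made in the thread is that a host can carry rules in both the nftables and the legacy xtables backend at once, that "nft list ruleset" alone does not reveal the xtables side, and that a library being linked into systemd says nothing about which rules are active. The following audit script is an added example written for this page; it is not code from the thread or from the systemd or netfilter projects. It parses captured output of "nft list ruleset" and "iptables-legacy-save" (the sample outputs inside it are constructed, not taken from a real host), reports which backends hold rules, and with --live runs the real tools and additionally checks whether the systemd-nspawn binary links libip4tc/libip6tc (the libiptc shared objects). Function names (nft_rule_count, xtables_rule_count, ruleset_verdict, audit_live) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit whether the nftables ruleset and
# the legacy xtables ruleset BOTH carry rules, and separate "libiptc is linked"
# from "rules are active". Parsers work on captured text so they can be run
# offline; live commands run only with --live (needs root and the tools).

# Count rules in "nft list ruleset" output: skip table/chain declarations,
# chain type/policy lines, and lines that are only braces or blank.
nft_rule_count() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(table|chain|type|policy)[ \t]/ { next }
        /^[ \t]*[{}]?[ \t]*$/ { next }
        { n++ }
        END { print n + 0 }'
}

# Count rules in iptables-legacy-save output: every appended rule is "-A ...".
xtables_rule_count() {
    printf '%s\n' "$1" | awk '/^-A / { n++ } END { print n + 0 }'
}

# Summarise which backends hold rules: both | nftables | xtables | none.
ruleset_verdict() {
    nft_n=$1; xt_n=$2
    if [ "$nft_n" -gt 0 ] && [ "$xt_n" -gt 0 ]; then echo both
    elif [ "$nft_n" -gt 0 ]; then echo nftables
    elif [ "$xt_n" -gt 0 ]; then echo xtables
    else echo none
    fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_NFT='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }
}'
SAMPLE_XT='# Generated by iptables-save v1.8.4
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Live audit: query both backends and report, then check library linkage.
audit_live() {
    nft_out=$(nft list ruleset 2>/dev/null || true)
    xt_out=$(iptables-legacy-save 2>/dev/null || true)
    n=$(nft_rule_count "$nft_out"); x=$(xtables_rule_count "$xt_out")
    verdict=$(ruleset_verdict "$n" "$x")
    echo "nftables rules: $n, xtables (legacy) rules: $x -> $verdict"
    if [ "$verdict" = both ]; then
        echo "WARNING: both backends hold rules; check both listings when debugging"
    fi
    nspawn=$(command -v systemd-nspawn 2>/dev/null || true)
    if [ -n "$nspawn" ] && ldd "$nspawn" 2>/dev/null | grep -q 'libip[46]tc'; then
        echo "systemd-nspawn links libiptc (userland only; says nothing about active rules)"
    fi
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    n=$(nft_rule_count "$SAMPLE_NFT"); x=$(xtables_rule_count "$SAMPLE_XT")
    echo "sample: nftables=$n xtables=$x -> $(ruleset_verdict "$n" "$x")"
fi
```

Without arguments the script runs against the constructed samples (three nft rules, one xtables rule, verdict "both"); "sh audit.sh --live" as root runs the real tools. The nft parser is deliberately simple (it counts every non-structural line inside a table as a rule), which is enough to answer "is anything loaded there at all", the question the thread says is easy to forget.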