Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improvement: use "inet" family for NAT instead of "ip" and "ip6" #628

Closed
erig0 opened this issue May 13, 2020 · 0 comments
Closed

Improvement: use "inet" family for NAT instead of "ip" and "ip6" #628

erig0 opened this issue May 13, 2020 · 0 comments
Assignees
@erig0
Labels
feature New feature or enhancement.
Projects
firewalld

Comments

@erig0
Copy link
Collaborator

erig0 commented May 13, 2020

Problem

This applies only to the nftables backend.
Currently forward-ports (DNAT) are done in the "ip" and "ip6" family tables. Historically nftables did not support NAT in "inet". This has recently been fixed.

Improvement

The kernel recently gained support for allowing NAT inside "inet" family. We should replace using "ip" and "ip6". This will consolidate all of firewalld rules into the "inet" family.
Benefits

  • rule consolidation
  • eliminate use of "ip" and "ip6" families
  • no more set (ipset) duplication

Caveats

This means bumping the minimal required kernel version and the minimal required nftables version.
@erig0 erig0 added the feature New feature or enhancement. label May 13, 2020
@erig0 erig0 added this to To do in firewalld May 13, 2020
@erig0 erig0 moved this from Priority to backlog in firewalld Oct 12, 2020
@erig0 erig0 moved this from backlog to Priority in firewalld Nov 24, 2020
erig0 added a commit to erig0/firewalld that referenced this issue Nov 24, 2020
@erig0
improvement(nftables): use inet family for nat rules
40f9c7b 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Nov 24, 2020
@erig0
improvement(nftables): use inet family for nat rules
146d68c 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Nov 24, 2020
@erig0
improvement(nftables): use inet family for nat rules
c917967 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
@erig0 erig0 moved this from Priority to In progress in firewalld Nov 25, 2020
@erig0 erig0 self-assigned this Nov 25, 2020
erig0 added a commit to erig0/firewalld that referenced this issue Nov 30, 2020
@erig0
improvement(nftables): use inet family for nat rules
cfdd602 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Nov 30, 2020
@erig0
improvement(nftables): use inet family for nat rules
fcf42ca 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Nov 30, 2020
@erig0
improvement(nftables): use inet family for nat rules
64957e2 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Nov 30, 2020
@erig0
improvement(nftables): use inet family for nat rules
4c585e6 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Nov 30, 2020
@erig0
improvement(nftables): use inet family for nat rules
da850f2 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Nov 30, 2020
@erig0
improvement(nftables): use inet family for nat rules
8077ffa 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Nov 30, 2020
@erig0
improvement(nftables): use inet family for nat rules
bf01261 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Nov 30, 2020
@erig0
improvement(nftables): use inet family for nat rules
638af62 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Nov 30, 2020
@erig0
improvement(nftables): use inet family for nat rules
c070827 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Nov 30, 2020
@erig0
improvement(nftables): use inet family for nat rules
9e05517 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Nov 30, 2020
@erig0
improvement(nftables): use inet family for nat rules
2ad57cc 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Nov 30, 2020
@erig0
improvement(nftables): use inet family for nat rules
3828759 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Dec 1, 2020
@erig0
improvement(nftables): use inet family for nat rules
16bb74e 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Dec 1, 2020
@erig0
improvement(nftables): use inet family for nat rules
8f74137 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Dec 1, 2020
@erig0
improvement(nftables): use inet family for nat rules
03c0fa4 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
erig0 added a commit to erig0/firewalld that referenced this issue Dec 1, 2020
@erig0
improvement(nftables): use inet family for nat rules
57d9987 
BREAKING CHANGE: This changes the rule layout and imposes a new linux
kernel >= 5.3 dependency.

This means we now require linux kernel >= 5.3. nftables nat inet family
support was added in d164385ec572 ("netfilter: nat: add inet family nat
support"), but we require linux >= 5.3 due to fix b4f1483cbfa5
("netfilter: nf_tables: Support auto-loading for inet nat").

The main advantage of this change is we now consolidate all rules into
the "inet" family. Previously we had to duplicate nat rules into the
"ip" and "ip6" families. It also meant duplicating sets. Thus we go from
three copies of "ipsets" to just one.

Fixes: firewalld#628
@erig0 erig0 closed this as completed in 9d9a1a8 Dec 2, 2020
firewalld automation moved this from In progress to Done Dec 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@erig0 erig0

Labels
feature New feature or enhancement.
Projects
firewalld
  
Done
Milestone
No milestone
Development

No branches or pull requests
1 participant
@erig0