This repository was archived by the owner on Aug 5, 2022. It is now read-only.
Add nftables support. #113
Merged
c843574 to bee4a1e
f7843a3 to aed2bdc
a0ddfb5 to eb1112c

Contributor, Author
Systemd changes are tracked here: systemd/systemd#5839

8744b63 to 17896c7

Can one of the admins verify this patch?

Contributor
test this please

Contributor
@ipuustin looks like this is now failing in networking tests

Contributor, Author
@mythi Yes. Perhaps the rebase went somehow wrong. I'll investigate now.

Contributor, Author
Might have caught it. Related to iotivity test refactoring. Retest this please.

* meta-intel 7e8f98a...86c55b1 (6):
  > iucode-tool: upgrade to 2.1.2
  > rmc: add support for Broxton-M based Joule board (rev. 1F1)
  > rmc: add fingerprint for generic Broxton-M (rev. 1F1)
  > rmc-db: allow multiple fingerprint per board directory
  > layer.conf: Add LAYERSERIES_COMPAT markup to layer.conf
  > linux-intel/4.9: Update yocto-kernel-cache SRCREV
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>

Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>

Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>

Compile nftables without readline support -- it's GPLv3 and not needed for non-interactive use. Depend on a virtual settings package.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>

Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>

Test dropping, rejecting and prerouting SSH with nftables.
Signed-off-by: Simo Kuusela <simo.kuusela@intel.com>

Signed-off-by: Simo Kuusela <simo.kuusela@intel.com>

It doesn't work with the way QEMU is tested so disable it.
Signed-off-by: Simo Kuusela <simo.kuusela@intel.com>

A race condition in systemd .path handling prevented safe reloading of firewall rules.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>

Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>

Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>

Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>

Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>

Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>

Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>

Contributor, Author
test this please

Contributor, Author
retest this please

Move Refkit firewall support from iptables to nftables. The benefit of the new framework would be file-based configuration of firewall rules and the ability to assign interfaces to zones. Also, in the framework the firewall rules are executed as a single ruleset, meaning ports might be opened already before the port user is started up. The firewall transactions are now completely atomic.
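
The file-based, single-transaction ruleset described above, as an added example that is not part of this pull request or Refkit's own configuration. The table, chain and set names, the interface names and the choice to model zones as named interface sets are all assumptions made for illustration.

```nftables
#!/usr/sbin/nft -f
# Constructed example. All names below (filter, zone_lan, zone_wan,
# eth0, wlan0) are assumptions, not taken from the Refkit sources.

# `nft -f` applies the whole file as one transaction: the old ruleset
# is flushed and the new one installed together, or nothing changes.
# There is no window in which the host runs with a half-loaded policy.
flush ruleset

table inet filter {
    # Zones modelled as named sets of interface names (assumed layout).
    set zone_lan {
        type ifname
        elements = { "eth0" }
    }

    set zone_wan {
        type ifname
        elements = { "wlan0" }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already-tracked connections.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP and ICMPv6 (needed for IPv6 neighbour discovery).
        meta l4proto { icmp, ipv6-icmp } accept

        # SSH: reachable from the LAN zone, actively refused from the
        # WAN zone. The port can be open before sshd itself is running,
        # because the rule does not depend on the service's state.
        iifname @zone_lan tcp dport 22 accept
        iifname @zone_wan tcp dport 22 reject with tcp reset

        # Everything else falls through to the chain's drop policy.
    }
}
```

Running `nft -c -f` on the file parses and validates it without changing the live ruleset, which is a useful check before the real `nft -f` load.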