New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feature request] nftables support #26824
Comments
I'm not aware of plans in this direction ping @aboch is this planned? Worth doing? |
I remember @mrjana had thought of using nftables last year. He knows more about the plan. |
Yeah nftables are not in the kernel until 3.14 and we can't use it to generally replace iptables yet. |
Maybe add it as an option? That way, those who have the latest kernel can use it. Currently I have to disable my nftables firewall to get the network working, it's fine on my machine but it's not an option on a server. |
Any new ideas or progress. We are in transition to nftables and really would appreciate |
+1 for optional nftables support |
I wanted that RHEL 7 does have nfttables as a tech preview, and it would greatly simplify ipv6 as well as allowing for a simpler implementations of throttling and very useful tools like connection tracking or load-balancing. |
I want to add that i've been using nftables on Centos 7 for over a year now i believe, on dozens of different servers both with and without nat, using ipv6 and more, and have had no issues other than understanding the parse errors when i mess up. And i'm using Ansible to manage and generate the nftables rules file and atomically reload the service to apply new rules, or do nothing if it fails to parse. And since nftables applies the entire ruleset in one atomic operation, there is no moment when the system is in a partially configured state. In my opinion i would NOT use nftables integration with docker unless i could control which file docker puts rules into and control the imports into my current ruleset myself and that docker would only issue reload commands to nftables (reload meaning nft -f , or systemctl which does it correctly). I currently manage docker nat rules using ansible/manually. |
Meanwhile iptables is officially deprecated. |
I don't see the reason to bother with nftables when the whole community seems to be (rightly) pushing for bpf. |
nftables uses bpf internally. If you've implied bpfilter — it's not there yet. |
Sure it uses bpf internally, but it's not really any better than without bpf but rather about deduplication. For that matter isn't iptables using nftables in the backed? (Don't quote me on that, I think I read that somewhere at some point, haven't looked into it). |
According to https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables (which I'd imagine is pretty authoritative), using
I'd been playing with I've looked at doing eBPF, but it doesn't seem like there's nearly as many good examples (even Just to include what I've found for reference, here's a couple folks who've worked on getting what Docker needs implemented in
I think On implementation details, is the current (Not trying to be a bother, just trying to add some additional information about why folks might care about this and brainstorm ideas for how it could maybe move forward without being too invasive. ❤️) Edit (2018-08-13): #35777 is also relevant (even with |
It is horribly coupled right now. It's basically all the original iptables code from years ago moved out of docker/docker into docker/libnetwork and mostly not touched except to add more cruft to it to support custom chains (remember when docker didn't use it's own chain?) and firewalld, among other things. |
Hi all, any new progress on this? nftables are getting default with Debian 10 (Buster) due in couple of months and with it goes the wave of adoption in derivative distros such as Ubuntu I guess. Having upgrade season and iptables deprecation closing in quickly something will need to happen. |
No progress as far as I am aware.
Brian Goff
… On Jan 2, 2019, at 03:59, Goran ***@***.***> wrote:
Hi all, any new progress on this?
nftables are getting default with Debian 10 (Buster) due in couple of months and with it goes the wave of adoption in derivative distros such as Ubuntu I guess.
Having upgrade season and iptables deprecation closing in quickly something will need to happen.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
|
Redhat 8 (currently in Beta) - Notes: The nftables framework replaces iptables in the role of the default network packet filtering facility. |
Thanks @camAtGitHub for the pointer.
makes it the correct transition path. No change required for existing software making use of |
That's accurate except with the catch that some of the complex "iptables"
expressions Docker invokes make the nftables shims choke, so either those
tools need more attention specific to how Docker is trying to use them, or
Docker needs explicit "nftables" support.
|
I'd go for the latter, but I've also had PR's open for multiple years untouched on libnetwork. |
Debian user reported that indeed, he can't use docker on a machine where a nftables-based firewall is enabled: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921600 |
i can confirm it works creating an empty /etc/nftables.conf with this content:
} table ip filter { } |
Is there any progress on this issue? Can Docker check if |
I want to play with this package https://github.com/google/nftables |
Hello again, Redhat 9 (just released) - Notes: The ipset and iptables-nft (iptables shim) packages have been deprecated. When loading iptables modules you get a kernel message: IPTables days (read: years) are numbered! |
Is there any news? It's been a while since the issue was created. |
There is work towards this in the networking support, starting with an IPVS feature that if successful may establish the way forward for introducing nftables support later IIRC. |
I'd like to re-emphasize that it be done in a way that supports Atomic rule replacement. Being able to modify my nftables file and reload(1) my firewall without it ever going down is amazing, and I also don't want my docker rules to vanish if I reload the firewall either. (1) AFAIK on systemd systems reload is implemented with a service that has |
While I agree with your point, I do want to make a note that |
Is |
FYI, we had to remove almost every usage of Docker in our organisation because of this. |
You can use both nftables and iptables using different priority hooks, see this answer: This does actually work. The answer mentions adding marks to packets handled by iptables, but it's not actually necessary. The key thing is to use higher hook priority than 0, which is the default for iptables:
Which means packets are first filtered by iptables, and then by nftables, allowing you to use both. |
But this will not work if you want to use confiscators like firewalld, foomuuri, etc, running in nftables mode, as everything will probably be flushed by these tools? |
docker supports firewalld. Is there some specific case with firewalld that is broken? |
Yes, but I believe it does only if firewalld runs in iptables mode, not on nftables. |
FWIU podman 5.0 w/ containers/netavark has support for nftables and aardvark-dns:
netavark:
fwiw also |
Docker seems to be optimized for iptables at the moment. Are there any plans to support nftables in future versions of Docker?
My workaround at the moment is to deactivate the iptables integration via
--iptables=false
and then set the right rules for nftables by hand.The text was updated successfully, but these errors were encountered: