Revision as of 09:53, 10 July 2024

Netavark Nftables Default

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Netavark should use nftables by default to create/manage the firewall rules for the Podman containers.

Owner

Name: Paul Holzinger
Email: <pholzing@redhat.com>, <mheon@redhat.com>
Name: Matthew Heon
Email: <mheon@redhat.com>

Current status

Targeted release: Fedora Linux 41
Last updated: 2024-07-10
[Announced]
[<will be assigned by the Wrangler> Discussion thread]
FESCo issue: <will be assigned by the Wrangler>
Tracker bug: <will be assigned by the Wrangler>
Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Netavark is used by Podman to configure networking for the containers. It manages interfaces and firewall rules. Currently it uses iptables by default to create the firewall rules for the containers but it can also be configured to use nftables (nft). The goal is to switch the default over to nftables. We also expect a small speed up for the container start-up times as nftables allows us to batch insert rules at once which makes it more performant and robust compared to iptables.

Feedback

Benefit to Fedora

netavark no longer requires iptables
all rules are now part of the netavark table so there are less conflicts with other tools/users who manage firewall rules
slightly faster container start-up time

Scope

Proposal owners: Paul Holzinger, Matthew Heon
- Using nftables is already supported in netavark as of version v1.10 (already included in fedora). Set a build option in the specfile to change the default driver from iptables to nftables

Other developers:

Release engineering: #Releng issue number

Policies and guidelines: N/A (not needed for this Change)

Trademark approval: N/A (not needed for this Change)

Alignment with the Fedora Strategy:

Upgrade/compatibility impact

Early Testing (Optional)

Do you require 'QA Blueprint' support? Y/N

How To Test

The change can be tested by setting the firewall driver to nftables in containers.conf:

$ sudo mkdir -p /etc/containers/containers.conf.d
$ echo $'[network]\nfirewall_driver="nftables"' | sudo tee /etc/containers/containers.conf.d/50-netavark-nftables.conf

Changing the firewall driver while you have running containers will likely cause some conflicting rules so it is best to reboot when this option is changed.

Now start the containers and make sure the network works as usual. The rules can be checked with

$ sudo nft list table inet netavark

User Experience

There should no change in behavior for end users unless they manually messed with the netavark firewall rules.

Dependencies

N/A

Contingency Plan

Contingency mechanism: Keep using iptables as default.
Contingency deadline: beta freeze
Blocks release? N/A

Documentation

N/A (not a System Wide Change)

Release Notes

@@ Line 1: / Line 1: @@
-{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.<br/> '''Copy the source to a ''new page'' before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.'''}}
-{{admon/tip | Guidance | For details on how to fill out this form, see the [https://docs.fedoraproject.org/en-US/program_management/changes_guide/ documentation].}}
-{{admon/tip | Report issues | To report an issue with this template, file an issue in the [https://pagure.io/fedora-pgm/pgm_docs pgm_docs repo].}}
-<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
 = Netavark Nftables Default <!-- The name of your change proposal --> =

Search

Changes/NetavarkNftablesDefault: Difference between revisions