From Fedora Project Wiki
< Changes
(Created page with "<!-- Self Contained or System Wide Change Proposal? Use this guide to determine to which category your proposed change belongs to. Self Contained Changes are: * changes to is...") |
(→Summary: add link to nft change) |
||
| (20 intermediate revisions by 2 users not shown) | |||
| Line 25: | Line 25: | ||
Note that motivation for the change should be in the Motivation section below, and this part should answer the question "What?" rather than "Why?". --> | Note that motivation for the change should be in the Motivation section below, and this part should answer the question "What?" rather than "Why?". --> | ||
This change will toggle the default firewalld backend from iptables to nftables. All of firewalld's primitives will use nftables while direct rules continue to use iptables/ebtables. | This change will toggle the default firewalld backend from iptables to nftables. All of firewalld's primitives will use nftables while direct rules continue to use iptables/ebtables. | ||
Also see [[Changes/iptables-nft-default]]. | |||
== Owner == | == Owner == | ||
| Line 52: | Line 54: | ||
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | ||
--> | --> | ||
* Tracker bug: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1757513 #1757513] | ||
* Release notes tracker: | * Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/396 #396] | ||
== Detailed Description == | == Detailed Description == | ||
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | <!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | ||
Firewalld upstream has used nftables as the default backend for the past two minor releases. It is also the default in other distributions (e.g. RHEL-8). This change will bring Fedora in line with upstream. | |||
Using nftables bring many advantages. See firewalld's upstream [https://firewalld.org/2018/07/nftables-backend blog post]. It also highlights a few behavioral changes. | |||
== Benefit to Fedora == | == Benefit to Fedora == | ||
| Line 88: | Line 93: | ||
https://fedoraproject.org/wiki/Changes/perl5.26 (major upgrade to a popular software stack, visible to users of that stack) | https://fedoraproject.org/wiki/Changes/perl5.26 (major upgrade to a popular software stack, visible to users of that stack) | ||
--> | --> | ||
* Fewer firewall rules (rule consolidation) | |||
All of firewalld's primitives will use the same underlying firewall (nftables) instead of duplicating rules both in iptables and ip6tables. In nftables rules can match both IPv4 and IPv6 packets. This reduces the number of firewall rules by half. | |||
* firewalld's rules are namespaced | |||
With nftables firewalld's rules are isolated to a "firewalld" table. A separate firewall (or user) can create its own independent ruleset and firewalld will never touch it. | |||
* Netfilter upstream is focusing on nftables, not iptables | |||
== Scope == | == Scope == | ||
* Proposal owners: | * Proposal owners: firewalld (erig0, Eric Garver) | ||
<!-- What work do the feature owners have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | <!-- What work do the feature owners have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | ||
Currently the firewalld package has a Fedora downstream patch to hide the nftables backend. The only firewalld change required is to remove that patch from the package and rebuild. | |||
* Other developers: | * Other developers: libvirt, podman, docker <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- What work do other developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | <!-- What work do other developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | ||
** libvirt | |||
*** libvirt already cooperates with the firewalld nftables backend. The only thing needed is to test/verify. | |||
** podman | |||
*** libvirt already cooperates with the firewalld nftables backend. The only thing needed is to test/verify. | |||
** docker | |||
*** Docker currently does not cooperate with the nftables backend. It currently side-steps firewalld by injecting its own rules in iptables ahead of firewalld's rules. However, with the nftables backend firewalld's rule will still be evaluated. Netfilter in the kernel will call iptables, then nftables for the same packet. This means firewalld/nftables is likely to drop the packet even if docker has iptables rules to ACCEPT. | |||
*** Proposed fix 1: Docker package should provide a firewalld zone definition that includes the docker interfaces (e.g. docker0). The zone should use the "ACCEPT" policy (firewalld --set-target). This will allow docker's traffic to pass through firewalld/nftables. | |||
**** Issue 1: If a user has configured a different docker bridge name, then they'll have to manually add the bridge to the docker zone (or firewalld's trusted zone). | |||
*** Proposed fix 2: Just like "Proposed fix 1", but instead of adding the zone definition to docker we created a "docker-firewalld" (or firewalld-docker?) package that has the zone definition. This could be installed by default when docker is installed. | |||
* Release engineering: [https://pagure.io/ | * Release engineering: [https://pagure.io/fesco/issue/2231] <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)? Is a mass rebuild required? include a link to the releng issue. | <!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)? Is a mass rebuild required? include a link to the releng issue. | ||
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication --> | The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication --> | ||
* Policies and guidelines: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | * Policies and guidelines: No updated needed. <!--- N/A (not a System Wide Change) --> <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Do the packaging guidelines or other documents need to be updated for this feature? If so, does it need to happen before or after the implementation is done? If a FPC ticket exists, add a link here. --> | <!-- Do the packaging guidelines or other documents need to be updated for this feature? If so, does it need to happen before or after the implementation is done? If a FPC ticket exists, add a link here. --> | ||
| Line 108: | Line 129: | ||
== Upgrade/compatibility impact == | == Upgrade/compatibility impact == | ||
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? --> | <!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? --> | ||
When users are upgraded to firewalld with nftables enabled (f32) all their firewall rules will exist in nftables instead of iptables. All of firewalld's primitives (zones, services, ports, rich rules, etc.) are 100% compatible between backends. | |||
Users of direct rules may need to consider the [https://firewalld.org/2018/07/nftables-backend behavioral changes] that were announced upstream. Some are also highlighted here: | |||
* direct rules execute before _all_ firewalld rules | |||
** This has been requested by users | |||
* packets dropped in iptables (or direct rules) will never be seen by firewalld | |||
* packets accepted in iptables (or direct rules) are still subject to firewalld's rules | |||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
== How To Test == | == How To Test == | ||
| Line 126: | Line 154: | ||
3. What are the expected results of those actions? | 3. What are the expected results of those actions? | ||
--> | --> | ||
Testing should mostly be integration based. Firewalld upstream has a fairly comprehensive testsuite that covers functional testing. | |||
The following are packages known to integrate with firewalld. They should be tested with the nftables backend. | |||
* libvirt | |||
** verify VMs with different network types (bridged, routed) have working network access | |||
** newer version of libvirt should create and use a "libvirt" firewalld zone. Interfaces should be dynamically added to the zone. | |||
* podman | |||
** verify podman adds container bridge interface to the "trusted" zone | |||
** verify container still has network access | |||
* docker | |||
** known to not work with the firewalld nftables backend out of the box | |||
** verify new package docker-firewalld installs firewalld docker zone and has "docker0" interface added | |||
** verify container still has network access | |||
* fail2ban-firewalld | |||
** verify the direct rules added to firewalld by fail2ban still block traffic | |||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
N/A (not a System Wide Change) | <!-- N/A (not a System Wide Change) --> | ||
== User Experience == | == User Experience == | ||
| Line 141: | Line 185: | ||
- Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system. | - Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system. | ||
--> | --> | ||
In general users shouldn't notice the change. Occasional a user will look at the iptables rule that firewalld generates. They'll now have to look at nftables instead. | |||
== Dependencies == | == Dependencies == | ||
<!-- What other packages (RPMs) depend on this package? Are there changes outside the developers' control on which completion of this change depends? In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate? Other upstream projects like the kernel (if this is not a kernel change)? --> | <!-- What other packages (RPMs) depend on this package? Are there changes outside the developers' control on which completion of this change depends? In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate? Other upstream projects like the kernel (if this is not a kernel change)? --> | ||
* libvirt >= 5.1.0 | |||
* CNI >= 0.8.0 (used by podman) | |||
* docker-firewalld (new package) | |||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
N/A (not a System Wide Change) | <!-- N/A (not a System Wide Change) --> | ||
== Contingency Plan == | == Contingency Plan == | ||
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "Revert the shipped configuration". Or it might not (e.g. rebuilding a number of dependent packages). If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. --> | <!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "Revert the shipped configuration". Or it might not (e.g. rebuilding a number of dependent packages). If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. --> | ||
* Contingency mechanism: ( | * Contingency mechanism: firewalld maintainer (erig0) will reinstate the current patch to default to the iptables backend. <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- When is the last time the contingency mechanism can be put in place? This will typically be the beta freeze. --> | <!-- When is the last time the contingency mechanism can be put in place? This will typically be the beta freeze. --> | ||
* Contingency deadline: | * Contingency deadline: beta freeze <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? --> | <!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? --> | ||
* Blocks release? | * Blocks release? No <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
* Blocks product? | * Blocks product? No <!-- Applicable for Changes that blocks specific product release/Fedora.next --> | ||
== Documentation == | == Documentation == | ||
<!-- Is there upstream documentation on this change, or notes you have written yourself? Link to that material here so other interested developers can get involved. --> | <!-- Is there upstream documentation on this change, or notes you have written yourself? Link to that material here so other interested developers can get involved. --> | ||
* [https://firewalld.org/2018/07/nftables-backend Firewalld blog post] | |||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
N/A (not a System Wide Change) | <!-- N/A (not a System Wide Change) --> | ||
== Release Notes == | == Release Notes == | ||
| Line 171: | Line 221: | ||
--> | --> | ||
[[Category:ChangePageIncomplete]] | <!-- [[Category:ChangePageIncomplete]] --> | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | ||
| Line 180: | Line 230: | ||
<!-- [[Category:SelfContainedChange]] --> | <!-- [[Category:SelfContainedChange]] --> | ||
[[Category:SystemWideChange]] | [[Category:SystemWideChange]] | ||
[[Category:ChangeAcceptedF32]] | |||
Latest revision as of 13:19, 13 November 2019
Firewalld Default to nftables
Summary
This change will toggle the default firewalld backend from iptables to nftables. All of firewalld's primitives will use nftables while direct rules continue to use iptables/ebtables.
Also see Changes/iptables-nft-default.
Owner
- Name: Eric Garver
- Email: egarver@redhat.com
Current status
- Targeted release: Fedora 32
- Last updated: 2019-11-13
- Tracker bug: #1757513
- Release notes tracker: #396
Detailed Description
Firewalld upstream has used nftables as the default backend for the past two minor releases. It is also the default in other distributions (e.g. RHEL-8). This change will bring Fedora in line with upstream.
Using nftables bring many advantages. See firewalld's upstream blog post. It also highlights a few behavioral changes.
Benefit to Fedora
- Fewer firewall rules (rule consolidation)
All of firewalld's primitives will use the same underlying firewall (nftables) instead of duplicating rules both in iptables and ip6tables. In nftables rules can match both IPv4 and IPv6 packets. This reduces the number of firewall rules by half.
- firewalld's rules are namespaced
With nftables firewalld's rules are isolated to a "firewalld" table. A separate firewall (or user) can create its own independent ruleset and firewalld will never touch it.
- Netfilter upstream is focusing on nftables, not iptables
Scope
- Proposal owners: firewalld (erig0, Eric Garver)
Currently the firewalld package has a Fedora downstream patch to hide the nftables backend. The only firewalld change required is to remove that patch from the package and rebuild.
- Other developers: libvirt, podman, docker
- libvirt
- libvirt already cooperates with the firewalld nftables backend. The only thing needed is to test/verify.
- podman
- libvirt already cooperates with the firewalld nftables backend. The only thing needed is to test/verify.
- docker
- Docker currently does not cooperate with the nftables backend. It currently side-steps firewalld by injecting its own rules in iptables ahead of firewalld's rules. However, with the nftables backend firewalld's rule will still be evaluated. Netfilter in the kernel will call iptables, then nftables for the same packet. This means firewalld/nftables is likely to drop the packet even if docker has iptables rules to ACCEPT.
- Proposed fix 1: Docker package should provide a firewalld zone definition that includes the docker interfaces (e.g. docker0). The zone should use the "ACCEPT" policy (firewalld --set-target). This will allow docker's traffic to pass through firewalld/nftables.
- Issue 1: If a user has configured a different docker bridge name, then they'll have to manually add the bridge to the docker zone (or firewalld's trusted zone).
- Proposed fix 2: Just like "Proposed fix 1", but instead of adding the zone definition to docker we created a "docker-firewalld" (or firewalld-docker?) package that has the zone definition. This could be installed by default when docker is installed.
- libvirt
- Release engineering: [1]
- Policies and guidelines: No updated needed.
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
When users are upgraded to firewalld with nftables enabled (f32) all their firewall rules will exist in nftables instead of iptables. All of firewalld's primitives (zones, services, ports, rich rules, etc.) are 100% compatible between backends.
Users of direct rules may need to consider the behavioral changes that were announced upstream. Some are also highlighted here:
- direct rules execute before _all_ firewalld rules
- This has been requested by users
- packets dropped in iptables (or direct rules) will never be seen by firewalld
- packets accepted in iptables (or direct rules) are still subject to firewalld's rules
How To Test
Testing should mostly be integration based. Firewalld upstream has a fairly comprehensive testsuite that covers functional testing.
The following are packages known to integrate with firewalld. They should be tested with the nftables backend.
- libvirt
- verify VMs with different network types (bridged, routed) have working network access
- newer version of libvirt should create and use a "libvirt" firewalld zone. Interfaces should be dynamically added to the zone.
- podman
- verify podman adds container bridge interface to the "trusted" zone
- verify container still has network access
- docker
- known to not work with the firewalld nftables backend out of the box
- verify new package docker-firewalld installs firewalld docker zone and has "docker0" interface added
- verify container still has network access
- fail2ban-firewalld
- verify the direct rules added to firewalld by fail2ban still block traffic
User Experience
In general users shouldn't notice the change. Occasional a user will look at the iptables rule that firewalld generates. They'll now have to look at nftables instead.
Dependencies
- libvirt >= 5.1.0
- CNI >= 0.8.0 (used by podman)
- docker-firewalld (new package)
Contingency Plan
- Contingency mechanism: firewalld maintainer (erig0) will reinstate the current patch to default to the iptables backend.
- Contingency deadline: beta freeze
- Blocks release? No
- Blocks product? No
Documentation