Message ID | 20220606220137.1887491-4-adrian.freihofer@siemens.com |
---|---|
State | Under Review |
Series | networkmanager modemmanager updates |
Hi Adrian, just out of curiosity: Why do you suggest to prefer nftables over iptables? Andreas On Tue, Jun 7, 2022 at 12:01 AM Adrian Freihofer <adrian.freihofer@gmail.com> wrote: > > From NEWS file of networkmanager 1.32: > > firewall: add nftables firewall backend for configuring IPv4 NAT with > shared mode. Now two backends are supported, "iptables" and "nftables". > The default gets detected based on whether /usr/sbin/nft or > /usr/sbin/iptables is installed, with nftables preferred. > > With this change nftables is now the preferred backend also with OE. But > it's still possible to set NETWORKMANAGER_FIREWALL_DEFAULT back to > iptables. > > Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> > --- > .../networkmanager/networkmanager_1.36.2.bb | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb > index 9fc43dceb5..55eb3e7024 100644 > --- a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb > +++ b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb > @@ -42,6 +42,10 @@ NETWORKMANAGER_DNS_RC_MANAGER_DEFAULT ??= "auto" > # ['dhcpcanon', 'dhclient', 'dhcpcd', 'internal', 'nettools'] > NETWORKMANAGER_DHCP_DEFAULT ??= "internal" > > +# The default gets detected based on whether /usr/sbin/nft or /usr/sbin/iptables is installed, with nftables preferred. > +# ['', 'iptables', 'nftables'] > +NETWORKMANAGER_FIREWALL_DEFAULT ??= "nftables" > + > EXTRA_OEMESON = "\ > -Difcfg_rh=false \ > -Dtests=yes \ 
> @@ -238,7 +242,7 @@ FILES:${PN}-daemon += " \ > ${systemd_system_unitdir} \ > " > RRECOMMENDS:${PN}-daemon += "\ > - iptables \ > + ${NETWORKMANAGER_FIREWALL_DEFAULT} \ > ${@bb.utils.filter('PACKAGECONFIG', 'dnsmasq', d)} \ > " > INITSCRIPT_NAME:${PN}-daemon = "network-manager" > -- > 2.35.3 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#97434): https://lists.openembedded.org/g/openembedded-devel/message/97434 > Mute This Topic: https://lists.openembedded.org/mt/91588569/3617609 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [schnitzeltony@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Tue, Jun 7, 2022 at 10:26 AM Adrian Freihofer <adrian.freihofer@gmail.com> wrote: > > Hi Andreas > > Good question. I changed it back and forth before I sent it to the > mailing list. I finally changed it to the NetworkManager defaults (they > changed it a few versions ago). I think it can easily be changed back. > And after the LTS release, it's a good time to point out that nftables > should be considered for future builds. I think if defaults have changed to use nftables then this change is fine. > > But there is no strong argument for it. I'm also fine to put it on > iptables. > > Maybe a distro feature to set a preference for iptables or nftables > would also be useful. There are now various packages that support both > configurably. > > Regards, > Adrian > > On Tue, 2022-06-07 at 09:29 +0200, Andreas Müller wrote: > > Hi Adrian, > > > > just out of curiosity: Why do you suggest to prefer nftables over iptables? > > > > Andreas > > > > On Tue, Jun 7, 2022 at 12:01 AM Adrian Freihofer > > <adrian.freihofer@gmail.com> wrote: > > > > > > From NEWS file of networkmanager 1.32: > > > > > > firewall: add nftables firewall backend for configuring IPv4 NAT with > > > shared mode. Now two backends are supported, "iptables" and "nftables". > > > The default gets detected based on whether /usr/sbin/nft or > > > /usr/sbin/iptables is installed, with nftables preferred. > > > > > > With this change nftables is now the preferred backend also with OE. But > > > it's still possible to set NETWORKMANAGER_FIREWALL_DEFAULT back to > > > iptables. > > > > > > Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> > > > --- > > > .../networkmanager/networkmanager_1.36.2.bb | 6 +++++- > > > 1 file changed, 5 insertions(+), 1 deletion(-) > > > > > > diff --git a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb > > > index 9fc43dceb5..55eb3e7024 100644 
> > > --- a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb > > > +++ b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb > > > @@ -42,6 +42,10 @@ NETWORKMANAGER_DNS_RC_MANAGER_DEFAULT ??= "auto" > > > # ['dhcpcanon', 'dhclient', 'dhcpcd', 'internal', 'nettools'] > > > NETWORKMANAGER_DHCP_DEFAULT ??= "internal" > > > > > > +# The default gets detected based on whether /usr/sbin/nft or /usr/sbin/iptables is installed, with nftables preferred. > > > +# ['', 'iptables', 'nftables'] > > > +NETWORKMANAGER_FIREWALL_DEFAULT ??= "nftables" > > > + > > > EXTRA_OEMESON = "\ > > > -Difcfg_rh=false \ > > > -Dtests=yes \ > > > @@ -238,7 +242,7 @@ FILES:${PN}-daemon += " \ > > > ${systemd_system_unitdir} \ > > > " > > > RRECOMMENDS:${PN}-daemon += "\ > > > - iptables \ > > > + ${NETWORKMANAGER_FIREWALL_DEFAULT} \ > > > ${@bb.utils.filter('PACKAGECONFIG', 'dnsmasq', d)} \ > > > " > > > INITSCRIPT_NAME:${PN}-daemon = "network-manager" > > > -- > > > 2.35.3
On Tue, Jun 7, 2022 at 7:26 PM Adrian Freihofer <adrian.freihofer@gmail.com> wrote: > > Hi Andreas > > Good question. I changed it back and forth before I sent it to the > mailing list. I finally changed it to the NetworkManager defaults (they > changed it a few versions ago). I think it can easily be changed back. > And after the LTS release, it's a good time to point out that nftables > should be considered for future builds. > > But there is no strong argument for it. I'm also fine to put it on > iptables. > > Maybe a distro feature to set a preference for iptables or nftables > would also be useful. There are now various packages that support both > configurably. > Thanks for the detailed background, and I am fine with following their suggestion; in case of issues it is simple to undo. Cheers, Andreas
diff --git a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb index 9fc43dceb5..55eb3e7024 100644 --- a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb +++ b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb @@ -42,6 +42,10 @@ NETWORKMANAGER_DNS_RC_MANAGER_DEFAULT ??= "auto" # ['dhcpcanon', 'dhclient', 'dhcpcd', 'internal', 'nettools'] NETWORKMANAGER_DHCP_DEFAULT ??= "internal" +# The default gets detected based on whether /usr/sbin/nft or /usr/sbin/iptables is installed, with nftables preferred. +# ['', 'iptables', 'nftables'] +NETWORKMANAGER_FIREWALL_DEFAULT ??= "nftables" + EXTRA_OEMESON = "\ -Difcfg_rh=false \ -Dtests=yes \ @@ -238,7 +242,7 @@ FILES:${PN}-daemon += " \ ${systemd_system_unitdir} \ " RRECOMMENDS:${PN}-daemon += "\ - iptables \ + ${NETWORKMANAGER_FIREWALL_DEFAULT} \ ${@bb.utils.filter('PACKAGECONFIG', 'dnsmasq', d)} \ " INITSCRIPT_NAME:${PN}-daemon = "network-manager"
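Review bot: the comment added above `NETWORKMANAGER_FIREWALL_DEFAULT` in the first hunk ("The default gets detected based on whether /usr/sbin/nft or /usr/sbin/iptables is installed, with nftables preferred") describes NetworkManager's own runtime detection, not what the variable does in this recipe: within this patch the value is only consumed by `RRECOMMENDS:${PN}-daemon`, so it decides which backend package is pulled into the image, and if both binaries end up installed (for example nftables through another recipe's dependency) the daemon still picks nftables regardless of the value. Suggest rewording the comment to say that, e.g. `# Firewall backend package recommended for the daemon; NetworkManager detects the backend itself at runtime, preferring nft`, so a user setting the variable to "iptables" does not assume the backend is thereby pinned.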
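Review bot: in the second hunk, `+ ${NETWORKMANAGER_FIREWALL_DEFAULT} \` uses the variable's value verbatim as a package name, which means the accepted values listed in the first hunk's comment (`'iptables'`, `'nftables'`) are package names as well, and any other spelling (say `nft`) silently yields an unsatisfiable recommendation; since this is `RRECOMMENDS` rather than `RDEPENDS` that surfaces only as a warning at image time, not as a build failure. Worth stating the package-name coupling in the comment of the first hunk. The empty-string option leaves a bare line continuation in the list, which is harmless.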
From NEWS file of networkmanager 1.32:

firewall: add nftables firewall backend for configuring IPv4 NAT with shared mode. Now two backends are supported, "iptables" and "nftables". The default gets detected based on whether /usr/sbin/nft or /usr/sbin/iptables is installed, with nftables preferred.

With this change nftables is now the preferred backend also with OE. But it's still possible to set NETWORKMANAGER_FIREWALL_DEFAULT back to iptables.

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
---
 .../networkmanager/networkmanager_1.36.2.bb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
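As an added illustration, not part of this patch or of the meta-networking recipe, the following distro configuration fragment shows the two override paths the thread talks about: pinning the recipe variable outright (what the commit message describes), or deriving it from a distro feature as suggested in the discussion. `NETWORKMANAGER_FIREWALL_DEFAULT` and its accepted values come from the patch; the distro feature name `nftables` and the idea of placing this in a distro `.conf` are assumptions of this example.

```bitbake
# Added example, not from the patch. Intended for a distro .conf (or local.conf)
# of a build that includes meta-networking.
#
# The recipe sets NETWORKMANAGER_FIREWALL_DEFAULT with "??=", the weakest kind
# of default, so a "?=" or "=" assignment in configuration takes precedence.

# Option 1: pin the recommended backend package unconditionally.
# NETWORKMANAGER_FIREWALL_DEFAULT = "iptables"

# Option 2 (assumed distro feature name "nftables"): opt in to nftables per
# distro and fall back to iptables otherwise. Only the values listed in the
# recipe comment ('', 'iptables', 'nftables') are meaningful, because the
# daemon's RRECOMMENDS uses the value verbatim as a package name.
NETWORKMANAGER_FIREWALL_DEFAULT ?= "${@bb.utils.contains('DISTRO_FEATURES', 'nftables', 'nftables', 'iptables', d)}"
```

With this patch the variable only decides which backend package is recommended into the image; NetworkManager's own detection, nft preferred when both binaries exist, still chooses the backend at runtime, so an image that receives nftables through some other dependency runs the nftables backend whatever the variable says. To pin the backend on the target rather than merely steer the image contents, NetworkManager's configuration (not this recipe) offers a `firewall-backend` key in the `[main]` section of NetworkManager.conf, and a quick check on a built rootfs is simply which of /usr/sbin/nft and /usr/sbin/iptables are present.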