F41 Change Proposal: Netavark Nftables Default (self-contained)

Netavark Nftables Default

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.


Summary

Netavark should use nftables by default to create/manage the firewall rules for the Podman containers.

Owner

Current status

  • Targeted release: Fedora Linux 41
  • Last updated: 2024-07-10
  • [Announced]
  • [ Discussion thread]
  • FESCo issue:
  • Tracker bug:
  • Release notes tracker:

Detailed Description

Netavark is used by Podman to configure networking for containers: it manages the interfaces and the firewall rules. It currently uses iptables by default to create the firewall rules, but it can also be configured to use nftables (nft). The goal is to switch the default to nftables. We also expect a small speed-up in container start-up time, because nftables lets netavark apply all of a container's rules in one batch, which is faster and more robust than adding them one at a time with iptables.

Feedback

Benefit to Fedora

  • netavark no longer requires iptables
  • all rules are now part of the netavark table (inet netavark), so there are fewer conflicts with other tools and users who manage firewall rules
  • slightly faster container start-up time

Scope

  • Proposal owners: Paul Holzinger, Matthew Heon

    • Using nftables is already supported in netavark as of version v1.10 (already included in Fedora). Set a build option in the specfile to change the default driver from iptables to nftables.
  • Other developers: N/A

  • Release engineering: N/A

  • Policies and guidelines: N/A (not needed for this Change)

  • Trademark approval: N/A (not needed for this Change)

  • Alignment with the Fedora Strategy:

Upgrade/compatibility impact

Early Testing (Optional)

Do you require ‘QA Blueprint’ support? N

How To Test

The change can be tested by setting the firewall driver to nftables in containers.conf:

$ sudo mkdir -p /etc/containers/containers.conf.d
$ echo $'[network]\nfirewall_driver="nftables"' | sudo tee /etc/containers/containers.conf.d/50-netavark-nftables.conf

Changing the firewall driver while you have running containers will likely cause some conflicting rules so it is best to reboot when this option is changed.

Now start the containers and make sure the network works as usual. The rules can be checked with

$ sudo nft list table inet netavark
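The same procedure as a small set of shell helpers, added here as an example and not part of the Change proposal or of netavark itself. It writes the drop-in for either driver (so the switch can be reverted the same way), reads it back, checks that nft can actually program the kernel before you rely on it, and recognises netavark's table in nft output. Assumptions: the drop-in path is the one used above, and CONF_ROOT (empty by default, meaning the real /etc) is a hypothetical override so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example for the netavark nftables test procedure; not netavark code.
# CONF_ROOT is an assumption of this script (default: the real /etc).
set -eu

dropin_file() {
    printf '%s/etc/containers/containers.conf.d/50-netavark-nftables.conf\n' \
        "${CONF_ROOT:-}"
}

# write_firewall_driver <nftables|iptables>
# Any other value is rejected so a typo cannot leave netavark configured with
# a driver you did not intend.
write_firewall_driver() {
    case "$1" in
        nftables|iptables) ;;
        *) echo "write_firewall_driver: unsupported driver '$1'" >&2; return 1 ;;
    esac
    f=$(dropin_file)
    mkdir -p "$(dirname "$f")"
    printf '[network]\nfirewall_driver = "%s"\n' "$1" > "$f"
}

# read_firewall_driver: prints the driver named in the drop-in; fails if absent.
read_firewall_driver() {
    f=$(dropin_file)
    [ -r "$f" ] || return 1
    sed -n 's/^firewall_driver *= *"\([a-z]*\)".*/\1/p' "$f"
}

# nft_usable: creates and removes a scratch table. This is the cheapest way to
# tell an nft binary that can talk to the kernel from one that cannot (no
# nf_tables support, a restricted VM or container, missing CAP_NET_ADMIN).
# Needs root; returns non-zero when nft is missing or the transaction fails.
nft_usable() {
    command -v nft >/dev/null 2>&1 || return 1
    nft add table inet netavark_preflight 2>/dev/null || return 1
    nft delete table inet netavark_preflight
}

# netavark_table_present <nft output>
# Succeeds when the text (e.g. from `nft list ruleset` or
# `nft list table inet netavark`) declares the table the nftables driver owns.
netavark_table_present() {
    printf '%s\n' "$1" | grep -Eq '^table inet netavark( [{])?$'
}
```

Typical use as root: run `nft_usable` first, then `write_firewall_driver nftables`, reboot, start a container and feed `nft list ruleset` to `netavark_table_present`. Running `write_firewall_driver iptables` puts the old default back.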

User Experience

There should be no change in behavior for end users unless they have manually modified the netavark firewall rules.

Dependencies

N/A

Contingency Plan

  • Contingency mechanism: Keep using iptables as default.
  • Contingency deadline: beta freeze
  • Blocks release? N/A

Documentation

N/A (not a System Wide Change)

Release Notes

Last edited by @amoloney 2024-07-12T15:37:54Z

1 Like

How do you feel about the proposal as written?

  • Strongly in favor
  • In favor, with reservations
  • Neutral
  • Opposed, but could be convinced
  • Strongly opposed

If you are in favor but have reservations, or are opposed but something could change your mind, please explain in a reply.

We want everyone to be heard, but many posts repeating the same thing actually makes that harder. If you have something new to say, please say it. If, instead, you find someone has already covered what you’d like to express, please simply giving that post a :heart: instead of reiterating. You can even do this by email, by replying with the heart emoji or just “+1”. This will make long topics easier to follow.

Please note that this is an advisory “straw poll” meant to gauge sentiment. It isn’t a vote or a scientific survey. See About the Change Proposals category for more about the Change Process and moderation policy.

1 Like

This change proposal has now been submitted to FESCo with ticket #3253 for voting.

To find out more, please visit our Changes Policy documentation.

This change has been accepted by FESCo for Fedora Linux 41. A full list of approved changes to date can be found on the Change Set Page.

To find out more about how our changes policy works, please visit our docs site.

What happens in this case?

If the user has existing scripts that depend on Podman making iptables rules (something that attempts to filter container traffic, perhaps?) those will be broken unless the user manually reverts to iptables using our config file (or they adapt them to nftables instead). I don’t believe this is actually common (we don’t have any documented way for a user to interface with our iptables rules and I’ve never heard of anyone actually doing it) but I know of enough people interested in the idea that I wouldn’t be surprised if someone has done it.

1 Like
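On the point above about scripts that filter container traffic by hooking into the rules netavark creates: a policy that survives this change on either driver keeps its rules in an nftables table the user owns, rather than editing netavark's. The following is an added example, not from the proposal or from netavark. It assumes Podman's default bridge network 10.88.0.0/16 (override with CONTAINER_NET), an illustrative policy (containers may not reach a link-local metadata address or the host's SSH port), and that netavark's own forward and input rules sit at the conventional filter priority (0), which is where iptables-nft's FORWARD/INPUT chains live; the user chains are placed one step earlier, and in nftables a drop there is final while an accept simply hands the packet on to the next base chain.

```shell
#!/bin/sh
# Added example: user-owned nftables policy for container traffic, independent
# of netavark's firewall driver. Not netavark code. Policy and subnet are
# assumptions of this example.
set -eu

# container_policy_ruleset: prints the table definition. "priority filter - 1"
# evaluates these chains before the filter-priority chains netavark (via
# iptables-nft or its nftables driver) is assumed to use.
container_policy_ruleset() {
    net=${CONTAINER_NET:-10.88.0.0/16}
    cat <<EOF
table inet container_policy {
    chain forward {
        type filter hook forward priority filter - 1; policy accept;
        ip saddr $net ip daddr 169.254.169.254 counter drop
    }
    chain input {
        type filter hook input priority filter - 1; policy accept;
        ip saddr $net tcp dport 22 counter drop
    }
}
EOF
}

# container_policy_transaction: the ruleset wrapped so that loading it
# replaces only this table. "flush table" inside the same nft -f run clears
# stale rules atomically and leaves every other table, including
# inet netavark, untouched.
container_policy_transaction() {
    printf 'add table inet container_policy\nflush table inet container_policy\n'
    container_policy_ruleset
}

# check_container_policy: parse and validate without changing the kernel.
check_container_policy() {
    container_policy_transaction | nft -c -f -
}

# apply_container_policy: load the policy (needs root and a working nft).
apply_container_policy() {
    container_policy_transaction | nft -f -
}
```

Because netavark only ever creates, flushes or deletes its own table and chains, a separate table like this one is not disturbed when containers start or stop, and it behaves the same whether the firewall_driver is iptables or nftables. To keep it across reboots, include the transaction in the ruleset loaded by nftables.service.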

@mheon I think I found one place where these custom scripts interfere with this change: Gitlab runners.

By default, Gitlab.com runners run in a virtual machine that is created with certain policies and these now seem to interfere with netavark. When I start a job with a Fedora 41 based image, it has problems running images with podman. Of course, this is one of those docker-in-docker scenarios, but alas.

Trying to pull registry.gitlab.com/company/private-project:master...
Getting image source signatures
Copying blob sha256:b0b7bd72434a1342400b6e1758cffdce0dd65c8e406904a57d7697b4e8eb94d8
Copying blob sha256:343a30a202cb3f86ebe70ebd4b32072a76c728648fab951d6d33e4a6c6670664
Copying blob sha256:32abda57a7990d41567efb83100ea58879ac6da73fb27483bbb465a1627acb1c
Copying blob sha256:206a0710c9fddfcbdc6e18b1c01afe65cbcbbdff35a83b87e6b657898117cfb0
Copying config sha256:918372ab8f0ec875f8e7adf1b1cf64b6120573e34a5d4685c8bc8d5d1002ca70
Writing manifest to image destination
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
starting container 00a4a8568e6be05261ef11841b13db37feb73083fd48aed8efabbb8c6ba5ed0c: a dependency of container 00a4a8568e6be05261ef11841b13db37feb73083fd48aed8efabbb8c6ba5ed0c failed to start: container state improper
starting container aa5399bea55b34f60fb8e99960781fd88c06a923844f21e81eec7a8139eb06c3: a dependency of container aa5399bea55b34f60fb8e99960781fd88c06a923844f21e81eec7a8139eb06c3 failed to start: container state improper
starting container 892cbca957a2a505f41ff5c980241afcaeaddd004d8ea28dcb40a1ffb4f4f6f5: netavark: nftables error: nft did not return successfully while applying ruleset
Error: failed to start 3 containers
[starting container 00a4a8568e6be05261ef11841b13db37feb73083fd48aed8efabbb8c6ba5ed0c: a dependency of container 00a4a8568e6be05261ef11841b13db37feb73083fd48aed8efabbb8c6ba5ed0c failed to start: container state improper]
[starting container 00a4a8568e6be05261ef11841b13db37feb73083fd48aed8efabbb8c6ba5ed0c: a dependency of container 00a4a8568e6be05261ef11841b13db37feb73083fd48aed8efabbb8c6ba5ed0c failed to start: container state improper starting container aa5399bea55b34f60fb8e99960781fd88c06a923844f21e81eec7a8139eb06c3: a dependency of container aa5399bea55b34f60fb8e99960781fd88c06a923844f21e81eec7a8139eb06c3 failed to start: container state improper]
[starting container 00a4a8568e6be05261ef11841b13db37feb73083fd48aed8efabbb8c6ba5ed0c: a dependency of container 00a4a8568e6be05261ef11841b13db37feb73083fd48aed8efabbb8c6ba5ed0c failed to start: container state improper starting container aa5399bea55b34f60fb8e99960781fd88c06a923844f21e81eec7a8139eb06c3: a dependency of container aa5399bea55b34f60fb8e99960781fd88c06a923844f21e81eec7a8139eb06c3 failed to start: container state improper starting container 892cbca957a2a505f41ff5c980241afcaeaddd004d8ea28dcb40a1ffb4f4f6f5: netavark: nftables error: nft did not return successfully while applying ruleset]

What would be the appropriate place to log this bug properly?