
[Feature Request] Migrate networking documentation to nftables #4874

Open
3 tasks done
kanpov opened this issue Oct 27, 2024 · 4 comments
Labels
Status: WIP Indicates that an issue is currently being worked on or triaged

Comments


kanpov commented Oct 27, 2024

Feature Request

The backing kernel module for iptables (x_tables) is strongly discouraged by the Linux netfilter team, so the iptables command is now deprecated on most distros and only the nft command, which uses the new nftables kernel module, is recommended; the iptables-nft command is also available, which accepts the legacy iptables syntax and translates it into nft calls.

As such, it's important to update Firecracker's networking documentation to use nftables.

Describe the desired solution

Update the following docs:

Describe possible alternatives

The least-effort path but also a pretty bad one is to replace iptables with iptables-nft in the examples.

Additional context

I'm currently performing a large refactor of fcnet, which is a Rust-based Firecracker networking backend, and porting it from iptables CLI calls to nftables via libnftables-json, so as soon as I complete that and figure out all the nft calls necessary, I'll contribute these doc changes to Firecracker.

Checks

  • Have you searched the Firecracker Issues database for similar requests?
  • Have you read all the existing relevant Firecracker documentation?
  • Have you read and understood Firecracker's core tenets?

kanpov commented Oct 27, 2024

An additional goal might be to migrate integration tests via the python-nftables thing (I think that's what it's called), but that call imo is up to the integration test maintainers and not me.

bchalios added the Status: WIP label on Oct 30, 2024

kanpov commented Oct 30, 2024

I forgot getting-started also uses iptables for its networking (and with some even more obscure commands than the current network-setup), so that should also fall into scope of a second PR.


kanpov commented Nov 21, 2024

#4922 fixed only part of this, Network Setup of Clones needs plenty of attention as well :)


kanpov commented Nov 25, 2024

For now, I'm too busy with the rust-firecracker projects to clean up Network for Clones, so anybody interested can take over. The same split between nft and iptables-nft should be done, as well as reworking the routing to use one forward chain to get connectivity to the netns, and a SNAT + DNAT pair inside the netns, as described in the relevant discussion. The issue can be marked as parked in the meantime, if needed.
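For the basic single-tap setup the thread is about (not the clone/netns variant), the two syntaxes the issue wants documented side by side look like this. This is an added example, not code from the issue author, from fcnet or from Firecracker's own documentation; the table name `firecracker`, the interface names `tap0`/`eth0` and the guest address `172.16.0.2` are assumed values chosen for illustration.

```shell
#!/bin/sh
# Added example, not taken from the Firecracker docs or from this issue.
# Emits the nftables ruleset (nft native syntax) that gives a Firecracker guest
# behind a tap device outbound connectivity via the host uplink, plus the
# equivalent iptables-nft commands. The table name "firecracker", the interface
# names and the guest address passed in by the caller are all assumed values.

# fc_nft_ruleset TAP HOST_IF GUEST_IP
# Prints a ruleset that can be loaded atomically by piping it into: nft -f -
fc_nft_ruleset() {
    tap="$1"; host_if="$2"; guest_ip="$3"
    cat <<EOF
# Own table: 'nft delete table ip firecracker' removes everything at once
# without touching rules that other tools (firewalld, Docker, ...) own.
table ip firecracker {
    chain forward {
        # Same hook/priority as the iptables FORWARD chain. Policy stays
        # accept, like iptables' default, so unrelated forwarding on the
        # host is not affected by loading this table.
        type filter hook forward priority filter; policy accept;
        # Replies to connections the guest opened.
        ct state established,related accept
        # New connections from the guest, but only out of the uplink.
        iifname "${tap}" oifname "${host_if}" accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Rewrite the guest's source address to the uplink's address.
        ip saddr ${guest_ip} oifname "${host_if}" masquerade
    }
}
EOF
}

# fc_iptables_nft_rules TAP HOST_IF GUEST_IP
# The same policy in the legacy syntax that iptables-nft translates into
# nftables rules (these land in iptables-nft's own "filter"/"nat" tables,
# not in the table emitted above).
fc_iptables_nft_rules() {
    tap="$1"; host_if="$2"; guest_ip="$3"
    cat <<EOF
iptables-nft -t nat -A POSTROUTING -s ${guest_ip} -o ${host_if} -j MASQUERADE
iptables-nft -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables-nft -A FORWARD -i ${tap} -o ${host_if} -j ACCEPT
EOF
}

# Usage: ./fc-nat.sh tap0 eth0 172.16.0.2 | sudo nft -f -
if [ "$#" -eq 3 ]; then
    fc_nft_ruleset "$@"
fi
```

Either variant still needs `net.ipv4.ip_forward=1` on the host. When debugging guest connectivity, remember that an `accept` verdict in one base chain only ends evaluation of that chain: a later base chain on the same `forward` hook (for example one installed by a container runtime) can still drop the packet, so inspect every chain hooked on `forward` in `nft list ruleset`, not just this table.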
