You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The backing kernel module for iptables (x_tables) is extremely not recommended by the Linux netfilter team, so the iptables command now on most distros is deprecated and only the nft command is recommended that uses the new nftables kernel module, plus the iptables-nft command is also available that uses the legacy iptables syntax and converts it to then call nft.
As such, it's important to update Firecracker's networking documentation to use nftables.
The least-effort path but also a pretty bad one is to replace iptables with iptables-nft in the examples.
Additional context
I'm currently performing a large refactor of fcnet, which is a Rust-based Firecracker networking backend, and porting it from iptables CLI calls to nftables via libnftables-json, so as soon as I complete that and figure out all the nft calls necessary, I'll contribute these doc changes to Firecracker .
Checks
Have you searched the Firecracker Issues database for similar requests?
Have you read all the existing relevant Firecracker documentation?
Have you read and understood Firecracker's core tenets?
The text was updated successfully, but these errors were encountered:
An additional goal might be to migrate integration tests via the python-nftables thing (I think that's what it's called), but that call imo is up to the integration test maintainers and not me.
I forgot getting-started also uses iptables for its networking (and with some even more obscure commands than the current network-setup), so that should also fall into scope of a second PR.
For now, I'm too busy with the rust-firecracker projects to clean up Network for Clones, so anybody interested can take over. The same split between nft and iptables-nft should be done, as well as reworking the routing to use one forward chain to get connectivity to the netns, and a SNAT + DNAT pair inside the netns, as described in the relevant discussion. The issue can be marked as parked in the meantime, if needed.
Feature Request
The backing kernel module for iptables (x_tables) is extremely not recommended by the Linux netfilter team, so the iptables command now on most distros is deprecated and only the nft command is recommended that uses the new nftables kernel module, plus the iptables-nft command is also available that uses the legacy iptables syntax and converts it to then call nft.
As such, it's important to update Firecracker's networking documentation to use nftables.
Describe the desired solution
Update the following docs:
Describe possible alternatives
The least-effort path but also a pretty bad one is to replace iptables with iptables-nft in the examples.
Additional context
I'm currently performing a large refactor of
fcnet
, which is a Rust-based Firecracker networking backend, and porting it from iptables CLI calls to nftables via libnftables-json, so as soon as I complete that and figure out all the nft calls necessary, I'll contribute these doc changes to Firecracker .Checks
The text was updated successfully, but these errors were encountered: