Message ID | 20241204182913.4085670-1-fiona.klute@gmx.de
---|---
Series | nftables firewall support
Hi, is there anything I can do to get this series merged? Having a proper firewall is important, and I'd rather get it into shape and merged than keep carrying local patches. :-)

AFAIK the only open question is if the current approach of warning on reload if the rules file doesn't contain a flush (to replace current rules, instead of adding to them) is good, or if doing a flush unconditionally, or nothing at all is better. I can quickly adjust that if needed.

Patchwork link for the series: https://patchwork.ozlabs.org/project/buildroot/list/?series=435291

Best regards,
Fiona

On 04.12.24 at 19:29, Fiona Klute wrote:
> From: "Fiona Klute (WIWA)" <fiona.klute@gmx.de>
>
> This series builds on two patches I've sent previously before, with
> the main goal of supporting firewall configuration through an nftables
> rules file. Offering the choice of iptables-nft as the default
> iptables implementation (similar to e.g. update-alternatives on Debian)
> makes it easier to integrate that with legacy applications that rely
> on the iptables command (e.g. Docker).
>
> Changes v4 -> v5:
> * nftables init script: run any target only if rules file exists
> * iptables init script: run any target only if rules file exists,
>   except for "save" (which may be used to create it)
> * rename series to clarify that nftables firewall support is
>   non-existent otherwise
> * v4 for reference:
>   https://patchwork.ozlabs.org/project/buildroot/list/?series=416810
>
> Changes v3 -> v4:
> * set ip6tables symlinks when selecting nftables compat
>
> Changes v2 -> v3:
> * move change from "iptables -F" to "iptables --flush" to the correct
>   patch (3/6)
>
> Changes v1 -> v2:
> * add patches 3-6
> * clarify comments & commit messages
> * nftables init script: Warning about missing flush in ruleset on reload
> * nftables init script: check for rules file only on start
> * nftables init script: return nft return code from start/stop functions
> * iptables init script: start only if rules file exists
> * add tests for init scripts
> * use long form options in init scripts
> * fix typecheck warnings
>
> Fiona Klute (WIWA) (6):
>   package/nftables: add init script
>   package/iptables: optionally default to nftables compat
>   package/iptables: check for rules in init script
>   support/testing: test for nftables init script
>   support/testing: include init script in iptables test
>   support/testing: fix MyPy warnings about BRConfigTest
>
>  .checkpackageignore                                |  1 -
>  DEVELOPERS                                         |  1 +
>  package/iptables/Config.in                         | 12 ++++
>  package/iptables/S35iptables                       | 16 +++--
>  package/iptables/iptables.mk                       | 13 +++-
>  package/nftables/S35nftables                       | 67 +++++++++++++++++++
>  package/nftables/nftables.mk                       |  5 ++
>  support/testing/infra/basetest.py                  |  4 +-
>  .../testing/tests/package/test_iptables.py         | 18 +++++
>  .../testing/tests/package/test_nftables.py         | 37 +++++++++-
>  .../rootfs-overlay/etc/nftables.conf               |  8 +++
>  11 files changed, 172 insertions(+), 10 deletions(-)
>  create mode 100644 package/nftables/S35nftables
>  create mode 100644 support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf
>
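The reload-time "missing flush" check that the ping above asks about, and the v5 rule that every target runs only if the rules file exists, as an added sysv-style sketch that is not the series' own S35nftables script; the rules file path and the function names are assumptions for illustration:

```shell
#!/bin/sh
# Added example, not the series' own S35nftables: a sysv-style init
# helper showing the behaviour the cover letter describes. The rules
# file path and the function names are assumptions for illustration.
RULES_FILE="${RULES_FILE:-/etc/nftables.conf}"

# 0 if the file has a top-level "flush ruleset" (comments stripped,
# optional trailing ';'), else 1. Without it, "nft -f" on reload adds
# to the live ruleset instead of replacing it, so rules accumulate.
has_flush_ruleset() {
    sed -e 's/#.*$//' "$1" |
        grep -Eq '^[[:space:]]*flush[[:space:]]+ruleset[[:space:]]*;?[[:space:]]*$'
}

# Every target runs only if the rules file exists (the v5 change);
# nft's exit status is returned unchanged so the caller sees failures.
start() {
    [ -r "$RULES_FILE" ] || { echo "$RULES_FILE missing, skipping"; return 0; }
    nft -f "$RULES_FILE"
}

stop() {
    [ -r "$RULES_FILE" ] || return 0
    nft flush ruleset
}

reload() {
    [ -r "$RULES_FILE" ] || return 0
    if ! has_flush_ruleset "$RULES_FILE"; then
        echo "warning: $RULES_FILE has no 'flush ruleset'; reload adds to the active rules instead of replacing them" >&2
    fi
    nft -f "$RULES_FILE"
}

# Dispatch only when invoked with a target, so the functions above can
# also be sourced and exercised on their own.
if [ $# -gt 0 ]; then
    case "$1" in
        start|stop|reload) "$1" ;;
        restart) stop; start ;;
        *) echo "Usage: $0 {start|stop|restart|reload}" >&2; exit 1 ;;
    esac
fi
```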