Bug 1659544
Summary: RFE: On inplace upgrade to RHEL8, iptables configuration should be seamlessly migrated to nftables

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 8 | Reporter | afox <afox> |
| Component | nftables | Assignee | Phil Sutter <psutter> |
| Status | CLOSED CANTFIX | QA Contact | qe-baseos-daemons |
| Severity | medium | Docs Contact | |
| Priority | unspecified | | |
| Version | 8.0 | CC | todoleza |
| Target Milestone | rc | | |
| Target Release | 8.0 | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2018-12-18 16:04:43 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
afox@redhat.com
2018-12-14 16:18:54 UTC
Hi afox,

(In reply to afox from comment #0)
> 1. Proposed title of this feature request
> Seamless migration of iptables to nftables during RHEL8 inplace upgrades
>
> 2. Who is the customer behind the request?
> Account: 748231
> TAM customer: Yes
> SRM customer: Yes
> Strategic: Yes748231
>
> 3. What is the nature and description of this request?
> Following the second RHEL8 town hall, the customer has discovered that
> iptables will be replaced by nftables. They want to ensure that RHEL7 to
> RHEL8 upgrades seamlessly migrate their iptables configuration to nftables.

Note that we did not exactly replace iptables by nftables, but we replaced iptables-legacy by iptables-nft (which uses nftables internally).

> 4. Why does the customer need this? (List the business requirements here)
> They have a very large estate consisting of over 600 RHEL desktop users, and
> need to avoid making manual interventions in these upgrades.

The RHEL8 iptables package is supposed to be drop-in compatible with the RHEL7 one. If manual intervention is required in iptables-related configuration when upgrading from RHEL7 to RHEL8, this should be considered a bug and reported to us.

> 5. How would the customer like to achieve this? (List the functional
> requirements here)
> - iptables packages should be removed during upgrade
> - iptables configuration should be migrated to nftables without requiring
> user intervention

While this would be a cool thing to have, I fear it is beyond what we could support at this point. Not every match and target existing in iptables is supported by nftables yet (and some never will be), so while fully automated migration is in theory possible using the iptables-translate tool, there is a certain unavoidable risk of breaking the setup while doing so.

> 6. For each functional requirement listed, specify how Red Hat and the
> customer can test to confirm the requirement is successfully implemented.
> Perform an inplace upgrade, and check post-upgrade that nftables
> functionality mirrors the previous iptables configuration.

This would not only require static analysis of rulesets before and after the upgrade but also functional tests - nothing one could achieve easily. Real migration from iptables to nftables must be done on a per-case basis and requires familiarity with both tools.

For the time being, we provide an iptables package which installs the nftables variants in RHEL8. It is drop-in compatible in accepted input (i.e., existing rulesets) and output, but sets up firewalling in the kernel using nftables. This is different from a migration in that it reuses legacy iptables matches and targets in kernel space unless there are practical reasons to use native nftables statements instead (and it is safe to do so).

I'll hereby close the ticket because I don't see how we could implement (and maintain) the requested feature and there is no urgent need for it. Feel free to reopen in case you disagree.

Cheers, Phil
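The risk Phil points at (a translator only handles the matches and targets it knows, and everything else silently needs a human) can be made concrete with a pre-flight audit run over an `iptables-save` dump before an upgrade. The script below is an added example, not part of this bug report and not Red Hat's tooling; the real translator is `iptables-restore-translate(8)`. Its allowlist of matches and targets is a hypothetical one chosen for the script and says nothing about what nftables or `iptables-translate` actually support, and the sample dump is constructed for the example.

```python
"""Pre-flight audit of an iptables-save dump before moving a host to native nftables.

Added example; not part of the bug report and not Red Hat's tooling (the real
translator is iptables-restore-translate(8)). It translates only the subset of
iptables syntax it knows and reports every other match, target or target option
for manual review: automatic translation is only safe for what the translator
actually understands.
"""
import shlex
from typing import List, Optional, Tuple

# Constructed sample in iptables-save format; not taken from the bug report.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "HTTP: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m owner --uid-owner 1000 -j ACCEPT
COMMIT
"""

# Hypothetical allowlist for this script only; it says nothing about what
# nftables or iptables-translate actually support.
SUPPORTED_MATCHES = {"tcp", "udp", "conntrack"}
SUPPORTED_TARGETS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}
PORT_OPTS = {"--dport": "dport", "--sport": "sport"}


def translate_rule(tokens: List[str], table: str, chain: str) -> Tuple[Optional[str], List[str]]:
    """Translate the options of one '-A <chain> ...' rule: (nft command, []) or (None, reasons)."""
    exprs: List[str] = []
    reasons: List[str] = []
    proto = verdict = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "!":
            reasons.append("negation not handled")
            i += 1
        elif tok in ("-i", "-o"):
            exprs.append(f'{"iifname" if tok == "-i" else "oifname"} "{nxt}"')
            i += 2
        elif tok in ("-s", "-d"):
            exprs.append(f'ip {"saddr" if tok == "-s" else "daddr"} {nxt}')
            i += 2
        elif tok == "-p":
            proto = nxt
            i += 2
        elif tok == "-m":
            if nxt not in SUPPORTED_MATCHES:
                reasons.append(f"match '{nxt}' outside the supported set")
            i += 2
        elif tok in PORT_OPTS and proto in ("tcp", "udp"):
            exprs.append(f"{proto} {PORT_OPTS[tok]} {nxt}")
            i += 2
        elif tok == "--ctstate":
            exprs.append("ct state " + nxt.lower())
            i += 2
        elif tok == "-j":
            verdict = SUPPORTED_TARGETS.get(nxt)
            if verdict is None:
                reasons.append(f"target '{nxt}' outside the supported set")
            if i + 2 < len(tokens):  # --log-prefix, --reject-with, ... are target options
                reasons.append("target options need review: " + " ".join(tokens[i + 2:]))
            i = len(tokens)
        else:
            reasons.append(f"unhandled option '{tok}'")
            i += 2 if nxt is not None and not nxt.startswith("-") else 1
    if proto and not any(e.startswith(proto + " ") for e in exprs):
        exprs.append(f"ip protocol {proto}")  # '-p tcp' with no port match
    if verdict is None and not reasons:
        reasons.append("no verdict")
    if reasons:
        return None, reasons
    return f"add rule ip {table} {chain} {' '.join(exprs + [verdict])}", []


def audit(dump: str = SAMPLE_DUMP) -> Tuple[List[str], List[Tuple[str, List[str]]]]:
    """Return (nft rules translated automatically, [(original rule, reasons)] to review)."""
    translated, review, table = [], [], ""
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):  # '*filter': table header
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            nft, reasons = translate_rule(tokens[2:], table, tokens[1])
            if nft is not None:
                translated.append(nft)
            else:
                review.append((line, reasons))
        # comments, ':chain policy' lines and COMMIT carry no rules; base chain
        # hooks and policies are another thing to set by hand in the nft ruleset
    return translated, review


if __name__ == "__main__":
    ok, todo = audit()
    print("# translated automatically\n" + "\n".join(ok))
    print("# needs manual review")
    for original, reasons in todo:
        print(f"{original}\n    -> {'; '.join(reasons)}")
```

Fed the output of `iptables-save` from a RHEL7 host, the script separates rules it could express natively from the ones where a person has to decide (here the LOG and REJECT options and the owner match), which is the per-case work Phil says a migration requires. Nothing in it is needed for the upgrade itself: the RHEL8 iptables package accepts the same ruleset unchanged, so the audit only matters once someone chooses to move to native nft syntax.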