Bug 1323161 - iptables-libiptc
Summary: iptables-libiptc
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: base-minimization
TreeView+ depends on / blocked
 
Reported: 2016-04-01 12:21 UTC by Harald Hoyer
Modified: 2016-04-16 02:15 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-13 17:23:35 UTC
Type: Bug

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Harald Hoyer 2016-04-01 12:21:24 UTC 
please consider splitting out a iptables-libs subpackage with:

/usr/lib*/libip4tc.so*
/usr/lib*/libip6tc.so*
/usr/lib*/libiptc.so*

We would like to minimize the container image size and iptables pulls in a lot of other deps:

https://harald.fedorapeople.org/rawhide-20160401-systemd/Tree-iptables.svg

e.g. systemd only needs libiptc
Comment 1 Harald Hoyer 2016-04-01 12:22:17 UTC 
"iptables-libiptc" might be a better name though
Comment 2 Lennart Poettering 2016-04-01 12:47:29 UTC 
note that systemd-networkd/systemd-nspawn (i.e. the iptables-using components of systemd) only need libiptc itself, and not any of the modules, hence it would make sense to split out only libiptc without any of the modules in their own package, which would then just be 32K in size or so...
Comment 3 Thomas Woerner 2016-04-01 16:17:07 UTC 
Adding an sub package for an unsupported and internal only library (see further down) would not be good in my opinion. I'd favor to move some extensions into an extensions sub package to get the libnetfilter_conntrack and libnfnetlink dependency out of the the base package. Additionally with the latest iptables version it would also be needed to create a compat sub package to keep the dependencies out.


libiptc does not have a stable API, not even a real so version.

Excerpt form http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5

4.5 Is there an C/C++ API for adding/removing rules?

The answer unfortunately is: No.

Now you might think 'but what about libiptc?'. As has been pointed out numerous times on the mailinglist(s), libiptc was _NEVER_ meant to be used as a public interface. We don't guarantee a stable interface, and it is planned to remove it in the next incarnation of linux packet filtering. libiptc is way too low-layer to be used reasonably anyway.

We are well aware that there is a fundamental lack for such an API, and we are working on improving that situation. Until then, it is recommended to either use system() or open a pipe into stdin of iptables-restore. The latter will give you a way better performance.

--

This means that there is no upstream support for libiptc usage and absolutely no guarantee that the interface will be similar or the same in a newer version. If systemd build breaks because of libiptc incompatibilities than there will also be no support from upstream. It will not even be possible to add fixes without breaking the iptables tools.
Comment 4 Thomas Woerner 2016-04-13 15:57:48 UTC 
I thought about this some more an there is now an iptables-libs sub package containing libxtables and libip*tc with an extra description about libip*tc limitations.
Comment 5 Thomas Woerner 2016-04-13 17:23:35 UTC 
Fixed in rawhide in package iptables-1.6.0-1.fc25
Comment 6 Harald Hoyer 2016-04-14 13:54:58 UTC 
Thanks! :-)
Comment 7 Patrick Uiterwijk 2016-04-16 02:15:24 UTC 
Please note that there might be packages that depended on iptables always being installed, which no longer applies.
You should probably chase these down and tell them they now need to explicitly depend on iptables.

Example bug: 1327809
Note You need to log in before you can comment on or make changes to this bug.