Bug 1659544 - RFE: On inplace upgrade to RHEL8, iptables configuration should be seamlessly migrated to nftables
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: nftables
Version: 8.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Phil Sutter
QA Contact: qe-baseos-daemons
Reported: 2018-12-14 16:18 UTC by afox@redhat.com
Modified: 2018-12-18 16:04 UTC
Last Closed: 2018-12-18 16:04:43 UTC
Type: Bug

Description afox@redhat.com 2018-12-14 16:18:54 UTC
1. Proposed title of this feature request
Seamless migration of iptables to nftables during RHEL8 inplace upgrades

2. Who is the customer behind the request?
Account: 748231
TAM customer: Yes
SRM customer: Yes
Strategic: Yes

3. What is the nature and description of this request? 
Following the second RHEL8 town hall, the customer has discovered that iptables will be replaced by nftables. They want to ensure that RHEL7 to RHEL8 upgrades seamlessly migrate their iptables configuration to nftables. 

4. Why does the customer need this? (List the business requirements here)
They have a very large estate consisting of over 600 RHEL desktop users, and need to avoid making manual interventions in these upgrades. 

5. How would the customer like to achieve this? (List the functional requirements here)
- iptables packages should be removed during upgrade
- iptables configuration should be migrated to nftables without requiring user intervention

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Perform an inplace upgrade, and check post-upgrade that nftables functionality mirrors the previous iptables configuration. 

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
Not that I can find.

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL6, RHEL7)?
RHEL 8 GA

9. Is the sales team involved in this request and do they have any additional input?
No. 

10. List any affected packages or components.
nftables

11. Would the customer be able to assist in testing this functionality if implemented?
Yes

Comment 1 Phil Sutter 2018-12-18 16:04:43 UTC
Hi afox,

(In reply to afox@redhat.com from comment #0)
> 1. Proposed title of this feature request
> Seamless migration of iptables to nftables during RHEL8 inplace upgrades
> 
> 2. Who is the customer behind the request?
> Account: 748231
> TAM customer: Yes
> SRM customer: Yes
> Strategic: Yes
> 
> 3. What is the nature and description of this request? 
> Following the second RHEL8 town hall, the customer has discovered that
> iptables will be replaced by nftables. They want to ensure that RHEL7 to
> RHEL8 upgrades seamlessly migrate their iptables configuration to nftables. 

Note that we did not exactly replace iptables by nftables, but we replaced
iptables-legacy by iptables-nft (which uses nftables internally).

> 4. Why does the customer need this? (List the business requirements here)
> They have a very large estate consisting of over 600 RHEL desktop users, and
> need to avoid making manual interventions in these upgrades. 

The RHEL8 iptables package is supposed to be drop-in compatible with the RHEL7
one. If manual intervention is required in iptables-related configuration when
upgrading from RHEL7 to RHEL8, this should be considered a bug and reported to
us.

> 5. How would the customer like to achieve this? (List the functional
> requirements here)
> - iptables packages should be removed during upgrade
> - iptables configuration should be migrated to nftables without requiring
> user intervention

While this would be a cool thing to have, I fear it is beyond what we could
support at this point. Not every match and target existing in iptables is
supported by nftables yet (and some never will be), so while fully automated
migration is in theory possible using the iptables-translate tool, there is a
certain unavoidable risk of breaking the setup while doing so.

> 6. For each functional requirement listed, specify how Red Hat and the
> customer can test to confirm the requirement is successfully implemented.
> Perform an inplace upgrade, and check post-upgrade that nftables
> functionality mirrors the previous iptables configuration. 

This would require not only static analysis of rulesets before and after the
upgrade but also functional tests - nothing one could achieve easily. Real
migration from iptables to nftables must be done on a per-case basis and
requires familiarity with both tools. For the time being, we provide an iptables
package which installs the nftables variants in RHEL8. It is drop-in compatible
in accepted input (i.e., existing rulesets) and output but sets up firewalling
in the kernel using nftables. This differs from a migration in that it reuses
legacy iptables matches and targets in kernel space unless there are practical
reasons to use native nftables statements instead (and it is safe to do so).

I'll hereby close the ticket because I don't see how we could implement (and
maintain) the requested feature and there is no urgent need for it. Feel free
to reopen in case you disagree.

Cheers, Phil
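The static before/after ruleset comparison mentioned in the comment (and the post-upgrade check proposed in item 6 of the request) can be partly mechanised. As an added example, not code from the ticket or from the iptables/nftables projects, this script normalises two iptables-save dumps (constructed sample input below) and reports default-policy, rule and ordering differences for a human to review; it deliberately does not try to judge whether a rewritten rule is semantically equivalent, which is the per-case work the comment describes.

```python
# Added example, not from the ticket: static diff of two iptables-save dumps
# (e.g. RHEL7 before an in-place upgrade vs RHEL8 with iptables-nft after).
import re
# Constructed pre-upgrade dump.
BEFORE = """\
*filter
:INPUT DROP [1234:56789]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
# Constructed post-upgrade dump: counters differ (harmless) and the state match
# now reads as a conntrack match, which only a human can judge as equivalent.
AFTER = """\
*filter
:INPUT DROP [17:1020]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
COUNTER = re.compile(r"\s*\[\d+:\d+\]")  # [packets:bytes] counters
EMPTY = {"policies": {}, "rules": []}

def parse_ruleset(text):
    """Map table -> chain policies and ordered rules; comments/counters dropped."""
    tables, table = {}, None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line[0] == "*":  # table header, e.g. *filter
            table = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line[0] == ":":  # chain declaration with default policy
            chain, policy = COUNTER.sub("", line[1:]).split()
            table["policies"][chain] = policy
        elif line[0] != "#" and line != "COMMIT":  # a rule line; order matters
            table["rules"].append(COUNTER.sub("", line).strip())
    return tables

def compare_rulesets(before_text, after_text):
    """List differences for review; an empty list means the dumps agree."""
    before, after = parse_ruleset(before_text), parse_ruleset(after_text)
    diffs = []
    for name in sorted(set(before) | set(after)):
        b, a = before.get(name, EMPTY), after.get(name, EMPTY)
        for chain in sorted(set(b["policies"]) | set(a["policies"])):
            if b["policies"].get(chain) != a["policies"].get(chain):
                diffs.append(f"{name}/{chain}: default policy changed")
        diffs += [f"{name}: missing after upgrade: {r}" for r in b["rules"] if r not in a["rules"]]
        diffs += [f"{name}: new after upgrade: {r}" for r in a["rules"] if r not in b["rules"]]
        if [r for r in b["rules"] if r in a["rules"]] != [r for r in a["rules"] if r in b["rules"]]:
            diffs.append(f"{name}: order of surviving rules changed")
    return diffs
```

Run it against `iptables-save` output captured before and after the upgrade; any line it prints is a candidate for the manual review the comment calls for, not proof of breakage.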

