RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1659544 - RFE: On inplace upgrade to RHEL8, iptables configuration should be seamlessly migrated to nftables
Summary: RFE: On inplace upgrade to RHEL8, iptables configuration should be seamlessly...
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: nftables
Version: 8.0
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: 8.0
Assignee: Phil Sutter
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-12-14 16:18 UTC by afox@redhat.com
Modified: 2018-12-18 16:04 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-18 16:04:43 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description afox@redhat.com 2018-12-14 16:18:54 UTC 
1. Proposed title of this feature request
Seamless migration of iptables to nftables during RHEL8 inplace upgrades

2. Who is the customer behind the request?
Account: 748231
TAM customer: Yes
SRM customer: Yes
Strategic: Yes748231

3. What is the nature and description of this request? 
Following the second RHEL8 town hall, the customer has discovered that iptables will be replaced by nftables. They want to ensure that RHEL7 to RHEL8 upgrades seamlessly migrate their iptables configuration to nftables. 

4. Why does the customer need this? (List the business requirements here)
They have a very large estate consisting of over 600 RHEL desktop users, and need to avoid making manual interventions in these upgrades. 

5. How would the customer like to achieve this? (List the functional requirements here)
- iptables packages should be removed during upgrade
- iptables configuration should be migrated to nftables without requiring user intervention

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Perform an inplace upgrade, and check post-upgrade that nftables functionality mirrors the previous iptables configuration. 

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
Not that I can find.

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL6, RHEL7)?
RHEL 8 GA

9. Is the sales team involved in this request and do they have any additional input?
No. 

10. List any affected packages or components.
nftables

11. Would the customer be able to assist in testing this functionality if implemented?
Yes
Comment 1 Phil Sutter 2018-12-18 16:04:43 UTC 
Hi afox,

(In reply to afox from comment #0)
> 1. Proposed title of this feature request
> Seamless migration of iptables to nftables during RHEL8 inplace upgrades
> 
> 2. Who is the customer behind the request?
> Account: 748231
> TAM customer: Yes
> SRM customer: Yes
> Strategic: Yes748231
> 
> 3. What is the nature and description of this request? 
> Following the second RHEL8 town hall, the customer has discovered that
> iptables will be replaced by nftables. They want to ensure that RHEL7 to
> RHEL8 upgrades seamlessly migrate their iptables configuration to nftables. 

Note that we did not exactly replace iptables by nftables, but we replaced
iptables-legacy by iptables-nft (which uses nftables internally).

> 4. Why does the customer need this? (List the business requirements here)
> They have a very large estate consisting of over 600 RHEL desktop users, and
> need to avoid making manual interventions in these upgrades. 

RHEL8 iptables package is supposed to be drop-in compatible with RHEL7 one. If
manual intervention is required in iptables-related configuration when
upgrading from RHEL7 to RHEL8, this should be considered a bug and reported to
us.

> 5. How would the customer like to achieve this? (List the functional
> requirements here)
> - iptables packages should be removed during upgrade
> - iptables configuration should be migrated to nftables without requiring
> user intervention

While this would be a cool thing to have, I fear it is beyond what we could
support at this point. Not every match and target existing in iptables is
supported by nftables yet (and some never will), so while fully automated
migration in theory is possible by using iptables-translate tool, there is a
certain unavoidable risk of breaking the setup while doing so.

> 6. For each functional requirement listed, specify how Red Hat and the
> customer can test to confirm the requirement is successfully implemented.
> Perform an inplace upgrade, and check post-upgrade that nftables
> functionality mirrors the previous iptables configuration. 

This would not only require static analysis of rulesets before and after the
upgrade but also functional tests - nothing one could achieve easily. Real
migration from iptables to nftables must be done on a per-case basis and
requires familiarity with both tools. For the time being, we provide iptables
package which installs nftables-variants in RHEL8. It is drop-in compatible in
accepted input (i.e., existing rulesets) and output but sets up firewalling in
kernel using nftables. This is different from a migration in that it reuses
legacy iptables matches and targets in kernel space unless there are practical
reasons to use native nftables statements instead (and it is safe to do so).

I'll hereby close the ticket because I don't see how we could implement (and
maintain) the requested feature and there is no urgent need for it. Feel free
to reopen in case you disagree.

Cheers, Phil
Note You need to log in before you can comment on or make changes to this bug.