RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1817265 - [spec] Disable libiptc support in RHEL8
Summary: [spec] Disable libiptc support in RHEL8
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: systemd
Version: 8.3
Hardware: Unspecified
OS: Unspecified
urgent
unspecified
Target Milestone: rc
: 8.3
Assignee: Jan Macku
QA Contact: Frantisek Sumsal
URL:
Whiteboard:
Depends On:
Blocks: 2064592
TreeView+ depends on / blocked
 
Reported: 2020-03-26 00:53 UTC by Phil Sutter
Modified: 2022-04-05 13:58 UTC (History)
11 users (show)

Fixed In Version: systemd-239-48.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1934638 1940893 2064592 (view as bug list)
Environment:
Last Closed: 2021-11-09 19:54:49 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:4469 0 None None None 2021-11-09 19:55:24 UTC

Description Phil Sutter 2020-03-26 00:53:58 UTC 
For RHEL8, we decided to go with iptables-nft as a full replacement to legacy
iptables. Sadly, doing so we forgot about libiptc. This means that applications
creating rules via libiptc add them to legacy xtables hooks in kernel which are
not manageable from iptables-nft and probably don't work as expected, either.

I searched systemd package dist-git history and it seems libiptc support was
never explicitly enabled but came in via a rebase. Is this correct or do you
have a use-case requiring libiptc (and the associated firewalling
functionality)?

Considering the next steps, did you consider interfacing with firewalld once?
Comment 1 David Tardon 2020-03-26 12:35:46 UTC 
It seems libiptc is only needed for networkd, which we disable, and systemd-nspawn, where it's used to implement the --port= option. This is no change compared to RHEL7, so I think libiptc should continue to be disabled.
Comment 2 Phil Sutter 2020-03-27 12:43:15 UTC 
Hi David,

(In reply to David Tardon from comment #1)
> It seems libiptc is only needed for networkd, which we disable, and
> systemd-nspawn, where it's used to implement the --port= option. This is no
> change compared to RHEL7, so I think libiptc should continue to be disabled.

Thanks for the clarification. I don't comprehend what you mean with "continue
to be disabled", though: In RHEL8.2, systemd is configured with
'-Dlibiptc=true'. Are you suggesting to set that to 'false'? I would welcome
that change but can we tell if someone would miss the functionality?

Cheers, Phil
Comment 3 David Tardon 2020-03-29 15:06:33 UTC 
I meant "continue to be disabled, as it was in RHEL-7". Or, in other words, to disable it again starting with RHEL-8.3.
Comment 4 Phil Sutter 2020-03-30 15:04:30 UTC 
Hi David,

(In reply to David Tardon from comment #3)
> I meant "continue to be disabled, as it was in RHEL-7". Or, in other words,
> to disable it again starting with RHEL-8.3.

Ah, I wasn't aware it is disabled in RHEL7. Hereby updating the ticket to emphasize the request.

Thanks, Phil
Comment 6 Phil Sutter 2021-02-16 12:46:22 UTC 
What's the status here please? I would like to eliminate libiptc from RHEL9 entirely. Are you still positive about removing said dependency from systemd?
Comment 8 David Tardon 2021-02-18 11:50:01 UTC 
(In reply to Phil Sutter from comment #6)
> What's the status here please? I would like to eliminate libiptc from RHEL9
> entirely. Are you still positive about removing said dependency from systemd?

I don't think anything has changed since comment 1, so I'm pretty sure we are. In addition, current upstream code already uses nftables by default, with iptables just as a fallback, so libiptc will be even less needed in near future than it is now...
Comment 13 errata-xmlrpc 2021-11-09 19:54:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (systemd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4469
Note You need to log in before you can comment on or make changes to this bug.