Bug 2069852
| Summary: | iptables-services is empty | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Michel Lind <michel> |
| Component: | iptables | Assignee: | Phil Sutter <psutter> |
| Status: | CLOSED MIGRATED | QA Contact: | qe-baseos-daemons |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | CentOS Stream | CC: | bstinson, davide, jwboyer, kcleveng, michel, todoleza |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Reopened |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 2065788 | Environment: | |
| Last Closed: | 2023-09-21 10:04:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2065788 | | |
| Bug Blocks: | | | |
Description
Michel Lind
2022-03-29 21:23:46 UTC
Phil Sutter (comment #1)

Hi,

Why don't you use iptables-nft-services? Are you really depending on legacy iptables in C9S? If so, why?

Cheers, Phil

Michel Lind

(In reply to Phil Sutter from comment #1)
> Hi,
>
> Why don't you use iptables-nft-services? Are you really depending on legacy
> iptables in C9S? If so, why?

Yes, we are - it's a long story :( (Though that also means we're not affected by the recent nftables CVEs.)

TL;DR - we run custom kernels, and for internal reasons we don't support NFT.

By the way, Phil, any idea why the c9s iptables.spec has legacy subpackages obsoleting older non-legacy ones, but the Fedora spec doesn't? Seems to be introduced in this commit on the CentOS side:

https://gitlab.com/redhat/centos-stream/rpms/iptables/-/commit/4a68e9f94a009775f3133e69780c375979740e2e

(We're noticing this because I rebased the EPEL one to the latest Stream spec, and it's not installable because -30 has not made it out past QA yet, and we noticed the Obsoletes line. Even without that it would have FTIed anyway.)

Phil Sutter

(In reply to Michel Alexandre Salim from comment #4)
> By the way, Phil, any idea why the c9s iptables.spec has legacy subpackages
> obsoleting older non-legacy ones, but the Fedora spec doesn't?

I think this is to accommodate upgrades, maybe from CentOS8 to CentOS9. I don't quite remember, sorry.

Originally, the plan was to ship legacy iptables with C9S or at least build packages for it, but it seems this never worked (and I didn't check). At least I just noticed that:

```
%global do_legacy_pkg ! 0%{?rhel}
```

does not distinguish between RHEL9 and C9S, as %rhel is defined for the latter, too.

The reason why iptables' spec file is so complicated is that the existence of legacy ebtables and arptables packages is assumed, and the legacy services packages conflict with iptables-nft-services.

To my surprise though, legacy arptables and ebtables packages were retired from C9S a year ago. So we might just drop all these workarounds.

So what do you need for EPEL? Does an iptables-legacy package like in Fedora suffice? Are you fine with having to flip a switch in the spec file to build it? Otherwise we'll have to actively exclude it from RHEL9, I guess.

Cheers, Phil

Closing for lack of feedback from reporter.

Michel Lind

(In reply to Phil Sutter from comment #6)
> So what do you need for EPEL? Does an iptables-legacy package like in Fedora
> suffice? Are you fine with having to flip a switch in spec file to build it?
> Otherwise we'll have to actively exclude it from RHEL9, I guess.

Ideally this MR is merged: https://gitlab.com/redhat/centos-stream/rpms/iptables/-/merge_requests/27

This basically fixes the empty service file. We want to keep the iptables-epel spec as close as possible to the CentOS Stream spec - but if you want to clean up the Stream spec to drop the legacy parts completely, that works too. The middle ground where the legacy parts are present but disabled, *but* buggy, makes it hard to keep the iptables-epel package (which ships only the legacy packages) in sync.

Thanks!

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to the Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.