DevHeads.net

Should we be reverting iptables to iptables-legacy for eoan?

Hi folks,

it turns out that lxd is broken by iptables now using the nft-based
stuff, because lxd is still using the legacy one from inside the
snap.

This provides a terrible experience because networking in lxd
is not working at all once you enable ufw.

I'd suggest we increase the priority of iptables-legacy for eoan,
so that it is the default, and move the switch to the xtables-nft-based
one to the next release.

This will allow us to have working lxd networking, and gives
the lxd team some breathing room.

Comments

Re: Should we be reverting iptables to iptables-legacy for eoan?

By Stéphane at 09/10/2019 - 12:32

Hi,

I'm strongly in the revert camp. This change landed in the release
pocket after Feature Freeze and effectively causes the majority of
software in the Ubuntu archive to rely on compatibility wrappers to
function.
Those wrappers aren't a perfect match for the tools they replace,
causing failures or, worse, succeeding but leading to non-matching
rules in nft.

Due to both legacy iptables and nft functioning at the same time, we
may also now be in the very confusing situation of having some rules
loaded into nft while some older tools load directly into iptables,
causing only half the rules to be visible.

I agree that nft is the future, but this needs coordination, we need
to figure out what packages in main are using
iptables/ip6tables/ebtables and make sure that they're either
perfectly compatible with the compat wrappers OR have native nft
support.
And for software that grows direct nft support, they will need to
detect whether nft is in use rather than just check if it's supported
by the kernel, that's necessary to avoid ending up with rules in both.

For LXD specifically, we think it would take us about 3 weeks of
engineering work to sort this in a way that can work on all
distributions, properly detecting and supporting:
- no nft present
- nft present but old iptables used
- nft present and used

The other problem we'll need to look into is that many of the nft
tools and user guides appear to start with doing a full clear of nft
before populating and using it, so that may cause some headaches
due to ordering, as LXD needs to add some rules and obviously doesn't
want things reset underneath it. nft is actually more flexible than
iptables for updating the ruleset, but we need to ensure it's set up
properly so we don't end up with surprises.

Stéphane

On Tue, Sep 10, 2019 at 5:12 PM Julian Andres Klode
<julian. ... at canonical dot com> wrote:
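As an added example, not code from this thread, from LXD or from the iptables packages, the POSIX shell script below makes the two problems Stéphane raises concrete: which of his three situations a host is in (no nft, nft present but legacy iptables in use, nft in use), and whether rules are split between the legacy xtables backend and nf_tables so that each tool shows only half of them. It relies on two things that hold for iptables 1.8 on Debian and Ubuntu: `iptables --version` prints `(nf_tables)` or `(legacy)` after the version, and both `iptables-legacy` and `iptables-nft` are installed alongside the `iptables` alternative. The mode labels, the decision that "nft present" means an `nft` binary is on PATH, and the sample rule listings (including the chain names in them) are my own constructions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread. The classification
# functions take command output as strings so they can be exercised
# offline; main() feeds them live output when the tools exist.

# "iptables --version" on 1.8 builds prints e.g.
#   iptables v1.8.3 (nf_tables)   or   iptables v1.8.3 (legacy)
iptables_backend() {
    case "$1" in
        "")              echo none ;;
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;   # pre-1.8 builds print no backend tag
    esac
}

# Stéphane's three situations. $1 is "yes" if an nft binary is on PATH
# (assumption: that is what "nft present" means here), $2 is the
# iptables --version output. If iptables itself writes nf_tables, the
# host is using nft whether or not the nft CLI is installed.
host_mode() {
    backend=$(iptables_backend "$2")
    case "$1:$backend" in
        *:nft)      echo "nft-used" ;;
        yes:legacy) echo "nft-present-legacy-iptables" ;;
        no:legacy)  echo "no-nft" ;;
        *)          echo "unknown" ;;
    esac
}

# Count "-A ..." lines in "iptables -S" style output. Policies ("-P") and
# chain declarations ("-N") are printed even for an empty table, so they
# must not be counted as rules.
rule_count() {
    printf '%s\n' "$1" | awk '/^-A /{n++} END{print n+0}'
}

# Given the legacy and nft listings, report where rules live. "split" is
# the state the thread warns about: each tool sees only part of the ruleset.
rule_placement() {
    legacy=$(rule_count "$1")
    nft=$(rule_count "$2")
    if [ "$legacy" -gt 0 ] && [ "$nft" -gt 0 ]; then echo split
    elif [ "$legacy" -gt 0 ]; then echo legacy-only
    elif [ "$nft" -gt 0 ]; then echo nft-only
    else echo empty
    fi
}

# Constructed sample listings (not captured from a real host): legacy
# xtables holding firewall rules, nf_tables holding one bridge rule.
SAMPLE_LEGACY='-P INPUT DROP
-P FORWARD DROP
-N ufw-before-input
-A INPUT -j ufw-before-input
-A ufw-before-input -i lo -j ACCEPT'
SAMPLE_NFT='-P INPUT ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT'

main() {
    have_nft=no
    command -v nft >/dev/null 2>&1 && have_nft=yes
    version=$(iptables --version 2>/dev/null || true)
    echo "iptables backend: $(iptables_backend "$version")"
    echo "host mode:        $(host_mode "$have_nft" "$version")"
    # Listing both backends exposes rules the selected "iptables" cannot see.
    if command -v iptables-legacy >/dev/null 2>&1 && command -v iptables-nft >/dev/null 2>&1; then
        legacy_rules=$(iptables-legacy -S 2>/dev/null || true)
        nft_rules=$(iptables-nft -S 2>/dev/null || true)
        echo "rule placement:   $(rule_placement "$legacy_rules" "$nft_rules")"
    else
        echo "sample placement: $(rule_placement "$SAMPLE_LEGACY" "$SAMPLE_NFT")"
    fi
}

main "$@"
```

On a Debian-family host the backend that `iptables` resolves to is chosen by the alternatives system, so `update-alternatives --display iptables` shows the current selection and `update-alternatives --set iptables /usr/sbin/iptables-legacy` is the per-host equivalent of the archive-wide revert Julian proposes; after switching, re-run the check to confirm the ruleset is no longer split.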