FS#65608 - Enable nftables routing flags for linux-lts
Attached to Project:
Arch Linux
Opened by terusus (terusus) - Monday, 24 February 2020, 08:43 GMT
Last edited by Andreas Radke (AndyRTR) - Wednesday, 18 March 2020, 09:39 GMT
Details
Description:
With the newer versions (5+) of the kernel, support for some `nftables` functionality was dropped. For example, these flags for IPv4 (also missing for IPv6 respectively):

```
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
CONFIG_NFT_REDIR_IPV4=m
```

If this is not common functionality for all users and if it should not influence the majority of the systems, it is fine to drop it from the stable version of the kernel. However, I would argue that the LTS version of the kernel should be more versatile and have support for the `nftables` functionality. Please add the extra `nftables` functionality in the future versions of the kernel config for LTS.

Additional info:
* package version(s) -> linux-lts 5.4.21-1
* config and/or log files etc. -> config
* link to upstream bug report, if any -> none

Steps to reproduce (`/etc/nftables.conf`):

```
#!/usr/bin/nft -f
define real_nic = enp3s0
define virtual_nic = tap0

table inet filter {
    chain input {
        type filter hook input priority 0;
        # allow established/related connections
        ct state {established, related} accept
        # early drop of invalid connections
        ct state invalid drop
        # allow from loopback
        iif lo accept
        # allow icmp
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # allow ssh
        tcp dport ssh limit rate 5/minute accept
        # last overrides
        jump input_extended
        # everything else
        reject with icmpx type port-unreachable
    }
    chain input_extended {
        udp dport domain iifname $virtual_nic accept
        udp dport bootps iifname $virtual_nic limit rate 5/minute accept
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}

table ip vm_nat {
    chain pre {
        type nat hook prerouting priority 0; policy accept;
        udp dport domain iifname $virtual_nic redirect
    }
    chain post {
        type nat hook postrouting priority 100; policy accept;
        ip saddr 192.168.1.0/24 oifname $real_nic masquerade
    }
}
```
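A ruleset like the one above fails at `nft -f` time if the running kernel lacks the nf_tables modules behind `nat`, `masquerade` and `redirect`. The script below, added here as an illustration and not part of the ticket or of Arch's packaging, is a pre-flight check that compares a kernel config against the symbols this ruleset needs, before touching the firewall. The `config_has`, `check_requirements` and `running_config` function names are my own. Each requirement lists alternatives separated by `|`: the pre-5.2 per-family symbol named in the report, or the unified symbol (`CONFIG_NFT_NAT`, `CONFIG_NFT_MASQ`, `CONFIG_NFT_REDIR`) that replaced it from Linux 5.2 on, so the check works on both old and new kernels. The sample config embedded in the script is constructed for the demo and is not a real Arch config.

```shell
#!/bin/sh
# Pre-flight check: does a kernel .config (or the contents of /proc/config.gz)
# provide the nf_tables options a given nftables ruleset needs?
# Added example code for this ticket; not Arch Linux's own tooling.

# Constructed sample config (not a real Arch config): unified 5.2+ symbols,
# with CONFIG_NFT_REDIR deliberately left unset to show a failing check.
SAMPLE_CONFIG='CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NFT_CT=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_NAT=m
CONFIG_NFT_MASQ=m
# CONFIG_NFT_REDIR is not set
'

# Symbols the ticket's ruleset depends on (hypothetical requirement list,
# assembled from the ruleset: inet table, ct, limit, reject, nat chains,
# masquerade, redirect). "old|new" means either spelling satisfies the check.
RULESET_NEEDS='CONFIG_NF_TABLES CONFIG_NF_TABLES_INET CONFIG_NFT_CT CONFIG_NFT_LIMIT
CONFIG_NFT_REJECT
CONFIG_NFT_CHAIN_NAT_IPV4|CONFIG_NFT_NAT
CONFIG_NFT_MASQ_IPV4|CONFIG_NFT_MASQ
CONFIG_NFT_REDIR_IPV4|CONFIG_NFT_REDIR'

# config_has CONFIG_TEXT SYMBOL -> success if SYMBOL is built in (=y) or a module (=m)
config_has() {
    printf '%s\n' "$1" | grep -Eq "^$2=(y|m)$"
}

# check_requirements CONFIG_TEXT REQ... -> prints one "missing: REQ" line per
# unsatisfied requirement and returns non-zero if any is missing.
check_requirements() {
    config="$1"; shift
    missing=0
    for req in "$@"; do
        ok=1
        oldifs=$IFS; IFS='|'
        for sym in $req; do
            if config_has "$config" "$sym"; then ok=0; break; fi
        done
        IFS=$oldifs
        if [ "$ok" -ne 0 ]; then
            printf 'missing: %s\n' "$req"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# running_config -> the running kernel's config, from /proc/config.gz
# (needs CONFIG_IKCONFIG_PROC) or the distro-installed /boot/config-<release>.
running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no kernel config found (no /proc/config.gz or /boot/config-$(uname -r))" >&2
        return 1
    fi
}

# With --live, check the running kernel; otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ]; then
    check_requirements "$(running_config)" $RULESET_NEEDS
else
    if check_requirements "$SAMPLE_CONFIG" $RULESET_NEEDS; then
        echo "sample config satisfies the ruleset"
    else
        echo "sample config would not load the ruleset (see missing: lines above)"
    fi
fi
```

Run it with `--live` on the target machine before `nft -f /etc/nftables.conf`; a non-zero exit with `missing:` lines tells you which module is absent from the kernel rather than leaving you to decode the `Operation not supported` error nft prints when a chain type or expression has no kernel backing.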
Closed by Andreas Radke (AndyRTR)
Wednesday, 18 March 2020, 09:39 GMT
Reason for closing: Won't implement
Additional comments about closing: We don't add any feature back. ARCH will stay upstream here. Use a custom built kernel or some AUR maintained kernel.