Skip to content

nftables, firewalld: add to runmode#725

Closed
rtollert wants to merge 2 commits intoni:nilrt/master/kirkstonefrom
rtollert:dev/rtollert/kirkstone/nftables
Closed

nftables, firewalld: add to runmode#725
rtollert wants to merge 2 commits intoni:nilrt/master/kirkstonefrom
rtollert:dev/rtollert/kirkstone/nftables

Conversation

@rtollert
Copy link
Copy Markdown
Contributor

@rtollert rtollert commented Aug 29, 2024
edited
Loading

Summary of Changes

Add nftables (modern Linux packet filtering support) and firewalld (modern Linux high-level firewall administration tool) packages to runmode. At present, neither will be enabled, but they can be enabled by the user. The existing iptables initscript is unchanged. This is tracked by Azure DevOps workitem AB#2823118.

Testing

Built nilrt-base-system-image and confirmed it runs on a VM. nft runs; iptables still runs. firewall-cmd is not yet tested.

This change will grow the uncompressed BSI by approximately 9.5MB (!). The largest new files break down along the following lines:

Directory Size (KiB)
/usr/lib/python-3.10/ 2458
/usr/lib/girepository-1.0/ 724
/usr/lib/gobject-introspection/ 669
/usr/lib/*.so.* 1264
/lib/modules/ 870
/usr/*bin/ 897
/usr/share/licenses/ 341
/usr/share/firewalld/ 712

Several things about this seem problematic.

  • The entirety of the increased disk usage in /usr/lib/girepository-1.0/, /usr/lib/gobject-introspection/, and /usr/share/licenses/, and a substantial fraction of /usr/lib/python-3.10/ — perhaps 3 MiB in all — is solely due to firewalld's dependency on python3-pygobject, which in turn pulls in gobject-introspection, libcairo2 (!), libcairo-gobject2 (!!), python3-pycairo, etc.
  • The entirety of the disk usage in /usr/share/firewalld/ is due to a new file firewall-config.glade, which appears to solely exist for the sake of GTK3-based firewalld configuration UI; this appears to be installed as firewall-config; we don't need it, but if we need GTK3 anyway, I guess it can't hurt.
  • /usr/bin/firewall-applet is a python script which requires PyQt5 which is not installed.

I fear the gobject-related bits will be hard to remove; they've been in firewalld since 2012. That said, the only thing I can find so far that clearly requires it is DBus (?). I think I'm missing something.

  • I have built the core package feed with this PR in place. (bitbake packagefeed-ni-core)

Procedure

@rtollert
packagegroup-ni-runmode: add nftables
462ee86 
nftables is the modern packet filtering solution on Linux. The nftables
userspace can be installed alongside iptables, but in general, only one can be
enabled at once. This commit adds the userspace but does not do anything with
the present iptables-based firewall configuration.

At present, there are no plans to introduce nftables into safemode, so add it
to the runmode packagegroup, not base.

Signed-off-by: Rich Tollerton <rich.tollerton@ni.com>
@rtollert
packagegroup-ni-runmode: add firewalld
3e54fcb 
firewalld is the best-maintained high-level firewall administration tool on
Linux. We ultimately wish to replace our present direct use of iptables (via
initscript) with firewalld; but at present the existing configuration is
unchanged.

There are no plans at present to add firewalld to safemode. (Additionally,
firewalld presently depends on nftables, which is also not going to be in
safemode.) So add this specifically to runmode.
@rtollert
Copy link
Copy Markdown
Contributor Author

rtollert commented Aug 29, 2024
edited
Loading

@gratian @amstewart lemme know what sort of bar you think is acceptable for disk size increases; I'm not sure if I'm OK with where I'm at right now.

EDIT: Best I can offer on short notice is to cut the cairo bits out of python3-pygobject. Might be good for a meg?

EDIT: Nope, no real size savings from PACKAGEGROUP="".

@rtollert
Copy link
Copy Markdown
Contributor Author

rtollert commented Aug 30, 2024

New plan: nftables in runmode, firewalld in extras.

@amstewart
Copy link
Copy Markdown
Contributor

amstewart commented Aug 30, 2024

We're only targeting SNAC OE changes to the nilrt/master/next ref right now - which will become the NILRT 11.0 (scarthgap) release in 2025Q1.

RE: runmode sizes.
I'm not that worried about the 9MB increase. Our max runmode size threshold is somewhere around 1400MB and we have something like 500MB of headroom. 9MB is fine for a real unit of value like firewalld.

New plan: nftables in runmode, firewalld in extras.

The extras/ feed is disabled in the SNAC configuration. We can only install packages from feeds that we "officially support" - so the core feed.

@rtollert
Copy link
Copy Markdown
Contributor Author

rtollert commented Aug 30, 2024

New branch so new PR; closing in lieu of a PR to be created soon.

@rtollert rtollert closed this Aug 30, 2024
@rtollert rtollert deleted the dev/rtollert/kirkstone/nftables branch August 30, 2024 18:40
@rtollert rtollert mentioned this pull request Aug 30, 2024
Merged
2 tasks
@amstewart amstewart mentioned this pull request Sep 26, 2024
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rtollert @amstewart