[meta-networking,3/5] networkmanager: use nftables by default

Message ID 20220606220137.1887491-4-adrian.freihofer@siemens.com
State Under Review
Series networkmanager modemmanager updates

Commit Message

Adrian Freihofer June 6, 2022, 10:01 p.m. UTC
From NEWS file of networkmanager 1.32:

firewall: add nftables firewall backend for configuring IPv4 NAT with
shared mode. Now two backends are supported, "iptables" and "nftables".
The default gets detected based on whether /usr/sbin/nft or
/usr/sbin/iptables is installed, with nftables preferred.

With this change nftables is not the preferred backend also with OE. But
it's still possible to set NETWORKMANAGER_FIREWALL_DEFAULT back to
iptables.

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
---
 .../networkmanager/networkmanager_1.36.2.bb                 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Andreas Müller June 7, 2022, 7:29 a.m. UTC | #1
Hi Adrian,

just out of curiosity: Why do you suggest to prefer nftables over iptables?

Andreas

On Tue, Jun 7, 2022 at 12:01 AM Adrian Freihofer
<adrian.freihofer@gmail.com> wrote:
>
> From NEWS file of networkmanager 1.32:
>
> firewall: add nftables firewall backend for configuring IPv4 NAT with
> shared mode. Now two backends are supported, "iptables" and "nftables".
> The default gets detected based on whether /usr/sbin/nft or
> /usr/sbin/iptables is installed, with nftables preferred.
>
> With this change nftables is not the preferred backend also with OE. But
> it's still possible to set NETWORKMANAGER_FIREWALL_DEFAULT back to
> iptables.
>
> Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
> ---
>  .../networkmanager/networkmanager_1.36.2.bb                 | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb
> index 9fc43dceb5..55eb3e7024 100644
> --- a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb
> +++ b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb
> @@ -42,6 +42,10 @@ NETWORKMANAGER_DNS_RC_MANAGER_DEFAULT ??= "auto"
>  # ['dhcpcanon', 'dhclient', 'dhcpcd', 'internal', 'nettools']
>  NETWORKMANAGER_DHCP_DEFAULT ??= "internal"
>
> +# The default gets detected based on whether /usr/sbin/nft or /usr/sbin/iptables is installed, with nftables preferred.
> +# ['', 'iptables', 'nftables']
> +NETWORKMANAGER_FIREWALL_DEFAULT ??= "nftables"
> +
>  EXTRA_OEMESON = "\
>      -Difcfg_rh=false \
>      -Dtests=yes \
> @@ -238,7 +242,7 @@ FILES:${PN}-daemon += " \
>      ${systemd_system_unitdir} \
>  "
>  RRECOMMENDS:${PN}-daemon += "\
> -    iptables \
> +    ${NETWORKMANAGER_FIREWALL_DEFAULT} \
>      ${@bb.utils.filter('PACKAGECONFIG', 'dnsmasq', d)} \
>  "
>  INITSCRIPT_NAME:${PN}-daemon = "network-manager"
> --
> 2.35.3
Khem Raj June 7, 2022, 5:27 p.m. UTC | #2
On Tue, Jun 7, 2022 at 10:26 AM Adrian Freihofer
<adrian.freihofer@gmail.com> wrote:
>
> Hi Andreas
>
> Good question. I changed it back and forth before I sent it to the
> mailing list. I finally changed it to the NetworkManager defaults (they
> changed it a few versions ago). I think it can easily be changed back.
> And after the LTS release, it's a good time to point out that nftables
> should be considered for future builds.

I think if defaults have changed to use nftables then this change is fine.

>
> But there is no strong argument for it. I'm also fine to put it on
> iptables.
>
> Maybe a distro feature to set a preference for iptables or nftables
> would also be useful. There are now various packages that support both
> configurably.
>
> Regards,
> Adrian
>
> On Tue, 2022-06-07 at 09:29 +0200, Andreas Müller wrote:
> > Hi Adrian,
> >
> > just out of curiosity: Why do you suggest to prefer nftables over iptables?
> >
> > Andreas
> >
> > On Tue, Jun 7, 2022 at 12:01 AM Adrian Freihofer
> > <adrian.freihofer@gmail.com> wrote:
> > >
> > > From NEWS file of networkmanager 1.32:
> > >
> > > firewall: add nftables firewall backend for configuring IPv4 NAT with
> > > shared mode. Now two backends are supported, "iptables" and "nftables".
> > > The default gets detected based on whether /usr/sbin/nft or
> > > /usr/sbin/iptables is installed, with nftables preferred.
> > >
> > > With this change nftables is not the preferred backend also with OE. But
> > > it's still possible to set NETWORKMANAGER_FIREWALL_DEFAULT back to
> > > iptables.
> > >
> > > Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
> > > ---
> > >  .../networkmanager/networkmanager_1.36.2.bb                 | 6 +++++-
> > >  1 file changed, 5 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb
> > > index 9fc43dceb5..55eb3e7024 100644
> > > --- a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb
> > > +++ b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb
> > > @@ -42,6 +42,10 @@ NETWORKMANAGER_DNS_RC_MANAGER_DEFAULT ??= "auto"
> > >  # ['dhcpcanon', 'dhclient', 'dhcpcd', 'internal', 'nettools']
> > >  NETWORKMANAGER_DHCP_DEFAULT ??= "internal"
> > >
> > > +# The default gets detected based on whether /usr/sbin/nft or /usr/sbin/iptables is installed, with nftables preferred.
> > > +# ['', 'iptables', 'nftables']
> > > +NETWORKMANAGER_FIREWALL_DEFAULT ??= "nftables"
> > > +
> > >  EXTRA_OEMESON = "\
> > >      -Difcfg_rh=false \
> > >      -Dtests=yes \
> > > @@ -238,7 +242,7 @@ FILES:${PN}-daemon += " \
> > >      ${systemd_system_unitdir} \
> > >  "
> > >  RRECOMMENDS:${PN}-daemon += "\
> > > -    iptables \
> > > +    ${NETWORKMANAGER_FIREWALL_DEFAULT} \
> > >      ${@bb.utils.filter('PACKAGECONFIG', 'dnsmasq', d)} \
> > >  "
> > >  INITSCRIPT_NAME:${PN}-daemon = "network-manager"
> > > --
> > > 2.35.3
Andreas Müller June 11, 2022, 11:46 a.m. UTC | #3
On Tue, Jun 7, 2022 at 7:26 PM Adrian Freihofer
<adrian.freihofer@gmail.com> wrote:
>
> Hi Andreas
>
> Good question. I changed it back and forth before I sent it to the
> mailing list. I finally changed it to the NetworkManager defaults (they
> changed it a few versions ago). I think it can easily be changed back.
> And after the LTS release, it's a good time to point out that nftables
> should be considered for future builds.
>
> But there is no strong argument for it. I'm also fine to put it on
> iptables.
>
> Maybe a distro feature to set a preference for iptables or nftables
> would also be useful. There are now various packages that support both
> configurably.
>
Thanks for the detailed background. I am fine with following their
suggestion, and in case of issues it is simple to undo.

Cheers,

Andreas
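One way to realise the distro-feature preference Adrian floats above, as an added example that is not part of this patch or of meta-networking: it assumes a hypothetical DISTRO_FEATURE named nftables and is meant for a distro config or a networkmanager_%.bbappend; NETWORKMANAGER_FIREWALL_DEFAULT is the variable the patch introduces, and the allowed values are the three the recipe comment lists.

```bitbake
# Added example, not from the patch: pick the NetworkManager firewall
# backend from a hypothetical "nftables" DISTRO_FEATURE. "?=" is used so
# this wins over the recipe's weak "??=" default whether the line lives in
# conf/distro/*.conf (parsed before the recipe) or in a .bbappend.
NETWORKMANAGER_FIREWALL_DEFAULT ?= "${@bb.utils.contains('DISTRO_FEATURES', 'nftables', 'nftables', 'iptables', d)}"

# The variable is substituted verbatim into RRECOMMENDS:${PN}-daemon, so a
# value outside the documented choices ('', 'iptables', 'nftables') would
# silently become a dangling package recommendation. Fail at parse time
# instead, so a misconfigured distro is caught before an image is built.
python __anonymous() {
    backend = d.getVar('NETWORKMANAGER_FIREWALL_DEFAULT') or ''
    if backend not in ('', 'iptables', 'nftables'):
        bb.fatal("NETWORKMANAGER_FIREWALL_DEFAULT must be '', 'iptables' or 'nftables', got '%s'" % backend)
}
```

With the empty value NetworkManager falls back to its own runtime detection, so an image using '' must still install one of the two tools itself.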

Patch

diff --git a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb
index 9fc43dceb5..55eb3e7024 100644
--- a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb
+++ b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb
@@ -42,6 +42,10 @@  NETWORKMANAGER_DNS_RC_MANAGER_DEFAULT ??= "auto"
 # ['dhcpcanon', 'dhclient', 'dhcpcd', 'internal', 'nettools']
 NETWORKMANAGER_DHCP_DEFAULT ??= "internal"
 
+# The default gets detected based on whether /usr/sbin/nft or /usr/sbin/iptables is installed, with nftables preferred.
+# ['', 'iptables', 'nftables']
+NETWORKMANAGER_FIREWALL_DEFAULT ??= "nftables"
+
 EXTRA_OEMESON = "\
     -Difcfg_rh=false \
     -Dtests=yes \
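Review bot: nothing in this hunk, or anywhere else in the visible diff (5 insertions, 1 deletion), passes NETWORKMANAGER_FIREWALL_DEFAULT to meson, so the new variable only steers the RRECOMMENDS change in the next hunk while the daemon's built-in default remains whatever NetworkManager detects at runtime; if the intent is to fix the backend at build time, add the matching -D option to EXTRA_OEMESON, otherwise name the variable for what it does (it selects the recommended package, not the backend). The copied comment also restates upstream's runtime detection ("with nftables preferred") rather than explaining the recipe knob; a short line saying that '' keeps auto-detection and the other two values pin the backend would make the listed choices self-explanatory.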
@@ -238,7 +242,7 @@  FILES:${PN}-daemon += " \
     ${systemd_system_unitdir} \
 "
 RRECOMMENDS:${PN}-daemon += "\
-    iptables \
+    ${NETWORKMANAGER_FIREWALL_DEFAULT} \
     ${@bb.utils.filter('PACKAGECONFIG', 'dnsmasq', d)} \
 "
 INITSCRIPT_NAME:${PN}-daemon = "network-manager"
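Review bot: with '' among the documented choices, a distro that selects the empty value (auto-detection) now gets no firewall package at all from RRECOMMENDS:${PN}-daemon, whereas the removed line always pulled in iptables; per the commit message the backend is chosen by looking for /usr/sbin/nft or /usr/sbin/iptables, so on such an image shared-mode NAT would find neither unless something else installs one. Consider a fallback such as `${@d.getVar('NETWORKMANAGER_FIREWALL_DEFAULT') or 'iptables'} \`. Since the value is also used verbatim as a package name, an unexpected setting becomes a silently dangling recommendation; a parse-time check (bb.fatal on anything other than the three listed values) would surface that early.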