Nftables support
kabakaev opened this issue · comments
As of now, the nftables backend is not implemented.
Hence, it is not possible to run netavark on a Linux kernel with nftables modules and without iptables.
Altough the CONFIG_NFT_MASQ kernel config is enabled, the /usr/sbin/iptables-nft alternative iptables CLI cannot emulate the masquerade action and complains:
Error: netavark: unable to append rule '! -d 224.0.0.0/4 -j MASQUERADE' to table 'nat': code: 4, msg: Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.9 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain NETAVARK-1700E948C4CCE
Supposedly, native nftables driver should fix the issue.
iptables-nft should work, to my understanding distros like RHEL do not even ship the legacy iptables command and I know netavark works on RHEL. So I suggest you take a look at their kernel config.
I also tested iptables-nft on fedora before and it seems to work there as well.
But yes a proper nftables driver is on our TODO list, it just hasn't gotten enough prioritization so far.
Indeed, it works fine on a normal kernel in any distro. I'm referring to my case of an embedded system with pure nftables compiled in kernel, without CONFIG_NFT_COMPAT module for iptables/xt_tables compatibility.
Yes I guess it is not possible at the moment then. Would you be interested in contributing this feature?
I would love this feature as well. As a DevOps engineer it becomes a bit annoying when you have a standard deployed e.g. with Ansible and then again you get pulled back into reality when you get reminded that it won't work with podman hosts...
Hello,
I am having the same issue, however it should not happen to me as I have the latest podman and netavark versions. Please help me with troubleshooting, thanks!
Details
Error: netavark: unable to append rule '! -d 224.0.0.0/4 -j MASQUERADE' to table 'nat': code: 4, msg: Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.9 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain NETAVARK-1D8721804F16F
admin@fedora:~$ sudo podman info --debug
host:
arch: amd64
buildahVersion: 1.33.2-dev
cgroupControllers:
- cpuset
- cpu
- io
- memory
- hugetlb
- pids
- rdma
- misc
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon-2.1.8-2.fc39.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.1.8, commit: '
cpuUtilization:
idlePercent: 94.38
systemPercent: 3.17
userPercent: 2.45
cpus: 1
databaseBackend: sqlite
distribution:
distribution: fedora
version: "39"
eventLogger: journald
freeLocks: 2045
hostname: fedora
idMappings:
gidmap: null
uidmap: null
kernel: 6.6.13-200.fc39.x86_64
linkmode: dynamic
logDriver: journald
memFree: 970092544
memTotal: 1493110784
networkBackend: netavark
networkBackendInfo:
backend: netavark
dns:
package: aardvark-dns-1.9.0-1.20240124201435179069.main.26.g2fddbdf.fc39.x86_64
path: /usr/libexec/podman/aardvark-dns
version: aardvark-dns 1.11.0-dev
package: netavark-1.10.1-1.20240126120738774699.main.4.gca3cf7a.fc39.x86_64
path: /usr/libexec/podman/netavark
version: netavark 1.11.0-dev
ociRuntime:
name: crun
package: crun-1.14-1.20240124163144650285.main.1.g6507628.fc39.x86_64
path: /usr/bin/crun
version: |-
crun version UNKNOWN
commit: ef91050a09bb69cfaea8084e92969b18e84db0a8
rundir: /run/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
os: linux
pasta:
executable: /usr/bin/pasta
package: passt-0^20231230.gf091893-1.fc39.x86_64
version: |
pasta 0^20231230.gf091893-1.fc39.x86_64
Copyright Red Hat
GNU General Public License, version 2 or later
<https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
remoteSocket:
exists: true
path: /run/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: false
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: true
serviceIsRemote: false
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns-1.2.2-1.fc39.x86_64
version: |-
slirp4netns version 1.2.2
commit: 0ee2d87523e906518d34a6b423271e4826f71faf
libslirp: 4.7.0
SLIRP_CONFIG_VERSION_MAX: 4
libseccomp: 2.5.3
swapFree: 1492119552
swapTotal: 1492119552
uptime: 0h 3m 29.00s
variant: ""
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries:
search:
- registry.fedoraproject.org
- registry.access.redhat.com
- docker.io
- quay.io
store:
configFile: /usr/share/containers/storage.conf
containerStore:
number: 3
paused: 0
running: 0
stopped: 3
graphDriverName: overlay
graphOptions:
overlay.mountopt: nodev,metacopy=on
graphRoot: /var/lib/containers/storage
graphRootAllocated: 41872785408
graphRootUsed: 1915011072
graphStatus:
Backing Filesystem: btrfs
Native Overlay Diff: "false"
Supports d_type: "true"
Supports shifting: "true"
Supports volatile: "true"
Using metacopy: "true"
imageCopyTmpDir: /var/tmp
imageStore:
number: 1
runRoot: /run/containers/storage
transientStore: false
volumePath: /var/lib/containers/storage/volumes
version:
APIVersion: 5.0.0-dev-4bef65240
Built: 1706293970
BuiltTime: Fri Jan 26 18:32:50 2024
GitCommit: ""
GoVersion: go1.21.6
Os: linux
OsArch: linux/amd64
Version: 5.0.0-dev-4bef65240
UPD: adding NETAVARK_FW=nftables to the /etc/environment solves this issue.
You can set firewall driver from containers.conf via the firewall_driver option; see https://github.com/containers/common/blob/main/pkg/config/containers.conf#L355