Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fcos-base: add utils for static firewalling #40

Merged
merged 1 commit into from
Jan 22, 2019
Merged

fcos-base: add utils for static firewalling #40

merged 1 commit into from
Jan 22, 2019

Conversation

lucab
Copy link
Contributor

@lucab lucab commented Jan 10, 2019

This adds utils and service units for loading static firewalling rules,
supporting both iptables and nftables flavors.
Ref: coreos/fedora-coreos-tracker#103

@lucab
Copy link
Contributor Author

lucab commented Jan 10, 2019

I cross-checked packages name/content on F29, but I didn't run this through a composer run.

/cc @dustymabe

@dustymabe
Copy link
Member

i'll run through an assembler run :) - thanks luca

@dustymabe dustymabe mentioned this pull request Jan 10, 2019
Merged
@dustymabe
Copy link
Member

ok so with this change to the configs the change that was applied to the ostree was this:

[dustymabe@media repo]$ rpm-ostree --repo=./ db diff fedora/29/x86_64/coreos^ fedora/29/x86_64/coreos
ostree diff commit old: fedora/29/x86_64/coreos^ (95c547351440987a8c28e7671f35ca41dae0639853f7d39c243dd25418134918)
ostree diff commit new: fedora/29/x86_64/coreos (4f4db64f70730c870460328350e75821738ca2bb2680d9f241ce33f25cdda578)
Removed:
  iptables-services-1.8.0-3.fc29.x86_64
Added:
  iptables-nft-1.8.0-3.fc29.x86_64

@dustymabe
Copy link
Member

is it safe to say we still need the iptables-services rpm?

@lucab
fcos-base: add utils for static firewalling
1a1ba3b 
This adds utils and service units for loading static firewalling rules,
supporting both iptables and nftables flavors.
Ref: coreos/fedora-coreos-tracker#103
@lucab lucab force-pushed the ups/static-firewall branch from 65046b3 to 1a1ba3b Compare January 18, 2019 13:33
@lucab
Copy link
Contributor Author

lucab commented Jan 18, 2019

I've added back the iptables-services package. Even though I still believe it is (two layers) of initrc compat, I don't have enough knowledge about compat layers in fedora. For reference, ContainerLinux has dedicated restoring units which are straightforward: https://gitweb.gentoo.org/repo/gentoo.git/tree/net-firewall/iptables/files/systemd/iptables-restore.service. However, I fear fedora does not currently provide those.

@dustymabe
Copy link
Member

However, I fear fedora does not currently provide those.

yes, I have the same concern.. Could you open a BZ against iptables-services rpm and start a discussion ?

@lucab
Copy link
Contributor Author

lucab commented Jan 21, 2019

@dustymabe ack, reported https://bugzilla.redhat.com/show_bug.cgi?id=1667875 for clarification/RFE.

@dustymabe
Copy link
Member

thanks.. finally got around to testing this.. LGTM

@dustymabe dustymabe merged commit 6551a97 into coreos:master Jan 22, 2019
@dustymabe dustymabe mentioned this pull request Jan 22, 2019
Closed
c4rt0 pushed a commit to c4rt0/fedora-coreos-config that referenced this pull request Mar 27, 2023
@openshift-merge-robot
Merge pull request coreos#40 from cgwalters/db-diff
54f3f6b 
treecompose: Add db-diff
dustymabe pushed a commit to jbtrystram/fedora-coreos-config that referenced this pull request Apr 19, 2024
@miabbott
static-ip-config: fix FCCT file contents (coreos#40)
d2e8c3c 
This fixes the FCCT example to be able to be used and provides some
additional information about workarounds for the static IP config not
working right away.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dustymabe dustymabe dustymabe left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lucab @dustymabe