4 changes: 0 additions & 4 deletions rpm/SPECS/docker-ce.spec
@@ -25,11 +25,7 @@ Requires: iptables-nft
%else
Requires: iptables
%endif
%if %{undefined _no_libnftables}
# When dockerd is not linked against libnftables, the nftables package
# is not a hard requirement.
Requires: nftables
Contributor

Not an expert on nftables, so this might be a silly question, but is it safe to unconditionally require nftables, even for systems that don't use it?

My worry is that just installing Docker could alter the configuration of the user's system and e.g. stop using the existing iptables rules, or result in some conflict between iptables and nft?

Contributor Author

I don't think there's any conflict ... nftables, iptables-nft, and iptables can all be installed on a host.

Using iptables (legacy) and nftables / iptables-nft together in the same netns (mixing xtables and nftables) gets messy. But, even if a host's using legacy iptables, installing nftables won't cause a problem unless both are used.

And, this is RHEL 10 - so it'll probably have nftables, might have iptables-nft, and it's unlikely to have iptables-legacy (because they've moved the kernel module to kernel-modules-extra which "Provides kernel modules for rare hardware. Loading of the module is disabled by default.").
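A host check for the xtables/nf_tables mixing concern raised above, added here as an example and not part of the PR or the packaging repo; it assumes the usual `iptables -V` and `iptables -S` output formats, and the version strings and rule dumps it is exercised with are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the PR or the docker-ce packaging repo.
# It checks the concern raised above: whether a host already runs legacy
# xtables rules, in which case adding nf_tables rules (from nftables or
# iptables-nft) would mix both backends in one netns. Version strings and
# rule dumps fed to these functions are constructed samples in the usual formats.

# Classify the backend from an `iptables -V` line, e.g.
#   "iptables v1.8.10 (nf_tables)" -> nf_tables
#   "iptables v1.8.10 (legacy)"    -> legacy
iptables_backend() {
  case "$1" in
    *"(nf_tables)"*) echo nf_tables ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# "yes" if an iptables -S / iptables-save style dump holds real rules,
# i.e. anything beyond the "-P CHAIN POLICY" lines every table has.
xtables_rules_present() {
  printf '%s\n' "$1" | grep -v '^-P ' | grep -q '^-' && echo yes || echo no
}

# Combine both: only a legacy backend with rules loaded leads to mixing;
# an nf_tables backend already shares the kernel subsystem with nftables,
# and an unused legacy binary is harmless (as the discussion notes).
mixing_risk() {
  backend=$1; rules=$2
  if [ "$backend" = legacy ] && [ "$rules" = yes ]; then
    echo mixed
  else
    echo ok
  fi
}

# Live check on the current host; tools may be missing, so never fail hard.
main() {
  if ! command -v iptables >/dev/null 2>&1; then
    echo "iptables not installed: nothing to mix"; return 0
  fi
  b=$(iptables_backend "$(iptables -V 2>/dev/null || true)")
  r=$(xtables_rules_present "$(iptables -S 2>/dev/null || true)")
  rpm -q nftables iptables-nft iptables-legacy 2>/dev/null || true
  echo "backend=$b rules_loaded=$r -> $(mixing_risk "$b" "$r")"
}
main "$@"
```

Run it as root for a complete rule dump; without privileges `iptables -S` prints nothing and the rule check reports "no".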

Member

We also discussed the next steps after this; once our nftables implementation is proven to be complete, we can move the iptables package to be "Recommended" or even less ("Suggests"), or could even be removed from the list.

Contributor Author

@robmry robmry Oct 6, 2025

And, this is RHEL 10 ...

That was wrong, it's all-RHEL, not CentOS/Fedora, because _no_libnftables is only defined for RHEL. But, even so, I think the change is safe.

Contributor

We also discussed the next steps after this; once our nftables implementation is proven to be complete, we can move the iptables package to be "Recommended" or even less ("Suggests"), or could even be removed from the list.

In Debian at least, it sounds like nftables should be Recommends ("found in all but unusual installations") and iptables should be either Suggests or dropped.

%endif
%if %{undefined rhel} || 0%{?rhel} < 9
# Libcgroup is no longer available in RHEL/CentOS >= 9 distros.
Requires: libcgroup
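Review bot: removing the `%if %{undefined _no_libnftables}` guard also removes the only comment explaining the nftables dependency, so the spec is left with an unconditional `Requires: nftables` beside the conditional `iptables-nft`/`iptables` requirement and nothing recording why it now applies to builds where `_no_libnftables` is defined (dockerd not linked against libnftables; per the discussion that macro is still defined for RHEL builds). Suggest keeping a one-line comment in its place, e.g. `# nftables is required even when dockerd is built without libnftables`, so the next reader does not reintroduce the conditional.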