#4620 closed enhancement (fixed)
Add nftables-0.9.2
Reported by: | thomas | Owned by: | DJ Lucas |
---|---|---|---|
Priority: | normal | Milestone: | 9.1 |
Component: | BOOK | Version: | SVN |
Severity: | minor | Keywords: | |
Cc: |
Description
http://www.netfilter.org/projects/nftables/index.html
http://www.netfilter.org/projects/nftables/files/nftables-0.8.tar.bz2
I read somewhere that this is now fully supported by the >= 3.13 kernel. Maybe it becomes interesting as LFS now has 3.13 too.
Another nftables-howto: https://home.regit.org/netfilter-en/nftables-quick-howto/
Change History (23)
comment:1 by , 11 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 11 years ago
comment:3 by , 11 years ago
Another issue: make wants to create a PDF for documentation and the build procedure errors out. I can disable it with a sed, but that will also take some time to figure out.
comment:5 by , 11 years ago
I see you have just built the 3.13.1 kernel, so, I will do it perhaps later than tomorrow.
comment:6 by , 11 years ago
Rebooted to 3.13.1 and at least ./nft --help worked. I wasn't sure what kernel options to use so I created most as modules. The only one loaded right now is nfnetlink. To use this package properly, I think we need a whole new section on fire-walling with nft. I don't know whether this will make it into 7.5 or not.
comment:7 by , 11 years ago
Yes.
Below, a link that you probably already know. May be useful to anybody arriving here and trying to understand this and perhaps, wishing to discuss in dev.
comment:8 by , 11 years ago
Milestone: | current → 7.6 |
---|
comment:9 by , 11 years ago
Milestone: | 7.6 → future |
---|---|
Owner: | changed from | to
Status: | assigned → new |
Moving to future. The package is still beta at best. There is no documentation other than an xml file that was committed in 2009 (and written sometime before that -- apparently 2008). Generating the man page via the Makefile requires additional tools not in BLFS.
The man page can be generated with some FIXME entries with: xsltproc -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl nftables.xml
The contents of the man page are wrong. The program is referred to as nftables when in fact it is nft. I don't know about the accuracy of the rest after 6 years of development.
Let's let this package mature a bit.
comment:10 by , 11 years ago
Priority: | normal → low |
---|
comment:11 by , 11 years ago
Summary: | New package: nftables-0.100 → Add nftables-0.100 |
---|
comment:12 by , 8 years ago
Description: | modified (diff) |
---|---|
Severity: | normal → minor |
Summary: | Add nftables-0.100 → Add nftables-0.6 |
Changed to nftables 0.6. Should this be put on hold?
comment:13 by , 8 years ago
I'm not sure putting it on hold would be the best idea. The "hold" milestone is basically packages that we are waiting for / waiting to update (As far as I understand it). The future milestone consists of tasks that we might do in the future, but are very low priority.
comment:14 by , 8 years ago
Ok. I'll just leave it. I didn't really know what the hold milestone was for, so I was just putting the question out there.
comment:16 by , 7 years ago
Description: | modified (diff) |
---|---|
Summary: | Add nftables-0.6 → Add nftables-0.8 |
comment:17 by , 7 years ago
Owner: | changed from | to
---|
comment:18 by , 7 years ago
Owner: | changed from | to
---|
comment:19 by , 6 years ago
Libmnl-1.0.4:
./configure --prefix=/usr && make && make install && mv -v /usr/lib/libmnl.so.* /lib && ln -sfv ../../lib/$(readlink /usr/lib/libmnl.so) /usr/lib/libmnl.so
Libnftnl:
./configure --prefix=/usr && make && make install && mv -v /usr/lib/libnftnl.so.* /lib && ln -sfv ../../lib/$(readlink /usr/lib/libnftnl.so) /usr/lib/libnftnl.so
Nftables:
Optional deps:
jansson/--with-json
iptables/--with-xtables (reciprocal)
docbook2man/--enable-man-doc
./configure --prefix=/usr --sbindir=/sbin --sysconfdir=/etc --disable-man-doc && make && make install && mv -v /usr/lib/libnftables.so.* /lib && ln -sfv ../../lib/$(readlink /usr/lib/libnftables.so) /usr/lib/libnftables.so
comment:20 by , 6 years ago
Milestone: | x-future → 9.1 |
---|---|
Owner: | changed from | to
Priority: | low → normal |
Status: | new → assigned |
This is now required for firewalld on systemd.
comment:21 by , 6 years ago
Summary: | Add nftables-0.8 → Add nftables-0.9.2 |
---|
This package requires libmnl-1.0.3.tar.bz2 and libnftnl-1.0.0. Both of those build and install as simple CMMI. I built nftables-0.100 also as a CMMI, but executing a simple 'nft --help' gives a segfault. My current kernel is 3.11.4, but that shouldn't create a segfault for help.
I did try to pass ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes to configure, but that didn't help.
Using strace, I get:
Searching the source, it looks like I'll need to boot to the 3.13 kernel to test this out. I may not get to that for a few days.