Opened 7 years ago

Closed 21 months ago

Last modified 21 months ago

#4620 closed enhancement (fixed)

Add nftables-0.9.2

Reported by: thomas
Owned by: DJ Lucas
Priority: normal
Milestone: 9.1
Component: BOOK
Version: SVN
Severity: minor
Keywords:
Cc:

Description (last modified by thomas)

http://www.netfilter.org/projects/nftables/index.html
http://www.netfilter.org/projects/nftables/files/nftables-0.8.tar.bz2

I read somewhere that this is now fully supported by the >= 3.13 kernel. Maybe it becomes interesting as LFS now has 3.13 too.

Another nftables-howto: https://home.regit.org/netfilter-en/nftables-quick-howto/

Change History (23)

comment:1 by bdubbs@…, 7 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: new → assigned

comment:2 by bdubbs@…, 7 years ago

This package requires libmnl-1.0.3.tar.bz2 and libnftnl-1.0.0. Both of those build and install as simple CMMI. I built nftables-0.100 also as a CMMI, but executing a simple 'nft --help' gives a segfault. My current kernel is 3.11.4, but that shouldn't create a segfault for help.

I did try to pass ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes to configure, but that didn't help.

Using strace, I get:

socket(PF_NETLINK, SOCK_RAW, 12)        = -1 EPROTONOSUPPORT (Protocol not supported)
write(2, "Memory allocation failure\n", 26Memory allocation failure
) = 26
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} ---
+++ killed by SIGSEGV +++
Segmentation fault

Searching the source, it looks like I'll need to boot to the 3.13 kernel to test this out. I may not get to that for a few days.

comment:3 by bdubbs@…, 7 years ago

Another issue: make wants to create a PDF for the documentation and the build procedure errors out. I can disable it with a sed, but that will also take some time to figure out.

comment:4 by Fernando de Oliveira, 7 years ago

I will build a 3.13.1 kernel tomorrow and will try.

comment:5 by Fernando de Oliveira, 7 years ago

I see you have just built the 3.13.1 kernel, so, I will do it perhaps later than tomorrow.

comment:6 by bdubbs@…, 7 years ago

Rebooted to 3.13.1 and at least ./nft --help worked. I wasn't sure what kernel options to use so I created most as modules. The only one loaded right now is nfnetlink. To use this package properly, I think we need a whole new section on firewalling with nft. I don't know whether this will make it into 7.5 or not.

comment:7 by Fernando de Oliveira, 7 years ago

Yes.

Below is a link that you probably already know. It may be useful to anybody arriving here and trying to understand this and, perhaps, wishing to discuss it in dev.

https://home.regit.org/netfilter-en/nftables-quick-howto/

comment:8 by bdubbs@…, 7 years ago

Milestone: current → 7.6

comment:9 by bdubbs@…, 7 years ago

Milestone: 7.6 → future
Owner: changed from bdubbs@… to blfs-book@…
Status: assigned → new

Moving to future. The package is still beta at best. There is no documentation other than an xml file that was committed in 2009 (and written something before that -- apparently 2008). Generating the man page via the Makefile requires additional tools not in BLFS.

The man page can be generated with some FIXME entries with: xsltproc -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl nftables.xml

The contents of the man page are wrong. The program is referred to as nftables when in fact it is nft. I don't know about the accuracy of the rest after 6 years of development.

Let's let this package mature a bit.

comment:10 by bdubbs@…, 7 years ago

Priority: normal → low

comment:11 by bdubbs@…, 7 years ago

Summary: New package: nftables-0.100 → Add nftables-0.100

comment:12 by Samuel, 5 years ago

Description: modified
Severity: normal → minor
Summary: Add nftables-0.100 → Add nftables-0.6

Changed to nftables 0.6. Should this be put on hold?

comment:13 by Douglas R. Reno, 5 years ago

I'm not sure putting it on hold would be the best idea. The "hold" milestone is basically packages that we are waiting for / waiting to update (As far as I understand it). The future milestone consists of tasks that we might do in the future, but are very low priority.

comment:14 by Samuel, 5 years ago

Ok. I'll just leave it. I didn't really know what the hold milestone was for, so I was just putting the question out there.

comment:15 by bdubbs@…, 4 years ago

Milestone: future → x-future

Milestone renamed

comment:16 by thomas, 4 years ago

Description: modified
Summary: Add nftables-0.6 → Add nftables-0.8

comment:17 by bdubbs@…, 3 years ago

Owner: changed from blfs-book@… to bdubbs@…

comment:18 by bdubbs@…, 3 years ago

Owner: changed from bdubbs@… to blfs-book

comment:19 by DJ Lucas, 3 years ago

Libmnl-1.0.4:

./configure --prefix=/usr &&
make &&
make install &&
mv -v /usr/lib/libmnl.so.* /lib &&
ln -sfv ../../lib/$(readlink /usr/lib/libmnl.so) /usr/lib/libmnl.so

Libnftnl:

./configure --prefix=/usr &&
make &&
make install &&
mv -v /usr/lib/libnftnl.so.* /lib &&
ln -sfv ../../lib/$(readlink /usr/lib/libnftnl.so) /usr/lib/libnftnl.so

Nftables:

Optional deps:

jansson/--with-json

iptables/--with-xtables (reciprocal)

docbook2man/--enable-man-doc

./configure --prefix=/usr --sbindir=/sbin --sysconfdir=/etc --disable-man-doc &&
make &&
make install &&
mv -v /usr/lib/libnftables.so.* /lib &&
ln -sfv ../../lib/$(readlink /usr/lib/libnftables.so) /usr/lib/libnftables.so
Last edited 3 years ago by DJ Lucas

comment:20 by DJ Lucas, 23 months ago

Milestone: x-future → 9.1
Owner: changed from blfs-book to DJ Lucas
Priority: low → normal
Status: new → assigned

This is now required for firewalld on systemd.

comment:21 by DJ Lucas, 23 months ago

Summary: Add nftables-0.8 → Add nftables-0.9.2

comment:22 by DJ Lucas, 21 months ago

Resolution: fixed
Status: assigned → closed

Fixed in r22301.

comment:23 by Douglas R. Reno, 21 months ago

Hi DJ, do I need to add a unit for nftables to the units tarball?
