From: "Max R. Carrara" <m.carrara@proxmox.com>
To: "Thomas Lamprecht" <t.lamprecht@proxmox.com>,
"Proxmox VE development discussion" <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [RFC pve-firewall v1 1/1] pve-firewall.service: update-alternatives to {ip, eb}tables-nft
Date: Fri, 01 Aug 2025 18:07:47 +0200 [thread overview]
Message-ID: <DBR7YK3UGYL4.2ZLBOCRY2BY1S@proxmox.com> (raw)
In-Reply-To: <99a6c3dd-9d62-4586-b819-c7be7e084314@proxmox.com>
On Fri Aug 1, 2025 at 6:00 PM CEST, Thomas Lamprecht wrote:
> On 01.08.25 at 17:45, Max R. Carrara wrote:
> > Back in c743e671d it was necessary to update-alternative `ebtables`
> > to `ebtables-legacy` due to some bugs [0][1]. However, these bugs
> > appear to be fixed now.
>
> Oh, what a throwback ^^ Yeah might be good to change this, but we're
> a bit too late for the next release, still see below for a potential
> option.
>
> >
> > In Trixie, `ebtables-legacy` seems to cause an enormous amount of audit
> > message spam in `dmesg` after upgrading from Bookworm--about 5 long
> > lines every ~10 seconds-- making it very tedious to find anything one
> > actually cares about.
> >
> > Thus, use the -nft variants instead of the -legacy ones as the
> > aforementioned bugs have since long been fixed and the audit log spam
> > is silenced that way.
> >
> > [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929527
> > [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929976
> >
> > Signed-off-by: Max R. Carrara <m.carrara@proxmox.com>
> > ---
> > debian/pve-firewall.service | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/debian/pve-firewall.service b/debian/pve-firewall.service
> > index f95ce6d..c99db26 100644
> > --- a/debian/pve-firewall.service
> > +++ b/debian/pve-firewall.service
> > @@ -8,9 +8,9 @@ Before=shutdown.target
> > Conflicts=shutdown.target
> >
> > [Service]
> > -ExecStartPre=-/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy
> > -ExecStartPre=-/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
> > -ExecStartPre=-/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
> > +ExecStartPre=-/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-nft
> > +ExecStartPre=-/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-nft
> > +ExecStartPre=-/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
>
> Could we make this opt-in? Then we could a. take more time to thoroughly test
> this while b. still being able to tell willing users that they could enable
> the nft variant if they are annoyed by the auditd messages.
>
> An implementation option might be using a node-local environment file
> sourced by the unit file, e.g.
>
> Environment="VARIANT=legacy"
> EnvironmentFile=-/var/lib/pve-firewall/tables-variant
>
> ExecStartPre=-/usr/bin/update-alternatives --set ebtables-${VARIANT}
> ...
That's a good idea actually! I'll see what I can do on Monday.
Also, I forgot to mention: Shoutout to Stoiko for pointing me to that
one old commit off-list that sparked the idea of changing to the -nft
variants; much appreciated! Would otherwise probably still be poking
around in the dark.
>
> > ExecStart=/usr/sbin/pve-firewall start
> > ExecStop=/usr/sbin/pve-firewall stop
> > ExecReload=/usr/sbin/pve-firewall restart
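Review bot: the three replaced `ExecStartPre=-` lines keep the leading `-`, so a non-zero exit from `update-alternatives --set ... /usr/sbin/<tool>-nft` (for example because the `-nft` binary is not present on the host) is swallowed and the previously selected alternative silently stays in effect; consider dropping the `-` on these lines or checking that the target path exists before switching. The commit message should also say that the switch takes effect on existing hosts at the next service start, and that rules already loaded through the legacy backend are not visible to the `-nft` tools, so the expected upgrade path (flush with the legacy tools before switching, or reboot) is worth documenting.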
>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
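The opt-in variant Thomas sketches above can be resolved by a small helper that validates the node-local value and fails loudly instead of being ignored the way an `ExecStartPre=-` line is. This is an added example, not code from the patch or from pve-firewall; the environment file path, the `VARIANT` key and the `$root` prefix used for testing are assumptions.

```shell
#!/bin/sh
# Added example (not part of the patch or of pve-firewall): pick the
# {ip,ip6,eb}tables alternative from an opt-in VARIANT setting, accept
# only "legacy" or "nft", verify the target binaries exist and report
# failure instead of silently keeping the old alternative.

# Allow-list the variant name; it is interpolated into a path below.
variant_is_valid() {
    case "$1" in
        legacy|nft) return 0 ;;
        *) return 1 ;;
    esac
}

# Read VARIANT=... from a KEY=VALUE file (the simple form systemd's
# EnvironmentFile accepts, optional double quotes); print the default
# when the file is missing or has no VARIANT line.
read_variant() {
    file="$1"; default="$2"
    if [ -r "$file" ]; then
        v=$(sed -n 's/^VARIANT=//p' "$file" | tail -n 1 | tr -d '"')
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    fi
    printf '%s\n' "$default"
}

# Print the update-alternatives invocation for each tool after checking
# that /usr/sbin/<tool>-<variant> exists under $root ("/" by default;
# a scratch directory in tests). Returns 1 for an invalid variant and
# 2 for a missing binary, so a caller (or the unit) can fail the start.
plan_alternatives() {
    variant="$1"; root="${2:-}"
    if ! variant_is_valid "$variant"; then
        echo "invalid VARIANT: $variant" >&2
        return 1
    fi
    for tool in ebtables iptables ip6tables; do
        target="/usr/sbin/${tool}-${variant}"
        if [ ! -x "$root$target" ]; then
            echo "missing $target, refusing to switch" >&2
            return 2
        fi
        printf 'update-alternatives --set %s %s\n' "$tool" "$target"
    done
}
```

Run the printed commands with `sh -e` from an `ExecStartPre=` line without the leading `-` so that a rejected variant or a missing binary fails the unit start instead of passing unnoticed.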