linux-kvm should support nftables
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux-kvm (Ubuntu) | Invalid | Undecided | Unassigned |
Focal | Fix Released | Low | Unassigned |
Bug Description
[Impact]
LXD can't use nftables on the latest Focal/linux-kvm kernel, since nftables support is off (contrary to generic, where nftables is enabled).
[Fix]
Apply the attached config change.
[Regression potential]
Low: we are enabling CONFIG_NF* options that have been widely used in generic for a while.
Boot-performance-wise, the config change has been tested on an isolated KVM instance, iterating over 100 reboots, and we didn't notice any evident regression:
5.4.0-1018-kvm 20.04 focal (CPUS=1):
kernel: 2.16371, user: 7.58647, total: 9.75018
kernel_std: .03405, user_std: .33445, total_std: .33524
5.4.0-1018-kvm~nft 20.04 focal (CPUS=1):
kernel: 2.15961, user: 7.63694, total: 9.79655
kernel_std: .03420, user_std: .36585, total_std: .37049
---
LXD can't use nftables on the latest linux-kvm kernels for eoan, focal, and groovy:
- groovy: 5.4.0.1009.9
- focal: 5.4.0-1011.11
- eoan: 5.3.0.1017.19
LXD detects that nft tools are available, and nft tables can be listed; however, trying to create a new table or rule fails.
Because of this, LXD has to fall back on xtables, which is a legacy package.
description: updated
description: updated
Changed in linux-kvm (Ubuntu Focal):
importance: Undecided → Low
status: New → Triaged
Changed in linux-kvm (Ubuntu):
status: New → Invalid
Changed in linux-kvm (Ubuntu Focal):
status: Triaged → Fix Committed
Right, I've sent a tweak to LXD upstream to detect such a kernel setup and fall back to xtables, but that's obviously not a situation we'd like to rely on.
nftables is the current supported way of doing firewalling and is what Ubuntu uses by default (through shim packages) as of 20.04, so we need to ensure that all our kernels support it.
An easy fix would be to align CONFIG_NFT* to what we have in generic. If that increases size too much, then I guess we can look at trimming things a bit to only include the usual bits we need (ipv4, ipv6, nat, mangling, mac filtering, ...).
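As an added diagnostic (not part of the bug report, the attached config change, or LXD's own detection code), a POSIX shell check that reads a kernel config and reports which nftables options are not built, so a kernel like the one described above can be identified from its config instead of from a failing table creation. The option list is an assumption: a minimal set covering the pieces the comment above lists (ipv4/ipv6, nat, conntrack, bridge/MAC filtering, iptables compat), not the exact change attached to the bug.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report or the Ubuntu kernel packaging.
# Reads a kernel config and reports which nftables options are not built
# (=y or =m). This is the situation the bug describes: nft userspace is
# present and "nft list tables" works, but creating a table or rule fails.
#
# ASSUMPTION: this option list is a minimal set covering what the comment
# asks for (ipv4/ipv6 filtering, NAT, conntrack, bridge/MAC filtering,
# iptables compat). It is not the exact change attached to the bug.
NFT_REQUIRED="CONFIG_NF_TABLES CONFIG_NF_TABLES_INET CONFIG_NFT_NAT
CONFIG_NFT_MASQ CONFIG_NFT_CT CONFIG_NFT_REJECT CONFIG_NFT_COMPAT
CONFIG_NF_TABLES_BRIDGE"

# check_nft_config FILE
# Prints each required option that is neither =y nor =m in FILE, one per
# line, in the order of NFT_REQUIRED. Returns 0 if nothing is missing, else 1.
check_nft_config() {
    cfg="$1"
    missing=0
    for opt in $NFT_REQUIRED; do
        # Anchored match, so CONFIG_NF_TABLES does not accept
        # CONFIG_NF_TABLES_INET and "# CONFIG_X is not set" never counts.
        if ! grep -qE "^${opt}=(y|m)\$" "$cfg"; then
            echo "$opt"
            missing=1
        fi
    done
    return $missing
}

# Stand-alone use: sh check_nft_config.sh [/path/to/kernel/config]
# With no argument, inspect the running kernel's config as Ubuntu ships it.
if [ "$#" -gt 0 ] || [ -r "/boot/config-$(uname -r)" ]; then
    target="${1:-/boot/config-$(uname -r)}"
    if [ ! -r "$target" ]; then
        echo "cannot read $target" >&2
    elif check_nft_config "$target"; then
        echo "$target: all required nftables options are enabled"
    else
        echo "$target: options listed above are missing; nft table/rule creation will fail" >&2
    fi
fi
```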