If you take a careful look at https://firewalld.org/2018/07/nftables-backend, you will see that firewalld uses the nftables backend by default and that the iptables functionality is not being worked on anymore and will even be phased out in the future. Yet, the current firewalld ebuild pulls iptables as a mandatory dependency for firewalld, even though it is not required to run or even build it.

How to stumble upon this problem:
emerge firewalld

Expected outcome:
Firewalld being emerged without iptables, as I don't want to use it, and I can assure you that many other users are in the same boat.

Proposed solution:
Adding the iptables and/or nftables USE flags to the firewalld ebuild. This way, the user can select what backend better fits their intended use and avoid having redundant security software, which expands the attack surface and opens a breach for unexpected errors/bugs/security issues.

As this package is essential for the basic security of most Linux users – not all of them have a firm grasp on how a firewall works, what a firewall is and how it should be configured, let alone how to set rules for iptables/nftables –, I set the priority of this bug as high.
The whole dependency chain is a mess. I will clean it up and introduce a USE=nftables switch to switch the backend at compile time.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18bfd37decfb73f79f113fdb70b010f263625843

commit 18bfd37decfb73f79f113fdb70b010f263625843
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2020-03-17 18:44:53 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-03-17 21:07:31 +0000

    net-firewall/firewalld: version bump to 0.73

    Also fix dependencies and add USE=+nftables

     - The iptables (ip6tables, ebtables, ipset) backend for firewalld is
       nowadays entirely optional. Thus add a USE flag to control which
       backend is used and configured at compile time. This allows dropping
       iptables from the set of installed packages altogether.

     - In case both xtables and nftables are set, also depend on
       nftables[xtables].

     - install locales

    Closes: https://bugs.gentoo.org/670932
    Closes: https://bugs.gentoo.org/709856
    Bug: https://bugs.gentoo.org/703322
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 net-firewall/firewalld/Manifest               |   1 +
 net-firewall/firewalld/firewalld-0.7.3.ebuild | 111 ++++++++++++++++++++++++++
 net-firewall/firewalld/metadata.xml           |   4 +
 3 files changed, 116 insertions(+)
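The report proposes selecting the firewalld backend through USE flags, and the closing commit adds such a flag. The following POSIX shell script is an added example written for this page; it is not from the bug report, the commit, or the Gentoo ebuild. It shows the administrator's side of the change: emitting the package.use line that builds exactly one backend, reading the runtime backend from firewalld.conf, and flagging the case where the config asks for a backend that was not compiled in. It assumes the ebuild's flags are named "nftables" and "iptables" (the flag names are an assumption, since the commit message only says USE=+nftables and mentions xtables), that firewalld reads FirewallBackend from /etc/firewalld/firewalld.conf, and that the key defaults to nftables when unset.

```shell
#!/bin/sh
# Added example, not part of the bug report or the Gentoo ebuild.
# Assumptions: USE flags are named "nftables" and "iptables" (assumed names);
# firewalld reads FirewallBackend from its firewalld.conf and treats a missing
# key as nftables.

# Print the package.use line that enables exactly one firewalld backend, so
# the other backend's tooling is not pulled in as a redundant dependency.
# Usage: firewalld_use_line nftables|iptables
firewalld_use_line() {
    case "$1" in
        nftables) printf 'net-firewall/firewalld nftables -iptables\n' ;;
        iptables) printf 'net-firewall/firewalld iptables -nftables\n' ;;
        *) printf 'unknown backend: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Read the configured backend from a firewalld.conf; "nftables" if unset.
# Only the last FirewallBackend= assignment counts, matching "last wins".
# Usage: firewalld_backend /path/to/firewalld.conf
firewalld_backend() {
    backend=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${backend:-nftables}"
}

# Check that the runtime backend in firewalld.conf is the one the package
# was built with. Returns 0 when consistent, 1 on a mismatch (the config
# would select a backend whose support and tooling are absent).
# Usage: firewalld_audit /path/to/firewalld.conf nftables|iptables
firewalld_audit() {
    conf="$1"; built="$2"
    runtime=$(firewalld_backend "$conf")
    if [ "$runtime" = "$built" ]; then
        printf 'ok: firewalld.conf backend %s matches USE=%s\n' "$runtime" "$built"
        return 0
    fi
    printf 'mismatch: firewalld.conf wants %s but package built with USE=%s\n' \
        "$runtime" "$built" >&2
    return 1
}

# Demo on a constructed config file (not a real system file).
demo_conf=$(mktemp)
printf 'DefaultZone=public\nFirewallBackend=nftables\n' > "$demo_conf"
firewalld_use_line nftables
firewalld_audit "$demo_conf" nftables
rm -f "$demo_conf"
```

On a real system the first function's output goes into /etc/portage/package.use/firewalld before `emerge firewalld`, and the audit is run against /etc/firewalld/firewalld.conf after installation; a mismatch means either the USE flags or FirewallBackend should be changed so that exactly one backend is both built and configured.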