Bug 709856 - net-firewall/firewalld should not depend on net-firewall/iptables as it is optional and being phased out
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Virtualization Team
Reported: 2020-02-16 21:51 UTC by asdfg
Modified: 2020-03-17 21:07 UTC
Description asdfg 2020-02-16 21:51:33 UTC
If you take a careful look at https://firewalld.org/2018/07/nftables-backend, you will see that firewalld uses the nftables backend by default and that the iptables functionality is not being worked on anymore and will even be phased out in the future.

Yet, the current firewalld ebuild pulls iptables as a mandatory dependency for firewalld, even though it is not required to run or even build it.

How to stumble upon this problem:

emerge firewalld

Expected outcome:

Firewalld being emerged without iptables, as I don't want to use it, and I can assure you that many other users are in the same boat.

Proposed solution:

Adding the iptables and/or nftables USE flags to the firewalld ebuild. This way, the user can select which backend better fits their intended use and avoid having redundant security software, which expands the attack surface and opens a breach for unexpected errors/bugs/security issues.

As this package is essential for the basic security of most Linux users – not all of them have a firm grasp on how a firewall works, what a firewall is and how it should be configured, let alone how to set rules for iptables/nftables –, I set the priority of this bug as high.
Comment 1 Matthias Maier gentoo-dev 2020-03-17 19:23:36 UTC
The whole dependency chain is a mess. I will clean it up and introduce a USE=nftables switch to switch the backend at compile time.
Comment 2 Larry the Git Cow gentoo-dev 2020-03-17 21:07:57 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18bfd37decfb73f79f113fdb70b010f263625843

commit 18bfd37decfb73f79f113fdb70b010f263625843
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2020-03-17 18:44:53 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-03-17 21:07:31 +0000

    net-firewall/firewalld: version bump to 0.73
    
    Also fix dependencies and add USE=+nftables
    
     - The iptables (ip6tables, ebtables, ipset) backend for firewalld is
       nowadays entirely optional. Thus add a USE flag to control which
       backend is used and configured at compile time.
    
       This allows to drop iptables from the set of installed packages
       altogether.
    
     - In case both xtables and nftables are set, also depend on
       nftables[xtables].
    
     - install locales
    
    Closes: https://bugs.gentoo.org/670932
    Closes: https://bugs.gentoo.org/709856
    Bug: https://bugs.gentoo.org/703322
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 net-firewall/firewalld/Manifest               |   1 +
 net-firewall/firewalld/firewalld-0.7.3.ebuild | 111 ++++++++++++++++++++++++++
 net-firewall/firewalld/metadata.xml           |   4 +
 3 files changed, 116 insertions(+)
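As an added illustration of the dependency rule the commit message describes (an optional iptables backend, nftables as the default, and `nftables[xtables]` only when both backends are enabled), the script below models that rule as a small POSIX shell function and lets you check which packages a given USE flag set would pull in. This is example code written for this page, not the ebuild from the Gentoo repository; the flag names `iptables`/`nftables`, the `xtables` USE flag on net-firewall/nftables and the exact package atoms are assumptions.

```shell
#!/bin/sh
# Added example (not the Gentoo ebuild): model the USE-conditional backend
# dependencies of firewalld described in the commit message. The flag and
# atom names below are assumptions chosen to illustrate the rule.

# has_flag NAME FLAG... : succeed if NAME is among the enabled USE flags
has_flag() {
    name=$1
    shift
    for f in "$@"; do
        [ "$f" = "$name" ] && return 0
    done
    return 1
}

# firewalld_rdepend FLAG... : print one runtime dependency atom per line,
# following the rule: iptables backend is optional; when both backends are
# enabled, nftables must be built with its xtables compatibility layer.
firewalld_rdepend() {
    deps=""
    if has_flag iptables "$@"; then
        # assumed atoms for the legacy backend (iptables, ebtables, ipset)
        deps="net-firewall/iptables net-firewall/ebtables net-firewall/ipset"
    fi
    if has_flag nftables "$@"; then
        if has_flag iptables "$@"; then
            deps="$deps net-firewall/nftables[xtables]"
        else
            deps="$deps net-firewall/nftables"
        fi
    fi
    for d in $deps; do
        printf '%s\n' "$d"
    done
}

# required_use_ok FLAG... : at least one backend must be selected, the
# equivalent of REQUIRED_USE="|| ( iptables nftables )" in an ebuild (assumed)
required_use_ok() {
    has_flag iptables "$@" || has_flag nftables "$@"
}

# pulls_iptables FLAG... : succeed if the resolved set contains net-firewall/iptables,
# i.e. the check the bug reporter wanted to be able to make fail with USE=-iptables
pulls_iptables() {
    firewalld_rdepend "$@" | grep -qxF 'net-firewall/iptables'
}

# Show the three meaningful configurations when run directly.
for cfg in "nftables" "iptables" "iptables nftables"; do
    printf 'USE="%s":\n' "$cfg"
    firewalld_rdepend $cfg | sed 's/^/  /'
done
```

With only `nftables` enabled the resolved set contains no iptables atom at all, which is the outcome the reporter asked for; with both flags the nftables atom gains the `[xtables]` USE dependency, matching the second bullet of the commit message.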