Bug 831259 - net-firewall/firewalld-1.0.2: update CONFIG_CHECK for kernel 5.15
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Virtualization Team
Reported: 2022-01-15 14:59 UTC by Erik Quaeghebeur
Modified: 2022-02-26 04:07 UTC
Description Erik Quaeghebeur 2022-01-15 14:59:08 UTC
Upon emerge, net-firewall/firewalld-1.0.2 gave me a list of modules that should be added to my kernel, which is 5.15.11. Some of these are actually not in the kernel anymore (under the names listed). Two examples seem to be CONFIG_NFT_NET and CONFIG_NF_TABLES_SET. Likely there are more, so I guess running a comparative search against the 5.15 config would be necessary.

Reproducible: Always
Comment 1 genBTC 2022-01-15 23:22:31 UTC
Problem:
 *   CONFIG_NF_CONNTRACK_NETBIOS:	 is not set when it should be.
 *   CONFIG_NF_TABLES_SET:	 is not set when it should be.
 *   CONFIG_NFT_NET:	 is not set when it should be.

Analysis:
<genr8eofl_> CONFIG_NF_TABLES_SET is from 5.4, gone completely now. In 5.10+ this option is gone and merged into core NF functionality as far as I can tell
<genr8eofl_> I believe NFT_NET was supposed to be NFT_NAT since it's right next to it and NFT_NET doesn't exist (possibly a typo, I can't find evidence of it ever existing).
<genr8eofl_> and the NETBIOS one should have been NETBIOS_NS all along (same thing, no evidence of old symbol existing)

Reason being:
I will take the blame for this error: we updated a largely inadequate config symbol list in the ebuild with a cheat sheet from a blog, https://zigford.org/firewalld-kernel-requirements.html, last month, and it was signed off by a dev who deemed it a temporary path, awaiting better options. The exact needed symbols are very time-consuming to analyze; upstream does not provide guidance.

We should for sure change these three now that I have determined some corrections.

Solution:
1) delete CONFIG_NFT_NET entirely
2) change CONFIG_NF_CONNTRACK_NETBIOS to CONFIG_NF_CONNTRACK_NETBIOS_NS
3) guard CONFIG_NF_TABLES_SET for <=5.4 only. 

Thank you for the bug report as we work to improve Gentoo!
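
The comparative search against a kernel tree that the report asks for can be scripted. The following is an added example, not code from the firewalld ebuild or from anyone in this thread; `missing_symbols` and `make_sample_tree` are hypothetical helper names, and the Kconfig tree is a constructed stand-in for a real kernel source directory.

```shell
#!/bin/sh
# Added example (not from the firewalld ebuild): find CONFIG_CHECK entries
# that no Kconfig file in a kernel source tree defines.

# missing_symbols KSRC SYMBOL...
# Prints each SYMBOL lacking a "config"/"menuconfig" definition under KSRC.
# Accepts the ebuild form (~NF_TABLES) and the warning form (CONFIG_NF_TABLES).
missing_symbols() {
    ksrc=$1; shift
    for sym in "$@"; do
        name=${sym#"~"}
        name=${name#CONFIG_}
        # Anchor both ends so NF_CONNTRACK_NETBIOS does not match ..._NETBIOS_NS.
        re="^[[:space:]]*(menu)?config[[:space:]]+${name}[[:space:]]*\$"
        if ! find "$ksrc" -type f -name 'Kconfig*' \
                -exec grep -lE "$re" {} + | grep -q .; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed stand-in for a kernel tree; point missing_symbols at a real
# source directory (for example /usr/src/linux) for an actual check.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/net/netfilter"
    cat > "$dir/net/netfilter/Kconfig" <<'EOF'
config NF_CONNTRACK_NETBIOS_NS
    tristate "constructed sample entry"
config NF_TABLES
    tristate "constructed sample entry"
if NF_TABLES
config NFT_NAT
    tristate "constructed sample entry"
endif
EOF
    printf '%s\n' "$dir"
}

tree=$(make_sample_tree)
# The three symbols flagged in this bug are reported; the two valid ones are not.
missing_symbols "$tree" '~NF_TABLES' CONFIG_NFT_NET CONFIG_NFT_NAT \
    CONFIG_NF_TABLES_SET CONFIG_NF_CONNTRACK_NETBIOS
rm -rf "$tree"
```

A symbol this check reports is absent from the tree entirely, which is different from a symbol that exists but is disabled in `.config`.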
Comment 2 Larry the Git Cow gentoo-dev 2022-02-26 04:07:46 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eaf5a9d096bc19ea688b4cfb7612cab7fa5658ab

commit eaf5a9d096bc19ea688b4cfb7612cab7fa5658ab
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-26 04:05:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-26 04:07:07 +0000

    net-firewall/firewalld: add 1.1.0
    
    - Add updated firewalld.service for systemd (drops Conflicts line w/ now-gone
      iptables-and-friends unit files)
    - Fix needed kernel config options
    - Add optfeature for gnome-extra/nm-applet
    
    Closes: https://bugs.gentoo.org/831259
    Closes: https://bugs.gentoo.org/833506
    Closes: https://bugs.gentoo.org/833569
    Thanks-to: <genBTC@gmx.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-firewall/firewalld/Manifest                |   1 +
 net-firewall/firewalld/files/firewalld.service |  22 +++
 net-firewall/firewalld/firewalld-1.1.0.ebuild  | 213 +++++++++++++++++++++++++
 3 files changed, 236 insertions(+)