CentOS 8: rebuild iptables with legacy mode

Nftables backend is not compatible with the current kubeadm packages(it causes duplicated firewall rules and breaks kube-proxy) and will failed calico-node pod, either. Legacy mode is required by kubernetes, however, the sbins related to legacy are removed in el8 iptables rpm. this commit containes: 1. libnftnl: build iptables dependency libnftnl-dev rpm, which is not provided by centos offical repo. 2. iptables: pkg the "*legacy*" sbins and "/man8/xtables-legacy" into the iptables rpm. Change-Id: Ie5f09e14d5139ce0a2a58416f27d10d64622f0c2 Story: 2006729 Task: 38711 Signed-off-by: SidneyAn <ran1.an@intel.com>
2020-02-06 18:07:47 +08:00 · 2020-02-06 18:07:47 +08:00 · 6cf6e96910
commit 6cf6e96910
parent a3267c2016
9 changed files with 113 additions and 0 deletions
--- a/base/iptables/centos/build_srpm.data
+++ b/base/iptables/centos/build_srpm.data
@ -0,0 +1,2 @@
 TIS_PATCH_VER=1
 BUILD_IS_SLOW=7
--- a/base/iptables/centos/meta_patches/0001-Subject-update-package-versioning-for-STX.patch
+++ b/base/iptables/centos/meta_patches/0001-Subject-update-package-versioning-for-STX.patch
@ -0,0 +1,26 @@
 From 959a0ca2e8561b7928114e565c1328ec6b420e06 Mon Sep 17 00:00:00 2001
 From: SidneyAn <ran1.an@intel.com>
 Date: Tue, 4 Feb 2020 10:33:55 +0000
 Subject: [PATCH 1/2] Subject: update package versioning for STX
 Signed-off-by: SidneyAn <ran1.an@intel.com>
 ---
 SPECS/iptables.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
 index 464057c..7147745 100644
 --- a/SPECS/iptables.spec
 +++ b/SPECS/iptables.spec
@@ -7,7 +7,7 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.8.2
 -Release: 9%{?dist}.1
 +Release: 9.el8_0.1%{?_tis_dist}.%{tis_patch_ver}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
 -- 
 2.18.1
--- a/base/iptables/centos/meta_patches/0002-Subject-enable-legacy-tools.patch
+++ b/base/iptables/centos/meta_patches/0002-Subject-enable-legacy-tools.patch
@ -0,0 +1,50 @@
 From 2792003159081a47b832e21310579ec052f675bc Mon Sep 17 00:00:00 2001
 From: SidneyAn <ran1.an@intel.com>
 Date: Tue, 4 Feb 2020 10:48:52 +0000
 Subject: [PATCH 2/2] Subject: enable legacy tools
 Signed-off-by: SidneyAn <ran1.an@intel.com>
 ---
 SPECS/iptables.spec | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
 diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
 index 7147745..4a24703 100644
 --- a/SPECS/iptables.spec
 +++ b/SPECS/iptables.spec
@@ -280,10 +280,10 @@ rm -f %{buildroot}%{_sysconfdir}/ethertypes
 %endif
 # drop all legacy tools
 -rm -f %{buildroot}%{_sbindir}/*legacy*
 +#rm -f %{buildroot}%{_sbindir}/*legacy*
 rm -f %{buildroot}%{_bindir}/iptables-xml
 rm -f %{buildroot}%{_mandir}/man1/iptables-xml*
 -rm -f %{buildroot}%{_mandir}/man8/xtables-legacy*
 +#rm -f %{buildroot}%{_mandir}/man8/xtables-legacy*
 # rename nft versions to standard name
 pfx=%{buildroot}%{_sbindir}/iptables
@@ -374,12 +374,20 @@ done
 %{_sbindir}/ip6tables-translate
 %{_sbindir}/xtables-monitor
 %{_sbindir}/xtables-nft-multi
 +%{_sbindir}/iptables-legacy
 +%{_sbindir}/iptables-legacy-restore
 +%{_sbindir}/iptables-legacy-save
 +%{_sbindir}/ip6tables-legacy
 +%{_sbindir}/ip6tables-legacy-restore
 +%{_sbindir}/ip6tables-legacy-save
 +%{_sbindir}/xtables-legacy-multi
 %{_mandir}/man8/iptables*
 %{_mandir}/man8/ip6tables*
 %{_mandir}/man8/nfnl_osf*
 %{_mandir}/man8/xtables-monitor*
 %{_mandir}/man8/xtables-nft*
 %{_mandir}/man8/xtables-translate*
 +%{_mandir}/man8/xtables-legacy*
 %dir %{_libdir}/xtables
 %{_libdir}/xtables/libarpt*
 %{_libdir}/xtables/libebt*
 --
 2.17.1
--- a/base/iptables/centos/meta_patches/PATCH_ORDER
+++ b/base/iptables/centos/meta_patches/PATCH_ORDER
@ -0,0 +1,2 @@
 0001-Subject-update-package-versioning-for-STX.patch
 0002-Subject-enable-legacy-tools.patch
--- a/base/iptables/centos/srpm_path
+++ b/base/iptables/centos/srpm_path
@ -0,0 +1 @@
 mirror:Source/iptables-1.8.2-9.el8_0.1.src.rpm
--- a/base/libnftnl/centos/build_srpm.data
+++ b/base/libnftnl/centos/build_srpm.data
@ -0,0 +1,2 @@
 TIS_PATCH_VER=1
 BUILD_IS_SLOW=7
--- a/base/libnftnl/centos/meta_patches/PATCH_ORDER
+++ b/base/libnftnl/centos/meta_patches/PATCH_ORDER
@ -0,0 +1 @@
 update-package-versioning-for-STX.patch
--- a/base/libnftnl/centos/meta_patches/update-package-versioning-for-STX.patch
+++ b/base/libnftnl/centos/meta_patches/update-package-versioning-for-STX.patch
@ -0,0 +1,28 @@
 From 90b243ff4c05787cb3d0c765e0aef4a7deb02401 Mon Sep 17 00:00:00 2001
 From: SidneyAn <ran1.an@intel.com>
 Date: Wed, 5 Feb 2020 03:59:26 +0000
 Subject: [PATCH] Subject: update package versioning for STX
 Signed-off-by: SidneyAn <ran1.an@intel.com>
 ---
 SPECS/libnftnl.spec | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 diff --git a/SPECS/libnftnl.spec b/SPECS/libnftnl.spec
 index f13138f..8de5ebf 100644
 --- a/SPECS/libnftnl.spec
 +++ b/SPECS/libnftnl.spec
@@ -1,9 +1,8 @@
 %define rpmversion 1.1.1
 -%define specrelease 4%{?dist}
 Name:           libnftnl
 Version:        %{rpmversion}
 -Release:        %{specrelease}%{?buildid}
 +Release:        4.el8%{?_tis_dist}.%{tis_patch_ver}
 Summary:        Library for low-level interaction with nftables Netlink's API over libmnl
 License:        GPLv2+
 URL:            http://netfilter.org/projects/libnftnl/
 --
 2.18.1
--- a/base/libnftnl/centos/srpm_path
+++ b/base/libnftnl/centos/srpm_path
@ -0,0 +1 @@
 mirror:Source/libnftnl-1.1.1-4.el8.src.rpm
		`@ -0,0 +1,2 @@`
							`0001-Subject-update-package-versioning-for-STX.patch`
							`0002-Subject-enable-legacy-tools.patch`
		`@ -0,0 +1 @@`
							`mirror:Source/iptables-1.8.2-9.el8_0.1.src.rpm`