CentOS 8: rebuild iptables with legacy mode

Nftables backend is not compatible with the current kubeadm packages(it causes duplicated firewall rules and breaks kube-proxy) and will failed calico-node pod, either. Legacy mode is required by kubernetes, however, the sbins related to legacy are removed in el8 iptables rpm. this commit containes: 1. libnftnl: build iptables dependency libnftnl-dev rpm, which is not provided by centos offical repo. 2. iptables: pkg the "*legacy*" sbins and "/man8/xtables-legacy" into the iptables rpm. Change-Id: Ie5f09e14d5139ce0a2a58416f27d10d64622f0c2 Story: 2006729 Task: 38711 Signed-off-by: SidneyAn <ran1.an@intel.com>
2020-02-06 18:07:47 +08:00 · 2020-02-06 18:07:47 +08:00 · 6cf6e96910
parent a3267c2016
commit 6cf6e96910
9 changed files with 113 additions and 0 deletions
--- a/base/iptables/centos/build_srpm.data
+++ b/base/iptables/centos/build_srpm.data
@ -0,0 +1,2 @@
+TIS_PATCH_VER=1
+BUILD_IS_SLOW=7
--- a/base/iptables/centos/meta_patches/0001-Subject-update-package-versioning-for-STX.patch
+++ b/base/iptables/centos/meta_patches/0001-Subject-update-package-versioning-for-STX.patch
@ -0,0 +1,26 @@
+From 959a0ca2e8561b7928114e565c1328ec6b420e06 Mon Sep 17 00:00:00 2001
+From: SidneyAn <ran1.an@intel.com>
+Date: Tue, 4 Feb 2020 10:33:55 +0000
+Subject: [PATCH 1/2] Subject: update package versioning for STX
+
+Signed-off-by: SidneyAn <ran1.an@intel.com>
+---
+ SPECS/iptables.spec | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
+index 464057c..7147745 100644
+--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec
+@@ -7,7 +7,7 @@
+ Name: iptables
+ Summary: Tools for managing Linux kernel packet filtering capabilities
+ Version: 1.8.2
+-Release: 9%{?dist}.1
+Release: 9.el8_0.1%{?_tis_dist}.%{tis_patch_ver}
+ Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
+ Source1: iptables.init
+ Source2: iptables-config
+-- 
+2.18.1
+
--- a/base/iptables/centos/meta_patches/0002-Subject-enable-legacy-tools.patch
+++ b/base/iptables/centos/meta_patches/0002-Subject-enable-legacy-tools.patch
@ -0,0 +1,50 @@
+From 2792003159081a47b832e21310579ec052f675bc Mon Sep 17 00:00:00 2001
+From: SidneyAn <ran1.an@intel.com>
+Date: Tue, 4 Feb 2020 10:48:52 +0000
+Subject: [PATCH 2/2] Subject: enable legacy tools
+
+Signed-off-by: SidneyAn <ran1.an@intel.com>
+---
+ SPECS/iptables.spec | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
+index 7147745..4a24703 100644
+--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec
+@@ -280,10 +280,10 @@ rm -f %{buildroot}%{_sysconfdir}/ethertypes
+ %endif
+
+ # drop all legacy tools
+-rm -f %{buildroot}%{_sbindir}/*legacy*
+#rm -f %{buildroot}%{_sbindir}/*legacy*
+ rm -f %{buildroot}%{_bindir}/iptables-xml
+ rm -f %{buildroot}%{_mandir}/man1/iptables-xml*
+-rm -f %{buildroot}%{_mandir}/man8/xtables-legacy*
+#rm -f %{buildroot}%{_mandir}/man8/xtables-legacy*
+
+ # rename nft versions to standard name
+ pfx=%{buildroot}%{_sbindir}/iptables
+@@ -374,12 +374,20 @@ done
+ %{_sbindir}/ip6tables-translate
+ %{_sbindir}/xtables-monitor
+ %{_sbindir}/xtables-nft-multi
+%{_sbindir}/iptables-legacy
+%{_sbindir}/iptables-legacy-restore
+%{_sbindir}/iptables-legacy-save
+%{_sbindir}/ip6tables-legacy
+%{_sbindir}/ip6tables-legacy-restore
+%{_sbindir}/ip6tables-legacy-save
+%{_sbindir}/xtables-legacy-multi
+ %{_mandir}/man8/iptables*
+ %{_mandir}/man8/ip6tables*
+ %{_mandir}/man8/nfnl_osf*
+ %{_mandir}/man8/xtables-monitor*
+ %{_mandir}/man8/xtables-nft*
+ %{_mandir}/man8/xtables-translate*
+%{_mandir}/man8/xtables-legacy*
+ %dir %{_libdir}/xtables
+ %{_libdir}/xtables/libarpt*
+ %{_libdir}/xtables/libebt*
+--
+2.17.1
--- a/base/iptables/centos/meta_patches/PATCH_ORDER
+++ b/base/iptables/centos/meta_patches/PATCH_ORDER
@ -0,0 +1,2 @@
+0001-Subject-update-package-versioning-for-STX.patch
+0002-Subject-enable-legacy-tools.patch
--- a/base/iptables/centos/srpm_path
+++ b/base/iptables/centos/srpm_path
@ -0,0 +1 @@
+mirror:Source/iptables-1.8.2-9.el8_0.1.src.rpm
--- a/base/libnftnl/centos/build_srpm.data
+++ b/base/libnftnl/centos/build_srpm.data
@ -0,0 +1,2 @@
+TIS_PATCH_VER=1
+BUILD_IS_SLOW=7
--- a/base/libnftnl/centos/meta_patches/PATCH_ORDER
+++ b/base/libnftnl/centos/meta_patches/PATCH_ORDER
@ -0,0 +1 @@
+update-package-versioning-for-STX.patch
--- a/base/libnftnl/centos/meta_patches/update-package-versioning-for-STX.patch
+++ b/base/libnftnl/centos/meta_patches/update-package-versioning-for-STX.patch
@ -0,0 +1,28 @@
+From 90b243ff4c05787cb3d0c765e0aef4a7deb02401 Mon Sep 17 00:00:00 2001
+From: SidneyAn <ran1.an@intel.com>
+Date: Wed, 5 Feb 2020 03:59:26 +0000
+Subject: [PATCH] Subject: update package versioning for STX
+
+Signed-off-by: SidneyAn <ran1.an@intel.com>
+---
+ SPECS/libnftnl.spec | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/SPECS/libnftnl.spec b/SPECS/libnftnl.spec
+index f13138f..8de5ebf 100644
+--- a/SPECS/libnftnl.spec
+++ b/SPECS/libnftnl.spec
+@@ -1,9 +1,8 @@
+ %define rpmversion 1.1.1
+-%define specrelease 4%{?dist}
+
+ Name:           libnftnl
+ Version:        %{rpmversion}
+-Release:        %{specrelease}%{?buildid}
+Release:        4.el8%{?_tis_dist}.%{tis_patch_ver}
+ Summary:        Library for low-level interaction with nftables Netlink's API over libmnl
+ License:        GPLv2+
+ URL:            http://netfilter.org/projects/libnftnl/
+--
+2.18.1
+
--- a/base/libnftnl/centos/srpm_path
+++ b/base/libnftnl/centos/srpm_path
@ -0,0 +1 @@
+mirror:Source/libnftnl-1.1.1-4.el8.src.rpm
				`@ -0,0 +1 @@`
				`mirror:Source/iptables-1.8.2-9.el8_0.1.src.rpm`