Re: [PATCH v2 27/27] RFC: spec: change iptables/ebtables from Requires to Recommends, add nftables
On 4/23/24 6:46 AM, Daniel P. Berrangé wrote:
On Sun, Apr 21, 2024 at 10:53:35PM -0400, Laine Stump wrote:
> We really shouldn't be requiring ebtables and iptables any more, since
> they don't always need to be used. Likewise, we probably should at
> least Recommend nftables, even though it's pretty much always
> installed already anyway.
>
> (Changing Requires to Recommends for the nwfilter package is a bit
> premature, since it currently will always require iptables and
> ebtables to function properly, but changing those to Recommends leads
> to a much smaller list of dependent packages removed by "dnf rm
> iptables/ebtables").
>
> Signed-off-by: Laine Stump <laine(a)redhat.com>
> ---
> libvirt.spec.in | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index 05f7a7e7c0..66b328671d 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -592,7 +592,8 @@ Summary: Network driver plugin for the libvirtd daemon
> Requires: libvirt-daemon-common = %{version}-%{release}
> Requires: libvirt-libs = %{version}-%{release}
> Requires: dnsmasq >= 2.41
> -Requires: iptables
> +Recommends: iptables
> +Recommends: nftables
Or we use a bool expression:
Requires: (iptables or nftables)
which guarantees at least one is present and thus no possibility of
a broken install
TIL.
>
> %description daemon-driver-network
> The network driver plugin for the libvirtd daemon, providing
> @@ -603,8 +604,8 @@ bridge capabilities.
> Summary: Nwfilter driver plugin for the libvirtd daemon
> Requires: libvirt-daemon-common = %{version}-%{release}
> Requires: libvirt-libs = %{version}-%{release}
> -Requires: iptables
> -Requires: ebtables
> +Recommends: iptables
> +Recommends: ebtables
This looks premature since we've not provided an nft backend option
for nwfilter. Thus the only effect of this change is to guarantee
the ability to create a broken instalation
Yeah, I only left it in here because this is an RFC patch, and I was
curious how much it would reduce the side-effect package removals when
someone did "dnf rm ebtables iptables" (a lot, it turns out).
When the time comes though we would do
Requires: (iptables or nftables)
Requires: (ebtables if iptables)
If only specfiles had a way to slap the admin with a rubber chicken "if
iptables"...