Load ip_tables modules at boot

Rootless users cannot load the ip_tables module, in fedora 36 this module is no longer loaded by default so we have to add it manually. This is needed because rootless network setup tries to use iptables and if iptables-legacy is used instead of iptables-nft it will fail. To provide a better user experience we will load the module at boot. Note that this is not needed for RHEL because iptables-legacy is not supported on RHEL 8 and newer. [NO NEW TESTS NEEDED] Fixes containers#12661 Signed-off-by: Paul Holzinger <[email protected]>
mheon · Feb 23, 2022 · a0c34d6 · a0c34d6
1 parent 172b745
commit a0c34d6
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/Makefile b/Makefile
@@ -44,6 +44,7 @@ MANDIR ?= ${PREFIX}/share/man
 SHAREDIR_CONTAINERS ?= ${PREFIX}/share/containers
 ETCDIR ?= ${PREFIX}/etc
 TMPFILESDIR ?= ${PREFIX}/lib/tmpfiles.d
+MODULESLOADDIR ?= ${PREFIX}/lib/modules-load.d
 SYSTEMDDIR ?= ${PREFIX}/lib/systemd/system
 USERSYSTEMDDIR ?= ${PREFIX}/lib/systemd/user
 REMOTETAGS ?= remote exclude_graphdriver_btrfs btrfs_noversion exclude_graphdriver_devicemapper containers_image_openpgp
@@ -779,6 +780,11 @@ install.bin:
 	install ${SELINUXOPT} -m 755 -d ${DESTDIR}${TMPFILESDIR}
 	install ${SELINUXOPT} -m 644 contrib/tmpfile/podman.conf ${DESTDIR}${TMPFILESDIR}/podman.conf
 
+.PHONY: install.modules-load
+install.modules-load: # This should only be used by distros which might use iptables-legacy, this is not needed on RHEL
+	install ${SELINUXOPT} -m 755 -d ${DESTDIR}${MODULESLOADDIR}
+	install ${SELINUXOPT} -m 644 contrib/modules-load.d/podman-iptables.conf ${DESTDIR}${MODULESLOADDIR}/podman-iptables.conf
+
 .PHONY: install.man
 install.man:
 	install ${SELINUXOPT} -d -m 755 $(DESTDIR)$(MANDIR)/man1

diff --git a/contrib/modules-load.d/podman-iptables.conf b/contrib/modules-load.d/podman-iptables.conf
@@ -0,0 +1,5 @@
+# On fedora 36 ip_tables is no longer auto loaded and rootless user have no permsissions to load it.
+# When we have actual nftables support in the future we might want to revisit this.
+# If you use iptables-nft this is not needed.
+ip_tables
+ip6_tables
diff --git a/podman.spec.rpkg b/podman.spec.rpkg
@@ -203,6 +203,9 @@ PODMAN_VERSION=%{version} %{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} ETCDI
         install.docker \
         install.docker-docs \
         install.remote \
+%if 0%{?fedora} >= 36
+        install.modules-load
+%endif
 
 install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
 cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
@@ -239,6 +242,9 @@ done
 %{_userunitdir}/%{name}.socket
 %{_userunitdir}/%{name}-restart.service
 %{_usr}/lib/tmpfiles.d/%{name}.conf
+%if 0%{?fedora} >= 36
+    %{_usr}/lib/modules-load.d/%{name}-iptables.conf
+%endif
 
 %files docker
 %{_bindir}/docker