Iptables support removal

Cargo.toml

@@ -37,7 +37,6 @@ anyhow = "1.0.93"
 clap = { version = "~4.5.51", features = ["derive", "env"] }
 env_logger = "0.11.8"
 ipnet = { version = "2.11.0", features = ["serde"] }
-iptables = "0.6.0"
 libc = "0.2.157"
 log = "0.4.28"
 serde = { version = "1.0.228", features = ["derive"] }

README.md

@@ -10,7 +10,7 @@ Netavark is a tool for configuring networking for Linux containers. Its features
 * Configuration of container networks via JSON configuration file
 * Creation and management of required network interfaces, including MACVLAN networks
 * All required firewall configuration to perform NAT and port forwarding as required for containers
-* Support for iptables, firewalld and nftables
+* Support for firewalld and nftables
 * Support for rootless containers
 * Support for IPv4 and IPv6
 * Support for container DNS resolution via the [aardvark-dns](https://github.com/containers/aardvark-dns) project

build.rs

@@ -64,17 +64,16 @@ fn main() {
     println!("cargo:rustc-env=GIT_COMMIT={commit}");
 
     // Handle default firewall driver.
-    // Allowed values "nftables" and "iptables".
+    // Allowed values "nftables" and "none".
     let fwdriver = match env::var("NETAVARK_DEFAULT_FW")
-        .unwrap_or("iptables".to_string())
+        .unwrap_or("nftables".to_string())
         .as_str()
     {
         "nftables" => "nftables",
-        "iptables" => "iptables",
         "none" => "none",
         inv => panic!("Invalid default firewall driver {inv}"),
     };
-    println!("cargo:rustc-check-cfg=cfg(default_fw, values(\"nftables\", \"iptables\", \"none\"))");
+    println!("cargo:rustc-check-cfg=cfg(default_fw, values(\"nftables\", \"none\"))");
     println!("cargo:rustc-cfg=default_fw=\"{fwdriver}\"");
     println!("cargo:rustc-env=DEFAULT_FW={fwdriver}");
 }

docs/netavark-firewalld.7.md

@@ -9,7 +9,7 @@ netavark-firewalld - description of the interaction of Netavark and firewalld
 ## Description
 
 Netavark can be used on systems with firewalld enabled without issue.
-When using the default `nftables` or `iptables` firewall drivers, on systems where firewalld is running, firewalld will automatically be configured to allow connectivity to Podman containers.
+When using the default `nftables` firewall driver, on systems where firewalld is running, firewalld will automatically be configured to allow connectivity to Podman containers.
 All subnets of Podman-managed networks will be automatically added to the `trusted` zone to allow this access.
 
 ### Firewalld Driver
@@ -18,7 +18,7 @@ There is also a dedicated firewalld driver in Netavark.
 This driver uses the firewalld DBus API to natively interact with firewalld.
 It can be enabled by setting `firewall_driver` to `firewalld` in `containers.conf`.
 The native firewalld driver offers better integration with firewalld, but presently suffers from several limitations.
-It does not support isolation (the `--opt isolate=` option to `podman network create`.
+It does not support isolation (the `--opt isolate=` option to `podman network create`).
 Connections to ports forwarded by a container on the same host can only be made through the IPv4 localhost IP (`127.0.0.1`).
 Using other IPs on the host will not work, unless the connection comes from a separate host.
 

rpm/netavark.spec

@@ -14,15 +14,6 @@
 # Minimum X.Y dep for aardvark-dns
 %define major_minor %((v=%{version}; echo ${v%.*}))
 
-# Set default firewall to nftables on CentOS Stream 10+, RHEL 10+, Fedora 41+
-# and default to iptables on all other environments
-# The `rhel` macro is defined on CentOS Stream, RHEL as well as Fedora ELN.
-%if (%{defined rhel} && 0%{?rhel} >= 10) || (%{defined fedora} && 0%{?fedora} >= 41)
-%define default_fw nftables
-%else
-%define default_fw iptables
-%endif
-
 Name: netavark
 # Set a different Epoch for copr builds
 %if %{defined copr_username}
@@ -49,11 +40,7 @@ BuildRequires: %{_bindir}/go-md2man
 # aardvark-dns and %%{name} are usually released in sync
 Requires: aardvark-dns >=  %{epoch}:%{major_minor}
 Provides: container-network-stack = 2
-%if "%{default_fw}" == "nftables"
 Requires: nftables
-%else
-Requires: iptables
-%endif
 BuildRequires: make
 BuildRequires: protobuf-c
 BuildRequires: protobuf-compiler
@@ -82,7 +69,7 @@ Its features include:
     including MACVLAN networks
 * All required firewall configuration to perform NAT and port
     forwarding as required for containers
-* Support for iptables, firewalld and nftables
+* Support for firewalld and nftables
 * Support for rootless containers
 * Support for IPv4 and IPv6
 * Support for container DNS resolution via aardvark-dns.
@@ -102,7 +89,7 @@ tar fx %{SOURCE1}
 %endif
 
 %build
-NETAVARK_DEFAULT_FW=%{default_fw} %{__make} CARGO="%{__cargo}" build
+%{__make} CARGO="%{__cargo}" build
 %if (0%{?fedora} || 0%{?rhel} >= 10) && !%{defined copr_username}
 %cargo_license_summary
 %{cargo_license} > LICENSE.dependencies

src/firewall/fwnone.rs

@@ -4,7 +4,7 @@ use crate::network::internal_types::{
     PortForwardConfig, SetupNetwork, TearDownNetwork, TeardownPortForward,
 };
 
-// Iptables driver - uses direct iptables commands via the iptables crate.
+// Fwnone driver - No-op firewall implementation.
 pub struct Fwnone {}
 
 pub fn new() -> NetavarkResult<Box<dyn firewall::FirewallDriver>> {