Consider moving iptables dependency from podman to network packages
Description:
podman itself doesn't make use of anything firewall-related; it is done by either netavark or cni-plugins (which is deprecated).
I am not sure what the best course of action is here because:
- you can't simply add a hard dependency on iptables in cni-plugins as
  - you can choose between firewalld and iptables
  - nerdctl doesn't require it
  - cri-o depends on iptables (although it indirectly pulls iptables from iproute2 anyway)
  - kubelet uses iptables-nft (but it has an optional dep on cri-o so you can't use kubelet and iptables-legacy)
You can't simply add a hard dependency on iptables in netavark either because it can also choose between iptables, firewalld and nftables. But it is likely possible to add optional dependencies for all of them.
However, while the firewall backend is optional, parent packages (in the case of netavark it is only podman) still imply the use of iptables. It might be reasonable because netavark will use the iptables backend by default, but their developers package RPMs with nftables by default instead.
Additional info:
- package version(s): 5.1.1
- config and/or log files:
- link to upstream bug report, if any: