• New features available because of this change - pick 2 or 3 that are important
  • Fewer firewall rules (rule consolidation)
  • firewalld's rules are namespaced
  • Netfilter upstream is focusing on nftables, not iptables
• Considerations for users of previous releases of Fedora (upgrade issues, format changes, etc.)
  • direct rules execute before all of firewalld's other rules
  • iptables rules executed before firewalld's rules
    • packets dropped in iptables (or direct rules) will never be seen by firewalld
    • packets accepted in iptables (or direct rules) are still subject to firewalld's rules
• Links to any upstream Release Notes
  • https://firewalld.org/2018/07/nftables-backend
• If this helps Fedora be a superior environment for our target audiences, please explain how so that we can emphasize this.
  • No. Brings Fedora inline with other distributions and RHEL

See #487

@erig0 I have put together the description text in the RHEL 8.0 Rel. notes and the information from your comment and wiki:

`firewalld` now uses `nftables` as its default backend

With this release, the `nftables` filtering subsystem becomes the default firewall backend for the `firewalld` daemon.
To change the backend, use the `FirewallBackend` option in the `/etc/firewalld/firewalld.conf` file.
This change introduces the following differences in behavior when using `nftables`:
* `iptables` rule executions always occur _before_ `firewalld` rules
** DROP in `iptables` means a packet is never seen by `firewalld`
** ACCEPT in `iptables` means a packet is still subject to `firewalld` rules
* direct-rule execution occurs _before_ `firewalld` generic acceptance of established connections

For more information, see link:https://firewalld.org/2018/07/nftables-backend[] and link:https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables[].

#487 has been merged - thanks!