fedora-docs / release-notes

Clone
Source Code
GIT

#420 F32 System-Wide Change: iptables-nft-default
Closed 5 years ago by pbokoc. Opened 6 years ago by bcotton.

Closed
Reopen Issue

This issue tracks the release note for the following Fedora Change:

https://fedoraproject.org/wiki/Changes/iptables-nft-default

If you own this change, please add additional information here that we should communicate to Fedora users. Specifically, please consider:

  • New features available because of this change - pick 2 or 3 that are important
  • Considerations for users of previous releases of Fedora (upgrade issues, format changes, etc.)
  • Links to any upstream Release Notes
  • If this helps Fedora be a superior environment for our target audiences, please explain how so that we can emphasize this.

Your notes to us do not need to be formally written. We will edit them and add details as needed. This is a way for you to ensure that we know what is critical about your change.

If you want to write this release note, then:

  • Assign this issue to yourself
  • Check the wiki page linked above, find out what the change is about
  • Determine whether the change actually made it into the release or not[0]
  • Write a draft release note using that information against the correct branch here, in Pagure. (or see below)
  • Get in touch with the contact person/people listed on the wiki page, either through IRC or e-mail, and ask them to check your draft for technical accuracy
  • Submit your Release Note as a PR to this repository.

Once you're done with the above, make sure to either commit the relnote to an appropriate section of the Release Notes book, or, if you're not familiar with Git, AsciiDoc, or whatever else, just add it to this issue as a comment and let pbokoc[1] know that you're done with this one and you'd like the note included. Be sure to do this at least one day before the final release (October 29 according to the current schedule). Also make sure to do this even for relnotes that haven't been checked by the change owner.

[0] You can do that by asking the change owner listed on the wiki page; alternatively you can infer it by checking the tracker bug (linked in Wiki) in Bugzilla and looking at its status; see bug comments for details. Ask someone on the mailing list or on IRC if you're not sure.
[1] In #fedora-docs on FreeNode (UTC+1 timezone, online mostly during the day on weekdays), or pbokoc @redhat.com if you can't get a hold of me on IRC.

Metadata Update from @mjahoda:
- Issue assigned to mjahoda
5 years ago

@psutter Phil, could we use a description text based on the text for the RHEL 8.0 GA? I have checked the Wiki page but all the details there did not answer my questions regarding the difference of the state (and implementation) in RHEL 8.0 vs. F32.

`nftables` replaces `iptables` as the default network packet filtering framework

The `nftables` framework provides packet classification facilities and it is the designated successor to the `iptables`, `ip6tables`, `arptables`, and `ebtables` tools. It offers numerous improvements in convenience, features, and performance over previous packet-filtering tools, most notably:

 * lookup tables instead of linear processing
 * a single framework for both the `IPv4` and `IPv6` protocols
 * rules all applied atomically instead of fetching, updating, and storing a complete ruleset
 * support for debugging and tracing in the ruleset (`nftrace`) and monitoring trace events (in the `nft` tool)
 * more consistent and compact syntax, no protocol-specific extensions
 * a Netlink API for third-party applications

Similarly to `iptables`, `nftables` use tables for storing chains. The chains contain individual rules for performing actions. The `nft` tool replaces all tools from the previous packet-filtering frameworks. The `libnftables` library can be used for low-level interaction with `nftables` Netlink API over the `libmnl` library.

The `iptables`, `ip6tables`, `ebtables` and `arptables` tools are replaced by nftables-based drop-in replacements with the same name. While external behavior is identical to their legacy counterparts, internally they use `nftables` with legacy `netfilter` kernel modules through a compatibility interface where required. 

Effect of the modules on the `nftables` ruleset can be observed using the `nft list ruleset` command. Since these tools add tables, chains, and rules to the `nftables` ruleset, be aware that `nftables` rule-set operations, such as the `nft flush ruleset` command, might affect rule sets installed using the formerly separate legacy commands.

To quickly identify which variant of the tool is present, version information has been updated to include the back-end name. In RHEL 8, the nftables-based `iptables` tool prints the following version string:
----
$ iptables --version
iptables v1.8.0 (nf_tables)
----
For comparison, the following version information is printed if legacy `iptables` tool is present:
----
$ iptables --version
iptables v1.8.0 (legacy)
----

For more information, see link:https://fedoraproject.org/wiki/Changes/iptables-nft-default[] and link:https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools[].

PR is at #489

Well, I need to merge the PR so I'll go ahead and do that, the PR looks reasonable. If you want to change anything in the text, add a comment here and I'll do another update.

Whoops, guess I forgot about that.

Metadata Update from @pbokoc:
- Issue status updated to: Closed (was: Open)
5 years ago

Log in to comment on this ticket.

Metadata
None
None
None
None
Related Pull Requests
  • #489 Closed 5 years ago
Powered by Pagure 5.14.1
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.