#2231 F32 System-Wide Change: Firewalld Default to nftables
Closed: Accepted 4 years ago by sgallagh. Opened 4 years ago by bcotton.

This change will toggle the default firewalld backend from iptables to nftables. All of firewalld's primitives will use nftables while direct rules continue to use iptables/ebtables.


We don't maintain Docker. That is a company. We do maintain container engines. Our use of firewall rules is through CNI plugins, so we really need to know if they are ok with this.
@dcbw @mcambria

You are the maintainers of the "docker" package. That's why I've CCed you.

The "docker" package does/should not exist in Fedora 32 or Fedora 31 for that matter.
We are the maintainers of podman, buildah, cri-o, skopeo.

There is a moby-engine package, but I should not be a maintainer of this.

Correct, sorry, I've missed that "docker" is retired.

I don't think we should block this change by moby-engine support.

+1

I think we should block this change by moby-engine support.

I agree we should NOT block the change based on moby-engine support.

Based on the description in the change page, adding support in moby-engine is not complicated.

I think the switch is a big improvement for the majority of users and we should not block on moby-engine support, though of course it would be nice if it is done in time.

+1

Let me make my vote -1.

I realize that we prefer podman over moby/docker, but the reality probably is the majority of developers and poweradmins (power users/admins) will blame Fedora if docker breaks for them.

The change explicitly says a fix is possible, and I would like to block this change on an ack from whoever maintains the package that provides the docker command (that is AFAIK both the moby-engine package maintained by @olem and the podman-docker package maintained by @lsm5 and co., while only moby-engine also provides the docker name).

After a week, the vote is +4,0,-1. By the ticket policy, I am tagging this for the next meeting.

Metadata Update from @bcotton:
- Issue tagged with: meeting

4 years ago

Approved in the meeting (+6,0,-1).

Note that the FESCo decision is that "The maintainers of moby-engine are responsible for how [this] turns out for them.".

Metadata Update from @sgallagh:
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

4 years ago
