From 272bf29f97fc50dd5c3213cb1dd1a01ea6623161 Mon Sep 17 00:00:00 2001 From: Petr Bokoc Date: Apr 14 2020 14:16:42 +0000 Subject: Issue 396 - firewalld now uses nftables as its default backend --- diff --git a/modules/release-notes/pages/sysadmin/Security.adoc b/modules/release-notes/pages/sysadmin/Security.adoc index dcabdc5..6e8460b 100644 --- a/modules/release-notes/pages/sysadmin/Security.adoc +++ b/modules/release-notes/pages/sysadmin/Security.adoc @@ -3,3 +3,15 @@ include::{partialsdir}/entities.adoc[] [[sect-security]] = Security + +== firewalld now uses nftables as its default backend + +With this release, the `nftables` filtering subsystem becomes the default firewall backend for the `firewalld` daemon. +To change the backend, use the `FirewallBackend` option in the `/etc/firewalld/firewalld.conf` file. +This change introduces the following differences in behavior when using `nftables`: +* `iptables` rule executions always occur _before_ `firewalld` rules +** `DROP` in `iptables` means a packet is never seen by `firewalld` +** `ACCEPT` in `iptables` means a packet is still subject to `firewalld` rules +* direct-rule execution occurs _before_ `firewalld` generic acceptance of established connections + +For more information, see link:https://firewalld.org/2018/07/nftables-backend[] and link:https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables[].
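Review bot: in the new `== firewalld now uses nftables as its default backend` section the bullet list starts on the line immediately after `This change introduces the following differences in behavior when using `nftables`:` with no blank line between them; Asciidoctor only opens a list when a blank line precedes the first `*` item, so as written the `*` and `**` lines are likely to render as continuation text of that paragraph rather than as nested bullets. Insert an empty line before `* `iptables` rule executions always occur _before_ `firewalld` rules`. The same applies to the paragraph break before `For more information, see ...`, which already has its blank line and can serve as the model. The nested `**` items and the bare `link:...[]` macros (URL shown as the link text) are fine as they stand.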