From 3fb87b6358ff4b3c4e82ae97af82bff58cf68ba9 Mon Sep 17 00:00:00 2001 From: Petr Bokoc Date: Apr 14 2020 20:19:03 +0000 Subject: Issue 420 - nftables replaces iptables --- diff --git a/modules/release-notes/nav.adoc b/modules/release-notes/nav.adoc index 60d60ad..2960577 100644 --- a/modules/release-notes/nav.adoc +++ b/modules/release-notes/nav.adoc @@ -8,6 +8,7 @@ include::{partialsdir}/entities.adoc[] *** xref:sysadmin/Distribution.adoc[Distribution-wide Changes] *** xref:sysadmin/Installation.adoc[Installation] *** xref:sysadmin/Security.adoc[Security] +*** xref:sysadmin/Networking.adoc[Networking] *** xref:sysadmin/Storage.adoc[Storage] *** xref:sysadmin/System_Utilities.adoc[System Utilities] ** xref:desktop/Desktop_index.adoc[Desktop Users] diff --git a/modules/release-notes/pages/sysadmin/Networking.adoc b/modules/release-notes/pages/sysadmin/Networking.adoc new file mode 100644 index 0000000..4c1a2e3 --- /dev/null +++ b/modules/release-notes/pages/sysadmin/Networking.adoc 
@@ -0,0 +1,47 @@ + +include::{partialsdir}/entities.adoc[] + +[[networking]] += Networking + +== nftables replaces iptables as the default network packet filtering framework + +The `nftables` framework provides packet classification facilities and it is the designated successor to the `iptables`, `ip6tables`, `arptables`, and `ebtables` tools. +It offers numerous improvements in convenience, features, and performance over previous packet-filtering tools, most notably: + + * Lookup tables instead of linear processing. + * A single framework for both the IPv4 and IPv6 protocols. + * Rules all applied atomically instead of fetching, updating, and storing a complete ruleset. + * Support for debugging and tracing in the ruleset (`nftrace`) and monitoring trace events (in the `nft` tool). + * More consistent and compact syntax, no protocol-specific extensions. + * A Netlink API for third-party applications. + +Similarly to `iptables`, `nftables` use tables for storing chains. +The chains contain individual rules for performing actions. +The `nft` tool replaces all tools from the previous packet-filtering frameworks. +The `libnftables` library can be used for low-level interaction with `nftables` Netlink API over the `libmnl` library. + +The `iptables`, `ip6tables`, `ebtables` and `arptables` tools are replaced by nftables-based drop-in replacements with the same name. +While external behavior is identical to their legacy counterparts, internally they use `nftables` with legacy `netfilter` kernel modules through a compatibility interface where required. + +Effect of the modules on the `nftables` ruleset can be observed using the `nft list ruleset` command. +Since these tools add tables, chains, and rules to the `nftables` ruleset, be aware that `nftables` rule-set operations, such as the `nft flush ruleset` command, might affect rule sets installed using the formerly separate legacy commands. 
+ +To quickly identify which variant of the tool is present, version information has been updated to include the back-end name. +In RHEL 8, the nftables-based `iptables` tool prints the following version string: + +[source,bash] +---- +$ iptables --version +iptables v1.8.0 (nf_tables) +---- + +For comparison, the following version information is printed if legacy `iptables` tool is present: + +[source,bash] +---- +$ iptables --version +iptables v1.8.0 (legacy) +---- + +For more information, see link:https://fedoraproject.org/wiki/Changes/iptables-nft-default[] and link:https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools[].
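Review bot: In the nav.adoc hunk, the new `*** xref:sysadmin/Networking.adoc[Networking]` entry is inserted between `Security` and `Storage`, which breaks the otherwise alphabetical order of the sysadmin entries (Distribution, Installation, Security, Storage, System Utilities); if that ordering is intentional, move the line above `*** xref:sysadmin/Security.adoc[Security]` so the list reads Installation, Networking, Security, Storage.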
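Review bot: In the Networking.adoc hunk, the sentence "In RHEL 8, the nftables-based `iptables` tool prints the following version string:" names the wrong product for a Fedora release-notes module (the page links to fedoraproject.org/wiki/Changes/iptables-nft-default); replace "RHEL 8" with the Fedora release these notes cover, and confirm the `iptables v1.8.0 (nf_tables)` and `iptables v1.8.0 (legacy)` sample output matches the iptables version actually shipped, since the text presents it as the string users will see when checking which back-end is active. Grammar in the same hunk: "`nftables` use tables for storing chains" should be "uses", "Effect of the modules on the `nftables` ruleset" should be "The effect of these tools on the `nftables` ruleset", and "if legacy `iptables` tool is present" needs "the".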