Make iptables-nft the preferred iptables variant.

iptables-nft package provides alternative implementations of iptables, ip6tables, ebtables and arptables and associated save and restore commands. These use nftables internally while providing the same look'n'feel as [...] Users may choose between both implementations using [...] Upstream considers the traditional implementations legacy and therefore renamed [...] In Fedora, same has been done to arptables and ebtables packages, namely renaming them [...] iptables package, which in fact is the only one other packages [...]

To change the status quo, two measures are planned:

= Raise priority of nft-variants in alternatives =

Currently, legacy variants are installed with priority 10 and nft [...] This must be changed as otherwise installing [...] iptables-nft installed would change the active alternative (since they are in automatic mode by default). On the other hand, existing systems using legacy variants should not be changed by a system update.

New name should be iptables-legacy which aligns with ebtables and arptables and reflects upstream status. To resolve dependencies, Provides: iptables statement will be added [...]

* RHEL8 ships nft-variants exclusively, make Fedora align with that by default while still providing the option to fall back to legacy tools.
* New features and improvements are likely to hit nft-variants due to the possibility nftables backend allows for. [...] xtables-monitor tool) or are being upstreamed right now (improved tool performance when dealing [...]

Changes are rather simple: Rename iptables package, add [...] change priorities used when calling alternatives.

The changed tools may cause regressions among packages using them and [...] It affects only new installations (or those manually switched over). So while no explicit effort is required from them, they should be made aware of the change so they take a possible regression in iptables into account, quickly test against legacy variant and file a ticket (or complain to the right person) if that fixes the problem.

* Policies and guidelines: No change required
* Trademark approval: N/A (not needed for this Change)

Due to the package rename and Provides: line, upgrades will pull [...] priorities, existing choices won't be changed and so existing installations shouldn't be harmed (apart from forced installation of [...]

Sadly, there are a few known issues, like e.g. missing support for ebtables broute table or among match and a few iptables targets/matches. [...] on such features are advised to install iptables-legacy package [...]

Any users of iptables/ebtables/arptables should switch to nft-variants using alternatives tool (if necessary) and check that everything works as before. Issues should be reported despite the known compatibility issues described above since knowledge about who uses the missing features is valuable [...]

Since iptables-nft does not need a lock file anymore, no problems with stale xtables-lock or parallel iptables calls in different mount namespaces are expected anymore. Given the changes currently being upstreamed, users dealing with large rulesets should see a performance [...]