Bug#914423: document iptables/nftables situation
I think the iptables/nftables situation for Buster worth mentioning in the release
notes. We got some important changes that I will describe below:
=== 8< ===
Debian Buster uses now the nftables framework by default.
Starting with iptables v1.8.2 the binary package includes iptables-nft and
iptables-legacy, two variants of the iptables command line interface. The
nftables-based is the default in Debian Buster and works with the nf_tables
Linux kernel subsystem. The legacy one uses the x_tables Linux kernel
subsystem. Users can use the update-alternatives system to select one variant
or the other.
This applies to all related tools and utilities:
All these gained the -nft and -legacy variants as well. The -nft option is for
users that don't want -or can't- migrate to the native nftables command line
However users are really enouraged to switch to nftables rather than using the
old iptables interface.
nftables provides a full replacement for iptables, with much better
performance, a refreshed syntax, better support for IPv4/IPv6 dual-stack
firewalls, full atomic operations for dynamic ruleset updates, a Netlink API
for third party applications, faster packet classification through enhanced
generic set and map infrastructures, and many other improvements .
This movement is in line with what other major Linux distributions are doing,
like the RedHat, that now uses nftables as default firewalling tool .
Also, please note that all iptables binaries are now installed in /usr/sbin
instead of /sbin. A compatibility symlink is in place, but will be dropped
after the Buster release cycle. Please, don't use hardcoded binary paths in
your scripts or update them manually for the new location.
Extensive documentation are available in package's README and NEWS files, and
also online .
=== 8< ===