Bug#914423: document iptables/nftables situation

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#914423: document iptables/nftables situation
From: Arturo Borrero Gonzalez <arturo@debian.org>
Date: Fri, 23 Nov 2018 10:19:52 +0100
Message-id: <[🔎] 154296479234.3039.1913565561361841678.reportbug@endurance>
Reply-to: Arturo Borrero Gonzalez <arturo@debian.org>, 914423@bugs.debian.org

Package: release-notes
Severity: normal
Tags: buster

Hi,

I think the iptables/nftables situation for Buster worth mentioning in the release
notes. We got some important changes that I will describe below:

=== 8< ===
Debian Buster uses now the nftables framework by default.

Starting with iptables v1.8.2 the binary package includes iptables-nft and
iptables-legacy, two variants of the iptables command line interface. The
nftables-based is the default in Debian Buster and works with the nf_tables
Linux kernel subsystem. The legacy one uses the x_tables Linux kernel
subsystem. Users can use the update-alternatives system to select one variant
or the other.

This applies to all related tools and utilities:
* iptables
* iptables-save
* iptables-restore
* ip6tables
* ip6tables-save
* ip6tables-restore
* arptables
* arptables-save
* arptables-restore
* ebtables
* ebtables-save
* ebtables-restore

All these gained the -nft and -legacy variants as well. The -nft option is for
users that don't want -or can't- migrate to the native nftables command line
interface.
However users are really enouraged to switch to nftables rather than using the
old iptables interface.

nftables provides a full replacement for iptables, with much better
performance, a refreshed syntax, better support for IPv4/IPv6 dual-stack
firewalls, full atomic operations for dynamic ruleset updates, a Netlink API
for third party applications, faster packet classification through enhanced
generic set and map infrastructures, and many other improvements [0].

This movement is in line with what other major Linux distributions are doing,
like the RedHat, that now uses nftables as default firewalling tool [1].

Also, please note that all iptables binaries are now installed in /usr/sbin
instead of /sbin. A compatibility symlink is in place, but will be dropped
after the Buster release cycle. Please, don't use hardcoded binary paths in
your scripts or update them manually for the new location.

Extensive documentation are available in package's README and NEWS files, and
also online [2].

[0] https://wiki.nftables.org
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html-single/8.0_beta_release_notes/index#networking_2
[2] https://wiki.debian.org/nftables
=== 8< ===

Reply to:

Prev by Date: ifenslave: typo in bonding example
Next by Date: Líneas ICO (análisis sin compromiso)
Previous by thread: ifenslave: typo in bonding example
Next by thread: Líneas ICO (análisis sin compromiso)
Index(es):
- Date
- Thread