[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#914423: marked as done (document iptables/nftables situation)

Your message dated Mon, 4 Mar 2019 14:47:58 +0100
with message-id <3e53405c-49db-2ed2-d088-9b96f1aed4dc@debian.org>
and subject line Re: document iptables/nftables situation
has caused the Debian Bug report #914423,
regarding document iptables/nftables situation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
914423: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914423
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release-notes
Severity: normal
Tags: buster

Hi,

I think the iptables/nftables situation for Buster worth mentioning in the release
notes. We got some important changes that I will describe below:

=== 8< ===
Debian Buster uses now the nftables framework by default.

Starting with iptables v1.8.2 the binary package includes iptables-nft and
iptables-legacy, two variants of the iptables command line interface. The
nftables-based is the default in Debian Buster and works with the nf_tables
Linux kernel subsystem. The legacy one uses the x_tables Linux kernel
subsystem. Users can use the update-alternatives system to select one variant
or the other.

This applies to all related tools and utilities:
 * iptables
 * iptables-save
 * iptables-restore
 * ip6tables
 * ip6tables-save
 * ip6tables-restore
 * arptables
 * arptables-save
 * arptables-restore
 * ebtables
 * ebtables-save
 * ebtables-restore

All these gained the -nft and -legacy variants as well. The -nft option is for
users that don't want -or can't- migrate to the native nftables command line
interface.
However users are really enouraged to switch to nftables rather than using the
old iptables interface.

nftables provides a full replacement for iptables, with much better
performance, a refreshed syntax, better support for IPv4/IPv6 dual-stack
firewalls, full atomic operations for dynamic ruleset updates, a Netlink API
for third party applications, faster packet classification through enhanced
generic set and map infrastructures, and many other improvements [0].

This movement is in line with what other major Linux distributions are doing,
like the RedHat, that now uses nftables as default firewalling tool [1].

Also, please note that all iptables binaries are now installed in /usr/sbin
instead of /sbin. A compatibility symlink is in place, but will be dropped
after the Buster release cycle. Please, don't use hardcoded binary paths in
your scripts or update them manually for the new location.

Extensive documentation are available in package's README and NEWS files, and
also online [2].

[0] https://wiki.nftables.org
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html-single/8.0_beta_release_notes/index#networking_2
[2] https://wiki.debian.org/nftables
=== 8< ===

--- End Message ---
--- Begin Message --- 
Hi Arturo,

On Fri, 23 Nov 2018 10:19:52 +0100 Arturo Borrero Gonzalez
<arturo@debian.org> wrote:
> I think the iptables/nftables situation for Buster worth mentioning in the release
> notes. We got some important changes that I will describe below:

Committed.
https://salsa.debian.org/ddp-team/release-notes/commit/8cc130d

Thanks for your contribution.

Paul

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
Reply to: