Make iptables-nft the preferred iptables variant.
Also see Changes/firewalld_default_to_nftables.
- Name: Phil Sutter
- Email: email@example.com
- Targeted release: Fedora 32
- Last updated: 2020-01-16
- Tracker bug: #1774046
- Release notes tracker: #420
iptables-nft package provides alternative implementations of
iptables, ip6tables, ebtables and arptables and associated save and restore
commands. These use nftables internally while providing the same look'n'feel as
the original tools. Users may choose between both implementations using
Upstream considers the traditional implementations legacy and therefore renamed
the binaries adding '-legacy' suffix. In Fedora, same has been done to
ebtables packages, namely renaming them
ip6tables remain in
iptables package, which in fact is the only one other packages
To change the status quo, two measures are planned:
Raise priority of nft-variants in
Currently, legacy variants are installed with priority 10 and nft variants with priority 5. This must be changed as otherwise installing
iptables-legacy in a system with
iptables-nft installed would change the active alternative (since they are in automatic mode by default).
On the other hand, existing systems using legacy variants should not be changed by a system update. Therefore nft variants' priorities should be chosen to match legacy ones.
Add needed Provides:/Suggests: lines to packages
Firewalld depending on iptables and being installed by default is changed to suggest iptables-nft so that is preferred over legacy iptables.
Iptables-nft package is extended to provide 'iptables', 'ebtables' and 'arptables' so it fulfills package dependencies.
Benefit to Fedora
- RHEL8 ships nft-variants exclusively, make Fedora align with that by default while still providing the option to fall back to legacy tools.
- New features and improvements are likely to hit nft-variants due to the possibility nftables backend allows for. Although at this point some legacy features (e.g. ebtables among match) are still missing, others are already there (like, e.g. xtables-monitor tool) or are being upstreamed right now (improved tool performance when dealing with large rulesets).
- Proposal owners:
Changes are rather simple: Rename
iptables package, add
Provides: line to
iptables-nft package, change priorities used when calling
- Other developers:
The changed tools may cause regressions among packages using them and it affects only new installations (or those manually switched over). So while no explicit effort is required from them, they should be made aware of the change so they take a possible regression in iptables into account, quickly test against legacy variant and file a ticket (or complain to the right person) if that fixes the problem.
- Release engineering: #8934
- Policies and guidelines: No change required
- Trademark approval: N/A (not needed for this Change)
Due to the package rename and
Provides: line, upgrades will pull
iptables-nft package. But due to the equal alternatives
priorities, existing choices won't be changed and so existing installations
shouldn't be harmed (apart from forced installation of
Sadly, there are a few known issues, like e.g. missing support for ebtables
broute table or among match and a few iptables targets/matches. Users depending
on such features are advised to install
and switch variants using
How To Test
Any users of iptables/ebtables/arptables should switch to nft-variants using alternatives tool (if necessary) and check that everything works as before. Any issues should be reported despite the known compatibility issues described above since knowledge about who uses the missing features is valuable information for both up- and downstream.
Ideally look'n'feel shouldn't change. Since iptables-nft does not need a lock file anymore, no problems with stale xtables-lock or parallel iptables calls in different mount namespaces are expected anymore. Given the changes currently being upstreamed, users dealing with large rulesets should see a performance increase when manipulating the ruleset (lower run-times of iptables or iptables-restore, packet processing speed should not really change).
Other packages depending on iptables:
Since nft-variants are supposed to be drop-in replacements, no outside contribution is needed in order to perform this change.
- Contingency mechanism: Nothing needs to be done, the change should be atomic.
- Contingency deadline: N/A
- Blocks release? No
- Man pages: