Re: Fedora 32 System-Wide Change proposal: iptables-nft-default

Hi Bex,

On Thu, Oct 21, 2021 at 12:58:11PM +0200, Brian (bex) Exelbierd wrote:
> On Thu, Oct 21, 2021 at 3:23 AM Phil Sutter <psutter@xxxxxxxxxx> wrote:
> > On Wed, Oct 20, 2021 at 01:40:35PM -0700, Adam Williamson wrote:
> > > On Wed, 2021-10-20 at 18:39 +0200, Brian (bex) Exelbierd wrote:
> > [...]
> > > > AIUI, we made the change to use iptables-nft as the default with F32. We
> > > > also decided that existing iptables-legacy users shouldn't be moved to
> > > > iptables-nft during an upgrade.
> > > >
> > > > However, I think that new installations are still defaulting to
> > > > iptables-legacy.  The group "Common NetworkManager Submodules" pulls in
> > > > `iptables` which seems to pull in iptables-legacy by default.
> > > >
> > > > This feels like an oversight and should be fixed.  Is this correct?
> >
> > I just had a bright moment! It told me to check fedora-comps: Indeed the
> > above issue was reported[1] and fixed[2] for F35.
> >
> 
> Thank you for catching the update is already in the works.
> 
> Does this also remove iptables-compat?  I gather from its description it
> should have been removed by now.

The -compat package is merely there as transitioning aid during updates.
It provides no functionality at all. The relevant pieces are:

* nftables - the successor to (old) iptables, all new, no bounds

* iptables-legacy - the old iptables, not related to nftables at all

* iptables-nft - a drop-in replacement to -legacy, using nftables with
                 (some) legacy matches/targets

The decision between legacy and nft variants of iptables happens via
alternatives. Switching should not be noticeable to users apart from
corner-cases.

> I also can't help but wonder what the impact of this change will be on
> OSTree users.  Will they be force upgraded from iptables to nftables
> through the removal?

A key point in the above is that 'dnf update' won't change the currently
used variant on a system. New installs should default to iptables-nft,
though. I'm not familiar with ostree, so I can't tell if this promise
holds there. If it doesn't and we can fix it in RPM, please let me know
(or just file a ticket so we can track it).

Cheers, Phil
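As an added example, not part of this thread or of the Fedora packages: a POSIX shell script that reports which iptables variant the `alternatives` selection currently points at (read from the `iptables -V` banner, which says `(nf_tables)` for iptables-nft and `(legacy)` for iptables-legacy) and flags the corner case a switch can leave behind, rules present in both backends at once. The rule listings inside `demo` are constructed samples in `iptables -S` format.

```shell
#!/bin/sh
# Map the `iptables -V` banner to the backend the alternatives link selects.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Count real rules (`-A` lines) in an `iptables -S` listing passed as $1.
# `-P` (policy) and `-N` (chain) lines are not rules.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# $1 = iptables-legacy -S output, $2 = iptables-nft -S output.
# Prints legacy, nft, none, or both. "both" deserves attention: the kernel
# evaluates legacy and nf_tables rules independently, so rules lingering in
# the backend that `iptables` no longer points at still take effect.
ruleset_state() {
    legacy_n=$(count_rules "$1")
    nft_n=$(count_rules "$2")
    if [ "$legacy_n" -gt 0 ] && [ "$nft_n" -gt 0 ]; then echo both
    elif [ "$legacy_n" -gt 0 ]; then echo legacy
    elif [ "$nft_n" -gt 0 ]; then echo nft
    else echo none; fi
}

# Live check for a host that has both variants installed.
audit_host() {
    command -v iptables >/dev/null || { echo "iptables not installed"; return 0; }
    echo "default backend: $(iptables_backend "$(iptables -V 2>/dev/null)")"
    if command -v iptables-legacy >/dev/null && command -v iptables-nft >/dev/null; then
        echo "rules present in: $(ruleset_state "$(iptables-legacy -S 2>/dev/null)" \
                                                 "$(iptables-nft -S 2>/dev/null)")"
    fi
}

# Constructed sample: one SSH accept rule left in legacy, nothing in nft yet.
demo() {
    legacy='-P INPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'
    nft='-P INPUT DROP
-N FOO'
    ruleset_state "$legacy" "$nft"
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run with `--audit` on a real host to inspect it; without arguments it only defines the functions.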
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
