From 753a43caf07790a923d8f6394744f1c5b0eb8ee4 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Tue, 22 Feb 2022 23:14:17 +0100 Subject: [PATCH] nixos/doc: improve release notes for iptables-nft and systemd with nftables backend This change probably wasn't documented sufficiently in the release notes, nor the fact that systemd stopped using iptables on its own in case of nf_tables support. Fixes #156041. --- .../from_md/release-notes/rl-2111.section.xml | 22 +++++++++++++++++-- .../manual/release-notes/rl-2111.section.md | 10 ++++++++- 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index 59da373f38e1..fc253a7a8b02 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -26,8 +26,26 @@ - iptables now uses - nf_tables backend. + iptables is now using + nf_tables under the hood, by using + iptables-nft, similar to + Debian + and + Fedora. + This means, ip[6]tables, + arptables and ebtables + commands will actually show rules from some specific tables in + the nf_tables kernel subsystem. + + + + + systemd got an nftables backend, and + configures (networkd) rules in their own + io.systemd.* tables. Check + nft list ruleset to see these rules, not + iptables-save (which only shows + iptables-created rules. diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index 1b59842e020b..2f667a7eb565 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md 
@@ -8,7 +8,15 @@ In addition to numerous new and upgraded packages, this release has the followin - Nix has been updated to version 2.4, reference its [release notes](https://discourse.nixos.org/t/nix-2-4-released/15822) for more information on what has changed. The previous version of Nix, 2.3.16, remains available for the time being in the `nix_2_3` package. -- `iptables` now uses `nf_tables` backend. +- `iptables` is now using `nf_tables` under the hood, by using `iptables-nft`, + similar to [Debian](https://wiki.debian.org/nftables#Current_status) and + [Fedora](https://fedoraproject.org/wiki/Changes/iptables-nft-default). + This means, `ip[6]tables`, `arptables` and `ebtables` commands will actually + show rules from some specific tables in the `nf_tables` kernel subsystem. + +- systemd got an `nftables` backend, and configures (networkd) rules in their + own `io.systemd.*` tables. Check `nft list ruleset` to see these rules, not + `iptables-save` (which only shows `iptables`-created rules. - PHP now defaults to PHP 8.0, updated from 7.4.
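Review bot: in the rl-2111.section.xml hunk, the parenthesis opened at `+ iptables-save (which only shows` is never closed; the final added line should read `iptables-created rules).` rather than `iptables-created rules.` Since this file sits under `from_md/`, the path suggests it is generated from the markdown source, so the wording fix belongs in the `.md` and this XML should be regenerated from it rather than edited by hand, otherwise the two copies drift apart.

Review bot: the same unbalanced parenthesis is in the rl-2111.section.md hunk: `+ `iptables-save` (which only shows `iptables`-created rules.` needs a closing `)` before the period. Two smaller wording points in the same hunk: `This means, `ip[6]tables`, ...` reads better without the comma after "means", and in `configures (networkd) rules in their own `io.systemd.*` tables` the subject is systemd, so "its own" is the agreeing form. The substantive guidance, that `iptables-save` no longer shows the whole ruleset and `nft list ruleset` is what to audit, is exactly what an operator reviewing firewall state needs, so it is worth keeping that sentence prominent once the punctuation is fixed.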