From Fedora Project Wiki


iptables-nft-default

Summary

Make iptables-nft the preferred iptables variant.

Also see Changes/firewalld_default_to_nftables.

Owner

Current status

Detailed Description

iptables-nft package provides alternative implementations of iptables, ip6tables, ebtables and arptables and associated save and restore commands. These use nftables internally while providing the same look'n'feel as the original tools. Users may choose between both implementations using alternatives tool.

Upstream considers the traditional implementations legacy and therefore renamed the binaries adding '-legacy' suffix. In Fedora, same has been done to arptables and ebtables packages, namely renaming them to arptables-legacy and ebtables-legacy. Legacy iptables and ip6tables remain in iptables package, which in fact is the only one other packages depend upon.

To change the status quo, two measures are planned:

Raise priority of nft-variants in alternatives

Currently, legacy variants are installed with priority 10 and nft variants with priority 5. This must be changed as otherwise installing iptables-legacy in a system with iptables-nft installed would change the active alternative (since they are in automatic mode by default).

On the other hand, existing systems using legacy variants should not be changed by a system update. Therefore nft variants' priorities should be chosen to match legacy ones.

Add needed Provides:/Suggests: lines to packages

Firewalld depending on iptables and being installed by default is changed to suggest iptables-nft so that is preferred over legacy iptables.

Iptables-nft package is extended to provide 'iptables', 'ebtables' and 'arptables' so it fulfills package dependencies.

Benefit to Fedora

  • RHEL8 ships nft-variants exclusively, make Fedora align with that by default while still providing the option to fall back to legacy tools.
  • New features and improvements are likely to hit nft-variants due to the possibility nftables backend allows for. Although at this point some legacy features (e.g. ebtables among match) are still missing, others are already there (like, e.g. xtables-monitor tool) or are being upstreamed right now (improved tool performance when dealing with large rulesets).

Scope

  • Proposal owners:

Changes are rather simple: Rename iptables package, add Provides: line to iptables-nft package, change priorities used when calling alternatives.

  • Other developers:

The changed tools may cause regressions among packages using them and it affects only new installations (or those manually switched over). So while no explicit effort is required from them, they should be made aware of the change so they take a possible regression in iptables into account, quickly test against legacy variant and file a ticket (or complain to the right person) if that fixes the problem.

  • Release engineering: #8934
  • Policies and guidelines: No change required
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

Due to the package rename and Provides: line, upgrades will pull in iptables-nft package. But due to the equal alternatives priorities, existing choices won't be changed and so existing installations shouldn't be harmed (apart from forced installation of iptables-nft package).

Sadly, there are a few known issues, like e.g. missing support for ebtables broute table or among match and a few iptables targets/matches. Users depending on such features are advised to install iptables-legacy package and switch variants using alternatives.


How To Test

Any users of iptables/ebtables/arptables should switch to nft-variants using alternatives tool (if necessary) and check that everything works as before. Any issues should be reported despite the known compatibility issues described above since knowledge about who uses the missing features is valuable information for both up- and downstream.

User Experience

Ideally look'n'feel shouldn't change. Since iptables-nft does not need a lock file anymore, no problems with stale xtables-lock or parallel iptables calls in different mount namespaces are expected anymore. Given the changes currently being upstreamed, users dealing with large rulesets should see a performance increase when manipulating the ruleset (lower run-times of iptables or iptables-restore, packet processing speed should not really change).

Dependencies

Other packages depending on iptables:

  • NFStest
  • clatd
  • ctdb
  • fail2ban-server
  • firewalld
  • fwsnort
  • iptstate
  • libvirt-daemon-driver-network
  • libvirt-daemon-driver-nwfilter
  • moby-engine
  • nfacct
  • origin
  • podman
  • psad
  • python3-ipatests
  • ravada
  • rkt
  • shorewall
  • shorewall-init
  • shorewall-lite
  • shorewall6
  • shorewall6-lite
  • sshuttle
  • sslsplit
  • ufw

Since nft-variants are supposed to be drop-in replacements, no outside contribution is needed in order to perform this change.

Contingency Plan

  • Contingency mechanism: Nothing needs to be done, the change should be atomic.
  • Contingency deadline: N/A
  • Blocks release? No

Documentation

Release Notes