Merge pull request #163454 from flokli/iptables-nft-legacy-more-rl
nixos/doc: update rl-2111 w.r.t. iptables-nft migration
commit 8e428f654c
@ -35,7 +35,17 @@
|
||||||
This means, <literal>ip[6]tables</literal>,
|
This means, <literal>ip[6]tables</literal>,
|
||||||
<literal>arptables</literal> and <literal>ebtables</literal>
|
<literal>arptables</literal> and <literal>ebtables</literal>
|
||||||
commands will actually show rules from some specific tables in
|
commands will actually show rules from some specific tables in
|
||||||
the <literal>nf_tables</literal> kernel subsystem.
|
the <literal>nf_tables</literal> kernel subsystem. In case
|
||||||
|
you’re migrating from an older release without rebooting,
|
||||||
|
there might be cases where you end up with iptable rules
|
||||||
|
configured both in the legacy <literal>iptables</literal>
|
||||||
|
kernel backend, as well as in the <literal>nf_tables</literal>
|
||||||
|
backend. This can lead to confusing firewall behaviour. An
|
||||||
|
<literal>iptables-save</literal> after switching will complain
|
||||||
|
about <quote>iptables-legacy tables present</quote>. It’s
|
||||||
|
probably best to reboot after the upgrade, or manually
|
||||||
|
removing all legacy iptables rules (via the
|
||||||
|
<literal>iptables-legacy</literal> package).
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
|
|
|
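Review bot: the cleanup advice added at the end of this hunk ("manually removing all legacy iptables rules (via the iptables-legacy package)") names only iptables, while the paragraph itself says ip[6]tables, arptables and ebtables all moved to the nf_tables backend; the text should say that the legacy ip6tables tables (and arptables/ebtables where they were used) have to be flushed as well, otherwise a host can keep enforcing stale IPv6 rules after the IPv4 ones are gone. It would also help to say what "confusing firewall behaviour" means concretely: both backends stay active until a reboot, so a rule that was removed from the new configuration is still applied by the stale legacy table. Minor wording: "iptable rules" should read "iptables rules", and "It's probably best to reboot after the upgrade, or manually removing all legacy iptables rules" should be "or to remove all legacy iptables rules manually" so both alternatives parallel "to reboot".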
@ -13,6 +13,13 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||||
[Fedora](https://fedoraproject.org/wiki/Changes/iptables-nft-default).
|
[Fedora](https://fedoraproject.org/wiki/Changes/iptables-nft-default).
|
||||||
This means, `ip[6]tables`, `arptables` and `ebtables` commands will actually
|
This means, `ip[6]tables`, `arptables` and `ebtables` commands will actually
|
||||||
show rules from some specific tables in the `nf_tables` kernel subsystem.
|
show rules from some specific tables in the `nf_tables` kernel subsystem.
|
||||||
|
In case you're migrating from an older release without rebooting, there might
|
||||||
|
be cases where you end up with iptable rules configured both in the legacy
|
||||||
|
`iptables` kernel backend, as well as in the `nf_tables` backend.
|
||||||
|
This can lead to confusing firewall behaviour. An `iptables-save` after
|
||||||
|
switching will complain about "iptables-legacy tables present".
|
||||||
|
It's probably best to reboot after the upgrade, or manually removing all
|
||||||
|
legacy iptables rules (via the `iptables-legacy` package).
|
||||||
|
|
||||||
- systemd got an `nftables` backend, and configures (networkd) rules in their
|
- systemd got an `nftables` backend, and configures (networkd) rules in their
|
||||||
own `io.systemd.*` tables. Check `nft list ruleset` to see these rules, not
|
own `io.systemd.*` tables. Check `nft list ruleset` to see these rules, not
|
||||||
|
|
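Review bot: the Markdown carries the same new sentences as the XML hunk above, so the same fixes apply here: "iptable rules" on the line `be cases where you end up with iptable rules configured both in the legacy` should be "iptables rules", and "or manually removing all" should be "or to remove all ... manually" to parallel "to reboot". Because both files carry identical prose, whichever wording change lands has to land in both, and the cleanup sentence should mention ip6tables alongside iptables, matching the `ip[6]tables` list at the top of the paragraph.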