Hi Bex,
On Thu, Oct 21, 2021 at 12:58:11PM +0200, Brian (bex) Exelbierd wrote:
> On Thu, Oct 21, 2021 at 3:23 AM Phil Sutter <psutter(a)redhat.com> wrote:
> > On Wed, Oct 20, 2021 at 01:40:35PM -0700, Adam Williamson wrote:
> > > On Wed, 2021-10-20 at 18:39 +0200, Brian (bex) Exelbierd wrote:
> > [...]
> > > > AIUI, we made the change to use iptables-nft as the default with F32. We
> > > > also decided that existing iptables-legacy users shouldn't be moved to
> > > > iptables-nft during an upgrade.
> > > >
> > > > However, I think that new installations are still defaulting to
> > > > iptables-legacy. The group "Common NetworkManager Submodules" pulls in
> > > > `iptables` which seems to pull in iptables-legacy by default.
> > > >
> > > > This feels like an oversight and should be fixed. Is this correct?
> >
> > I just had a bright moment! It told me to check fedora-comps: Indeed the
> > above issue was reported[1] and fixed[2] for F35.
> >
> Thank you for catching that the update is already in the works.
>
> Does this also remove iptables-compat? I gather from its description it
> should have been removed by now.

The -compat package is merely there as a transitioning aid during updates.
It provides no functionality at all. The relevant pieces are:

* nftables - the successor to (old) iptables, all new, no bounds
* iptables-legacy - the old iptables, not related to nftables at all
* iptables-nft - a drop-in replacement to -legacy, using nftables with
  (some) legacy matches/targets

The decision between legacy and nft variants of iptables happens via
alternatives. Switching should not be noticeable to users apart from
corner-cases.

> I also can't help but wonder what the impact of this change will be on
> OSTree users. Will they be force upgraded from iptables to nftables
> through the removal?

A key point in the above is that 'dnf update' won't change the currently
used variant on a system. New installs should default to iptables-nft,
though. I'm not familiar with ostree, so I can't tell if this promise
holds there. If it doesn't and we can fix it in RPM, please let me know
(or just file a ticket so we can track it).
Cheers, Phil
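
Added example, not part of the thread above: a small shell check for which iptables variant a host actually ended up with after an install or upgrade, based on the alternatives-managed symlink and the suffix that `iptables --version` prints. The function names are hypothetical; the script assumes iptables 1.8 or later (which reports `(nf_tables)` or `(legacy)`) and the usual `xtables-nft-multi` / `xtables-legacy-multi` binary names.

```shell
#!/bin/sh
# Added example: report whether `iptables` on this host is the nft or the
# legacy variant. Function names are illustrative, not from any package.

# classify_version "<output of iptables --version>" -> nft | legacy | unknown
# Assumption: iptables >= 1.8 appends "(nf_tables)" or "(legacy)".
classify_version() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;   # e.g. pre-1.8 output without a suffix
    esac
}

# classify_target "<fully resolved path of the iptables symlink>"
# Assumption: alternatives ends at xtables-{nft,legacy}-multi or an
# iptables-{nft,legacy} wrapper.
classify_target() {
    case "$1" in
        *xtables-nft-multi|*iptables-nft)       echo nft ;;
        *xtables-legacy-multi|*iptables-legacy) echo legacy ;;
        *)                                      echo unknown ;;
    esac
}

# Inspect the local system and print both views of the active variant.
# Returns 0 when symlink and version string agree, 1 otherwise, 2 if absent.
audit_iptables_variant() {
    bin=$(command -v iptables 2>/dev/null) || {
        echo "iptables: not installed"
        return 2
    }
    target=$(readlink -f "$bin")
    by_link=$(classify_target "$target")
    by_version=$(classify_version "$("$bin" --version 2>/dev/null)")
    echo "binary=$bin target=$target link=$by_link version=$by_version"
    [ "$by_link" != unknown ] && [ "$by_link" = "$by_version" ]
}

# Run the audit only when asked to: sh check-iptables.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_iptables_variant
fi
```

Running it with `--audit` before and after `dnf update` shows whether the variant in use stayed the same.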