Hi Bex,

On Thu, Oct 21, 2021 at 12:58:11PM +0200, Brian (bex) Exelbierd wrote:
> On Thu, Oct 21, 2021 at 3:23 AM Phil Sutter <psut...@redhat.com> wrote:
> > On Wed, Oct 20, 2021 at 01:40:35PM -0700, Adam Williamson wrote:
> > > On Wed, 2021-10-20 at 18:39 +0200, Brian (bex) Exelbierd wrote:
> > [...]
> > > > AIUI, we made the change to use iptables-nft as the default with F32. We
> > > > also decided that existing iptables-legacy users shouldn't be moved to
> > > > iptables-nft during an upgrade.
> > > >
> > > > However, I think that new installations are still defaulting to
> > > > iptables-legacy.  The group "Common NetworkManager Submodules" pulls in
> > > > `iptables` which seems to pull in iptables-legacy by default.
> > > >
> > > > This feels like an oversight and should be fixed.  Is this correct?
> >
> > I just had a bright moment! It told me to check fedora-comps: Indeed the
> > above issue was reported[1] and fixed[2] for F35.
> >
> 
> Thank you for catching that the update is already in the works.
> 
> Does this also remove iptables-compat?  I gather from its description it
> should have been removed by now.

The -compat package is merely there as a transitioning aid during updates.
It provides no functionality at all. The relevant pieces are:

* nftables - the successor to (old) iptables, all new, no bounds

* iptables-legacy - the old iptables, not related to nftables at all

* iptables-nft - a drop-in replacement to -legacy, using nftables with
                 (some) legacy matches/targets

The decision between legacy and nft variants of iptables happens via
alternatives. Switching should not be noticeable to users apart from
corner-cases.

> I also can't help but wonder what the impact of this change will be on
> OSTree users.  Will they be force upgraded from iptables to nftables
> through the removal?

A key point in the above is that 'dnf update' won't change the currently
used variant on a system. New installs should default to iptables-nft,
though. I'm not familiar with ostree, so I can't tell if this promise
holds there. If it doesn't and we can fix it in RPM, please let me know
(or just file a ticket so we can track it).

Cheers, Phil
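
Added example, not part of the original message or of the Fedora packaging: a small shell check for which iptables variant (legacy or nft) a host has selected, useful when auditing firewall rules after an install or upgrade. It assumes iptables 1.8 or later, where `iptables -V` prints the variant in parentheses, and the upstream binary names `xtables-nft-multi` and `xtables-legacy-multi`; the function names are hypothetical.

```shell
#!/bin/sh
# Classify the iptables variant from two independent signals.

# Signal 1: `iptables -V` output, e.g. "iptables v1.8.7 (nf_tables)"
# or "iptables v1.8.7 (legacy)". Older releases print no suffix.
variant_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Signal 2: the binary the iptables symlink chain finally resolves to.
variant_from_path() {
    case "${1##*/}" in
        xtables-nft-multi)    echo nft ;;
        xtables-legacy-multi) echo legacy ;;
        *)                    echo unknown ;;
    esac
}

# Combine both signals. $1 = version string, $2 = resolved path.
# If they disagree, report it instead of guessing.
check_variant() {
    v=$(variant_from_version "$1")
    p=$(variant_from_path "$2")
    if [ "$v" = "$p" ]; then echo "$v"
    elif [ "$p" = unknown ]; then echo "$v"
    elif [ "$v" = unknown ]; then echo "$p"
    else echo "mismatch:$v/$p"
    fi
}

# Run against the local host only when iptables is installed.
if command -v iptables >/dev/null 2>&1; then
    bin=$(readlink -f "$(command -v iptables)" 2>/dev/null || true)
    echo "iptables variant: $(check_variant "$(iptables -V 2>/dev/null)" "$bin")"
fi
```

On Fedora, `alternatives --display iptables` shows the same selection from the alternatives side.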
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org