en/whats-new.dbk: nftables network filtering

Closes: #914423

en/whats-new.dbk: nftables network filtering
8cc130d4 · Paul Gevers · a867435f · 8cc130d4
Verified Commit 8cc130d4 authored 6 years ago by Paul Gevers
--- a/en/whats-new.dbk
+++ b/en/whats-new.dbk
@@ -367,5 +367,71 @@ code.
  </para>
 </section>

+<section id="nftables">
+  <!-- stretch to buster -->
+  <title>Network filtering based on nftables framework by default</title>
+  <para>
+    Starting with <systemitem role="package">iptables</systemitem> v1.8.2 the
+    binary package includes <literal>iptables-nft</literal> and
+    <literal>iptables-legacy</literal>, two variants of the
+    <literal>iptables</literal> command line interface. The nftables-based
+    variant is the default in buster and works with the
+    <literal>nf_tables</literal> Linux kernel subsystem. The legacy one uses
+    the <literal>x_tables</literal> Linux kernel subsystem. Users can use the
+    update-alternatives system to select one variant or the other.
+  </para>
+  <para>
+    This applies to all related tools and utilities:
+    <itemizedlist>
+      <listitem><para>iptables</para></listitem>
+      <listitem><para>iptables-save</para></listitem>
+      <listitem><para>iptables-restore</para></listitem>
+      <listitem><para>ip6tables</para></listitem>
+      <listitem><para>ip6tables-save</para></listitem>
+      <listitem><para>ip6tables-restore</para></listitem>
+      <listitem><para>arptables</para></listitem>
+      <listitem><para>arptables-save</para></listitem>
+      <listitem><para>arptables-restore</para></listitem>
+      <listitem><para>ebtables</para></listitem>
+      <listitem><para>ebtables-save</para></listitem>
+      <listitem><para>ebtables-restore</para></listitem>
+    </itemizedlist>
+  </para>
+  <para>
+    All these gained the <literal>-nft</literal> and <literal>-legacy</literal>
+    variants as well. The -nft option is for users that don't want -or can't-
+    migrate to the native <literal>nftables</literal> command line
+    interface. However users are really enouraged to switch to
+    <literal>nftables</literal> interface rather than using the old
+    <literal>iptables</literal> interface.
+  </para>
+  <para>
+    <literal>nftables</literal> provides a full replacement for
+    <literal>iptables</literal>, with much better performance, a refreshed
+    syntax, better support for IPv4/IPv6 dual-stack firewalls, full atomic
+    operations for dynamic ruleset updates, a Netlink API for third party
+    applications, faster packet classification through enhanced generic set and
+    map infrastructures, and <ulink url="https://wiki.nftables.org">many other
+    improvements</ulink>.
+  </para>
+  <para>
+    This movement is in line with what other major Linux distributions are
+    doing, like RedHat, that now uses <literal>nftables</literal> as <ulink
+    url="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html-single/8.0_beta_release_notes/index#networking_2">default
+    firewalling tool</ulink>.
+  </para>
+  <para>
+    Also, please note that all <literal>iptables</literal> binaries are now
+    installed in <literal>/usr/sbin</literal> instead of
+    <literal>/sbin</literal>. A compatibility symlink is in place, but will be
+    dropped after the buster release cycle. Please, don't use hardcoded binary
+    paths in scripts or update them manually for the new location.
+  </para>
+  <para>
+    Extensive documentation is available in package's README and NEWS files and
+    on the <ulink url="&url-wiki;nftables">Debian Wiki</ulink>.
+  </para>
+</section>
+
 </section>
 </chapter>