Merge "Document Linux Bridge compatibility with "nftables""

2021-04-12 21:14:35 +00:00 · 2021-04-12 21:14:35 +00:00 · 841ad51678
commit 841ad51678
parent 51cccd4b1a 960b810eac
2 changed files with 73 additions and 0 deletions
--- a/doc/source/admin/deploy-lb.rst
+++ b/doc/source/admin/deploy-lb.rst
@ -9,6 +9,72 @@ as interconnection devices. A layer-2 agent manages Linux bridges on each
 compute node and any other node that provides layer-3 (routing), DHCP,
 metadata, or other network services.

+Compatibility with nftables
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+`nftables <https://netfilter.org/projects/nftables/>`_ replaces iptables,
+ip6tables, arptables and ebtables, in order to provide a single API for all
+``Netfilter`` operations. ``nftables`` provides a backwards compatibility set
+of tools for those replaced binaries that present the legacy API to the user
+while using the new packet classification framework. As reported in
+`LP#1915341 <https://bugs.launchpad.net/neutron/+bug/1915341>`_ and
+`LP#1922892 <https://bugs.launchpad.net/neutron/+bug/1922892>`_, the tool
+``ebtables-nft`` is not totally compatible with the legacy API and returns some
+errors. To use Linux Bridge mechanism driver in newer operating systems that
+use ``nftables`` by default, it is needed to switch back to the legacy tool.
+
+.. code-block:: console
+
+   # /usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy
+
+
+Since `LP#1922127 <https://bugs.launchpad.net/neutron/+bug/1922127>`_ and
+`LP#1922892 <https://bugs.launchpad.net/neutron/+bug/1922892>`_ were fixed,
+Neutron Linux Bridge mechanism driver is compatible with the ``nftables``
+binaries using the legacy API.
+
+.. note::
+
+   Just to unravel the possible terminology confusion, these are the three
+   ``Netfilter`` available framework alternatives:
+
+   * The legacy binaries (``iptables``, ``ip6tables``, ``arptables`` and
+     ``ebtables``) that use the legacy API.
+   * The new ``nftables`` binaries that use the legacy API, to help in the
+     transition to this new framework. Those binaries replicate the same
+     commands as the legacy one but using the new framework. The binaries
+     have the same name ended in ``-nft``.
+   * The new ``nftables`` framework using the new API. All Netfilter
+     operations are executed using this new API and one single binary, ``nft``.
+
+   Currently we support the first two options. The migration (total or partial)
+   to the new API is tracked in
+   `LP#1508155 <https://bugs.launchpad.net/neutron/+bug/1508155>`_.
+
+
+In order to use the ``nftables`` binaries with the legacy API, it is needed to
+execute the following commands.
+
+.. code-block:: console
+
+   # /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-nft
+   # /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
+   # /usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-nft
+   # /usr/bin/update-alternatives --set arptables /usr/sbin/arptables-nft
+
+
+The ``ipset`` tool is not compatible with ``nftables``. To disable it,
+``enable_ipset`` must be set to ``False`` in the ML2 plugin configuration file
+``/etc/neutron/plugins/ml2/ml2_conf.ini``.
+
+.. path /etc/neutron/plugins/ml2/ml2_conf.ini
+.. code-block:: ini
+
+   [securitygroup]
+   # ...
+   enable_ipset = False
+
+
 .. toctree::
   :maxdepth: 2

--- a/releasenotes/notes/lb-nftables-8252105fb23ec75d.yaml
+++ b/releasenotes/notes/lb-nftables-8252105fb23ec75d.yaml
@ -0,0 +1,7 @@
+---
+issues:
+  - |
+    When using Linux Bridge mechanism driver in newer operating systems that
+    use ``nftables`` by default, it is needed to switch back to the legacy
+    tool, as documented in the admin documentation for ``Linux bridge
+    mechanism driver``.