---
features:
  - TripleO will now configure `iptables` using the TripleO-Ansible role,
    **tripleo-firewall**. This role implements all of the same interfaces
    and behaviors as the puppet manifest.
  - A new parameter has been added, `ExtraFirewallRules`. This parameter
    provides a user interface to configure additional `iptables` rules.
deprecations:
  - The heat template `tripleo-firewall-baremetal-puppet.yaml` has been
    deprecated. While this template can still be used to configure the
    TripleO-Firewall service, it is no longer preferred and will be removed
    in a future release.
  - Configuring firewall rules with extraconfig is no longer being supported.
    All firewall rules should be converted such that they're set within the
    user defined parameter `ExtraFirewallRules`.