22 lines
989 B
YAML
22 lines
989 B
YAML
---
|
|
security:
|
|
- |
|
|
TripleO is now configuring the firewall using nftables instead of iptables.
|
|
- |
|
|
The firewall layout is now a bit different, since all of the TripleO managed rules are in
|
|
dedicated chains, such as TRIPLEO_INPUT. Jumps are added in the original chains.
|
|
- |
|
|
The INPUT chain has now a "drop" policy, meaning we do not need the final "drop" rule
|
|
like we had while using iptables. This means any packet that don't match a rule will be
|
|
dropped. This also mean rule ordering is less important.
|
|
upgrade:
|
|
- |
|
|
All firewall rules are implemented by nftables instead of iptables. This means we don't
|
|
need to edit anything anymore on the generated iptables/ip6tables files, and keep only the
|
|
cleaning of service and files in the upgrade tasks.
|
|
other:
|
|
- |
|
|
iptables cli cannot see nftables content we inject, since we're
|
|
using the "inet" family. Therefore, please use the "nft" CLI from
|
|
now on. Doc has been updated accordingly.
|