Bug 2061288

Summary: Deprecation RN for xt_u32 module
Product: Red Hat Enterprise Linux 8 Reporter: Marc Muehlfeld <mmuehlfe>
Component: doc-Release_Notes-8-en-US Assignee: Lucie Vařáková <lmanasko>
Status: CLOSED CURRENTRELEASE QA Contact: RHEL DPM <rhel-docs>
Severity: unspecified Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: medium    
Version: 8.6 CC: egarver, pasik, rhel-docs
Target Milestone: rc Keywords: Documentation
Target Release: 8.6   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Deprecated Functionality
Doc Text:
.The unsupported `xt_u32` module is now deprecated

Using the unsupported `xt_u32` module, users of `iptables` can match arbitrary 32 bits in the packet header or payload. Since RHEL 8.6, the `xt_u32` module is deprecated and will be removed in RHEL 9.

If you use `xt_u32`, migrate to the `nftables` packet filtering framework. For example, first change your firewall to use `iptables` with native matches to incrementally replace individual rules, and later use the `iptables-translate` and accompanying utilities to migrate to `nftables`. If no native match exists in `nftables`, use the raw payload matching feature of `nftables`. For details, see the `raw payload expression` section in the `nft(8)` man page.
Last Closed: 2022-04-07 05:30:39 UTC Type: Bug

Comment 3 Marc Muehlfeld 2022-03-07 15:05:05 UTC
I've enhanced the RN and the Considerations entry. Eric ACK'ed it on IRC.



== RHEL 8.6 deprecation release note:

.The unsupported `xt_u32` module is now deprecated

Using the unsupported `xt_u32` module, `iptables` users can match arbitrary 32 bits in the packet header or payload. With RHEL 8.6, the `xt_u32` module is deprecated, and will be removed in RHEL 9.

If you use `xt_u32`, migrate to the `nftables` packet filtering framework. For example, first change your firewall to use `iptables` with native matches to incrementally replace individual rules, and later use the `iptables-translate` and accompanying utilities to migrate to `nftables`. If no native match exists in `nftables`, use the raw payload matching feature of `nftables`. For details, see the `raw payload expression` section in the `nft(8)` man page.



== Entry for the "Considerations in adopting RHEL 9" title:

.The unsupported `xt_u32` Netfilter module has been removed

RHEL 8 contained the unsupported `xt_u32` module, which enabled `iptables` users to match arbitrary 32 bits in the packet header or payload. This module has been removed from RHEL 9. As a replacement, use the `nftables` packet filtering framework. If no native match exists in `nftables`, use the raw payload matching feature of `nftables`. For details, see the `raw payload expression` section in the `nft(8)` man page.
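
The raw payload path named in the release note, as an added example that is not part of the bug report or of Red Hat's documentation: a Python helper (the name `u32_to_nft` is hypothetical) that rewrites simple `xt_u32` tests, in the syntax described in `iptables-extensions(8)`, as `nft` raw payload matches of the form `@nh,<bit offset>,<bit length>`. It assumes each test selects one contiguous field and rejects anything else rather than guessing.

```python
import re

NUM = r"(?:0[xX][0-9a-fA-F]+|\d+)"

def _test(test):
    """Translate one 'location = value' test of an xt_u32 expression."""
    location, _, value = test.partition("=")
    m = re.fullmatch(rf"\s*({NUM})((?:\s*(?:&|>>|<<|@)\s*{NUM})*)\s*", location)
    if not m:
        raise ValueError(f"cannot parse location: {location!r}")
    start = int(m.group(1), 0)        # byte offset from the start of the IP header
    live, shift = 0xFFFFFFFF, 0       # bits of the 32-bit word still compared
    for op, num in re.findall(rf"(&|>>|<<|@)\s*({NUM})", m.group(2)):
        n = int(num, 0)
        if op == "&":
            live &= (n << shift) & 0xFFFFFFFF
        elif op == ">>":
            shift += n
            live &= (0xFFFFFFFF << shift) & 0xFFFFFFFF
        else:
            # '@' computes the next offset from packet data and '<<' rescales
            # the value; neither is handled by this example.
            raise ValueError(f"operator {op!r} is not handled by this example")
    lo = (live & -live).bit_length() - 1   # lowest surviving bit (0 = LSB)
    hi = live.bit_length() - 1             # highest surviving bit
    if live == 0 or live != (1 << (hi + 1)) - (1 << lo) or lo != shift:
        raise ValueError("mask/shift does not select one aligned field")
    first, sep, last = value.partition(":")    # u32 range 'a:b' -> nft 'a-b'
    rhs = hex(int(first, 0)) + ("-" + hex(int(last, 0)) if sep else "")
    # u32 reads a big-endian word, so bit 31 sits at bit offset start*8.
    return f"@nh,{start * 8 + 31 - hi},{hi - lo + 1} {rhs}"

def u32_to_nft(expr):
    """Translate '&&'-joined xt_u32 tests; nft ANDs matches within one rule."""
    return " ".join(_test(t) for t in expr.split("&&"))

if __name__ == "__main__":
    # Constructed sample inputs, not rules taken from any real firewall.
    for rule in ("0 & 0xFFFF = 0x100:0xFFFF",        # IP total length >= 256
                 "6 & 0xFF = 1 && 4 & 0x3FFF = 0"):  # ICMP, not a fragment
        print(f"{rule!r:40} -> {u32_to_nft(rule)}")
    # xt_u32 under iptables only sees IPv4 packets, so place the result in an
    # 'ip' family table. Prefer a native match (for example 'ip length')
    # wherever nft has one, as the release note advises.
```
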

Comment 4 Marc Muehlfeld 2022-03-09 12:57:36 UTC
I've added the final RN to the Doc Text field and the text for the "Considerations" title to the corresponding branch: https://gitlab.cee.redhat.com/red-hat-enterprise-linux-documentation/rhel-8-docs/-/commit/be4882d9e4e34b7c420bcb1b391f7eee8ea2fb1f