Bug 2061288 - Deprecation RN for xt_u32 module
Summary: Deprecation RN for xt_u32 module
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: doc-Release_Notes-8-en-US
Version: 8.6
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: 8.6
Assignee: Lucie Vařáková
QA Contact: RHEL DPM
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-03-07 09:40 UTC by Marc Muehlfeld
Modified: 2023-03-08 21:46 UTC (History)

Fixed In Version:
Doc Type: Deprecated Functionality
Doc Text:
.The unsupported `xt_u32` module is now deprecated

Using the unsupported `xt_u32` module, users of `iptables` can match arbitrary 32 bits in the packet header or payload. Since RHEL 8.6, the `xt_u32` module is deprecated and will be removed in RHEL 9.

If you use `xt_u32`, migrate to the `nftables` packet filtering framework. For example, first change your firewall to use `iptables` with native matches to incrementally replace individual rules, and later use the `iptables-translate` and accompanying utilities to migrate to `nftables`. If no native match exists in `nftables`, use the raw payload matching feature of `nftables`. For details, see the `raw payload expression` section in the `nft(8)` man page.
Clone Of:
Environment:
Last Closed: 2022-04-07 05:30:39 UTC
Type: Bug
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-114617 0 None None None 2022-03-07 09:42:23 UTC

Comment 3 Marc Muehlfeld 2022-03-07 15:05:05 UTC
I've enhanced the RN and the Considerations entry. Eric ACK'ed it on IRC.



== RHEL 8.6 deprecation release note:

.The unsupported `xt_u32` module is now deprecated

Using the unsupported `xt_u32` module, `iptables` users can match arbitrary 32 bits in the packet header or payload. With RHEL 8.6, the `xt_u32` module is deprecated, and will be removed in RHEL 9.

If you use `xt_u32`, migrate to the `nftables` packet filtering framework. For example, first change your firewall to use `iptables` with native matches to incrementally replace individual rules, and later use the `iptables-translate` and accompanying utilities to migrate to `nftables`. If no native match exists in `nftables`, use the raw payload matching feature of `nftables`. For details, see the `raw payload expression` section in the `nft(8)` man page.



== Entry for the "Considerations in adopting RHEL 9" title:

.The unsupported `xt_u32` Netfilter module has been removed

RHEL 8 contained the unsupported `xt_u32` module, which enabled `iptables` users to match arbitrary 32 bits in the packet header or payload. This module has been removed from RHEL 9. As a replacement, use the `nftables` packet filtering framework. If no native match exists in `nftables`, use the raw payload matching feature of `nftables`. For details, see the `raw payload expression` section in the `nft(8)` man page.
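
An added example, not part of this bug report or of Red Hat's documentation: a small Python helper that rewrites simple `--u32` tests of the form `offset&mask=value` into `nft` raw payload matches (`@nh,<bit offset>,<bit length>`). It assumes `xt_u32` offsets count bytes from the start of the IP header and handles only contiguous masks; the name `u32_to_nft` and the sample tests are constructed for illustration.

```python
import re

# One simple u32 test: "<byte offset> [& <mask>] = <value | lo:hi>[,...]".
# The u32 shift (<<, >>), jump (@) and && operators are deliberately not handled.
_TEST = re.compile(r"^\s*(\w+)\s*(?:&\s*(\w+))?\s*=\s*(.+?)\s*$")

def _num(text):
    return int(text, 0)  # accepts decimal and 0x-prefixed hex

def u32_to_nft(test):
    """Translate a simple xt_u32 test into an nft raw payload match."""
    m = _TEST.match(test)
    if not m:
        raise ValueError(f"unsupported u32 test: {test!r}")
    offset = _num(m.group(1))
    mask = _num(m.group(2)) if m.group(2) else 0xFFFFFFFF
    if not 0 < mask <= 0xFFFFFFFF:
        raise ValueError("mask must be a non-zero 32-bit value")
    # Assumption: u32 reads 4 bytes, big-endian, at `offset` from the IP header.
    tz = (mask & -mask).bit_length() - 1   # zero bits below the field
    width = (mask >> tz).bit_length()      # field width in bits
    if (mask >> tz) != (1 << width) - 1:
        raise ValueError("non-contiguous mask needs more than one nft match")
    lead = 32 - tz - width                 # zero bits above the field

    def field(value):
        n = _num(value)
        if n & ~mask:
            raise ValueError(f"value {value} has bits outside the mask")
        return n >> tz                     # nft compares the bare field

    items = []
    for part in m.group(3).split(","):
        lo, _, hi = part.strip().partition(":")
        items.append(f"{field(lo)}-{field(hi)}" if hi else str(field(lo)))
    rhs = items[0] if len(items) == 1 else "{ " + ", ".join(items) + " }"
    # nft raw payload syntax: @base,offset,length with offset/length in bits.
    return f"@nh,{offset * 8 + lead},{width} {rhs}"

if __name__ == "__main__":
    # Constructed sample tests: IP protocol, total length range, header length.
    for sample in ("6&0xFF=1", "0&0xFFFF=0x100:0xFFFF", "0&0x0F000000=0x05000000"):
        print(f"--u32 \"{sample}\"  ->  {u32_to_nft(sample)}")
```

`iptables` only ever applied `--u32` to IPv4 packets, so in an `inet` table pair the translated match with `meta nfproto ipv4`.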

Comment 4 Marc Muehlfeld 2022-03-09 12:57:36 UTC
I've added the final RN to the Doc Text field and the text for the "Considerations" title to the corresponding branch: https://gitlab.cee.redhat.com/red-hat-enterprise-linux-documentation/rhel-8-docs/-/commit/be4882d9e4e34b7c420bcb1b391f7eee8ea2fb1f

