2061288 – Deprecation RN for xt_u32 module

Bug 2061288 - Deprecation RN for xt_u32 module

Summary: Deprecation RN for xt_u32 module

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	doc-Release_Notes-8-en-US
Sub Component:
Version:	8.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.6
Assignee:	Lucie Vařáková
QA Contact:	RHEL DPM
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-03-07 09:40 UTC by Marc Muehlfeld
Modified:	2023-03-08 21:46 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Deprecated Functionality
Doc Text:	.The unsupported `xt_u32` module is now deprecated Using the unsupported `xt_u32` module, users of `iptables` can match arbitrary 32 bits in the packet header or payload. Since RHEL 8.6, the `xt_u32` module is deprecated and will be removed in RHEL 9. If you use `xt_u32`, migrate to the `nftables` packet filtering framework. For example, first change your firewall to use `iptables` with native matches to incrementally replace individual rules, and later use the `iptables-translate` and accompanying utilities to migrate to `nftables`. If no native match exists in `nftables`, use the raw payload matching feature of `nftables`. For details, see the `raw payload expression` section in the `nft(8)` man page.
Clone Of:
Environment:
Last Closed:	2022-04-07 05:30:39 UTC
Type:	Bug
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-114617	0	None	None	None	2022-03-07 09:42:23 UTC

Comment 3 Marc Muehlfeld 2022-03-07 15:05:05 UTC

I've enhanced the RN and the Considerations entry. Eric ACK'ed it on IRC.



== RHEL 8.6 deprecation release note:

.The unsupported `xt_u32` module module is now deprecated

Using the unsupported `xt_u32` module, `iptables` users can match arbitrary 32 bits in the packet header or payload. With RHEL 8.6, the `xt_u32` module is deprecated, and will be removed in RHEL 9.

If you use `xt_u32`, migrate to the `nftables` packet filtering framework. For example, first change your firewall to use `iptables` with native matches to incrementally replace individual rules, and later use the `iptables-translate` and accompanying utilities to migrate to `nftables`. If no native match exists in `nftables`, use the raw payload matching feature of `nftables`. For details, see the `raw payload expression` section in the `nft(8)` man page.



== Entry for the "Considerations in adopting RHEL 9" title:

.The unsupported `xt_u32` Netfilter module module has been removed

RHEL 8 contained the unsupported `xt_u32` module, which enabled `iptables` users to match arbitrary 32 bits in the packet header or payload. This module has been removed from RHEL 9. As a replacement, use the `nftables` packet filtering framework. If no native match exists in `nftables`, use the raw payload matching feature of `nftables`. For details, see the `raw payload expression` section in the `nft(8)` man page.

Comment 4 Marc Muehlfeld 2022-03-09 12:57:36 UTC

I've added the final RN to the Doc Text field and the text for the  "Considerations" title to the corresponding branch: https://gitlab.cee.redhat.com/red-hat-enterprise-linux-documentation/rhel-8-docs/-/commit/be4882d9e4e34b7c420bcb1b391f7eee8ea2fb1f

Comment 5 Lucie Vařáková 2022-04-07 05:30:39 UTC

Published to Portal: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html-single/8.6_release_notes/index#BZ-2061288

Note You need to log in before you can comment on or make changes to this bug.