nixos/doc: update rl-2111 w.r.t. iptables-nft migration

Follow-up on NixOS#161426. Explain why having legacy iptables rules installed can lead to confusing firewall behaviour, and provide some guidance on how to fix this.
yayayayaka · Mar 9, 2022 · 788abdb · 788abdb
1 parent 1559891
commit 788abdb
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -35,7 +35,17 @@
           This means, <literal>ip[6]tables</literal>,
           <literal>arptables</literal> and <literal>ebtables</literal>
           commands will actually show rules from some specific tables in
-          the <literal>nf_tables</literal> kernel subsystem.
+          the <literal>nf_tables</literal> kernel subsystem. In case
+          you’re migrating from an older release without rebooting,
+          there might be cases where you end up with iptable rules
+          configured both in the legacy <literal>iptables</literal>
+          kernel backend, as well as in the <literal>nf_tables</literal>
+          backend. This can lead to confusing firewall behaviour. An
+          <literal>iptables-save</literal> after switching will complain
+          about <quote>iptables-legacy tables present</quote>. It’s
+          probably best to reboot after the upgrade, or manually
+          removing all legacy iptables rules (via the
+          <literal>iptables-legacy</literal> package).
         </para>
       </listitem>
       <listitem>

diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -13,6 +13,13 @@ In addition to numerous new and upgraded packages, this release has the followin
   [Fedora](https://fedoraproject.org/wiki/Changes/iptables-nft-default).
   This means, `ip[6]tables`, `arptables` and `ebtables` commands  will actually
   show rules from some specific tables in the `nf_tables` kernel subsystem.
+  In case you're migrating from an older release without rebooting, there might
+  be cases where you end up with iptable rules configured both in the legacy
+  `iptables` kernel backend, as well as in the `nf_tables` backend.
+  This can lead to confusing firewall behaviour. An `iptables-save` after
+  switching will complain about "iptables-legacy tables present".
+  It's probably best to reboot after the upgrade, or manually removing all
+  legacy iptables rules (via the `iptables-legacy` package).
 
 - systemd got an `nftables` backend, and configures (networkd) rules in their
   own `io.systemd.*` tables. Check `nft list ruleset` to see these rules, not