diff options
Diffstat (limited to 'nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md')
-rw-r--r-- | nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md index 1b59842e020b..310d32cfdd72 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md @@ -8,7 +8,22 @@ In addition to numerous new and upgraded packages, this release has the followin - Nix has been updated to version 2.4, reference its [release notes](https://discourse.nixos.org/t/nix-2-4-released/15822) for more information on what has changed. The previous version of Nix, 2.3.16, remains available for the time being in the `nix_2_3` package. -- `iptables` now uses `nf_tables` backend. +- `iptables` is now using `nf_tables` under the hood, by using `iptables-nft`, + similar to [Debian](https://wiki.debian.org/nftables#Current_status) and + [Fedora](https://fedoraproject.org/wiki/Changes/iptables-nft-default). + This means, `ip[6]tables`, `arptables` and `ebtables` commands will actually + show rules from some specific tables in the `nf_tables` kernel subsystem. + In case you're migrating from an older release without rebooting, there might + be cases where you end up with iptable rules configured both in the legacy + `iptables` kernel backend, as well as in the `nf_tables` backend. + This can lead to confusing firewall behaviour. An `iptables-save` after + switching will complain about "iptables-legacy tables present". + It's probably best to reboot after the upgrade, or manually removing all + legacy iptables rules (via the `iptables-legacy` package). + +- systemd got an `nftables` backend, and configures (networkd) rules in their + own `io.systemd.*` tables. Check `nft list ruleset` to see these rules, not + `iptables-save` (which only shows `iptables`-created rules. - PHP now defaults to PHP 8.0, updated from 7.4. @@ -419,6 +434,9 @@ In addition to numerous new and upgraded packages, this release has the followin - The Linux kernel for security reasons now restricts access to BPF syscalls via `BPF_UNPRIV_DEFAULT_OFF=y`. Unprivileged access can be reenabled via the `kernel.unprivileged_bpf_disabled` sysctl knob. +- `/usr` will always be included in the initial ramdisk. See the `fileSystems.<name>.neededForBoot` option. + If any files exist under `/usr` (which is not typical for NixOS), they will be included in the initial ramdisk, increasing its size to a possibly problematic extent. + ## Other Notable Changes {#sec-release-21.11-notable-changes} |