The ipset and iptables-nft packages have been deprecated
Red Hat Insights can detect this issue
Environment
- Red Hat Enterprise Linux 9
Issue
The following warning is logged when you load the iptables, ip6tables, ipset, ebtables, arptables, or nft_compat module:
Warning: <module_name> - this driver is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes will be limited to critical issues. Please contact Red Hat Support for additional information.
Resolution
- Use the nft command-line tool provided by the nftables package to manage firewall rules.
- Migrate existing iptables-based setups to nftables. For details, see:
  - Migrating from iptables to nftables
  - The iptables-translate(8) man page
  - The ip6tables-translate(8) man page
- Migrate existing iptables-based setups to firewalld.
Root Cause
The ipset and iptables-nft packages have been deprecated in RHEL 9. The iptables-nft package contains different tools such as iptables, ip6tables, ebtables and arptables.
Additionally, when you load the iptables, ip6tables, ipset, ebtables, arptables, or nft_compat module, the module logs the mentioned warning to the /var/log/messages file.
Red Hat still supports these utilities and modules, but they will no longer receive new features, and using them for new deployments is not recommended.
Diagnostic Steps
The system logs one or more of the following warnings in the /var/log/messages file:
Warning: ebtables - this driver is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes will be limited to critical issues. Please contact Red Hat Support for additional information.
Warning: arptables - this driver is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes will be limited to critical issues. Please contact Red Hat Support for additional information.
Warning: iptables - this driver is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes will be limited to critical issues. Please contact Red Hat Support for additional information.
Warning: ip6tables - this driver is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes will be limited to critical issues. Please contact Red Hat Support for additional information.
Warning: ipset - this driver is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes will be limited to critical issues. Please contact Red Hat Support for additional information.
Warning: nft_compat - this driver is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes will be limited to critical issues. Please contact Red Hat Support for additional information.
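To find out which of these modules a host has actually loaded, you can count the warnings per module in the log file. The following script is an added example and not part of the original solution or Red Hat tooling; the function names and the timestamp, host name, and `kernel:` prefix in the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Red Hat's code): count the RHEL 9 deprecation
# warnings per module in a syslog-format file such as /var/log/messages.

# Module names exactly as the article lists them.
DEPRECATED_MODULES='iptables ip6tables ipset ebtables arptables nft_compat'
WARNING_TEXT='this driver is not recommended for new deployments'

# Print "<count> <module>" for every listed module that logged the warning
# in file $1. Returns 2 if the file cannot be read.
deprecated_modules_in_log() {
    logfile=$1
    if [ ! -r "$logfile" ]; then
        echo "cannot read $logfile" >&2
        return 2
    fi
    for mod in $DEPRECATED_MODULES; do
        # -F matches a fixed string; "|| true" because grep -c exits 1 on zero hits.
        count=$(grep -cF "Warning: $mod - $WARNING_TEXT" "$logfile" || true)
        if [ "${count:-0}" -gt 0 ]; then
            echo "$count $mod"
        fi
    done
    return 0
}

# Write constructed sample log lines to file $1 (prefix fields are assumed,
# and the warning text is shortened to its first sentence).
write_sample_log() {
    {
        printf 'Jan 10 09:00:01 host1 kernel: Warning: iptables - %s.\n' "$WARNING_TEXT"
        printf 'Jan 10 09:00:01 host1 kernel: Warning: nft_compat - %s.\n' "$WARNING_TEXT"
        printf 'Jan 10 09:00:02 host1 systemd[1]: Reached target Network.\n'
        printf 'Jan 10 09:05:13 host1 kernel: Warning: ipset - %s.\n' "$WARNING_TEXT"
        printf 'Jan 11 02:30:44 host1 kernel: Warning: iptables - %s.\n' "$WARNING_TEXT"
    } > "$1"
}

# When run with a log file argument, scan that file.
if [ "$#" -gt 0 ]; then
    deprecated_modules_in_log "$1"
fi
```

Each module in the output marks a rule set or tool on that host that still depends on the deprecated packages and is a candidate for migration to nftables or firewalld.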
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.