With this release, the nftables filtering subsystem becomes the default firewall backend for the firewalld daemon. To change the backend, use the FirewallBackend option in the /etc/firewalld/firewalld.conf file.

This change introduces the following differences in behavior when using
iptables rule executions always occur before
iptables means a packet is never seen by
iptables means a packet is still subject to
Direct-rule execution occurs before firewalld generic acceptance of established connections.
For more information, see https://firewalld.org/2018/07/nftables-backend and https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables.
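
The following shell functions are an added example, not part of the release note or of firewalld itself. They report the effective FirewallBackend from a firewalld.conf file and flag direct rules when the backend is nftables. Assumptions: the last uncommented assignment wins, an unset option means nftables (the default described above), and direct rules are stored in /etc/firewalld/direct.xml.

```shell
#!/bin/sh
# Added example: audit helper for the backend change described above.
# Function names are hypothetical; paths are parameters so a copy can be checked.

# Print the effective FirewallBackend from a firewalld.conf-style file.
# Assumption: the last uncommented assignment wins; when the option is
# absent, fall back to nftables, the default this release note describes.
effective_backend() {
    conf=$1
    value=""
    if [ -r "$conf" ]; then
        value=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$conf" | tail -n 1)
    fi
    printf '%s\n' "${value:-nftables}"
}

# Count lines holding a <rule ...> element in a direct.xml-style file.
# Prints 0 when the file is missing or has no rules.
count_direct_rules() {
    direct=$1
    [ -r "$direct" ] || { echo 0; return 0; }
    grep -c '<rule[[:space:]]' "$direct" || true
}

# Return 0 when nothing needs review, 1 when direct rules coexist with the
# nftables backend, 2 when the configured backend value is not recognised.
audit_backend() {
    conf=${1:-/etc/firewalld/firewalld.conf}
    direct=${2:-/etc/firewalld/direct.xml}
    backend=$(effective_backend "$conf")
    rules=$(count_direct_rules "$direct")
    case $backend in
        nftables|iptables) ;;
        *) echo "unknown backend '$backend' in $conf"; return 2 ;;
    esac
    echo "backend=$backend direct_rule_lines=$rules"
    if [ "$backend" = nftables ] && [ "$rules" -gt 0 ]; then
        echo "review: direct rules execute before firewalld's generic acceptance of established connections"
        return 1
    fi
    return 0
}
```

Source the file and run `audit_backend` with no arguments to check the live configuration, or pass two paths to check copies.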