From 4ee4bf062eb2602491f6cf4545b258da88bab5ab Mon Sep 17 00:00:00 2001 From: =?utf8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 22 Jul 2025 14:26:28 +0100 Subject: [PATCH] news: document fixed nwfilter driver base chain creation MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Reviewed-by: Ján Tomko Signed-off-by: Daniel P. Berrangé --- NEWS.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/NEWS.rst b/NEWS.rst index 1513c2cafb..5a320b7f33 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -87,6 +87,15 @@ v11.6.0 (unreleased) * bhyve: Fix resetting of the autostart flag of the domain on destroy. + * The nwfilter driver no longer recreates the base iptable/ip6tables chains + + The nwfilter driver had a impl mistake causing it to recreate the + base chains for iptables/ip6tables every time a VM was started. + This allowed a small window where traffic might not be fully + filtered. It now handles iptables/ip6tables the same way as + ebtables, creating the base chains only if they did not already + exist. + v11.5.0 (2025-07-01) ==================== -- 2.47.2
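Review bot: The title line of the new NEWS entry says "base iptable/ip6tables chains" while the body says "iptables/ip6tables", and the body opens with "a impl mistake". This is user-facing release text describing a window in which traffic might not be fully filtered, so the wording should be exact: use "iptables/ip6tables" in the title and "an implementation mistake" in the body. The unchanged entry just above is prefixed with its driver name ("bhyve: Fix resetting of ..."). Starting this title with "nwfilter:" would match that style and make the entry easier to find when scanning the release notes for filtering-related fixes.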