From: Daniel P. Berrangé <berrange@redhat.com>

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 NEWS.rst | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/NEWS.rst b/NEWS.rst
index e5e8626729..c7bfac1db4 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -48,6 +48,14 @@ v11.6.0 (unreleased)
 
 * **Bug fixes**
 
+  * The nwfilter driver no longer recreates the base iptable/ip6tables chains
+
+    The nwfilter driver had a impl mistake causing it to recreate the
+    base chains for iptables/ip6tables every time a VM was started.
+    This allowed a small window where traffic might not be fully
+    filtered. It now handles iptables/ip6tables the same way as
+    ebtables, creating the base chains only if they did not already
+    exist.
 
 v11.5.0 (2025-07-01)
 ====================
-- 
2.50.1

On a Tuesday in 2025, Daniel P. Berrangé via Devel wrote:
>From: Daniel P. Berrangé <berrange@redhat.com>
>
>Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
>---
> NEWS.rst | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
>diff --git a/NEWS.rst b/NEWS.rst
>index e5e8626729..c7bfac1db4 100644
>--- a/NEWS.rst
>+++ b/NEWS.rst
>@@ -48,6 +48,14 @@ v11.6.0 (unreleased)
>
> * **Bug fixes**
>
>+  * The nwfilter driver no longer recreates the base iptable/ip6tables chains
>+
>+    The nwfilter driver had a impl mistake causing it to recreate the

I'd rather spell out implementation fully here.

>+    base chains for iptables/ip6tables every time a VM was started.
>+    This allowed a small window where traffic might not be fully
>+    filtered. It now handles iptables/ip6tables the same way as
>+    ebtables, creating the base chains only if they did not already
>+    exist.
>
> v11.5.0 (2025-07-01)
> ====================

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano