Difference between revisions of "Legacy xtables tools"

From nftables wiki
(→‎How to know which tools I'm running: add example of arptables-nft)
 
(2 intermediate revisions by one other user not shown)
Latest revision as of 12:33, 12 February 2021

This page offers information on the status of the legacy xtables tools.

All the xtables/setsockopt-based tools are now considered legacy. New, modern tools exist that are based on the nf_tables kernel backend. This was decided at the annual Netfilter Workshop held in 2018 in Berlin (link to a summary).

Naming

This is a list of affected binaries:

  • iptables
  • iptables-restore
  • iptables-save
  • ip6tables
  • ip6tables-restore
  • ip6tables-save
  • arptables
  • ebtables

These tools are now installed with a '-legacy' string in the name:

  • iptables-legacy
  • iptables-legacy-restore
  • iptables-legacy-save
  • ip6tables-legacy
  • ip6tables-legacy-restore
  • ip6tables-legacy-save
  • arptables-legacy
  • ebtables-legacy

The new tools now carry the '-nft' string in the name (formerly it was '-compat'):

  • xtables-nft-multi (this binary runs all the tools by means of symlinks)
  • arptables-nft-save (new binary, with no direct equivalent in arptables-legacy)
  • arptables-nft-restore (new binary, with no direct equivalent in arptables-legacy)
  • ebtables-nft-save (new binary, with no direct equivalent in ebtables-legacy)
  • ebtables-nft-restore (new binary, with no direct equivalent in ebtables-legacy)

How to know which tools I'm running

In arptables-legacy, the string (legacy) has been included in the help output. Example:

user@machine:~$ sudo arptables --help
arptables v0.0.4 (legacy)

Usage: arptables -[AD] chain rule-specification [options]
       arptables -[RI] chain rulenum rule-specification [options]
       arptables -D chain rulenum [options]
       arptables -[LFZ] [chain] [options]
[...]

In arptables-nft, the version string is the same as that of iptables and is included in the help output. Example:

user@machine:~$ sudo arptables --help
arptables v1.8.2

Usage: arptables -[AD] chain rule-specification [options]
[...]

Something similar happens with ebtables-legacy:

user@machine:~$ sudo ebtables --help
ebtables v2.0.10.4 (legacy) (December 2011)
Usage:
ebtables -[ADI] chain rule-specification [options]
[...]

And with ebtables-nft:

user@machine:~$ sudo ebtables --help
ebtables 1.8.2
Usage:
ebtables -[ADI] chain rule-specification [options]
[...]

In Linux distributions

Your Linux distribution or vendor must tell you in what capacity they include the legacy and nft-based tools.

We recommend that, for a while, distros keep building and distributing both the legacy tools and the new nft-based ones, as has been the case until now. Since the names of the binaries have changed, distros may need to provide a mechanism for users to freely switch back and forth between the legacy and the new tools.

In Debian-based distros, for example, this is done by means of the update-alternatives mechanism.
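The following script is an added example and is not part of the nftables wiki page or of the iptables project. It turns the detection rule described under "How to know which tools I'm running" into a check that can be run on any host: the first line of each tool's --help output is classified as legacy when it carries the (legacy) tag, and as nft-based when it carries the iptables release number (1.8 or later, which is an assumption) or the (nf_tables) tag that iptables-nft itself prints. The tool names, the sample banners in the comments and the version heuristic are assumptions taken from the examples above.

```shell
#!/bin/sh
# Added example (not from the nftables wiki): tell legacy xtables tools apart
# from the nft-based ones using only their --help banner, as the wiki describes.

# classify_backend LINE
# Prints "legacy", "nft" or "unknown" for one banner line, e.g.
#   "arptables v0.0.4 (legacy)"   -> legacy
#   "arptables v1.8.2"            -> nft (carries the iptables release number)
#   "ebtables 1.8.2"              -> nft
#   "iptables v1.8.7 (nf_tables)" -> nft (iptables-nft tags itself explicitly)
classify_backend() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nft ;;
        # Assumption: arptables-nft/ebtables-nft report the iptables release
        # (1.8 or later) with no tag, so the version number is the hint.
        *" v1."[89].*|*" 1."[89].*) echo nft ;;
        *) echo unknown ;;
    esac
}

# banner TOOL
# First line of the tool's --help output (the text the wiki examples show).
# No root is needed for --help; stderr is merged because some tools print
# usage there.
banner() {
    "$1" --help 2>&1 | head -n 1
}

# report_tools [TOOL...]
# Print "tool<TAB>backend<TAB>banner" for every tool found on PATH.
# Defaults to the four front-ends named on the wiki page.
report_tools() {
    [ "$#" -eq 0 ] && set -- iptables ip6tables arptables ebtables
    for t in "$@"; do
        if command -v "$t" >/dev/null 2>&1; then
            line=$(banner "$t")
            printf '%s\t%s\t%s\n' "$t" "$(classify_backend "$line")" "$line"
        else
            printf '%s\tnot installed\n' "$t"
        fi
    done
}

# Run the report when executed directly.
report_tools "$@"
```

On a Debian-based system the same question can be answered through the mechanism the page names: `update-alternatives --display iptables` shows which binary the iptables name currently resolves to, and `sudo update-alternatives --set iptables /usr/sbin/iptables-legacy` (or `/usr/sbin/iptables-nft`) switches it; the arptables and ebtables names have matching alternatives. The banner check above is still useful afterwards, because it confirms what a given shell actually executes rather than what the alternatives database says.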

Where to find each tool

Please refer to your Linux distribution or vendor for specific details. You should probably be using a packaged version of these tools.

The source code repositories are:

See also