Legacy xtables tools

From nftables wiki
Revision as of 13:04, 8 January 2019 by Arturo (talk | contribs) (→How to know which tools I'm running: delete -suffix in commands)

This page offers information on the status of the legacy xtables tools.

All the xtables/setsockopt-based tools are now considered legacy. New, modern tools exist that are based on the nf_tables kernel backend. This was decided at the annual Netfilter Workshop held in 2018 in Berlin (link to a summary).

Naming

This is a list of affected binaries:

  • iptables
  • iptables-restore
  • iptables-save
  • ip6tables
  • ip6tables-restore
  • ip6tables-save
  • arptables
  • ebtables

These tools are now installed with a '-legacy' string in the name:

  • iptables-legacy
  • iptables-legacy-restore
  • iptables-legacy-save
  • ip6tables-legacy
  • ip6tables-legacy-restore
  • ip6tables-legacy-save
  • arptables-legacy
  • ebtables-legacy

The new tools now contain the '-nft' string in their name (formerly it was '-compat'):

  • xtables-nft-multi (this single binary provides all the tools by means of symlinks)
  • arptables-nft-save (new binary, with no direct equivalent in arptables-legacy)
  • arptables-nft-restore (new binary, with no direct equivalent in arptables-legacy)
  • ebtables-nft-save (new binary, with no direct equivalent in ebtables-legacy)
  • ebtables-nft-restore (new binary, with no direct equivalent in ebtables-legacy)

How to know which tools I'm running

In arptables-legacy, the string (legacy) has been included in the help output. Example:

user@machine:~$ sudo arptables --help
arptables v0.0.4 (legacy)

Usage: arptables -[AD] chain rule-specification [options]
       arptables -[RI] chain rulenum rule-specification [options]
       arptables -D chain rulenum [options]
       arptables -[LFZ] [chain] [options]
[...]

In arptables-nft, the version string is the same as that of iptables, and it is included in the help output. Example:

user@machine:~$ sudo arptables --help
arptables v1.8.2

Usage: arptables -[AD] chain rule-specification [options]
[...]

Something similar happens with ebtables-legacy:

user@machine:~$ sudo ebtables --help
ebtables v2.0.10.4 (legacy) (December 2011)
Usage:
ebtables -[ADI] chain rule-specification [options]
[...]

And with ebtables-nft:

user@machine:~$ sudo ebtables --help
ebtables 1.8.2
Usage:
ebtables -[ADI] chain rule-specification [options]
[...]
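The banners quoted above are the only reliable way to tell the two flavours apart when a binary is simply called arptables or ebtables. The following script is an added example, not part of the nftables wiki or of the iptables project: it classifies a tool from the first line of its --help output using the markers shown above, "(legacy)" for the legacy tools and a plain 1.8.x version line for the nft-based ones. It also recognises the "(nf_tables)" tag that iptables-nft prints in its own version line, which is not shown on this page. The sample banners are constructed from the quoted output; the optional live check runs whatever iptables, ip6tables, arptables and ebtables are found in PATH.

```shell
#!/bin/sh
# Added example, not from the nftables wiki: tell the legacy and nft flavours
# of the xtables tools apart from their --help banner, using the markers shown
# on the page: "(legacy)" in the first line of the legacy tools, and a plain
# 1.8.x version line (no "(legacy)") for the nft-based ones.

# classify_xtables_help: read --help output on stdin, print legacy, nft or unknown.
classify_xtables_help() {
    banner=$(head -n 1)
    case "$banner" in
        *'(legacy)'*)           echo legacy ;;   # arptables/ebtables/iptables -legacy
        *'(nf_tables)'*)        echo nft ;;      # tag printed by iptables-nft (assumption: not on the page)
        *' v1.'*|*'tables 1.'*) echo nft ;;      # "arptables v1.8.2", "ebtables 1.8.2"
        *)                      echo unknown ;;
    esac
}

# check_installed_tools: run each xtables binary found in PATH and report its flavour.
check_installed_tools() {
    for tool in iptables ip6tables arptables ebtables; do
        if command -v "$tool" >/dev/null 2>&1; then
            printf '%s: %s\n' "$tool" "$("$tool" --help 2>&1 | classify_xtables_help)"
        else
            printf '%s: not installed\n' "$tool"
        fi
    done
}

# Constructed samples, copied from the banners quoted on the page.
LEGACY_SAMPLE='arptables v0.0.4 (legacy)

Usage: arptables -[AD] chain rule-specification [options]'
NFT_SAMPLE='arptables v1.8.2

Usage: arptables -[AD] chain rule-specification [options]'

printf 'legacy sample -> %s\n' "$(printf '%s\n' "$LEGACY_SAMPLE" | classify_xtables_help)"
printf 'nft sample    -> %s\n' "$(printf '%s\n' "$NFT_SAMPLE" | classify_xtables_help)"

# Pass --live to query the tools actually installed on this host.
if [ "${1:-}" = --live ]; then
    check_installed_tools
fi
```

Run it with `--live` on a host to see which flavour each installed name resolves to. The classification only reads the first line, so it works equally on output captured from a remote host or from a container image, which is useful when verifying that a hardening script and the tool it will invoke agree on the backend.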

In Linux distributions

It is up to your Linux distribution or vendor to tell you in which capacity they ship the legacy and nft-based tools.

We recommend that, for a while, distros keep building and distributing both the legacy tools and the new nft-based ones, as has been the case until now. Since the names of the binaries have changed, distros may need to provide a mechanism for users to freely switch back and forth between the legacy and the new tools.

In Debian-based distros, for example, this is done by means of the update-alternatives mechanism.
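As an added example, not part of the nftables wiki or of the Debian packaging, the script below shows how to inspect and change that selection on a Debian-based system. It assumes Debian's alternative names (iptables, ip6tables, arptables, ebtables), their symlinks under /etc/alternatives, and binaries named /usr/sbin/<tool>-legacy and /usr/sbin/<tool>-nft; the classification itself only looks at a symlink's target name, so it can be pointed at any directory.

```shell
#!/bin/sh
# Added example, not from the nftables wiki: on a Debian-based system, report
# which flavour each xtables alternative currently resolves to, and switch one.
# Assumes Debian's alternative names, their symlinks under /etc/alternatives,
# and binaries at /usr/sbin/<tool>-legacy and /usr/sbin/<tool>-nft.

# flavour_of_link LINK: classify the symlink LINK by the name of its target.
# Prints legacy, nft, unset (no such link) or unknown.
flavour_of_link() {
    [ -L "$1" ] || { echo unset; return 0; }
    case "$(readlink "$1")" in
        *-legacy) echo legacy ;;
        *-nft)    echo nft ;;
        *)        echo unknown ;;
    esac
}

# report_alternatives [DIR]: print the flavour of each tool's alternative in DIR
# (defaults to /etc/alternatives).
report_alternatives() {
    dir=${1:-/etc/alternatives}
    for tool in iptables ip6tables arptables ebtables; do
        printf '%-10s %s\n' "$tool" "$(flavour_of_link "$dir/$tool")"
    done
}

# set_flavour TOOL FLAVOUR: point TOOL's alternative at its -legacy or -nft binary.
# Needs root and a Debian-style alternatives registration for TOOL.
set_flavour() {
    case "$2" in
        legacy|nft) ;;
        *) echo "flavour must be legacy or nft" >&2; return 1 ;;
    esac
    update-alternatives --set "$1" "/usr/sbin/$1-$2"
}

report_alternatives
```

`update-alternatives --display iptables` shows the same information together with all registered candidates. The rule set loaded through one flavour is not visible to the other, so when auditing a host, check which flavour the name resolves to before concluding from an empty listing that no rules are loaded.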

Where to find each tool

Please refer to your Linux distribution or vendor for specific details. You should probably be using a packaged version of these tools.

The source code repositories are:

See also