Legacy xtables tools
Latest revision as of 12:33, 12 February 2021
This page offers information on the status of the legacy xtables tools.
All the xtables/setsockopt-based tools are now considered legacy. New, modern tools exist that are based on the nf_tables kernel backend. This was decided at the annual Netfilter Workshop held in 2018 in Berlin (link to a summary).
Naming
This is a list of affected binaries:
- iptables
- iptables-restore
- iptables-save
- ip6tables
- ip6tables-restore
- ip6tables-save
- arptables
- ebtables
These tools are now installed with a '-legacy' string in the name:
- iptables-legacy
- iptables-legacy-restore
- iptables-legacy-save
- ip6tables-legacy
- ip6tables-legacy-restore
- ip6tables-legacy-save
- arptables-legacy
- ebtables-legacy
The new tools now contain the '-nft' string in the name (formerly it was '-compat'):
- xtables-nft-multi (this binary runs all the tools by means of symlinks)
- arptables-nft-save (new binary, not a direct equivalent in arptables-legacy)
- arptables-nft-restore (new binary, not a direct equivalent in arptables-legacy)
- ebtables-nft-save (new binary, not a direct equivalent in ebtables-legacy)
- ebtables-nft-restore (new binary, not a direct equivalent in ebtables-legacy)
How to know which tools I'm running
In arptables-legacy, the string '(legacy)' is included in the help output. Example:
<pre>
user@machine:~$ sudo arptables --help
arptables v0.0.4 (legacy)
Usage:
arptables -[AD] chain rule-specification [options]
arptables -[RI] chain rulenum rule-specification [options]
arptables -D chain rulenum [options]
arptables -[LFZ] [chain] [options]
[...]
</pre>
In arptables-nft, the version is the same as in iptables, and it is included in the help output. Example:
<pre>
user@machine:~$ sudo arptables --help
arptables v1.8.2
Usage: arptables -[AD] chain rule-specification [options]
[...]
</pre>
Something similar happens with ebtables-legacy:
<pre>
user@machine:~$ sudo ebtables --help
ebtables v2.0.10.4 (legacy) (December 2011)
Usage:
ebtables -[ADI] chain rule-specification [options]
[...]
</pre>
And with ebtables-nft:
<pre>
user@machine:~$ sudo ebtables --help
ebtables 1.8.2
Usage:
ebtables -[ADI] chain rule-specification [options]
[...]
</pre>
In Linux distributions
Your Linux distribution/vendor must inform you in which capacity they are including legacy/nft tools.
We recommend that, for a while, distros keep building and distributing both the legacy tools and the new nft-based ones, as has been happening until now. Since the names of the binaries have changed, distros may need to provide a mechanism for users to freely switch back and forth between the legacy and the new tools.
In Debian-based distros, for example, this is done by means of the update-alternatives mechanism.
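The following POSIX shell script is an added example; it is not part of the Netfilter wiki page nor of the iptables project. It turns the two preceding sections into a check an administrator can script: it classifies the first line of a tool's --help output as "legacy" or "nft" using exactly the banners quoted above (plus the "(nf_tables)" suffix that iptables 1.8 prints in its own version output), and, on Debian-style systems, reads which target an update-alternatives link currently points to. The sample banners are constructed from the outputs on this page; the function names and the "link currently points to" line of update-alternatives --display are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Netfilter wiki: tell legacy and nft xtables
# tools apart from their help banner, and query update-alternatives.

# classify_xtables_banner BANNER
# Prints "legacy", "nft" or "unknown" for a banner line such as
# "arptables v0.0.4 (legacy)".
classify_xtables_banner() {
    case "$1" in
        # arptables-legacy, ebtables-legacy and iptables-legacy print this suffix
        *"(legacy)"*)    echo legacy ;;
        # the nft variant of iptables 1.8.x prints this suffix in -V output
        *"(nf_tables)"*) echo nft ;;
        # arptables-nft and ebtables-nft carry the iptables 1.8.x version with no
        # suffix, whereas the legacy ones are 0.0.x (arptables) and 2.0.x (ebtables)
        "arptables v1."*|"ebtables 1."*) echo nft ;;
        *)               echo unknown ;;
    esac
}

# detect_xtables_variant TOOL
# Runs TOOL --help and classifies its first line (prints "unknown" if the
# tool is missing, since the shell's error message matches no pattern).
detect_xtables_variant() {
    banner=$("$1" --help 2>&1 | head -n 1)
    classify_xtables_banner "$banner"
}

# active_alternative NAME
# On Debian-style systems, prints the path the update-alternatives link NAME
# (for example "iptables") currently points to; prints nothing elsewhere.
active_alternative() {
    command -v update-alternatives >/dev/null 2>&1 || return 0
    update-alternatives --display "$1" 2>/dev/null |
        sed -n 's/^ *link currently points to //p'
}

# Constructed sample banners, copied from the help outputs quoted on the page.
for banner in "arptables v0.0.4 (legacy)" "arptables v1.8.2" \
              "ebtables v2.0.10.4 (legacy) (December 2011)" "ebtables 1.8.2"; do
    printf '%-45s -> %s\n' "$banner" "$(classify_xtables_banner "$banner")"
done
```

On a Debian-based host, `active_alternative iptables` shows the target that `update-alternatives --set iptables <path>` selected (typically /usr/sbin/iptables-legacy or /usr/sbin/iptables-nft), and `detect_xtables_variant iptables` confirms from the binary itself which backend your rules are going through; the two checks disagreeing is a sign that something other than the alternatives system put a tool on the PATH.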
Where to find each tool
Please refer to your Linux distribution or vendor for specific details. You should probably be using a packaged version of these tools.
The source code repositories are:
- (new tools) http://git.netfilter.org/iptables/ (the same repo as the old legacy tools; it includes the new arptables and ebtables)
- (iptables-legacy) http://git.netfilter.org/iptables/ (the same repo as the new, nf_tables-based tools)
- (arptables-legacy) http://git.netfilter.org/ebtables/
- (ebtables-legacy) http://git.netfilter.org/arptables/