
Re: MBF: Removal of iptables-legacy



[fixed typo in debian-kernel@ address]

On Sun, Nov 23, 2025 at 10:57:39AM +0100, Bastian Blank wrote:
> The Debian Kernel team decided to deprecate and remove support for the
> legacy interfaces used by iptables, arptables and ebtables from the
> kernel.  The replacement nftables compatibility layer was introduced
> around 2016.  It is finally time to try and get rid of the legacy
> interfaces, which are now disabled by default in the kernel.
>
> Our plan is to drop usage in all packages and the binaries for forky.
> We will then go and remove the kernel support itself after the release
> of forky.  So in forky, using legacy iptables will still work, but
> Debian will not provide any support and consider it deprecated.
>
> There are some packages that hardcode the use of iptables-legacy.  In
> those cases just using the non-legacy counterparts should work.  It just
> needs a reboot to get rid of the old incompatible rules loaded into the
> kernel.

I wonder how many of these are conditional code in packages that also support nft? For example, incus caught my eye in your list: it has both xtables and nftables drivers, and it prefers nftables if it's available. It doesn't look as though anything would need to change in that package to cope with a kernel without iptables support.

I'd expect many userspace programs to take similar strategies if they've been around for long enough to have needed to support pre-nftables kernels at some point, so this MBF will likely need a fair amount of filtering.

--
Colin Watson (he/him)                              [cjwatson@debian.org]
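An added audit helper for the situation the quoted mail describes (a host or package still tied to iptables-legacy, with stale xtables rules left in the kernel after the switch). This is example code written for this page, not something from the thread, from incus or from the Debian iptables package. It assumes Debian's layout: update-alternatives owns the "iptables" link, and iptables-nft-save / iptables-legacy-save are installed. The sample command outputs embedded below are constructed, not captured from a real host.

```sh
#!/bin/sh
# Audit helper (added example): which iptables backend does a Debian host use,
# and does the kernel still hold legacy xtables tables?
# Assumes Debian's iptables package: the "iptables" update-alternatives link,
# plus iptables-nft-save and iptables-legacy-save on PATH.

# Print the basename of the binary that `update-alternatives --query iptables`
# currently points at ("iptables-nft" or "iptables-legacy"). $1 is the query
# output, passed as text so the function can be exercised on saved samples.
backend_from_query() {
    printf '%s\n' "$1" |
        awk -F': ' '$1 == "Value" { n = split($2, p, "/"); print p[n]; exit }'
}

# iptables-nft-save prints a warning line when legacy tables are still loaded
# in the kernel. Return 0 if $1 (its output) carries that warning.
legacy_tables_flagged() {
    printf '%s\n' "$1" | grep -q '^# Warning: iptables-legacy tables present'
}

# Count real rules (-A lines) in iptables-legacy-save output, ignoring table
# headers, chain policy lines and COMMIT, so an empty default ruleset is 0.
count_legacy_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# Constructed samples of the commands' output (not captured from a real host).
SAMPLE_QUERY='Name: iptables
Link: /usr/sbin/iptables
Slaves:
 iptables-restore /usr/sbin/iptables-restore
 iptables-save /usr/sbin/iptables-save
Status: auto
Best: /usr/sbin/iptables-nft
Value: /usr/sbin/iptables-nft

Alternative: /usr/sbin/iptables-legacy
Priority: 10
Slaves:
 iptables-restore /usr/sbin/iptables-legacy-restore
 iptables-save /usr/sbin/iptables-legacy-save

Alternative: /usr/sbin/iptables-nft
Priority: 20
Slaves:
 iptables-restore /usr/sbin/iptables-nft-restore
 iptables-save /usr/sbin/iptables-nft-save'

SAMPLE_NFT_SAVE='# Warning: iptables-legacy tables present, use iptables-legacy to see them
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

SAMPLE_LEGACY_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Live audit of this host when the tools are present. The *-save commands need
# root; without it they print nothing and the checks simply report nothing.
if command -v update-alternatives >/dev/null 2>&1; then
    q=$(update-alternatives --query iptables 2>/dev/null || true)
    if [ -n "$q" ]; then
        echo "iptables alternative -> $(backend_from_query "$q")"
    fi
fi
if command -v iptables-nft-save >/dev/null 2>&1; then
    if legacy_tables_flagged "$(iptables-nft-save 2>/dev/null || true)"; then
        n=$(count_legacy_rules "$(iptables-legacy-save 2>/dev/null || true)")
        echo "legacy xtables tables still loaded ($n rules); reboot after switching"
    else
        echo "no legacy xtables tables reported by iptables-nft-save"
    fi
fi
```

The warning line from iptables-nft-save is the quick tell: after switching the alternative (update-alternatives --set iptables /usr/sbin/iptables-nft, and likewise for ip6tables), the old legacy tables stay in the kernel until the modules are unloaded or the host reboots, which is the reboot the quoted mail mentions. Running the script before and after the switch shows both states.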

