On 23/11/2025 at 16:12, Colin Watson wrote:
[fixed typo in debian-kernel@ address]

On Sun, Nov 23, 2025 at 10:57:39AM +0100, Bastian Blank wrote:
The Debian Kernel team decided to deprecate and remove support for the legacy interfaces used by iptables, arptables and ebtables from the kernel.

The replacement nftables compatibility layer was introduced around 2016. It is finally time to try and get rid of the legacy interfaces, which are now disabled by default in the kernel.

Our plan is to drop usage in all packages and the binaries for forky. We will then go and remove the kernel support itself after the release of forky. So in forky, using legacy iptables will still work, but Debian will not provide any support and consider it deprecated.

I'm not sure I understand correctly.
Is it only the kernel interface that will be removed (and the 'iptables-legacy' package)?
Or would the binary 'iptables', ... from the 'nftables' package also be removed? (compat layer on top of nftables)
I'm using the shorewall{,6} firewall for now. I've never found another firewall packaged by Debian that is able to handle multi-ISP (I would be pleased to be wrong).
If I recall correctly, shorewall relies on iptables (but works with the nftables compat layer) and upstream does not want to work on a switch to a pure nftables implementation (too much work)[1].
Regards,
Vincent
[1] https://gitlab.com/shorewall/code/-/issues/2