Re: MBF: Removal of iptables-legacy
On Sun, 23 Nov 2025 at 02:15, Bastian Blank <waldi@debian.org> wrote:
> The Debian Kernel team decided to deprecate and remove support for the
> legacy interfaces used by iptables, arptables and ebtables from the
> kernel. The replacement nftables compatibility layer was introduced
> around 2016. It is finally time to try and get rid of the legacy
> interfaces, which are now disabled by default in the kernel.
>
> Our plan is to drop usage in all packages and the binaries for forky.
> We will then go and remove the kernel support itself after the release
> of forky. So in forky, using legacy iptables will still work, but
> Debian will not provide any support and consider it deprecated.
>
> There are some packages that hardcode the use of iptables-legacy. In
> those cases just using the non-legacy counterparts should work. It just
> needs a reboot to get rid of the old incompatible rules loaded into the
> kernel.
Thanks for the src:docker.io heads-up! However, I think this is a
false positive:
https://codesearch.debian.net/search?q=iptables-legacy+pkg%3Adocker.io&literal=1
(only 4 hits, two of which are Dockerfiles that aren't used in the
package build at all, nor shipped in the builds, and two in the
d/changelog -- even fewer hits for "ip6tables-legacy" and zero for
"ebtables-legacy")
♥,
- Tianon