On Sun, Nov 23, 2025 at 10:57:39AM +0100, Bastian Blank wrote:
> Hi
>
> The Debian Kernel team decided to deprecate and remove support for the
> legacy interfaces used by iptables, arptables and ebtables from the
> kernel. The replacement nftables compatibility layer was introduced
> around 2016. It is finally time to try and get rid of the legacy
> interfaces, which are now disabled by default in the kernel.
>
> Our plan is to drop usage in all packages and the binaries for forky.
> We will then go and remove the kernel support itself after the release
> of forky. So in forky, using legacy iptables will still work, but
> Debian will not provide any support and consider it deprecated.
>
> There are some packages that hardcode the use of iptables-legacy. In
> those cases just using the non-legacy counterparts should work. It just
> needs a reboot to get rid of the old incompatible rules loaded into the
> kernel.

Bit late to the party, sorry.

Can you please confirm that it's only iptables-legacy (and the underlying kernel code) going away, and that iptables-nft will keep working going forward?

libvirt tried to switch to nft a year ago but unfortunately that turned out to be unfeasible at the time, so we are currently relying on the compatibility interface provided by iptables-nft. Additional details in #1090355.

Thanks!

-- 
Andrea Bolognani <[email protected]>
Resistance is futile, you will be garbage collected.

