On 2026-01-07, at 02:40:37 +0100, Andrea Bolognani wrote:
On Sun, Nov 23, 2025 at 10:57:39AM +0100, Bastian Blank wrote:
> The Debian Kernel team decided to deprecate and remove support for the
> legacy interfaces used by iptables, arptables and ebtables from the
> kernel. The replacement nftables compatibility layer was introduced
> around 2016. It is finally time to try and get rid of the legacy
> interfaces, which are now disabled by default in the kernel.
>
> Our plan is to drop usage in all packages and the binaries for forky.
> We will then go and remove the kernel support itself after the release
> of forky. So in forky, using legacy iptables will still work, but
> Debian will not provide any support and consider it deprecated.
>
> There are some packages that hardcode the use of iptables-legacy. In
> those cases just using the non-legacy counterparts should work. It just
> needs a reboot to get rid of the old incompatible rules loaded into the
> kernel.

Bit late to the party, sorry. Can you please confirm that it's only iptables-legacy (and the underlying kernel code) going away, and that iptables-nft will keep working going forward?

Correct.
libvirt tried to switch to nft a year ago but unfortunately that turned out to be unfeasible at the time, so we are currently relying on the compatibility interface provided by iptables-nft. Additional details in #1090355.
J.

