Hi.

On Fri, Oct 16, 2020 at 12:25:23PM +0200, Jesper Dybdal wrote:
> I have a lot of iptables rules.
>
> Is it correctly understood that the upgrade to Buster will automatically
> install iptables-nft, and that iptables-nft provides complete and compatible
> support for the functionality of the old iptables command, so I can expect my
> iptables scripts to just work?
Barring some kernel bugs - yes.

For instance, I've seen kernel panics because of simple:

iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

It *should* be fixed by now, but I cannot call my own usage of netfilter that
advanced (filter, nat, *some* raw, that's it).

> (If so, that would be really nice, since I can then postpone the move to
> native nftables.)

To switch back to conventional netfilter you'll have to execute these:

update-alternatives --config iptables
update-alternatives --config ip6tables
update-alternatives --config arptables
update-alternatives --config ebtables

Last two are optional, and it all should be done after the migration to buster.

Reco
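Added example, not part of Reco's mail: a small POSIX shell helper that tells you which backend your iptables command is currently using, prints the non-interactive form of the four update-alternatives switches above, and counts the rules in an iptables-save dump so you can confirm your scripts loaded the same ruleset before and after a backend change. It assumes Debian's legacy binaries are at /usr/sbin/<tool>-legacy; the iptables-save text is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the mail above): see which backend the iptables
# command is using after the buster upgrade, and switch all four tools back
# to the legacy backend without the interactive --config prompts.
# Assumption: Debian's legacy binaries live at /usr/sbin/<tool>-legacy.

# Parse `iptables -V` output such as "iptables v1.8.2 (nf_tables)" and
# print nf_tables, legacy or unknown (older iptables prints no backend).
backend_of() {
    case "$1" in
        *'(nf_tables)'*) echo nf_tables ;;
        *'(legacy)'*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Non-interactive equivalent of `update-alternatives --config <tool>`
# for one tool: print the command that selects its legacy variant.
legacy_switch_cmd() {
    echo "update-alternatives --set $1 /usr/sbin/$1-legacy"
}

# The full set from the mail; arptables and ebtables are the optional two.
legacy_switch_cmds() {
    for tool in iptables ip6tables arptables ebtables; do
        legacy_switch_cmd "$tool"
    done
}

# Count -A rules in iptables-save output, so a script-loaded ruleset can be
# compared before and after switching backends (same count = same rules loaded).
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A' || true
}

# Constructed iptables-save sample, including the rule mentioned in the mail.
SAMPLE_SAVE='# constructed sample, not a real dump
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Report on the live system when iptables is installed; otherwise stay quiet.
if command -v iptables >/dev/null 2>&1; then
    echo "active backend: $(backend_of "$(iptables -V 2>/dev/null)")"
    echo "to switch back to legacy, run as root:"
    legacy_switch_cmds
fi
```

Run `iptables-save > before.rules` before the switch and again after re-running your scripts, then compare the two counts (and diff the files) to catch rules that the other backend silently refused.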