.TH XTABLES-LEGACY 8 "June 2018"
.SH NAME
-xtables-legacy \- iptables using old getsockopt/setsockopt based kernel api
+xtables-legacy \(em iptables using old getsockopt/setsockopt-based kernel api
.SH DESCRIPTION
\fBxtables-legacy\fP are the original versions of iptables that use
-old getsockopt/setsockopt based kernel interface.
+old getsockopt/setsockopt-based kernel interface.
This kernel interface has some limitations, therefore iptables can also
be used with the newer nf_tables based API.
See
-.B xtables-nft(8)
+.B xtables\-nft(8)
for information about the xtables-nft variants of iptables.
.SH USAGE
The xtables-legacy-multi binary can be linked to the traditional names:
.nf
- /sbin/iptables \-> /sbin/iptables-legacy-multi
- /sbin/ip6tables \-> /sbin/ip6tables-legacy-mulit
- /sbin/iptables-save \-> /sbin/ip6tables-legacy-mulit
- /sbin/iptables-restore \-> /sbin/ip6tables-legacy-mulit
+ /sbin/iptables -> /sbin/iptables\-legacy\-multi
+ /sbin/ip6tables -> /sbin/ip6tables\-legacy\-multi
+ /sbin/iptables\-save -> /sbin/ip6tables\-legacy\-multi
+ /sbin/iptables\-restore -> /sbin/ip6tables\-legacy\-multi
.fi
-The iptables version string will indicate if the legacy API (get/setsockopt) or
-the new nf_tables api is used:
+The iptables version string will indicate whether the legacy API (get/setsockopt) or
+the new nf_tables API is used:
.nf
iptables \-V
iptables v1.7 (legacy)
There is also no method to monitor changes to the ruleset, except periodically calling
iptables-legacy-save and checking for any differences in output.
-.B xtables-monitor(8)
+.B xtables\-monitor(8)
will need the
-.B xtables-nft(8)
+.B xtables\-nft(8)
versions to work, it cannot display changes made using the.
.B iptables-legacy
tools.
.TH XTABLES-NFT 8 "June 2018"
.SH NAME
-xtables-nft \- iptables using nftables kernel api
+xtables-nft \(em iptables using nftables kernel api
.SH DESCRIPTION
-\fBxtables-nft\fP are versions of iptables that use the nftables api.
- is set of tools to help the system administrator migrate the
+\fBxtables-nft\fP are versions of iptables that use the nftables API.
+This is a set of tools to help the system administrator migrate the
ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and
\fBebtables(8)\fP to \fBnftables(8)\fP.
The \fBxtables-nft\fP set is composed of several commands:
.IP \[bu] 2
-iptables-nft
+iptables\-nft
.IP \[bu]
-iptables-nft-save
+iptables\-nft\-save
.IP \[bu]
-iptables-nft-restore
+iptables\-nft\-restore
.IP \[bu]
-ip6tables-nft
+ip6tables\-nft
.IP \[bu]
-ip6tables-nft-save
+ip6tables\-nft\-save
.IP \[bu]
-ip6tables-nft-restore
+ip6tables\-nft\-restore
.IP \[bu]
-arptables-nft
+arptables\-nft
.IP \[bu]
-ebtables-nft
+ebtables\-nft
These tools use the libxtables framework extensions and hook to the nf_tables
kernel subsystem using the \fBnft_compat\fP module.
\fBebtables(8)\fP.
You should use the xtables-nft tools exactly the same way as you would use the
-corresponding original tool.
+corresponding original tools.
Adding a rule will result in that rule being added to the nf_tables kernel
subsystem instead.
with a symlink to the xtables-nft program, for example:
.nf
- /sbin/iptables \-> /usr/sbin/iptables-nft-multi
- /sbin/ip6tables \-> /usr/sbin/ip6tables-nft-mulit
- /sbin/arptables \-> /usr/sbin/arptables-nft-multi
- /sbin/ebtables \-> /usr/sbin/ebtables-nft-multi
+ /sbin/iptables -> /usr/sbin/iptables\-nft\-multi
+ /sbin/ip6tables -> /usr/sbin/ip6tables\-nft\-multi
+ /sbin/arptables -> /usr/sbin/arptables\-nft\-multi
+ /sbin/ebtables -> /usr/sbin/ebtables\-nft\-multi
.fi
-The iptables version string will indicate if the legacy API (get/setsockopt) or
+The iptables version string will indicate whether the legacy API (get/setsockopt) or
the new nf_tables api is used:
.nf
iptables \-V
.SH DIFFERENCES TO LEGACY IPTABLES
-Because the xtables-nft tools use the nf_tables kernel api, rule additions
-are deletions are always atomic. Unlike iptables-legacy, iptables-nft \-A ..
+Because the xtables-nft tools use the nf_tables kernel API, rule additions
+and deletions are always atomic. Unlike iptables-legacy, iptables-nft \-A ..
will NOT need to retrieve the current ruleset from the kernel, change it, and
re-load the altered ruleset. Instead, iptables-nft will tell the kernel to add
one rule. For this reason, the iptables-legacy \-\-wait option is a no-op in
iptables-nft.
Use of the xtables-nft tools allow monitoring ruleset changes using the
-.B xtables-monitor(8)
+.B xtables\-monitor(8)
command.
When using \-j TRACE to debug packet traversal to the ruleset, note that you will need to use
-.B xtables-monitor(8)
+.B xtables\-monitor(8)
in \-\-trace mode to obtain monitoring trace events.
.SH EXAMPLES
xtables-nft tools, in a fresh machine:
.nf
- root@machine:~# iptables-nft -L
+ root@machine:~# iptables\-nft \-L
[...]
- root@machine:~# ip6tables-nft -L
+ root@machine:~# ip6tables\-nft \-L
[...]
- root@machine:~# arptables-nft -L
+ root@machine:~# arptables\-nft \-L
[...]
- root@machine:~# ebtables-nft -L
+ root@machine:~# ebtables\-nft \-L
[...]
root@machine:~# nft list ruleset
table ip filter {
}
table bridge filter {
chain INPUT {
- type filter hook input priority -200; policy accept;
+ type filter hook input priority \-200; policy accept;
}
chain FORWARD {
- type filter hook forward priority -200; policy accept;
+ type filter hook forward priority \-200; policy accept;
}
chain OUTPUT {
- type filter hook output priority -200; policy accept;
+ type filter hook output priority \-200; policy accept;
}
}
table arp filter {
you would use:
.nf
- root@machine:~# iptables-legacy-save > myruleset # reads from x_tables
- root@machine:~# iptables-nft-restore myruleset # writes to nf_tables
+ root@machine:~# iptables\-legacy\-save > myruleset # reads from x_tables
+ root@machine:~# iptables\-nft\-restore myruleset # writes to nf_tables
.fi
projects / thirdparty / iptables.git / commitdiff
