[PATCH xtables 1/3] xtables: rename xt-multi binaries to -nft, -legacy


 



This adds a clear distinction between old iptables (formerly
xtables-multi, now xtables-legacy-multi) and new iptables
(formerly xtables-compat-multi, now xtables-nft-multi).

Users will get the ip/ip6tables names via symbolic links, having
a distinct name postfix for the legacy/nft variants helps to
make a clear distinction, as iptables-nft will always use
nf_tables and iptables-legacy always uses get/setsockopt whereas
"iptables" could be symlinked to either -nft or -legacy.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 iptables-test.py                                   |  6 +-
 iptables/Makefile.am                               | 74 +++++++++----------
 .../{xtables-multi.c => xtables-legacy-multi.c}    | 16 ++---
 iptables/xtables-legacy.8                          | 78 ++++++++++++++++++++
 ...{xtables-compat-multi.c => xtables-nft-multi.c} | 14 ++--
 iptables/{xtables-compat.8 => xtables-nft.8}       | 84 ++++++++++++++--------
 6 files changed, 188 insertions(+), 84 deletions(-)
 rename iptables/{xtables-multi.c => xtables-legacy-multi.c} (79%)
 create mode 100644 iptables/xtables-legacy.8
 rename iptables/{xtables-compat-multi.c => xtables-nft-multi.c} (76%)
 rename iptables/{xtables-compat.8 => xtables-nft.8} (62%)

diff --git a/iptables-test.py b/iptables-test.py
index 75095d2de555..9bfb8086aa0a 100755
--- a/iptables-test.py
+++ b/iptables-test.py
@@ -269,6 +269,8 @@ def main():
     parser.add_argument('filename', nargs='?',
                         metavar='path/to/file.t',
                         help='Run only this test')
+    parser.add_argument('-l', '--legacy', action='store_true',
+                        help='Test iptables-legacy')
     parser.add_argument('-m', '--missing', action='store_true',
                         help='Check for missing tests')
     parser.add_argument('-n', '--nftables', action='store_true',
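Review bot: The new `--legacy` option is parsed, but `args.legacy` is not read in either visible hunk. The next hunk assigns `EXECUTEABLE = "xtables-legacy-multi"` unconditionally and only `args.nftables` overrides it, so `-l` looks like a no-op and `-l -n` together would quietly run the nft binary. Since this script insists on root and loads rules into the running kernel, the selected backend should be unambiguous: either drop the flag or register `-l` and `-n` through `parser.add_mutually_exclusive_group()` so a conflicting invocation is rejected. main() begins and ends outside both hunks, so a use of `args.legacy` elsewhere cannot be ruled out from here.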
@@ -283,9 +285,9 @@ def main():
         return
 
     global EXECUTEABLE
-    EXECUTEABLE = "xtables-multi"
+    EXECUTEABLE = "xtables-legacy-multi"
     if args.nftables:
-        EXECUTEABLE = "xtables-compat-multi"
+        EXECUTEABLE = "xtables-nft-multi"
 
     if os.getuid() != 0:
         print "You need to be root to run this, sorry"
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index 95e67b834f12..9eccaebf10f1 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -6,39 +6,39 @@ AM_YFLAGS = -d
 
 BUILT_SOURCES =
 
-xtables_multi_SOURCES  = xtables-multi.c iptables-xml.c
-xtables_multi_CFLAGS   = ${AM_CFLAGS}
-xtables_multi_LDADD    = ../extensions/libext.a
+xtables_legacy_multi_SOURCES  = xtables-legacy-multi.c iptables-xml.c
+xtables_legacy_multi_CFLAGS   = ${AM_CFLAGS}
+xtables_legacy_multi_LDADD    = ../extensions/libext.a
 if ENABLE_STATIC
-xtables_multi_CFLAGS  += -DALL_INCLUSIVE
+xtables_legacy_multi_CFLAGS  += -DALL_INCLUSIVE
 endif
 if ENABLE_IPV4
-xtables_multi_SOURCES += iptables-save.c iptables-restore.c \
+xtables_legacy_multi_SOURCES += iptables-save.c iptables-restore.c \
                          iptables-standalone.c iptables.c
-xtables_multi_CFLAGS  += -DENABLE_IPV4
-xtables_multi_LDADD   += ../libiptc/libip4tc.la ../extensions/libext4.a
+xtables_legacy_multi_CFLAGS  += -DENABLE_IPV4
+xtables_legacy_multi_LDADD   += ../libiptc/libip4tc.la ../extensions/libext4.a
 endif
 if ENABLE_IPV6
-xtables_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
+xtables_legacy_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
                           ip6tables-standalone.c ip6tables.c
-xtables_multi_CFLAGS  += -DENABLE_IPV6
-xtables_multi_LDADD   += ../libiptc/libip6tc.la ../extensions/libext6.a
+xtables_legacy_multi_CFLAGS  += -DENABLE_IPV6
+xtables_legacy_multi_LDADD   += ../libiptc/libip6tc.la ../extensions/libext6.a
 endif
-xtables_multi_SOURCES += xshared.c
-xtables_multi_LDADD   += ../libxtables/libxtables.la -lm
+xtables_legacy_multi_SOURCES += xshared.c
+xtables_legacy_multi_LDADD   += ../libxtables/libxtables.la -lm
 
-# nftables compatibility layer
+# nftables nfibility layer
 if ENABLE_NFTABLES
 BUILT_SOURCES += xtables-config-parser.h
-xtables_compat_multi_SOURCES  = xtables-compat-multi.c iptables-xml.c
-xtables_compat_multi_CFLAGS   = ${AM_CFLAGS}
-xtables_compat_multi_LDADD    = ../extensions/libext.a ../extensions/libext_ebt.a
+xtables_nft_multi_SOURCES  = xtables-nft-multi.c iptables-xml.c
+xtables_nft_multi_CFLAGS   = ${AM_CFLAGS}
+xtables_nft_multi_LDADD    = ../extensions/libext.a ../extensions/libext_ebt.a
 if ENABLE_STATIC
-xtables_compat_multi_CFLAGS  += -DALL_INCLUSIVE
+xtables_nft_multi_CFLAGS  += -DALL_INCLUSIVE
 endif
-xtables_compat_multi_CFLAGS  += -DENABLE_NFTABLES -DENABLE_IPV4 -DENABLE_IPV6
-xtables_compat_multi_SOURCES += xtables-config-parser.y xtables-config-syntax.l
-xtables_compat_multi_SOURCES += xtables-save.c xtables-restore.c \
+xtables_nft_multi_CFLAGS  += -DENABLE_NFTABLES -DENABLE_IPV4 -DENABLE_IPV6
+xtables_nft_multi_SOURCES += xtables-config-parser.y xtables-config-syntax.l
+xtables_nft_multi_SOURCES += xtables-save.c xtables-restore.c \
 				xtables-standalone.c xtables.c nft.c \
 				nft-shared.c nft-ipv4.c nft-ipv6.c nft-arp.c \
 				xtables-monitor.c \
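Review bot: The comment above `if ENABLE_NFTABLES` was caught by the compat-to-nft substitution and now reads `# nftables nfibility layer`, which no longer says anything. Something like `# nf_tables based variant (xtables-nft-multi)` would describe the block that follows. The `xtables_nft_multi_SOURCES` continuation list runs on into the next hunk.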
@@ -47,38 +47,40 @@ xtables_compat_multi_SOURCES += xtables-save.c xtables-restore.c \
 				xtables-eb-standalone.c xtables-eb.c \
 				xtables-eb-translate.c \
 				xtables-translate.c
-xtables_compat_multi_LDADD   += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a
+xtables_nft_multi_LDADD   += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a
 # yacc and lex generate dirty code
-xtables_compat_multi-xtables-config-parser.o xtables_compat_multi-xtables-config-syntax.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls
-xtables_compat_multi_SOURCES += xshared.c
-xtables_compat_multi_LDADD   += ../libxtables/libxtables.la -lm
+xtables_nft_multi-xtables-config-parser.o xtables_nft_multi-xtables-config-syntax.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls
+xtables_nft_multi_SOURCES += xshared.c
+xtables_nft_multi_LDADD   += ../libxtables/libxtables.la -lm
 endif
 
-sbin_PROGRAMS    = xtables-multi
+sbin_PROGRAMS    = xtables-legacy-multi
 if ENABLE_NFTABLES
-sbin_PROGRAMS	+= xtables-compat-multi
+sbin_PROGRAMS	+= xtables-nft-multi
 endif
 man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
                    iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
                    ip6tables-save.8 iptables-extensions.8 \
-                   xtables-compat.8 xtables-translate.8 \
+                   xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
                    xtables-monitor.8
 CLEANFILES       = iptables.8 xtables-monitor.8 \
 		   xtables-config-parser.c xtables-config-syntax.c
 
 vx_bin_links   = iptables-xml
 if ENABLE_IPV4
-v4_sbin_links  = iptables iptables-restore iptables-save
+v4_sbin_links  = iptables-legacy iptables-legacy-restore iptables-legacy-save \
+		 iptables iptables-restore iptables-save
 endif
 if ENABLE_IPV6
-v6_sbin_links  = ip6tables ip6tables-restore ip6tables-save
+v6_sbin_links  = ip6tables-legacy ip6tables-legacy-restore ip6tables-legacy-save \
+		 ip6tables ip6tables-restore ip6tables-save
 endif
 if ENABLE_NFTABLES
-x_sbin_links  = iptables-compat iptables-compat-restore iptables-compat-save \
-		ip6tables-compat ip6tables-compat-restore ip6tables-compat-save \
+x_sbin_links  = iptables-nft iptables-nft-restore iptables-nft-save \
+		ip6tables-nft ip6tables-nft-restore ip6tables-nft-save \
 		iptables-translate ip6tables-translate \
 		iptables-restore-translate ip6tables-restore-translate \
-		arptables-compat ebtables-compat xtables-monitor
+		arptables ebtables xtables-monitor
 endif
 
 iptables-extensions.8: iptables-extensions.8.tmpl ../extensions/matches.man ../extensions/targets.man
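Review bot: `x_sbin_links` now lists bare `arptables` and `ebtables` where it previously had `arptables-compat` and `ebtables-compat`. The `install-exec-hook` loop in the next hunk (`${LN_S} -f xtables-nft-multi ...`) will therefore force-replace any `${sbindir}/arptables` or `${sbindir}/ebtables` already installed from the standalone packages. That silently changes which kernel backend ARP and bridge filter rules are loaded into on the next install. It also disagrees with xtables-nft.8 in this same patch, which documents `arptables-nft` and `ebtables-nft`. I would keep the suffixed names here, `arptables-nft ebtables-nft xtables-monitor`, and add `{"arptables-nft", xtables_arp_main},` and `{"ebtables-nft", xtables_eb_main},` to the table in xtables-nft-multi.c, where the `-compat` names are removed without a replacement.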
@@ -92,7 +94,7 @@ pkgconfig_DATA = xtables.pc
 install-exec-hook:
 	-if test -z "${DESTDIR}"; then /sbin/ldconfig; fi;
 	${INSTALL} -dm0755 "${DESTDIR}${bindir}";
-	for i in ${vx_bin_links}; do ${LN_S} -f "${sbindir}/xtables-multi" "${DESTDIR}${bindir}/$$i"; done;
-	for i in ${v4_sbin_links}; do ${LN_S} -f xtables-multi "${DESTDIR}${sbindir}/$$i"; done;
-	for i in ${v6_sbin_links}; do ${LN_S} -f xtables-multi "${DESTDIR}${sbindir}/$$i"; done;
-	for i in ${x_sbin_links}; do ${LN_S} -f xtables-compat-multi "${DESTDIR}${sbindir}/$$i"; done;
+	for i in ${vx_bin_links}; do ${LN_S} -f "${sbindir}/xtables-legacy-multi" "${DESTDIR}${bindir}/$$i"; done;
+	for i in ${v4_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
+	for i in ${v6_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
+	for i in ${x_sbin_links}; do ${LN_S} -f xtables-nft-multi "${DESTDIR}${sbindir}/$$i"; done;
diff --git a/iptables/xtables-multi.c b/iptables/xtables-legacy-multi.c
similarity index 79%
rename from iptables/xtables-multi.c
rename to iptables/xtables-legacy-multi.c
index e90885ddb0fd..71ec7f5ead85 100644
--- a/iptables/xtables-multi.c
+++ b/iptables/xtables-legacy-multi.c
@@ -25,6 +25,11 @@ static const struct subcommand multi_subcommands[] = {
 	{"save4",               iptables_save_main},
 	{"iptables-restore",    iptables_restore_main},
 	{"restore4",            iptables_restore_main},
+	{"iptables-legacy",     iptables_main},
+	{"iptables-legacy-save",iptables_save_main},
+	{"iptables-legacy-restore",iptables_restore_main},
+
+
 #endif
 	{"iptables-xml",        iptables_xml_main},
 	{"xml",                 iptables_xml_main},
@@ -35,14 +40,9 @@ static const struct subcommand multi_subcommands[] = {
 	{"save6",               ip6tables_save_main},
 	{"ip6tables-restore",   ip6tables_restore_main},
 	{"restore6",            ip6tables_restore_main},
-#endif
-#ifdef ENABLE_NFTABLES
-	{"xtables",             xtables_main},
-	{"xtables-save",        xtables_save_main},
-	{"xtables-restore",     xtables_restore_main},
-	{"xtables-config",      xtables_config_main},
-	{"xtables-arp",		xtables_arp_main},
-	{"xtables-ebtables",	xtables_eb_main},
+	{"ip6tables",           ip6tables_main},
+	{"ip6tables-legacy-save",ip6tables_save_main},
+	{"ip6tables-legacy-restore",ip6tables_restore_main},
 #endif
 	{NULL},
 };
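Review bot: The entry added to the IPv6 block is `{"ip6tables", ip6tables_main},` rather than an `ip6tables-legacy` name. The `ip6tables-legacy` link that Makefile.am now installs through `v6_sbin_links` therefore has no matching row in `multi_subcommands`, unlike the IPv4 block in the previous hunk, which adds `iptables-legacy`. If the handler is chosen by program basename, as the table layout suggests, running `ip6tables-legacy` would not resolve. A plain `ip6tables` row presumably already exists above the hunk, which would make the added one a duplicate. The line should read `{"ip6tables-legacy",     ip6tables_main},`. The table starts outside the hunk.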
diff --git a/iptables/xtables-legacy.8 b/iptables/xtables-legacy.8
new file mode 100644
index 000000000000..9a22d5f0cd34
--- /dev/null
+++ b/iptables/xtables-legacy.8
@@ -0,0 +1,78 @@
+.\"
+.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez <arturo@xxxxxxxxxxxxx>
+.\"
+.\" %%%LICENSE_START(GPLv2+_DOC_FULL)
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, see
+.\" <http://www.gnu.org/licenses/>.
+.\" %%%LICENSE_END
+.\"
+.TH XTABLES-LEGACY 8 "June 2018"
+
+.SH NAME
+xtables-legacy \- iptables using old getsockopt/setsockopt based kernel api
+
+.SH DESCRIPTION
+\fBxtables-legacy\fP are the original versions of iptables that use
+old getsockopt/setsockopt based kernel interface.
+This kernel interface has some limitations, therefore iptables can also
+be used with the newer nf_tables based API.
+See
+.B xtables-nft(8)
+for information about the xtables-nft variants of iptables.
+
+.SH USAGE
+The xtables-legacy-multi binary can be linked to the traditional names:
+
+.nf
+	/sbin/iptables  -> /sbin/iptables-legacy-multi
+	/sbin/ip6tables -> /sbin/ip6tables-legacy-mulit
+	/sbin/iptables-save -> /sbin/ip6tables-legacy-mulit
+	/sbin/iptables-restore -> /sbin/ip6tables-legacy-mulit
+.fi
+
+The iptables version string will indicate if the legacy API (get/setsockopt) or
+the new nf_tables api is used:
+.nf
+	iptables \-V
+	iptables v1.7 (legacy)
+.fi
+
+.SH LIMITATIONS
+
+When inserting a rule using
+iptables -A or iptables -I, iptables first needs to retrieve the current active
+ruleset, change it to include the new rule, and then commit back the result.
+This means that if two instances of iptables are running concurrently, one of the
+updates might be lost.  This can be worked around partially with the \-\-wait option.
+
+There is also no method to monitor changes to the ruleset, except periodically calling
+iptables-legacy-save and checking for any differences in output.
+
+.B xtables-monitor(8)
+will need the
+.B xtables-nft(8)
+versions to work, it cannot display changes made using the.
+.B iptables-legacy
+tools.
+
+.SH SEE ALSO
+\fBxtables-nft(8)\fP, \fBxtables-translate(8)\fP
+
+.SH AUTHORS
+Rusty Russell originally wrote iptables, in early consultation with Michael Neuling.
diff --git a/iptables/xtables-compat-multi.c b/iptables/xtables-nft-multi.c
similarity index 76%
rename from iptables/xtables-compat-multi.c
rename to iptables/xtables-nft-multi.c
index 014e5a4e3c8f..187da81e9f59 100644
--- a/iptables/xtables-compat-multi.c
+++ b/iptables/xtables-nft-multi.c
@@ -9,30 +9,28 @@ static const struct subcommand multi_subcommands[] = {
 	{"iptables-xml",		iptables_xml_main},
 	{"xml",				iptables_xml_main},
 	{"iptables",			xtables_ip4_main},
-	{"iptables-compat",		xtables_ip4_main},
+	{"iptables-nft",		xtables_ip4_main},
 	{"main4",			xtables_ip4_main},
 	{"save4",			xtables_ip4_save_main},
 	{"restore4",			xtables_ip4_restore_main},
 	{"iptables-save",		xtables_ip4_save_main},
 	{"iptables-restore",		xtables_ip4_restore_main},
-	{"iptables-compat-save",	xtables_ip4_save_main},
-	{"iptables-compat-restore",	xtables_ip4_restore_main},
+	{"iptables-nft-save",	xtables_ip4_save_main},
+	{"iptables-nft-restore",	xtables_ip4_restore_main},
 	{"ip6tables",			xtables_ip6_main},
-	{"ip6tables-compat",		xtables_ip6_main},
+	{"ip6tables-nft",		xtables_ip6_main},
 	{"main6",			xtables_ip6_main},
 	{"save6",			xtables_ip6_save_main},
 	{"restore6",			xtables_ip6_restore_main},
 	{"ip6tables-save",		xtables_ip6_save_main},
 	{"ip6tables-restore",		xtables_ip6_restore_main},
-	{"ip6tables-compat-save",	xtables_ip6_save_main},
-	{"ip6tables-compat-restore",	xtables_ip6_restore_main},
+	{"ip6tables-nft-save",	xtables_ip6_save_main},
+	{"ip6tables-nft-restore",	xtables_ip6_restore_main},
 	{"iptables-translate",		xtables_ip4_xlate_main},
 	{"ip6tables-translate",		xtables_ip6_xlate_main},
 	{"iptables-restore-translate",	xtables_ip4_xlate_restore_main},
 	{"ip6tables-restore-translate",	xtables_ip6_xlate_restore_main},
 	{"arptables",			xtables_arp_main},
-	{"arptables-compat",		xtables_arp_main},
-	{"ebtables-compat",		xtables_eb_main},
 	{"ebtables-translate",		xtables_eb_xlate_main},
 	{"ebtables",			xtables_eb_main},
 	{"xtables-monitor",		xtables_monitor_main},
diff --git a/iptables/xtables-compat.8 b/iptables/xtables-nft.8
similarity index 62%
rename from iptables/xtables-compat.8
rename to iptables/xtables-nft.8
index 90f887e151d4..34f47d21965b 100644
--- a/iptables/xtables-compat.8
+++ b/iptables/xtables-nft.8
@@ -22,43 +22,44 @@
 .\" <http://www.gnu.org/licenses/>.
 .\" %%%LICENSE_END
 .\"
-.TH XTABLES-COMPAT 8 "Feb 25, 2017"
+.TH XTABLES-NFT 8 "June 2018"
 
 .SH NAME
-xtables-compat \- compat tools to migrate from iptables to nftables
+xtables-nft \- iptables using nftables kernel api
 
 .SH DESCRIPTION
-\fBxtables-compat\fP is set of tools to help the system administrator migrate the
+\fBxtables-nft\fP are versions of iptables that use the nftables api.
+ is set of tools to help the system administrator migrate the
 ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and
 \fBebtables(8)\fP to \fBnftables(8)\fP.
 
-The \fBxtables-compat\fP set is composed of several commands:
+The \fBxtables-nft\fP set is composed of several commands:
 .IP \[bu] 2
-iptables-compat
+iptables-nft
 .IP \[bu]
-iptables-compat-save
+iptables-nft-save
 .IP \[bu]
-iptables-compat-restore
+iptables-nft-restore
 .IP \[bu]
-ip6tables-compat
+ip6tables-nft
 .IP \[bu]
-ip6tables-compat-save
+ip6tables-nft-save
 .IP \[bu]
-ip6tables-compat-restore
+ip6tables-nft-restore
 .IP \[bu]
-arptables-compat
+arptables-nft
 .IP \[bu]
-ebtables-compat
+ebtables-nft
 
 These tools use the libxtables framework extensions and hook to the nf_tables
 kernel subsystem using the \fBnft_compat\fP module.
 
 .SH USAGE
-The compat tools set allows you to manage the nf_tables backend using the
+The xtables-nft tools allow you to manage the nf_tables backend using the
 native syntax of \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and
 \fBebtables(8)\fP.
 
-You should use the compat tools exactly the same way as you would use the
+You should use the xtables-nft tools exactly the same way as you would use the
 corresponding original tool.
 
 Adding a rule will result in that rule being added to the nf_tables kernel
@@ -66,27 +67,51 @@ subsystem instead.
 Listing the ruleset will use the nf_tables backend as well.
 
 When these tools were designed, the main idea was to replace each legacy binary
-with a symlink to the corresponding compat tool, for example:
+with a symlink to the xtables-nft program, for example:
 
 .nf
-	/sbin/iptables  --> /usr/sbin/iptables-compat
-	/sbin/ip6tables --> /usr/sbin/ip6tables-compat
-	/sbin/arptables --> /usr/sbin/arptables-compat
-	/sbin/ebtables  --> /usr/sbin/ebtables-compat
+	/sbin/iptables  --> /usr/sbin/iptables-nft-multi
+	/sbin/ip6tables --> /usr/sbin/ip6tables-nft-mulit
+	/sbin/arptables --> /usr/sbin/arptables-nft-multi
+	/sbin/ebtables  --> /usr/sbin/ebtables-nft-multi
 .fi
 
+The iptables version string will indicate if the legacy API (get/setsockopt) or
+the new nf_tables api is used:
+.nf
+	iptables \-V
+	iptables v1.7 (nf_tables)
+.fi
+
+.SH DIFFERENCES TO LEGACY IPTABLES
+
+Because the xtables-nft tools use the nf_tables kernel api, rule additions
+are deletions are always atomic.  Unlike iptables-legacy, iptables-nft \-A ..
+will NOT need to retrieve the current ruleset from the kernel, change it, and
+re-load the altered ruleset.  Instead, iptables-nft will tell the kernel to add
+one rule.  For this reason, the iptables-legacy \-\-wait option is a no-op in
+iptables-nft.
+
+Use of the xtables-nft tools allow monitoring ruleset changes using the
+.B xtables-monitor(8)
+command.
+
+When using \-j TRACE to debug packet traversal to the ruleset, note that you will need to use
+.B xtables-monitor(8)
+in \-\-trace mode to obtain monitoring trace events.
+
 .SH EXAMPLES
 One basic example is creating the skeleton ruleset in nf_tables from the
-compat tools, in a fresh machine:
+xtables-nft tools, in a fresh machine:
 
 .nf
-	root@machine:~# iptables-compat -L
+	root@machine:~# iptables-nft -L
 	[...]
-	root@machine:~# ip6tables-compat -L
+	root@machine:~# ip6tables-nft -L
 	[...]
-	root@machine:~# arptables-compat -L
+	root@machine:~# arptables-nft -L
 	[...]
-	root@machine:~# ebtables-compat -L
+	root@machine:~# ebtables-nft -L
 	[...]
 	root@machine:~# nft list ruleset
 	table ip filter {
@@ -150,22 +175,21 @@ To migrate your complete filter ruleset, in the case of \fBiptables(8)\fP,
 you would use:
 
 .nf
-	root@machine:~# iptables-save > myruleset		# reads from x_tables
-	root@machine:~# iptables-compat-restore myruleset	# writes to nf_tables
+	root@machine:~# iptables-legacy-save > myruleset # reads from x_tables
+	root@machine:~# iptables-nft-restore myruleset   # writes to nf_tables
 .fi
 
 
 .SH LIMITATIONS
-You should use \fBLinux kernel >= 4.2\fP.
+You should use \fBLinux kernel >= 4.17\fP.
 
-Some (few) extensions may be not supported (or fully-supported) for whatever
-reason (for example, they were considered obsolete).
+The CLUSTERIP target is not supported.
 
 To get up-to-date information about this, please head to
 \fBhttp://wiki.nftables.org/\fP.
 
 .SH SEE ALSO
-\fBnft(8)\fP, \fBxtables-translate(8)\fP
+\fBnft(8)\fP, \fBxtables-translate(8)\fP, \fBxtables-monitor(8)\fP
 
 .SH AUTHORS
 The nftables framework is written by the Netfilter project
-- 
2.16.4
