On Wednesday 2018-06-27 13:33, Florian Westphal wrote:
>This adds a clear distinction between old iptables (formerly
>xtables-multi, now xtables-legacy-multi) and new iptables
>(formerly xtables-compat-multi, now xtables-nft-multi).
>
>Users will get the ip/ip6tables names via symbolic links, having
>a distinct name postfix for the legacy/nft variants helps to
>make a clear distinction, as iptables-nft will always use
>nf_tables and iptables-legacy always uses get/setsockopt whereas
>"iptables" could be symlinked to either -nft or -legacy.

So it ultimately falls into the hands of the packager (at the distro
level) what to make iptables a symlink to. I like that.

>-# nftables compatibility layer
>+# nftables nfibility layer

nfibility!?

>+++ b/iptables/xtables-legacy.8
>@@ -0,0 +1,78 @@
>+.SH DESCRIPTION
>+\fBxtables-legacy\fP are the original versions of iptables that use
>+old getsockopt/setsockopt based kernel interface.
>+This kernel interface has some limitations, therefore iptables can also
>+be used with the newer nf_tables based API.
>+See
>+.B xtables-nft(8)
>+for information about the xtables-nft variants of iptables.
>+
>+.SH USAGE
>+The xtables-legacy-multi binary can be linked to the traditional names:
>+
>+.nf
>+ /sbin/iptables -> /sbin/iptables-legacy-multi
>+ /sbin/ip6tables -> /sbin/ip6tables-legacy-mulit
>+ /sbin/iptables-save -> /sbin/ip6tables-legacy-mulit
>+ /sbin/iptables-restore -> /sbin/ip6tables-legacy-mulit
>+.fi

More \- encoding needed here in the .nf block.

>+The iptables version string will indicate if the legacy API (get/setsockopt) or
>+the new nf_tables api is used:
>+.nf
>+ iptables \-V
>+ iptables v1.7 (legacy)
>+.fi
>+
>+.SH LIMITATIONS
>+
>+When inserting a rule using
>+iptables -A or iptables -I, iptables first needs to retrieve the current active

\- encoding needed here for -A and -I.

>+There is also no method to monitor changes to the ruleset, except periodically calling
>+iptables-legacy-save and checking for any differences in output.
>+
>+.B xtables-monitor(8)
>+will need the
>+.B xtables-nft(8)
>+versions to work, it cannot display changes made using the.
>+.B iptables-legacy
>+tools.
>+.SH SEE ALSO
>+\fBxtables-nft(8)\fP, \fBxtables-translate(8)\fP

The references to other manpages probably need \- encoding too, for use
with hyperlink-capable manpage viewers (pinfo?).

Same game in xtables-nft.8.
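Review bot: the symlink table in the .SH USAGE block of the xtables-legacy.8 hunk does not match the sentence above it and contains wrong targets: the text says the binary is xtables-legacy-multi, but the targets are named iptables-legacy-multi / ip6tables-legacy-mulit, three of the four targets misspell "multi" as "mulit", and iptables-save and iptables-restore are pointed at the ip6tables binary rather than the iptables one. Suggest one consistent binary name throughout and fixing the targets, e.g. " /sbin/iptables-save -> /sbin/iptables-legacy-multi". Smaller issues in the same hunk: "use old getsockopt/setsockopt based kernel interface" wants "use the old ..." (and "\fBxtables-legacy\fP are the original versions" mixes singular and plural), and in .SH LIMITATIONS the line "it cannot display changes made using the." has a stray full stop before ".B iptables-legacy", which will render as a sentence break in the middle of the phrase.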