Hans Malissa <hmalissa76@xxxxxxxxx> wrote:
> A very general question about nftables:
> On the project homepage it says 'nftables replaces the popular
> {ip,ip6,arp,eb}tables...' and on another page it says that nftables
> replaces ipset as well. What is not clear to me: when another
> application relies on iptables etc., and iptables is replaced by
> nftables, there must be an interface that provides backwards
> compatibility and allows the other application to invoke iptables with
> the traditional syntax.

You can use classic iptables just fine even if another entity uses nftables on the same system.

> I've been reading through the 'Legacy xtables
> tools' page (https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools)
> and it seems to me that this would do the job, but I'm not quite sure.

Those are versions of xtables that use the nf_tables API to talk to the kernel.

They come with limitations -- nf_tables allows expressing features that do not exist in iptables, e.g. verdict maps -- in those cases, iptables-save etc. will fail with a 'use nft' error.

> I also don't understand whether the legacy xtables tools are part of
> nftables or a separate package.

They reside in the iptables.git repository.
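An added example, not part of the thread: a small POSIX shell helper for an operator who wants to check the situation the reply describes, i.e. which iptables backend a host runs and whether the nft-backed iptables-save hit tables it could not translate. The function names are mine, the sample outputs are constructed, and the exact wording of the incompatibility comment is assumed to match iptables-nft's "is incompatible, use 'nft' tool." message.

```shell
# Added example (not from this thread). Helpers for checking whether a host's
# iptables is the nft-backed variant and whether iptables-save ran into tables
# it cannot express. Sample outputs are constructed; the "use 'nft' tool"
# comment wording is an assumption about what iptables-nft-save prints.

# $1: the output of `iptables -V`; prints legacy, nf_tables or unknown
detect_iptables_variant() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# $1: the output of `iptables-save`; prints, one per line, the names of the
# tables the nft-backed tool refused to translate (the 'use nft' case above)
incompatible_tables() {
    printf '%s\n' "$1" | awk -F"[\`']" '/is incompatible, use .nft. tool/ { print $2 }'
}

# $1: `iptables -V` output, $2: `iptables-save` output. Prints a one-line
# summary; exit status 1 when some table is only reachable through nft.
rule_set_status() {
    variant=$(detect_iptables_variant "$1")
    bad=$(incompatible_tables "$2" | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "$variant: tables not expressible via iptables: $bad"
        return 1
    fi
    echo "$variant: all tables readable with iptables-save"
}

# Constructed sample: an iptables-nft host where a native nft ruleset (e.g. one
# using a verdict map) left the nat table unreadable for iptables-save.
SAMPLE_VERSION='iptables v1.8.9 (nf_tables)'
SAMPLE_SAVE=$(cat <<'EOF'
# Generated by iptables-nft-save v1.8.9 (constructed sample)
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
# Table `nat' is incompatible, use 'nft' tool.
EOF
)

# On a real host, as root: rule_set_status "$(iptables -V)" "$(iptables-save)"
rule_set_status "$SAMPLE_VERSION" "$SAMPLE_SAVE" || true
```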