Re: Backwards compatibility with iptables etc.

Hans Malissa <hmalissa76@xxxxxxxxx> wrote:
> A very general question about nftables:
> On the project homepage it says 'nftables replaces the popular
> {ip,ip6,arp,eb}tables...' and on another page it says that nftables
> replaces ipset as well. What is not clear to me: when another
> application relies on iptables etc., and iptables is replaced by
> nftables, there must be an interface that provides backwards
> compatibility and allows the other application to invoke iptables with
> the traditional syntax.

You can use classic iptables just fine even if another entity uses
nftables on the same system.

> I've been reading through the 'Legacy xtables
> tools' page (https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools)
> and it seems to me that this would do the job, but I'm not quite sure.

Those are versions of xtables that will use the nf_tables api to talk
to the kernel.

They come with limitations -- nf_tables allows expressing features that
do not exist in iptables, e.g. verdict maps -- in those cases,
iptables-save etc. will fail with a 'use nft' error.

> I also don't understand whether the legacy xtables tools are part of
> nftables or a separate package.

They reside in the iptables.git repository.
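The two facts in the reply above that matter for automation are that the xtables-nft tools only differ from legacy iptables in the kernel API they use, and that they give up with a 'use nft' error once the ruleset contains something iptables cannot express, such as a verdict map. The following shell snippet is an added example, not code from the thread or from the netfilter project: it classifies an `iptables -V` line by backend (real iptables-nft prints "(nf_tables)" and iptables-legacy prints "(legacy)" after the version) and scans an `nft list ruleset` dump for verdict maps before a script relies on iptables-save. The version strings and the two rulesets are constructed samples, and the check only looks for verdict maps, not for every nft-only feature.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread). Constructed sample inputs:
XT_VERSION_SAMPLE='iptables v1.8.9 (nf_tables)'   # what `iptables -V` might print
NFT_SAMPLE='table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state established,related accept
		tcp dport vmap { 22 : accept, 80 : accept, 443 : accept }
	}
}'
NFT_PLAIN='table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state established,related accept
		tcp dport 22 accept
	}
}'

# Classify an `iptables -V` line: the nf_tables-backed build prints
# "(nf_tables)", the classic build prints "(legacy)", very old builds print
# neither.
xt_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Count lines of an `nft list ruleset` dump that use a verdict map, either
# inline ("... vmap { ... }") or as a named map whose value type is "verdict".
# iptables-save on the nf_tables backend cannot represent these.
nft_verdict_map_lines() {
    printf '%s\n' "$1" \
        | grep -c -E '(^|[^[:alnum:]_])vmap([^[:alnum:]_]|$)|:[[:space:]]*verdict([^[:alnum:]_]|$)' \
        || true    # grep -c exits 1 when the count is 0; keep the "0" and succeed
}

# Decide whether iptables-save can be used: a legacy backend never sees the
# nf_tables ruleset, so it always works; an nf_tables backend works only when
# the dump is free of verdict maps.
iptables_save_usable() {
    backend=$(xt_backend "$1")
    [ "$backend" = legacy ] && { echo yes; return 0; }
    [ "$backend" = nft ] && [ "$(nft_verdict_map_lines "$2")" -eq 0 ] && { echo yes; return 0; }
    echo no
}

# Stand-alone demo on the constructed samples.
echo "backend: $(xt_backend "$XT_VERSION_SAMPLE")"
echo "verdict-map lines in sample ruleset: $(nft_verdict_map_lines "$NFT_SAMPLE")"
echo "iptables-save usable (sample ruleset): $(iptables_save_usable "$XT_VERSION_SAMPLE" "$NFT_SAMPLE")"
echo "iptables-save usable (plain ruleset):  $(iptables_save_usable "$XT_VERSION_SAMPLE" "$NFT_PLAIN")"
```

On a real host the inputs would come from `iptables -V` and `nft list ruleset` (both need root for the ruleset), and a "no" answer means the backup or migration script should call nft(8) directly rather than iptables-save.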
