Hi all, I'm using Debian 9 (stretch) and saw that the current version (Debian 10, buster) transparently installs nftables instead of iptables, offering to switch back by setting alternatives. I'm worried how smoothly an upgrade would go. I have calls similar to these: iptables -A INPUT -j NFQUEUE or iptables -t raw -A OUTPUT -p tcp ! --syn -j NFQUEUE --queue-num 2 iptables -A OUTPUT -p tcp ! --syn -m mark --mark 4 -j REJECT --reject-with tcp-reset There is a user space filter reading queued packets and issuing verdicts. It is linked to libnetfilter_queue, libnfnetlink and libmnl. Does automatic translation work fine in this case? Do I have (better) to relink, recompile, and/or rewrite the user space packet filter in order to use nftable? How simple is that? TIA Ale --
