Alessandro Vesely <vesely@xxxxxxx> wrote:
> I'm using Debian 9 (stretch) and saw that the current version (Debian 10, buster) transparently installs nftables instead of iptables, offering to switch back by setting alternatives.
> I'm worried how smoothly an upgrade would go. I have calls similar to these:
>
> iptables -A INPUT -j NFQUEUE
>
> or
>
> iptables -t raw -A OUTPUT -p tcp ! --syn -j NFQUEUE --queue-num 2
> iptables -A OUTPUT -p tcp ! --syn -m mark --mark 4 -j REJECT --reject-with tcp-reset
>
> There is a user space filter reading queued packets and issuing verdicts. It is linked to libnetfilter_queue, libnfnetlink and libmnl.
> Does automatic translation work fine in this case?

It has nothing to do with translation, userspace doesn't care, it's the same interface.

> Do I have (better) to relink, recompile, and/or rewrite the user space packet filter in order to use nftables? How simple is that?

No relink/rewrite needed, userspace can't tell if queueing came via -j NFQUEUE or nftables' queue, it's the same kernel facility (nfnetlink_queue).
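For reference, the three iptables rules quoted above written as a native nft ruleset. This is an added example, not part of the thread: the iptables-nft wrapper on buster accepts the original iptables commands unchanged, so nothing here is required for the upgrade. Table and chain names are arbitrary choices (iptables-nft would use INPUT/OUTPUT in tables named filter and raw); the queue numbers are the ones from the quoted rules, and the assumption is that the userspace filter sets mark 4 on its verdict for queue 2, which is what the pairing of the second and third rule suggests.

```nft
# Added example: nft-native equivalent of the quoted iptables rules.
# The userspace program still binds to queue 0 and queue 2 through
# libnetfilter_queue exactly as before; the kernel side is nfnetlink_queue
# in both cases.

table ip filter {
    chain input {
        type filter hook input priority 0; policy accept;
        # iptables -A INPUT -j NFQUEUE  (no --queue-num means queue 0)
        queue num 0
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # iptables -A OUTPUT -p tcp ! --syn -m mark --mark 4 \
        #     -j REJECT --reject-with tcp-reset
        # '! --syn' is "not (SYN set with FIN/RST/ACK clear)", hence the mask.
        # Assumption: mark 4 was set by the userspace filter's verdict on queue 2.
        tcp flags & (fin|syn|rst|ack) != syn meta mark 0x4 reject with tcp reset
    }
}

table ip raw {
    chain output {
        # priority -300 is the raw hook, before conntrack, as in -t raw
        type filter hook output priority -300; policy accept;
        # iptables -t raw -A OUTPUT -p tcp ! --syn -j NFQUEUE --queue-num 2
        tcp flags & (fin|syn|rst|ack) != syn queue num 2
    }
}
```

Load it with `nft -f <file>` on a box where the iptables rules are not also present, otherwise packets would be queued twice (once per ruleset). The practical check after the upgrade is simply that the userspace program still receives packets on the queue numbers it binds, which `nft list ruleset` will show as `queue num 0` and `queue num 2` whether the rules were added with nft or through iptables-nft.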