On 4/4/26 8:56 PM, Felix Yan wrote:
> On 4/3/26 10:14, David C Rankin wrote:
>> Felix, thank you for the heads up,
>>
>> I need legacy-only behavior. Can you tell us what the version
>> numbers will be for this switch so we can make sure we can install
>> iptables-legacy and remove iptables when the change is made?
>
> Hi David,
>
> The switch is already visible in core-testing:
>
> - iptables 1:1.8.11-4 is the nft backend and replaces iptables-nft
> - iptables-legacy 1:1.8.11-4 is the legacy backend and provides iptables
>
>> Also, to preserve the current iptables behavior, is there anything
>> other than installing iptables-legacy necessary?
>
> Other than that, there should not be any extra migration step for the
> backend itself. The main thing to check is whether pacman leaves your
> saved rules as .pacsave files when switching packages. Please check:
>
> - /etc/iptables/iptables.rules.pacsave
> - /etc/iptables/ip6tables.rules.pacsave

In my case docker stopped working after this change. I had my own
nftables firewall and fail2ban configured, and after iptables started to
use the nft backend, docker returns errors when trying to configure its own
iptables rules.

I switched to experimental support for nftables in docker and everything
seems to work as expected for now.

Regards,
Łukasz
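
The .pacsave check described in the thread, combined with a check of which backend the installed `iptables` binary uses, as an added example that is not part of the original messages. It assumes the `iptables -V` output format of iptables 1.8.x (`(nf_tables)` or `(legacy)` after the version); the function names and status labels are made up for this example.

```shell
#!/bin/sh
# Added example: post-switch check for the iptables backend and leftover .pacsave rules.

# Map the output of `iptables -V` to a backend name.
# Assumed format (iptables 1.8.x): "iptables v1.8.11 (nf_tables)" or "iptables v1.8.11 (legacy)".
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Report the state of each saved ruleset under ROOT (default: the real /etc).
# Prints one line per file, "<status> <path>", where status is
#   none       no .pacsave present, nothing to do
#   moved      only the .pacsave exists; the live rules file is missing
#   differs    both exist and differ; review before the next reload
#   identical  both exist with the same content
pacsave_status() {
    root="${1:-}"
    for name in iptables.rules ip6tables.rules; do
        live="$root/etc/iptables/$name"
        saved="$live.pacsave"
        if [ ! -e "$saved" ]; then
            status=none
        elif [ ! -e "$live" ]; then
            status=moved
        elif cmp -s "$live" "$saved"; then
            status=identical
        else
            status=differs
        fi
        echo "$status $live"
    done
}

# Run against the live system only when iptables is installed.
if command -v iptables >/dev/null 2>&1; then
    echo "backend: $(backend_of "$(iptables -V 2>/dev/null)")"
    pacsave_status ""
fi
```

A `moved` or `differs` line means the saved ruleset should be compared with the .pacsave copy before the firewall service is next restarted.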