xtables-legacy.8 2.72 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
.\"
.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez <arturo@netfilter.org>
.\"
.\" %%%LICENSE_START(GPLv2+_DOC_FULL)
.\" This is free documentation; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License as
.\" published by the Free Software Foundation; either version 2 of
.\" the License, or (at your option) any later version.
.\"
.\" The GNU General Public License's references to "object code"
.\" and "executables" are to be interpreted as the output of any
.\" document formatting or typesetting system, including
.\" intermediate and printed output.
.\"
.\" This manual is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public
.\" License along with this manual; if not, see
.\" <http://www.gnu.org/licenses/>.
.\" %%%LICENSE_END
.\"
.TH XTABLES-LEGACY 8 "June 2018"

.SH NAME
xtables-legacy \(em iptables using old getsockopt/setsockopt-based kernel api

.SH DESCRIPTION
\fBxtables-legacy\fP are the original versions of iptables that use
old getsockopt/setsockopt-based kernel interface.
This kernel interface has some limitations, therefore iptables can also
be used with the newer nf_tables based API.
See
.B xtables\-nft(8)
for information about the xtables-nft variants of iptables.

.SH USAGE
The xtables-legacy-multi binary can be linked to the traditional names:

.nf
	/sbin/iptables -> /sbin/iptables\-legacy\-multi
	/sbin/ip6tables -> /sbin/ip6tables\-legacy\-multi
	/sbin/iptables\-save -> /sbin/ip6tables\-legacy\-multi
	/sbin/iptables\-restore -> /sbin/ip6tables\-legacy\-multi
.fi

The iptables version string will indicate whether the legacy API (get/setsockopt) or
the new nf_tables API is used:
.nf
	iptables \-V
	iptables v1.7 (legacy)
.fi

.SH LIMITATIONS

When inserting a rule using
iptables \-A or iptables \-I, iptables first needs to retrieve the current active
ruleset, change it to include the new rule, and then commit back the result.
This means that if two instances of iptables are running concurrently, one of the
updates might be lost.  This can be worked around partially with the \-\-wait option.

There is also no method to monitor changes to the ruleset, except periodically calling
iptables-legacy-save and checking for any differences in output.

.B xtables\-monitor(8)
will need the
.B xtables\-nft(8)
70
versions to work, it cannot display changes made using the
71
72
73
74
75
76
77
78
.B iptables-legacy
tools.

.SH SEE ALSO
\fBxtables\-nft(8)\fP, \fBxtables\-translate(8)\fP

.SH AUTHORS
Rusty Russell originally wrote iptables, in early consultation with Michael Neuling.