author | Florian Westphal <fw@strlen.de> | 2018-06-18 09:18:28 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2018-06-27 23:44:04 +0200 |
commit | be70918eab26e0c5fe219fefab325056144976d9 (patch) | |
tree | ab256347ade0a13ccc8f91da83282436a18c8957 /iptables/xtables-legacy.8 | |
parent | d49ba500efd4dc50eef10324f3c0b4f7ce5d6e3e (diff) |
xtables: rename xt-multi binaries to -nft, -legacy
This adds a clear distinction between old iptables (formerly
xtables-multi, now xtables-legacy-multi) and new iptables
(formerly xtables-compat-multi, now xtables-nft-multi).
Users will get the ip/ip6tables names via symbolic links, having
a distinct name postfix for the legacy/nft variants helps to
make a clear distinction, as iptables-nft will always use
nf_tables and iptables-legacy always uses get/setsockopt whereas
"iptables" could be symlinked to either -nft or -legacy.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/xtables-legacy.8')
-rw-r--r-- | iptables/xtables-legacy.8 | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/iptables/xtables-legacy.8 b/iptables/xtables-legacy.8 new file mode 100644 index 00000000..eb075e2c --- /dev/null +++ b/iptables/xtables-legacy.8 
@@ -0,0 +1,78 @@ +.\" +.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez <arturo@netfilter.org> +.\" +.\" %%%LICENSE_START(GPLv2+_DOC_FULL) +.\" This is free documentation; you can redistribute it and/or +.\" modify it under the terms of the GNU General Public License as +.\" published by the Free Software Foundation; either version 2 of +.\" the License, or (at your option) any later version. +.\" +.\" The GNU General Public License's references to "object code" +.\" and "executables" are to be interpreted as the output of any +.\" document formatting or typesetting system, including +.\" intermediate and printed output. +.\" +.\" This manual is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public +.\" License along with this manual; if not, see +.\" <http://www.gnu.org/licenses/>. +.\" %%%LICENSE_END +.\" +.TH XTABLES-LEGACY 8 "June 2018" + +.SH NAME +xtables-legacy \- iptables using old getsockopt/setsockopt based kernel api + +.SH DESCRIPTION +\fBxtables-legacy\fP are the original versions of iptables that use +old getsockopt/setsockopt based kernel interface. +This kernel interface has some limitations, therefore iptables can also +be used with the newer nf_tables based API. +See +.B xtables-nft(8) +for information about the xtables-nft variants of iptables. 
+ +.SH USAGE +The xtables-legacy-multi binary can be linked to the traditional names: + +.nf + /sbin/iptables \-> /sbin/iptables-legacy-multi + /sbin/ip6tables \-> /sbin/ip6tables-legacy-mulit + /sbin/iptables-save \-> /sbin/ip6tables-legacy-mulit + /sbin/iptables-restore \-> /sbin/ip6tables-legacy-mulit +.fi + +The iptables version string will indicate if the legacy API (get/setsockopt) or +the new nf_tables api is used: +.nf + iptables \-V + iptables v1.7 (legacy) +.fi + +.SH LIMITATIONS + +When inserting a rule using +iptables \-A or iptables \-I, iptables first needs to retrieve the current active +ruleset, change it to include the new rule, and then commit back the result. +This means that if two instances of iptables are running concurrently, one of the +updates might be lost. This can be worked around partially with the \-\-wait option. + +There is also no method to monitor changes to the ruleset, except periodically calling +iptables-legacy-save and checking for any differences in output. + +.B xtables-monitor(8) +will need the +.B xtables-nft(8) +versions to work, it cannot display changes made using the. +.B iptables-legacy +tools. + +.SH SEE ALSO +\fBxtables\-nft(8)\fP, \fBxtables\-translate(8)\fP + +.SH AUTHORS +Rusty Russell originally wrote iptables, in early consultation with Michael Neuling. |
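Review bot: The symlink targets in the USAGE .nf block do not match the binary named in the sentence just above them. The text says "The xtables-legacy-multi binary can be linked to the traditional names", but the first target is /sbin/iptables-legacy-multi and the other three are /sbin/ip6tables-legacy-mulit, which is misspelled and is also given as the target for iptables-save and iptables-restore. All four should presumably point at /sbin/xtables-legacy-multi. In LIMITATIONS, "it cannot display changes made using the." ends with a full stop before the ".B iptables-legacy" line, so it will render as "using the. iptables-legacy tools."; drop the stray period and split the sentence after "to work". The same section says a concurrent update "might be lost" and that \-\-wait works around this only "partially", without saying what remains unprotected. A sentence on that would help administrators who rely on this page to decide whether scripted rule changes are safe. The NAME and DESCRIPTION lines could also use "API" consistently instead of mixing "api" and "API".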