author: Florian Westphal <fw@strlen.de> 2018-06-18 09:18:28 +0200
committer: Florian Westphal <fw@strlen.de> 2018-06-27 23:44:04 +0200
commit: be70918eab26e0c5fe219fefab325056144976d9
tree: ab256347ade0a13ccc8f91da83282436a18c8957 /iptables/xtables-legacy.8
parent: d49ba500efd4dc50eef10324f3c0b4f7ce5d6e3e
xtables: rename xt-multi binaries to -nft, -legacy
This adds a clear distinction between old iptables (formerly xtables-multi, now xtables-legacy-multi) and new iptables (formerly xtables-compat-multi, now xtables-nft-multi).

Users will get the ip/ip6tables names via symbolic links, having a distinct name postfix for the legacy/nft variants helps to make a clear distinction, as iptables-nft will always use nf_tables and iptables-legacy always uses get/setsockopt whereas "iptables" could be symlinked to either -nft or -legacy.

Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/xtables-legacy.8')
-rw-r--r-- iptables/xtables-legacy.8 78
1 files changed, 78 insertions, 0 deletions
diff --git a/iptables/xtables-legacy.8 b/iptables/xtables-legacy.8
new file mode 100644
index 00000000..eb075e2c
--- /dev/null
+++ b/iptables/xtables-legacy.8
@@ -0,0 +1,78 @@
+.\"
+.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez <arturo@netfilter.org>
+.\"
+.\" %%%LICENSE_START(GPLv2+_DOC_FULL)
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, see
+.\" <http://www.gnu.org/licenses/>.
+.\" %%%LICENSE_END
+.\"
+.TH XTABLES-LEGACY 8 "June 2018"
+
+.SH NAME
+xtables-legacy \- iptables using old getsockopt/setsockopt based kernel api
+
+.SH DESCRIPTION
+\fBxtables-legacy\fP are the original versions of iptables that use
+old getsockopt/setsockopt based kernel interface.
+This kernel interface has some limitations, therefore iptables can also
+be used with the newer nf_tables based API.
+See
+.B xtables-nft(8)
+for information about the xtables-nft variants of iptables.
+
+.SH USAGE
+The xtables-legacy-multi binary can be linked to the traditional names:
+
+.nf
+ /sbin/iptables \-> /sbin/iptables-legacy-multi
+ /sbin/ip6tables \-> /sbin/ip6tables-legacy-mulit
+ /sbin/iptables-save \-> /sbin/ip6tables-legacy-mulit
+ /sbin/iptables-restore \-> /sbin/ip6tables-legacy-mulit
+.fi
+
+The iptables version string will indicate if the legacy API (get/setsockopt) or
+the new nf_tables api is used:
+.nf
+ iptables \-V
+ iptables v1.7 (legacy)
+.fi
+
+.SH LIMITATIONS
+
+When inserting a rule using
+iptables \-A or iptables \-I, iptables first needs to retrieve the current active
+ruleset, change it to include the new rule, and then commit back the result.
+This means that if two instances of iptables are running concurrently, one of the
+updates might be lost. This can be worked around partially with the \-\-wait option.
+
+There is also no method to monitor changes to the ruleset, except periodically calling
+iptables-legacy-save and checking for any differences in output.
+
+.B xtables-monitor(8)
+will need the
+.B xtables-nft(8)
+versions to work, it cannot display changes made using the.
+.B iptables-legacy
+tools.
+
+.SH SEE ALSO
+\fBxtables\-nft(8)\fP, \fBxtables\-translate(8)\fP
+
+.SH AUTHORS
+Rusty Russell originally wrote iptables, in early consultation with Michael Neuling.
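Review bot: The symlink table under USAGE does not match the binary named in the sentence that introduces it. The text says "The xtables-legacy-multi binary can be linked to the traditional names", but the four targets are "/sbin/iptables-legacy-multi" once and "/sbin/ip6tables-legacy-mulit" three times, so the target name is both misspelled ("mulit") and inconsistent, and iptables-save and iptables-restore are shown pointing at an ip6tables target. All four lines should point at /sbin/xtables-legacy-multi. An administrator copying these lines would create dangling links, or on a system with both variants installed could not tell from the page which backend "iptables" resolves to, which is the distinction the commit message sets out to make. Two smaller points in LIMITATIONS: "it cannot display changes made using the." has a stray period before the ".B iptables-legacy" line, and the sentence about \-\-wait says the lost-update problem is worked around "partially" without saying what remains unprotected; a short clause stating the remaining case would help anyone relying on concurrent rule updates being applied.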