1XTABLES-LEGACY(8) System Manager's Manual XTABLES-LEGACY(8)
2
6 xtables-legacy — iptables using old getsockopt/setsockopt-based kernel
7 api
8
11 xtables-legacy are the original versions of iptables that use old get‐
12 sockopt/setsockopt-based kernel interface. This kernel interface has
13 some limitations, therefore iptables can also be used with the newer
14 nf_tables based API. See xtables-nft(8) for information about the xta‐
15 bles-nft variants of iptables.
16
19 The xtables-legacy-multi binary can be linked to the traditional names:
20 /sbin/iptables -> /sbin/iptables-legacy-multi
22 /sbin/ip6tables -> /sbin/ip6tables-legacy-multi
23 /sbin/iptables-save -> /sbin/ip6tables-legacy-multi
24 /sbin/iptables-restore -> /sbin/ip6tables-legacy-multi
25 The iptables version string will indicate whether the legacy API
27 (get/setsockopt) or the new nf_tables API is used:
28 iptables -V
29 iptables v1.7 (legacy)
30
33 When inserting a rule using iptables -A or iptables -I, iptables first
34 needs to retrieve the current active ruleset, change it to include the
35 new rule, and then commit back the result. This means that if two
36 instances of iptables are running concurrently, one of the updates
37 might be lost. This can be worked around partially with the --wait
38 option.
39 There is also no method to monitor changes to the ruleset, except peri‐
41 odically calling iptables-legacy-save and checking for any differences
42 in output.
43 xtables-monitor(8) will need the xtables-nft(8) versions to work, it
45 cannot display changes made using the iptables-legacy tools.
46
49 xtables-nft(8), xtables-translate(8)
50
53 Rusty Russell originally wrote iptables, in early consultation with
54 Michael Neuling.
55 June 2018 XTABLES-LEGACY(8)