XPost: linux.debian.devel   
   From: cjwatson@debian.org   
      
   [fixed typo in debian-kernel@ address]   
      
   On Sun, Nov 23, 2025 at 10:57:39AM +0100, Bastian Blank wrote:   
   >The Debian Kernel team decided to deprecate and remove support for the   
   >legacy interfaces used by iptables, arptables and ebtables from the   
   >kernel.  The replacement nftables compatibility layer was introduced   
   >around 2016.  It is finally time to try and get rid of the legacy   
   >interfaces, which are now disabled by default in the kernel.   
   >   
   >Our plan is to drop usage in all packages and the binaries for forky.   
   >We will then go and remove the kernel support itself after the release   
   >of forky.  So in forky, using legacy iptables will still work, but   
   >Debian will not provide any support and consider it deprecated.   
   >   
   >There are some packages that hardcode the use of iptables-legacy.  In   
   >those cases just using the non-legacy counterparts should work.  It just   
   >needs a reboot to get rid of the old incompatible rules loaded into the   
   >kernel.   
      
   I wonder how many of these are conditional code in packages that also   
   support nft?  For example, incus caught my eye in your list: it has both   
   xtables and nftables drivers, and it prefers nftables if it's available.   
   It doesn't look as though anything would need to change in that package   
   to cope with a kernel without iptables support.   
      
   I'd expect many userspace programs to take similar strategies if they've   
   been around for long enough to have needed to support pre-nftables   
   kernels at some point, so this MBF will likely need a fair amount of   
   filtering.   
      
   --   
   Colin Watson (he/him)                              [cjwatson@debian.org]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)