XPost: linux.debian.devel   
   From: azazel@debian.org   
      
   On 2026-01-07, at 02:40:37 +0100, Andrea Bolognani wrote:   
   > On Sun, Nov 23, 2025 at 10:57:39AM +0100, Bastian Blank wrote:   
   > > The Debian Kernel team decided to deprecate and remove support for the   
   > > legacy interfaces used by iptables, arptables and ebtables from the   
   > > kernel.  The replacement nftables compatibility layer was introduced   
   > > around 2016.  It is finally time to try and get rid of the legacy   
   > > interfaces, which are now disabled by default in the kernel.   
   > >   
   > > Our plan is to drop usage in all packages and the binaries for forky.   
   > > We will then go and remove the kernel support itself after the release   
   > > of forky.  So in forky, using legacy iptables will still work, but   
   > > Debian will not provide any support and consider it deprecated.   
   > >   
   > > There are some packages that hardcode the use of iptables-legacy.  In   
   > > those cases just using the non-legacy counterparts should work.  It just   
   > > needs a reboot to get rid of the old incompatible rules loaded into the   
   > > kernel.   
   >    
   > Bit late to the party, sorry.   
   >    
   > Can you please confirm that it's only iptables-legacy (and the   
   > underlying kernel code) going away, and that iptables-nft will keep   
   > working going forward?   
      
   Correct.   
      
   > libvirt tried to switch to nft a year ago but unfortunately that   
   > turned out to be unfeasible at the time, so we are currently relying   
   > on the compatibility interface provided by iptables-nft. Additional   
   > details in #1090355.   
      
   J.   
      
   -----BEGIN PGP SIGNATURE-----   
      
   wsG7BAABCgBvBYJpXhY1CRAphqwKvfEEDUcUAAAAAAAeACBzYWx0QG5vdGF0aW9u   
   cy5zZXF1b2lhLXBncC5vcmcGzgyScrbZSlEuQocTZhiXO4Thx5vTRk4btC5yexuL   
   fhYhBGwdtFNj70A3vVbVFymGrAq98QQNAAATlg//Vl96M/yzXAtBbGkKbieWM1GE   
   NE3EQiAL3II7oRsKkxQMp9HaCtKZ+2nmHL7P8G+8IMGBaVNJJSa337SI3zREw8fu   
   NK1WgdQZqVOTFxBWloqYYn12hC54jzyf8qoAlc0icRnjVnb10qJJQdmRQ9YcVbRt   
   wBIYTiKSrIE3ChlyC0BR2pNIeu3/u4mhTJDSJ7dCp0qyDuBCPyxdc4hr3CPlvQBi   
   E/HThW5KWrHNioO/v9ZvL+TCudYMEGu1lQlnRTaKMXOHLNB3NyndJVj6y/c70Cgn   
   vyxy2o2d7ClH2I+3umuWZtUYhCVGpFScwBxMiKoMZLHzznZOXpH546Vdc/Z9LyCy   
   V6NFyua0UMUjj41/ty/qHlKMdmVsi02ZRMefklufXJB+B7uxayE2Rssp/SfA6hZP   
   WWjerSU2v7Ksi3h99EizxcdiMKfB87IvK7tMNZPtdlxihEqVYKUKsaTeddJxAmMb   
   5klGAUcz2YGLJNVj5nAcVQjeQrlhEx1/TF0O79N1+f3q6FhznmHyXCqfNtNRfY2i   
   ecgnL6nfW3ATRJWIfYTGrAVvgm4PrC2BV6jZAVaVMUMMQt74gRl+4n8XpdSrFM8U   
   oejrlskiFjh3AQe5qtqsMF/RUxz3SW7qxwBI4qkZnrymioEyLKqIITAw9rON6P3h   
   vNJ6rFv0rhT5CvjYObI=   
   =zkNh   
   -----END PGP SIGNATURE-----   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)