FS#70252 - [iptables] rename iptables to iptables-legacy and make iptables-nft the default iptables package

Attached to Project: Arch Linux
Opened by AMM (amish) - Thursday, 01 April 2021, 02:40 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:14 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Felix Yan (felixonmars)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 10
Private No

Details

Description:
iptables shipped with Arch is legacy iptables, which is no longer recommended by the Netfilter guys. [1] (outdated since 2018, i.e. it has been outdated for almost 3 years)

Netfilter suggests using nftables, or if that is not possible, the modern iptables which is based on the nf_tables backend. The Netfilter guys are no longer focusing on legacy iptables.

Since iptables-nft is a drop-in replacement for iptables(-legacy), I propose to make (rename) iptables-nft the default iptables package and rename current iptables to iptables-legacy.

This way we have a hybrid firewall without any changes by administration. And later they may migrate to nftables completely at their convenience.

Major distributions like Fedora, Debian, Ubuntu have already made the switch. [2][3][4]

I have switched many of my systems without changing any iptables rule.

Those who use non-standard iptables modules can easily switch back by installing iptables-legacy.

A proper announcement can be made well in advance to warn such users. Or a post-install message can be displayed.

References:
[1] https://ral-arturo.org/2018/06/16/nfws2018.html
[2] https://docs.fedoraproject.org/de/fedora/f32/release-notes/sysadmin/Networking/
[3] https://wiki.debian.org/nftables#Current_status
[4] https://itsfoss.com/ubuntu-20-10-features/

Additional info:
* package version(s)
iptables 1:1.8.7-1
iptables-nft 1:1.8.7-1

Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:14 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/iptables/issues/1
Comment by AMM (amish) - Wednesday, 20 April 2022, 08:45 GMT
One year has passed. Is anyone looking into it? I see the task keeps getting reassigned. We really need to move out of legacy iptables.
Comment by Daniel Gray (dngray) - Wednesday, 27 July 2022, 07:01 GMT
I would really like to see this happen. Defaulting to legacy xtables causes issues when you use something that expects to make "iptables" rules, like libvirtd, podman, docker etc. Docker containers which use nft inside them won't even work unless you're using nf_tables on the host: https://github.com/wfg/docker-openvpn-client/issues/66#issuecomment-1172890742. You cannot mix and match the two.

There is just no good reason to be using the old backend. Even if you like iptables and don't want to use "nft", you should still be using the "nf_tables" backend like most sane distributions (Debian-based, Fedora-based) do.

One of the reasons I switched my diskless-alpine Linux system to Arch. At least I can manually change them although they will be overwritten on package updates.

[1] https://gitlab.alpinelinux.org/alpine/aports/-/issues/14058
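As an added example (not part of this bug report or of the iptables project), a POSIX shell snippet that classifies an iptables binary by its `-V` output and reports whether rules are loaded in the legacy backend, the nf_tables backend, or both at once, the mixed state described above. It assumes the iptables-legacy-save and iptables-nft-save binaries from iptables 1.8 for the live check; the sample dumps are constructed.

```shell
#!/bin/sh
# Added example: classify an iptables backend and detect the mixed state
# where both the legacy xtables and the nf_tables backends hold rules.

# Classify `iptables -V` output, e.g. "iptables v1.8.7 (nf_tables)".
classify_backend() {
  case "$1" in
    *"(nf_tables)"*) echo nf_tables ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# Succeed if an iptables-save style dump holds real rules, ignoring
# table headers (*filter), chain/policy lines (:INPUT, -P), comments, COMMIT.
has_rules() {
  printf '%s\n' "$1" | grep -Ev '^(\*|:|-P |#|COMMIT|$)' | grep -q .
}

# Compare dumps from both backends: none / legacy / nf_tables / mixed.
backend_state() {
  l=0; n=0
  has_rules "$1" && l=1
  has_rules "$2" && n=1
  case "$l$n" in
    00) echo none ;;      10) echo legacy ;;
    01) echo nf_tables ;; 11) echo mixed ;;
  esac
}

# Live check; iptables-legacy-save / iptables-nft-save ship with iptables 1.8
# and each dumps only its own backend. A missing binary counts as empty.
live_check() {
  ld=$(iptables-legacy-save 2>/dev/null) || ld=''
  nd=$(iptables-nft-save 2>/dev/null) || nd=''
  backend_state "$ld" "$nd"
}

# Constructed sample dumps for an offline run.
LEGACY_DUMP='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
COMMIT'
NFT_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'
```

Run `live_check` on a host with both save binaries; "mixed" means two rulesets are being evaluated independently and the result is hard to reason about.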
Comment by Daniel Gray (dngray) - Wednesday, 27 July 2022, 07:10 GMT
I just found you can install "iptables-nft"; this will remove legacy xtables, so really all that is needed is updating it on the archiso media.
Comment by nl6720 (nl6720) - Wednesday, 27 July 2022, 07:16 GMT
The packages on the ISO don't matter for installed systems. The proposed iptables->iptables-legacy, iptables-nft->iptables changes are still needed to properly fix this.
Comment by AMM (amish) - Tuesday, 06 June 2023, 09:11 GMT
5 years have passed since the iptables (legacy) deprecation was announced.

But Arch continues to use legacy iptables as default.

Is there any reason why we continue to use legacy iptables by default and let users switch manually to iptables (nft)?

I think we should do the reverse: make iptables (nft) the default, and those who still want the deprecated firewall can switch to iptables-legacy. (see comments above)
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug has been open for more than 2 years. Please reply if you still experience this bug, otherwise this issue will be closed after 1 month.