.\"

.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez <arturo@netfilter.org>

.\"

.\" %%%LICENSE_START(GPLv2+_DOC_FULL)

.\" This is free documentation; you can redistribute it and/or

.\" modify it under the terms of the GNU General Public License as

.\" published by the Free Software Foundation; either version 2 of

.\" the License, or (at your option) any later version.

.\"

.\" The GNU General Public License's references to "object code"

.\" and "executables" are to be interpreted as the output of any

.\" document formatting or typesetting system, including

.\" intermediate and printed output.

.\"

.\" This manual is distributed in the hope that it will be useful,

.\" but WITHOUT ANY WARRANTY; without even the implied warranty of

.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

.\" GNU General Public License for more details.

.\"

.\" You should have received a copy of the GNU General Public

.\" License along with this manual; if not, see

.\" <http://www.gnu.org/licenses/>.

.\" %%%LICENSE_END

.\"

.TH XTABLES-LEGACY 8 "June 2018"

.SH NAME

xtables-legacy \(em iptables using old getsockopt/setsockopt-based kernel api

.SH DESCRIPTION

\fBxtables-legacy\fP are the original versions of iptables that use

old getsockopt/setsockopt-based kernel interface.

This kernel interface has some limitations, therefore iptables can also

be used with the newer nf_tables based API.

See

.B xtables\-nft(8)

for information about the xtables-nft variants of iptables.

.SH USAGE

The xtables-legacy-multi binary can be linked to the traditional names:

.nf

	/sbin/iptables -> /sbin/iptables\-legacy\-multi

	/sbin/ip6tables -> /sbin/ip6tables\-legacy\-multi

	/sbin/iptables\-save -> /sbin/ip6tables\-legacy\-multi

	/sbin/iptables\-restore -> /sbin/ip6tables\-legacy\-multi

.fi

The iptables version string will indicate whether the legacy API (get/setsockopt) or

the new nf_tables API is used:

.nf

	iptables \-V

	iptables v1.7 (legacy)

.fi

.SH LIMITATIONS

When inserting a rule using

iptables \-A or iptables \-I, iptables first needs to retrieve the current active

ruleset, change it to include the new rule, and then commit back the result.

This means that if two instances of iptables are running concurrently, one of the

updates might be lost.  This can be worked around partially with the \-\-wait option.

There is also no method to monitor changes to the ruleset, except periodically calling

iptables-legacy-save and checking for any differences in output.

.B xtables\-monitor(8)

will need the

.B xtables\-nft(8)

versions to work, it cannot display changes made using the

.B iptables-legacy

tools.

.SH SEE ALSO

\fBxtables\-nft(8)\fP, \fBxtables\-translate(8)\fP

.SH AUTHORS

Rusty Russell originally wrote iptables, in early consultation with Michael Neuling.