xtables-legacy(8) — Linux manual page

XTABLES-LEGACY(8)        System Manager's Manual        XTABLES-LEGACY(8)

NAME

       xtables-legacy — iptables using old getsockopt/setsockopt-based
       kernel api

DESCRIPTION

       xtables-legacy are the original versions of iptables that use the
       old getsockopt/setsockopt-based kernel interface.  This kernel
       interface has some limitations, so iptables can also be used with
       the newer nf_tables-based API.  See xtables-nft(8) for information
       about the xtables-nft variants of iptables.

USAGE

       The xtables-legacy-multi binary can be linked to the traditional
       names:

            /sbin/iptables -> /sbin/iptables-legacy-multi
            /sbin/ip6tables -> /sbin/ip6tables-legacy-multi
            /sbin/iptables-save -> /sbin/ip6tables-legacy-multi
            /sbin/iptables-restore -> /sbin/ip6tables-legacy-multi

       The iptables version string will indicate whether the legacy API
       (get/setsockopt) or the new nf_tables API is used:

            iptables -V
            iptables v1.7 (legacy)

LIMITATIONS

       When inserting a rule using iptables -A or iptables -I, iptables
       first needs to retrieve the current active ruleset, change it to
       include the new rule, and then commit back the result.  This means
       that if two instances of iptables are running concurrently, one of
       the updates might be lost.  This can be worked around partially
       with the --wait option.

       There is also no method to monitor changes to the ruleset, other
       than periodically calling iptables-legacy-save and checking for
       differences in its output.  xtables-monitor(8) needs the
       xtables-nft(8) versions to work; it cannot display changes made
       using the iptables-legacy tools.
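       The following script is an added example and is not part of this
       manual page or of the iptables project.  It covers both points
       above: it classifies the "iptables -V" string as legacy or nft, and
       it makes the "periodically call iptables-legacy-save and diff"
       workaround usable in practice by normalizing the snapshots before
       comparing them (the "# Generated by"/"# Completed on" lines carry a
       timestamp and the [packets:bytes] chain counters move with traffic,
       so a raw diff reports a change on every poll).  That normalization
       goes beyond what the page states.  It assumes the commands iptables
       and iptables-legacy-save are on PATH (and that it runs as root) when
       the detect/watch modes are used; the sample snapshots are
       constructed, not real output.

```shell
#!/bin/sh
# Added example, not part of the iptables man page or project.
# xt_detect and xt_watch need iptables / iptables-legacy-save on PATH and
# root privileges; the remaining functions operate on text only.

# Classify a version line such as "iptables v1.7 (legacy)".
# Prints "legacy", "nft" or "unknown".
xt_variant() {
    case "$1" in
        *"(legacy)"*)    printf 'legacy\n' ;;
        *"(nf_tables)"*) printf 'nft\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# Ask the installed binary (assumes iptables on PATH).
xt_detect() {
    xt_variant "$(iptables -V 2>/dev/null)"
}

# Make two iptables-save snapshots comparable: drop the timestamped
# "# Generated by" / "# Completed on" lines and zero the [packets:bytes]
# counters on chain lines (and on rules when -c was used). Rules, chains
# and policies are kept, so only real ruleset edits survive the diff.
xt_normalize() {
    grep -v -e '^# Generated by' -e '^# Completed on' |
        sed -e 's/\[[0-9][0-9]*:[0-9][0-9]*\]/[0:0]/g'
}

# True (exit 0) when the two snapshot files differ after normalization.
xt_changed() {
    a=$(mktemp) && b=$(mktemp) || return 2
    xt_normalize < "$1" > "$a"
    xt_normalize < "$2" > "$b"
    if cmp -s "$a" "$b"; then rc=1; else rc=0; fi
    rm -f "$a" "$b"
    return "$rc"
}

# Poll the live ruleset every INTERVAL seconds and report real changes.
# This polling is the only change notification the legacy API allows.
xt_watch() {
    interval=${1:-10}
    prev=$(mktemp)
    iptables-legacy-save > "$prev"
    while sleep "$interval"; do
        cur=$(mktemp)
        iptables-legacy-save > "$cur"
        if xt_changed "$prev" "$cur"; then
            echo "ruleset changed at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
            diff "$prev" "$cur"
        fi
        rm -f "$prev"
        prev=$cur
    done
}

# Constructed sample snapshots (not real output) for trying the functions
# without root: B has the same rules as A with a later timestamp and moved
# counters; C adds one rule on top of B.
xt_sample_a() {
cat <<'EOF'
# Generated by iptables-save v1.8.9 on Mon Jan  1 10:00:00 2024
*filter
:INPUT DROP [10:640]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [25:1800]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 10:00:00 2024
EOF
}
xt_sample_b() {
    xt_sample_a | sed -e 's/10:00:00/10:00:10/' -e 's/\[10:640\]/[12:768]/'
}
xt_sample_c() {
    xt_sample_b | sed -e '/--dport 22/a\
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
}

# Usage: sh xt-legacy-watch.sh detect | sh xt-legacy-watch.sh watch [SECS]
case "${1:-}" in
    detect) xt_detect ;;
    watch)  xt_watch "${2:-10}" ;;
esac
```

       Run it as "detect" to see which variant the iptables on PATH is, or
       as "watch" to log ruleset changes at the given interval.  Because
       the legacy tools read-modify-write the whole ruleset, a process that
       inserts rules while this loop runs should pass --wait to iptables, as
       the page notes, so that neither update is lost.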

SEE ALSO

       xtables-nft(8), xtables-translate(8)

AUTHORS

       Rusty Russell originally wrote iptables, in early consultation
       with Michael Neuling.

COLOPHON

       This page is part of the iptables (administer and maintain packet
       filter rules) project.  Information about the project can be found
       at ⟨http://www.netfilter.org/⟩.  If you have a bug report for this
       manual page, see ⟨http://bugzilla.netfilter.org/⟩.  This page was
       obtained from the project's upstream Git repository
       ⟨git://git.netfilter.org/iptables⟩ on 2025-02-02.  (At that time,
       the date of the most recent commit that was found in the
       repository was 2025-01-28.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there is
       a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       man-pages@man7.org

                                June 2018               XTABLES-LEGACY(8)