On Sun, 23 Nov 2025 at 02:15, Bastian Blank <[email protected]> wrote:
> The Debian Kernel team decided to deprecate and remove support for the
> legacy interfaces used by iptables, arptables and ebtables from the
> kernel. The replacement nftables compatibility layer was introduced
> around 2016. It is finally time to try and get rid of the legacy
> interfaces, which are now disabled by default in the kernel.
>
> Our plan is to drop usage in all packages and the binaries for forky.
> We will then go and remove the kernel support itself after the release
> of forky. So in forky, using legacy iptables will still work, but
> Debian will not provide any support and consider it deprecated.
>
> There are some packages that hardcode the use of iptables-legacy. In
> those cases just using the non-legacy counterparts should work. It just
> needs a reboot to get rid of the old incompatible rules loaded into the
> kernel.

Thanks for the src:docker.io heads-up! However, I think this is a false positive:

https://codesearch.debian.net/search?q=iptables-legacy+pkg%3Adocker.io&literal=1

(only 4 hits, two of which are Dockerfiles that aren't used in the package build at all, nor shipped in the builds, and two in the d/changelog -- even fewer hits for "ip6tables-legacy" and zero for "ebtables-legacy")

♥,
- Tianon

