XTABLES-LEGACY(8) System Manager's Manual XTABLES-LEGACY(8)
NAME
xtables-legacy — iptables using old getsockopt/setsockopt-based kernel
api
DESCRIPTION
xtables-legacy are the original versions of iptables that use old get-
sockopt/setsockopt-based kernel interface. This kernel interface has
some limitations, therefore iptables can also be used with the newer
nf_tables based API. See xtables-nft(8) for information about the xta-
bles-nft variants of iptables.
USAGE
The xtables-legacy-multi binary can be linked to the traditional names:
/sbin/iptables -> /sbin/iptables-legacy-multi
/sbin/ip6tables -> /sbin/ip6tables-legacy-multi
/sbin/iptables-save -> /sbin/ip6tables-legacy-multi
/sbin/iptables-restore -> /sbin/ip6tables-legacy-multi
The iptables version string will indicate whether the legacy API
(get/setsockopt) or the new nf_tables API is used:
iptables -V
iptables v1.7 (legacy)
LIMITATIONS
When inserting a rule using iptables -A or iptables -I, iptables first
needs to retrieve the current active ruleset, change it to include the
new rule, and then commit back the result. This means that if two in-
stances of iptables are running concurrently, one of the updates might
be lost. This can be worked around partially with the --wait option.
There is also no method to monitor changes to the ruleset, except peri-
odically calling iptables-legacy-save and checking for any differences
in output. xtables-monitor(8) will need the xtables-nft(8) versions to
work, it cannot display changes made using the iptables-legacy tools.
SEE ALSO
xtables-nft(8), xtables-translate(8)
AUTHORS
Rusty Russell originally wrote iptables, in early consultation with
Michael Neuling.
June 2018 XTABLES-LEGACY(8)
Generated by dwww version 1.16 on Tue Dec 16 05:44:24 CET 2025.