Switching iptables to use the nftables backend (again) on Sept 3
balint.reczey at canonical.com
Wed Aug 26 18:19:15 UTC 2020
Switching iptables to use the nftables backend already happened before
once, but was reverted later due to LXD and possibly other parts of
the Ubuntu software ecosystem were not ready . The 20.04 LTS
release cycle was not an ideal time to perform the switch either, but
Groovy Gorilla, the 20.10 interim release can use nftables as the
default and let us fix any surfacing issue for the next LTS release.
Debian already made the switch in Buster thus the packages in the
archive should be generally ready for the switch. Going through the
packages I found only sshguard that needs to be modified, dropping the
The switch is simply swapping the two alternative backends' priority
and prefer nftables backend over legacy, without promoting the
nftables package to be recommended by the iptables package in this
No regression showed up while testing the changes in Bileto , nor
while performing a release-upgrade to the changed packages.
LXD have added nftables support  and I've tried the microk8s snap
and it worked with the switched default but created legacy tables .
It will still be possible to change
iptables/ip6tables/arptables/ebtables back to use the legacy backend
 after the switch, but ideally software projects should already
have nftables support or have a plan to implement it in the near
If you have concerns regarding the planned switch please raise them here.
The September 3 target date is after Feature Freeze and I'll formally
ask for a Feature Freeze Exception.
Ubuntu & Debian Developer
More information about the ubuntu-devel