On Wed, 2021-02-24 at 18:58 +0100, Adam Borowski wrote:
> On Wed, Feb 24, 2021 at 07:26:35AM -0700, Gabe Stanton via Dng wrote:
> > If I understand correctly, the iptables cli that we use now is just a
> > wrapper around nftables.
>
> Actually, there are two independent subsystems. They're managed by two
> userspace tools:
> * iptables-legacy
> * iptables-nft
>
> Rules set by one of them are not visible by the other. This may give a
> nasty surprise if some tool sets a rule some other way.
>
> /usr/sbin/iptables is an alternatives link to one of the two, you can check
> update-alternatives --display iptables
> to see which subsystem you're using by default.
>
>
> Meow!
Interesting, so I just checked and when I call iptables, that calls
/usr/sbin/iptables, which calls /etc/alternatives/iptables, which calls
/usr/sbin/iptables-nft.
Gabe
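
Added example, not part of the original thread: a shell check for the split-ruleset situation Adam describes, where rules loaded through one backend are invisible to the other. It counts rules in iptables-save output for each backend; the sample dumps and the function names are constructed for illustration, and `--live` (needs root) runs the real `iptables-legacy-save` and `iptables-nft-save`.

```shell
#!/bin/sh
# Count rule lines ("-A ...") in iptables-save format read from stdin.
# grep -c exits 1 when nothing matches, so mask that for callers using set -e.
count_rules() {
    grep -c '^-A ' || true
}

# Classify the firewall state from the legacy and nft rule counts.
classify() {
    legacy=$1
    nft=$2
    if [ "$legacy" -gt 0 ] && [ "$nft" -gt 0 ]; then echo split
    elif [ "$legacy" -gt 0 ]; then echo legacy-only
    elif [ "$nft" -gt 0 ]; then echo nft-only
    else echo empty
    fi
}

# Constructed sample dumps (not taken from any real host).
sample_legacy() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

sample_nft() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Live mode: query both backends on this host instead of the samples.
if [ "${1:-}" = "--live" ]; then
    echo "default iptables resolves to: $(readlink -f /usr/sbin/iptables)"
    l=0; n=0
    command -v iptables-legacy-save >/dev/null 2>&1 &&
        l=$(iptables-legacy-save 2>/dev/null | count_rules)
    command -v iptables-nft-save >/dev/null 2>&1 &&
        n=$(iptables-nft-save 2>/dev/null | count_rules)
    echo "legacy=$l nft=$n state=$(classify "$l" "$n")"
fi
```

A `split` result means both subsystems hold rules, so listing with only the default `iptables` shows an incomplete picture of what is filtering traffic.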