Arch Linux Makes nft the Default Backend for iptables

Arch Linux developers have announced that iptables now defaults to the nft backend, replacing the previous iptables-nft package name.

Arch Linux has announced that iptables now defaults to the nft backend, reflecting the broader transition in the Linux networking stack from the xtables framework to nftables. With this change, the iptables-nft package name is replaced by iptables, while the legacy backend remains available as iptables-legacy.

Users migrating between iptables-nft, iptables, and iptables-legacy should check for .pacsave files in /etc/iptables/ and restore saved rules if necessary. Arch notes that most configurations should continue to function as before, but systems using uncommon xtables extensions or legacy-specific features should be tested thoroughly.

iptables has long been a standard Linux tool for configuring firewall rules, network address translation, and packet filtering. It is part of the older xtables-based Netfilter framework, along with related tools such as ip6tables.

In contrast, nftables is the newer packet filtering framework, intended to replace the legacy xtables stack as the successor to iptables. It addresses architectural limitations of the older system, particularly in dual-stack IPv4 and IPv6 environments.

Going forward, the standard iptables package in Arch points to the nft-backed implementation. iptables-legacy remains available for situations where the legacy backend is still needed.

For most Arch users, standard firewall setups are expected to continue working without modification. The primary consideration is preserving configurations when switching packages, especially regarding /etc/iptables/iptables.rules.pacsave and /etc/iptables/ip6tables.rules.pacsave.

Systems that rely on uncommon xtables extensions or backend-specific behavior may require additional testing. In such cases, Arch recommends reverting to iptables-legacy if necessary.
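The check described above, as an added example that is not part of the Arch announcement or the original article: a POSIX shell script that reports which backend the installed iptables binary uses and how each .pacsave file in /etc/iptables compares with its live counterpart. The function names are illustrative, and the backend is read from the `(nf_tables)` or `(legacy)` suffix printed by `iptables -V`.

```shell
#!/bin/sh
# Added example, not from the Arch announcement. Function names are hypothetical.

# Map `iptables -V` output to a backend name.
# Constructed sample input: "iptables v1.8.10 (nf_tables)"
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Compare every *.pacsave in a rules directory (default /etc/iptables) with the
# live file it was saved from. Prints one "<state> <live-file>" line per .pacsave:
#   missing  no live file exists, the saved rules are the only copy
#   empty    live file has zero bytes, so it holds no rules
#   differs  both exist with different content, review before restoring
#   same     identical content, the .pacsave is redundant
audit_pacsave() {
    _dir="${1:-/etc/iptables}"
    for _saved in "$_dir"/*.pacsave; do
        [ -e "$_saved" ] || continue      # glob matched nothing
        _live="${_saved%.pacsave}"
        if [ ! -e "$_live" ]; then
            echo "missing $_live"
        elif [ ! -s "$_live" ]; then
            echo "empty $_live"
        elif cmp -s "$_saved" "$_live"; then
            echo "same $_live"
        else
            echo "differs $_live"
        fi
    done
}

# Stand-alone run: report the active backend, then audit the real directory.
if command -v iptables >/dev/null 2>&1; then
    echo "backend: $(backend_of "$(iptables -V 2>&1)")"
fi
audit_pacsave /etc/iptables
```

Before copying a differing .pacsave back over the live file, `iptables-restore --test < file` (run as root) parses it with the active backend without committing anything.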

For more details, see the announcement.

Bobby Borisov


Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
