Version 1.8.8 of the classic iptables packet filter management toolkit has been released. Recent development has focused on the backward-compatibility components iptables-nft and ebtables-nft, which provide utilities with the same command-line syntax as iptables and ebtables but translate the resulting rules into nf_tables bytecode. The original iptables software suite, including ip6tables, arptables, and ebtables, was deprecated in 2018 and has already been replaced by nftables in most distributions.
In the new version:
- The iptables-translate utility, which converts iptables rules into nftables rule sets, now supports the connlimit and tcpmss match extensions, and the "--chunk-types" and "--ports" options are now handled for the sctp and multiport matches.
- Translation of conntrack matches and of the "--tcp-flags" option into nftables rules has been simplified.
- libxtables now refuses to operate when invoked from an executable with the setuid flag set.
- The iptables-nft utility now allows built-in chains to be deleted.
- The rule parser from the arptables-nft utility has been added to iptables-nft.
- The arptables-nft utility gained support for the '-C' and '-S' commands, rule indexing for the '-I' and '-R' commands, and the '-c N,M' counter syntax.
- The *NAT targets no longer support specifying multiple IPv4 address ranges in a single rule.
- Debug output can now be enabled in iptables-restore, iptables-nft and ebtables-nft by specifying the '-v' option twice.
- Improved performance of iptables-save and iptables-restore utilities.
Source: opennet.ru