Hi Ryan,

On Tue, Aug 05, 2025 at 04:43:06PM +0100, Ryan Roberts wrote:
[...]
> > +config NETFILTER_XTABLES_LEGACY
> > + bool "Netfilter legacy tables support"
> > + depends on !PREEMPT_RT
> > + help
> > + Say Y here if you still require support for legacy tables. This is
> > + required by the legacy tools (iptables-legacy) and is not needed if
> > + you use iptables over nftables (iptables-nft).
> > + Legacy support is not limited to IP, it also includes EBTABLES and
> > + ARPTABLES.
> > +
>
> This has caused some minor pain for me using Docker on Ubuntu 22.04, which I
> guess is still using iptables-legacy. I've had to debug why Docker has stopped
> working and eventually ended here. Explicitly enabling NETFILTER_XTABLES_LEGACY
> solved the problem.

I apologize for the inconvenience.

Using iptables-nft should fix it, if you encounter any issue with
iptables-nft in Ubuntu 22.04, it should be straightforward to compile
latest iptables version, given you compile your own kernels for such
distro version.

> I thought I'd try my luck at convincing you to default this to enabled for
> !PREEMPT_RT to save others from such issues?

Not so easy as removing PREEMPT_RT dependency, x_tables need to be
fixed in order to support it, last time we discussed this there was a
way to address it by making the counters more unreliable in turn.

No objections if anyone wants to fix x_tables to make it work with
PREEMPT_RT from my side.
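
Review bot: the `config NETFILTER_XTABLES_LEGACY` entry is a `bool` with no `default` line, so it stays disabled unless someone selects it, and the help text neither says so nor explains the `depends on !PREEMPT_RT` line. Because the help text states the symbol is required by the legacy tools (iptables-legacy) and also covers EBTABLES and ARPTABLES, a kernel built with the option off will not serve rulesets loaded through those tools. Suggest the help text name that consequence and the reason for the PREEMPT_RT restriction, so the trade-off is visible at config time.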