Arch Linux Makes nft the Default Backend for iptables

Arch Linux has announced that iptables now uses the nft backend by default, marking a continued shift in the Linux networking stack from the legacy xtables framework to the modern nftables system. As part of this transition, the former iptables-nft package has been renamed to simply iptables, while the older implementation is still available as iptables-legacy.
Users switching between iptables, iptables-nft, and iptables-legacy should review the /etc/iptables/ directory for any .pacsave files and restore existing firewall rules if needed. While most setups are expected to continue working without changes, systems that rely on uncommon xtables extensions or legacy-specific behavior should be carefully tested.
Traditionally, iptables has been the standard tool for managing firewall rules, NAT, and packet filtering in Linux, built on the xtables-based Netfilter framework, alongside tools like ip6tables. However, nftables is now the modern replacement, designed to overcome architectural limitations, especially in environments handling both IPv4 and IPv6.
Going forward, the default iptables package in Arch points to the nft-backed version, with iptables-legacy remaining available for compatibility when required.
For most users, existing firewall configurations should continue to function as expected. The key step during migration is ensuring rule files—such as /etc/iptables/iptables.rules.pacsave and /etc/iptables/ip6tables.rules.pacsave—are preserved and properly restored.
If your system depends on specialized xtables modules or backend-specific features, additional testing may be necessary. In such cases, reverting to iptables-legacy is recommended.
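As an added example (not from the Arch announcement), a POSIX shell helper for the post-migration check described above: it reads the active backend from `iptables -V`, lists `.pacsave` files under /etc/iptables/, and dry-runs each one with the matching restore tool's `--test` flag so unsupported extensions surface before any rules are applied. The function names and the `--run` flag are this example's own.

```shell
#!/bin/sh
# Added post-migration check for the iptables backend switch described above.
# Assumptions: "iptables -V" names its backend as "(nf_tables)" or "(legacy)",
# and pacman leaves *.pacsave files in /etc/iptables/ when it replaces a
# package-owned rules file. Function names and --run are this example's own.

# Map an "iptables -V" line to a backend name (pure: testable without iptables).
backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Pick the restore tool from the file name: ip6tables.rules* goes to
# ip6tables-restore, everything else to iptables-restore.
restore_tool_for() {
    case "$(basename "$1")" in
        ip6tables*) echo ip6tables-restore ;;
        *)          echo iptables-restore ;;
    esac
}

# List *.pacsave files in a rules directory, one path per line.
find_pacsave() {
    for f in "${1:-/etc/iptables}"/*.pacsave; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# Parse a saved rule set against the active backend without applying it.
# A failure here usually means an xtables extension the nft backend lacks.
check_rules_file() {
    "$(restore_tool_for "$1")" --test "$1"
}

# Full report: active backend, each .pacsave file, and whether it still loads.
migration_report() {
    echo "backend: $(backend_from_version "$(iptables -V 2>/dev/null)")"
    find_pacsave "$1" | while read -r f; do
        if check_rules_file "$f"; then
            echo "ok:   $f  (restore with: $(restore_tool_for "$f") \"$f\")"
        else
            echo "FAIL: $f  (test with iptables-legacy before restoring)"
        fi
    done
}
if [ "${1:-}" = "--run" ]; then migration_report "${2:-/etc/iptables}"; fi
```

Run it as root with `--run` on the migrated host; a FAIL line is the case the announcement describes where iptables-legacy should be retried before restoring that file.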
For more details, see the announcement.