-  Firstly, the names of the built-in chains have changed from
lower case to UPPER case, because the INPUT and OUTPUT chains now only
get locally-destined and locally-generated packets.  They used to see
all incoming and all outgoing packets respectively.
-  The `-i' flag now means the incoming interface, and only works
in the INPUT and FORWARD chains.  Rules in the FORWARD or OUTPUT
chains that used `-i' should be changed to `-o'.
-  TCP and UDP ports now need to be spelled out with the
--source-port or --sport (or --destination-port/--dport) options, and
must be placed after the `-p tcp' or `-p udp' options, as this loads
the TCP or UDP extensions respectively.
-  The TCP -y flag is now --syn, and must be after `-p tcp'.
-  The DENY target is now DROP, finally.
-  Zeroing single chains while listing them works.
-  Zeroing built-in chains also clears policy counters.
-  Listing chains gives you the counters as an atomic snapshot.
-  REJECT and LOG are now extended targets, meaning they are
separate kernel modules.
-  Chain names can be up to 31 characters.
-  MASQ is now MASQUERADE and uses a different syntax.  REDIRECT,
while keeping the same name, has also undergone a syntax change.  See
the NAT-HOWTO for more information on how to configure both of these.
-  The -o option is no longer used to direct packets to the userspace
device (see -i above).  Packets are now sent to userspace via the QUEUE
target.
-  Probably heaps of other things I forgot.
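As an added example, not part of this HOWTO, here is a small Python translator that applies the mechanical differences listed above to a single ipchains rule: upper-casing built-in chain names, moving ports to --sport/--dport after `-p tcp' or `-p udp', turning -y into --syn, DENY into DROP, -i into -o for FORWARD and OUTPUT rules, and refusing -o, MASQ and REDIRECT, which need the QUEUE target or the NAT-HOWTO rather than a rewrite. The function name and error messages are the example's own; the first item in the list (INPUT and OUTPUT no longer seeing forwarded packets) is a behaviour change that no rewrite can fix, so those rules still need a human look.

```python
import shlex

# Built-in chain names changed from lower case to upper case.
CHAINS = {"input": "INPUT", "output": "OUTPUT", "forward": "FORWARD"}


def ipchains_to_iptables(rule):
    """Return the iptables equivalent of one ipchains -A/-I/-D command."""
    argv = shlex.split(rule)
    cmd = chain = proto = target = iface = None
    addrs, ports, syn, i = {}, {}, False, 1
    while i < len(argv):
        tok, arg = argv[i], argv[i + 1] if i + 1 < len(argv) else None
        if tok in ("-A", "-I", "-D"):
            cmd, chain, i = tok, CHAINS.get(arg, arg), i + 2
        elif tok == "-p":
            proto, i = arg.lower(), i + 2
        elif tok in ("-s", "-d"):
            addrs[tok], i = arg, i + 2
            # ipchains let a port/range follow the address; iptables wants --sport/--dport.
            if i < len(argv) and not argv[i].startswith("-"):
                ports["--sport" if tok == "-s" else "--dport"], i = argv[i], i + 1
        elif tok == "-y":
            syn, i = True, i + 1  # -y became --syn
        elif tok == "-i":
            iface, i = arg, i + 2
        elif tok == "-o":
            raise ValueError("-o (userspace device) is gone; use the QUEUE target")
        elif tok == "-j":
            if arg in ("MASQ", "REDIRECT"):
                raise ValueError("%s moved to the nat table; see the NAT-HOWTO" % arg)
            target, i = ("DROP" if arg == "DENY" else arg), i + 2
        else:
            raise ValueError("unsupported ipchains option: %s" % tok)
    if cmd is None or target is None:
        raise ValueError("rule needs -A/-I/-D <chain> and -j <target>")
    if (ports and proto not in ("tcp", "udp")) or (syn and proto != "tcp"):
        raise ValueError("ports need -p tcp|udp and -y/--syn needs -p tcp")
    out = ["iptables", cmd, chain]
    if proto:
        out += ["-p", proto]  # loads the tcp/udp extension; must precede port options
    for addr_flag, port_flag in (("-s", "--sport"), ("-d", "--dport")):
        out += [addr_flag, addrs[addr_flag]] if addr_flag in addrs else []
        out += [port_flag, ports[port_flag]] if port_flag in ports else []
    if syn:
        out.append("--syn")
    if iface:
        # -i is now strictly the incoming interface; FORWARD/OUTPUT rules use -o.
        out += ["-o" if chain in ("FORWARD", "OUTPUT") else "-i", iface]
    return " ".join(out + ["-j", target])
```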