Nftables

nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. It has been available since Linux kernel 3.13 released on 19 January 2014.

nftables replaces the legacy iptables component of Netfilter. Among the advantages of nftables over iptables is less code duplication and easier extension to new protocols. Among the disadvantages of nftables is that DPI that was provided by "iptables string match" like SNI filtering is not supported.

nftables is configured via the user-space utility ''nft'', while legacy tools are configured via the utilities ''iptables'', ''ip6tables'', '' arptables'' and ''ebtables'' frameworks.

nftables utilizes the building blocks of the Netfilter infrastructure, such as the existing hooks into the networking stack, connection tracking system, userspace queueing component, and logging subsystem.

nft

Command-line syntax

A command to drop any packets with destination IP address 1.2.3.4:

nft add rule ip filter output ip daddr 1.2.3.4 drop

Note that the new syntax differs significantly from that of iptables, in which the same rule would be written:

iptables -A OUTPUT -d 1.2.3.4 -j DROP

The new syntax can appear more verbose, but it is also far more flexible. nftables incorporate
advanced data structures
such as dictionaries, maps and concatenations that do not exist with iptables. Making use of these can significantly reduce the number of chains and rules needed to express a given packet filtering design.

The iptables-translate tool can be used to translate many existing iptables rules to equivalent nftables rules. Debian 10 (Buster), among other Linux distributions, uses nftables along with iptables-translate as the default packet filtering backend.

History

The project was first publicly presented at Netfilter Workshop 2008 by Patrick McHardy from the Netfilter Core Team. The first preview release of kernel and userspace implementation was given in March 2009. Although the tool has been called "the biggest change to Linux firewalling since the introduction of iptables in 2001", it has received little press attention. Notable hacker Fyodor Vaskovich (Gordon Lyon) said that he is "looking forward to its general release in the mainstream Linux kernel".

The project stayed in alpha stage, and the official website was removed in 2009. In March 2010, emails from the author on the project mailing lists showed the project was still active and approaching a beta release, but the latter was never shipped officially. In October 2012, Pablo Neira Ayuso proposed a compatibility layer for iptables and announced a possible inclusion of the project into mainstream kernel.

On 16 October 2013, Pablo Neira Ayuso submitted a nftables core pull request to the Linux kernel mainline tree. It was merged into the kernel mainline on 19 January 2014, with the release of Linux kernel version 3.13.

Overview

The nftables kernel engine adds a simple virtual machine to the Linux kernel which is able to execute bytecode to inspect a network packet and make decisions on how that packet should be handled. The operations implemented by this virtual machine are intentionally made basic. It can get data from the packet itself, have a look at the associated metadata (inbound interface, for example), and manage connection-tracking data. Arithmetic, bitwise and comparison operators can be used for making decisions based on that data. The virtual machine is also capable of manipulating sets of data (typically, IP addresses), allowing multiple comparison operations to be replaced with a single set lookup.

The above-described organization is contrary to the iptables firewalling code, which has protocol awareness built-in so deeply into the logic that the code has had to be replicated four times—for IPv4, IPv6, ARP, and Ethernet bridging—as the firewall engines are too protocol-specific to be used in a generic manner.

The main advantages of nftables over iptables are the simplification of the Linux kernel ABI, reduction of code duplication, improved error reporting, and more efficient execution, storage and incremental changes of filtering rules. Traditionally used , , and (for IPv4, IPv6, ARP and Ethernet bridging, respectively) are intended to be replaced with as a single unified implementation, providing firewall configuration on top of the in-kernel virtual machine.

nftables also offers an improved userspace API that allows atomic replacements of one or more firewall rules within a single Netlink transaction. This speeds up firewall configuration changes for setups having large rulesets; it can also help in avoiding race conditions while the rule changes are being executed. nftables also includes compatibility features to ease transition from previous firewalls, command-line utilities to convert rules in the iptables format, and syntax-compatible versions of iptables commands that use the nftables backend.

References

External links

First release of nftables (2009-03-18)

Pablo Neira Ayuso: [RFC] back on nf_tables (plus compatibility layer)

nftables quick HOWTO
* nftables sections i
ArchWiki
an
Gentoo Wiki
*
*

nft_compat extended to support ebtables extensions
(merged in Linux kernel 4.0)

Extended and enhanced manual for the nft command line tool

{{Linux kernel

Firewall software
Linux security software
Linux kernel features