Nftables: Difference between revisions

From Wikipedia, the free encyclopedia
Fmyhr (talk | contribs)
→‎Command-line syntax: Added references
Add link to somewhat proper documentation for the nft command line tool
 
(31 intermediate revisions by 24 users not shown)

Latest revision as of 05:18, 30 April 2024

Original author(s): The Netfilter Project
Developer(s): The Netfilter Project
Stable release: 1.0.9[1] (19 October 2023)
Preview release: Git repository, https://git.netfilter.org/
Repository:
Written in: C
Operating system: Linux
Platform: Netfilter
Type: packet filtering
License: GPLv2
Website: https://netfilter.org/projects/nftables/ and https://wiki.nftables.org/wiki-nftables/index.php/Main_Page

nftables is a subsystem of the Linux kernel providing filtering and classification of network packets, datagrams and frames. It has been available since Linux kernel 3.13, released on 19 January 2014.[2]

nftables replaces the legacy iptables component of Netfilter. Among the advantages of nftables over iptables are less code duplication and easier extension to new protocols. Among its disadvantages is that the deep packet inspection (DPI) provided by the iptables "string match", such as SNI filtering, is not supported.[3]

nftables is configured via the user-space utility nft, while the legacy frameworks are configured via the utilities iptables, ip6tables, arptables and ebtables.

nftables utilizes the building blocks of the Netfilter infrastructure, such as the existing hooks into the networking stack, connection tracking system, userspace queueing component, and logging subsystem.

nft

Command-line syntax

A command to drop any packets with destination IP address 1.2.3.4:

nft add rule ip filter output ip daddr 1.2.3.4 drop

Note that the new syntax differs significantly from that of iptables, in which the same rule would be written:

iptables -A OUTPUT -d 1.2.3.4 -j DROP

The new syntax can appear more verbose, but it is also far more flexible. nftables incorporates advanced data structures such as dictionaries, maps and concatenations that do not exist with iptables. Making use of these can significantly reduce the number of chains and rules needed to express a given packet filtering design.

The iptables-translate tool can be used to translate many existing iptables rules to equivalent nftables rules.[4][5] Debian 10 (Buster), among other Linux distributions, uses nftables along with iptables-translate as the default packet filtering backend.[6]

History

The project was first publicly presented at Netfilter Workshop 2008 by Patrick McHardy from the Netfilter Core Team.[7] The first preview release of the kernel and userspace implementation was made in March 2009.[8] Although the tool has been called "the biggest change to Linux firewalling since the introduction of iptables in 2001", it has received little press attention.[9] Notable hacker Fyodor Vaskovich (Gordon Lyon) said that he is "looking forward to its general release in the mainstream Linux kernel".[9]

The project stayed in the alpha stage, and the official website was removed in 2009. In March 2010, emails from the author on the project mailing lists showed that the project was still active and approaching a beta release,[10][11] but the beta was never shipped officially. In October 2012, Pablo Neira Ayuso proposed a compatibility layer for iptables[12] and announced a possible inclusion of the project in the mainline kernel.

On 16 October 2013, Pablo Neira Ayuso submitted an nftables core pull request to the Linux kernel mainline tree.[13] It was merged into the mainline kernel on 19 January 2014, with the release of Linux kernel version 3.13.[2]

Overview

The nftables kernel engine adds a simple virtual machine to the Linux kernel that executes bytecode to inspect a network packet and decide how that packet should be handled. The operations implemented by this virtual machine are intentionally basic. It can read data from the packet itself, examine the associated metadata (the inbound interface, for example), and manage connection-tracking data. Arithmetic, bitwise and comparison operators can be used to make decisions based on that data. The virtual machine can also manipulate sets of data (typically IP addresses), allowing multiple comparison operations to be replaced with a single set lookup.[14]

This organization contrasts with the iptables firewalling code, in which protocol awareness is built so deeply into the logic that the code had to be replicated four times, for IPv4, IPv6, ARP and Ethernet bridging, because the firewall engines are too protocol-specific to be used generically.[14]

The main advantages of nftables over iptables are the simplification of the Linux kernel ABI, reduction of code duplication, improved error reporting, and more efficient execution, storage and incremental changes of filtering rules. The traditionally used iptables(8), ip6tables(8), arptables(8) and ebtables(8) (for IPv4, IPv6, ARP and Ethernet bridging, respectively) are intended to be replaced by nft(8) as a single unified implementation, providing firewall configuration on top of the in-kernel virtual machine.

nftables also offers an improved userspace API that allows atomic replacement of one or more firewall rules within a single Netlink transaction. This speeds up firewall configuration changes for setups with large rulesets; it also helps avoid race conditions while rule changes are being applied. nftables also includes compatibility features to ease the transition from previous firewalls: command-line utilities to convert rules in the iptables format,[15] and syntax-compatible versions of the iptables commands that use the nftables backend.[16]
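The ruleset file below is an added example, not from the article or the Netfilter project; it puts the sets, maps and concatenations mentioned under Command-line syntax into one file and shows how loading that file with nft -f applies it as the single atomic Netlink transaction described above. All addresses, networks, ports and the interface name are constructed sample values.

```nft
#!/usr/sbin/nft -f
# Added example, not from the article or the Netfilter project. All
# addresses, networks and ports below are constructed sample values.
#
# Loading this file with "nft -f <file>" sends it to the kernel as one
# Netlink transaction: the "flush ruleset" and every object that follows
# are applied together, or not at all if any line is rejected, so there
# is no window in which the old rules are gone and the new ones are not
# yet in place. "nft -c -f <file>" parses and checks the file without
# loading it.

flush ruleset

table inet filter {
    # One set lookup replaces one iptables rule per address or network.
    set blocked_v4 {
        type ipv4_addr
        flags interval
        elements = { 1.2.3.4, 192.0.2.0/24 }
    }

    set blocked_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:bad::/48 }
    }

    # Concatenation: (transport protocol, port) pairs in a single set.
    set admin_services {
        type inet_proto . inet_service
        elements = { tcp . 22, tcp . 443, udp . 51820 }
    }

    # Verdict map: the source network selects the verdict directly,
    # instead of one accept/drop rule per network.
    map source_policy {
        type ipv4_addr : verdict
        flags interval
        elements = { 10.0.0.0/8 : accept, 198.51.100.0/24 : drop }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # "counter" keeps per-rule hit counts visible in "nft list ruleset".
        ip saddr @blocked_v4 counter drop
        ip6 saddr @blocked_v6 counter drop

        # Sources not present in the map fall through to the rules below.
        ip saddr vmap @source_policy

        # One rule covers every protocol/port pair in the set.
        meta l4proto . th dport @admin_services accept

        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Rate-limited logging of what the chain policy is about to drop.
        limit rate 5/second log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;

        # The article's example rule, as it appears in a ruleset file.
        ip daddr 1.2.3.4 drop
    }
}
```

Adding or removing an address is then an edit to one set element rather than a rule insertion, and the whole file can be re-checked with nft -c -f before it is loaded again.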

References

  1. Pablo Neira Ayuso (19 October 2023). "nftables 1.0.9 release". Retrieved 19 October 2023.
  2. "nftables, the successor of iptables". Linux 3.13. kernelnewbies.org. 2014-01-19. Retrieved 2016-03-04. https://kernelnewbies.org/Linux_3.13#head-f628a9c41d7ec091f7a62db6a49b8da50659ec88
  3. "How We Used eBPF to Build Programmable Packet Filtering in Magic Firewall". https://blog.cloudflare.com/programmable-packet-filtering-with-magic-firewall
  4. "Moving from iptables to nftables - nftables wiki". https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
  5. "List of available translations via iptables-translate tool - nftables wiki". https://wiki.nftables.org/wiki-nftables/index.php/List_of_available_translations_via_iptables-translate_tool
  6. "Nftables - Debian Wiki". https://wiki.debian.org/nftables
  7. "User day program – NFWS2008". workshop.netfilter.org. 2008-10-03. Retrieved 2014-02-22. https://workshop.netfilter.org/2008/User-day-program.html
  8. Initial release announcement. https://marc.info/?l=linux-netdev&m=123735060618579
  9. Gray, Patrick (March 26, 2009). "NEWS: Linux Gets New Firewall". Risky.biz. https://risky.biz/news_and_opinion/patrick-gray/2009-03-26/news-linux-gets-new-firewall
  10. "Linux Netfilter Devel – Re: Current state of nftables". Spinics.net. Retrieved 2014-01-20. https://www.spinics.net/lists/netfilter-devel/msg12409.html
  11. "Linux Netfilter Devel – Re: Current state of nftables". Spinics.net. Retrieved 2014-01-20. https://www.spinics.net/lists/netfilter-devel/msg15690.html
  12. "Linux Netfilter Devel – [RFC] back on nf_tables (plus compatibility layer)". Spinics.net. Retrieved 2014-01-20. https://www.spinics.net/lists/netfilter-devel/msg23831.html
  13. "[PATCH 00/17] netfilter updates: nf_tables pull request". Marc.info. Retrieved 2014-01-20. https://marc.info/?l=netfilter-devel&m=138176887917614&w=2
  14. Jonathan Corbet (2013-08-20). "The return of nftables". LWN.net. Retrieved 2013-10-22. https://lwn.net/Articles/564095/
  15. Neira Ayuso, Pablo. "nftables – nft command line tool". git.netfilter.org. Retrieved 24 January 2019. https://git.netfilter.org/nftables/commit/?id=b65a70131d0d38844be12235270eebaa9d2f5a4d
  16. Arturo, Ral. "Netfilter Workshop 2018 Berlin summary". ral-arturo.org. Retrieved 24 January 2019. https://ral-arturo.org/2018/06/16/nfws2018.html

External links

* nftables Git source code repository: https://git.netfilter.org/
* nftables HOWTO documentation: https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
* First release of nftables (2009-03-18): https://lore.kernel.org/netdev/49C078B6.4020603@trash.net/
* Pablo Neira Ayuso: [RFC] back on nf_tables (plus compatibility layer): https://lore.kernel.org/netdev/20121025170632.GA4890@1984/
* nftables quick HOWTO: https://home.regit.org/netfilter-en/nftables-quick-howto/
* nftables sections in ArchWiki (https://wiki.archlinux.org/index.php/Nftables) and Gentoo Wiki (https://wiki.gentoo.org/wiki/Nftables)
* Corbet, Jonathan (2009-03-24). "nftables: a new packet filtering engine". LWN.net. https://lwn.net/Articles/324989/
* McHardy, Patrick (2008-09-30). "nftables – a successor to iptables, ip6tables, ebtables and arptables" (ODP). Netfilter Workshop 2008. http://people.netfilter.org/kaber/nfws2008/nftables.odp (archived 2009-03-22: https://web.archive.org/web/20090322124123/https://people.netfilter.org/kaber/nfws2008/nftables.odp)
* nft_compat extended to support ebtables extensions (merged in Linux kernel 4.0): https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5191f4d82daf22b7ee9446f83527d2795e225974
* Extended and enhanced manual for the nft command line tool: https://www.mankier.com/8/nft