nftables

Successor to iptables for network filtering.

(netfilter.org) netfilter/iptables project homepage - The netfilter.org "nftables" project   website

ROAM_REFS: https://netfilter.org/projects/nftables/
  • The netfilter.org "nftables" project

** What is nftables?

nftables replaces the popular {ip,ip6,arp,eb}tables. It provides a new in-kernel packet classification framework based on a network-specific virtual machine (VM) and a new userspace command line tool, nft. nftables reuses the existing Netfilter subsystems: the hook infrastructure, the connection tracking system, NAT, userspace queueing and the logging subsystem.

The project also provides libnftables, the high-level userspace library, which includes JSON support; see the libnftables(3) manpage for details.
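As an added example (not code from the netfilter.org page or the nftables project), the following ruleset exercises the pieces listed above: chains attached to Netfilter hooks, connection tracking (`ct state`), a NAT hook with masquerading, and the log and counter statements. The interface names eth0/eth1 and the management prefix 192.0.2.0/24 are assumptions for illustration:

```nft
#!/usr/sbin/nft -f
# Added example, not from the nftables project. Assumptions: eth0 is the
# uplink, eth1 the internal LAN, 192.0.2.0/24 the management network.

flush ruleset

table inet filter {
    chain input {
        # attached to the Netfilter "input" hook; anything not accepted below is dropped
        type filter hook input priority 0; policy drop;

        iif lo accept
        # connection tracking: replies and related traffic (e.g. ICMP errors) pass
        ct state established,related accept
        ct state invalid drop
        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery
        meta l4proto { icmp, ipv6-icmp } accept
        # SSH only from the management network, with a rate limit on new connections
        tcp dport 22 ip saddr 192.0.2.0/24 ct state new limit rate 10/minute accept
        # log and count what falls through before the drop policy takes it
        log prefix "inet-filter-input-drop: " flags all counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN hosts may initiate connections to the uplink, nothing else is forwarded
        iifname "eth1" oifname "eth0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table inet nat {
    chain postrouting {
        # NAT hook: rewrite the source of LAN traffic leaving via the uplink
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade
    }
}
```

Check the syntax without touching the kernel with `nft -c -f ruleset.nft`, then load it with `nft -f ruleset.nft`; the whole file is applied as one atomic transaction, so the `flush ruleset` and the new rules cannot leave a half-applied state. `nft list ruleset` shows what the kernel holds and `nft -j list ruleset` shows the JSON form that libnftables exposes. Two caveats: `flush ruleset` also discards tables created by iptables-nft or any other tool on the host, and NAT in the inet family needs Linux 5.2 or later; on older kernels put the nat table in family ip instead.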

** What is the status of nftables?

This software is available upstream since Linux kernel 3.13.

** Running nftables

You require the following software in order to run the nft command line tool:

  • Linux kernel since 3.13, although newer kernel versions are recommended.
  • libmnl: the minimalistic Netlink library
  • libnftnl: low level netlink userspace library
  • nft: command line tool

nft syntax differs from {ip,ip6,eb,arp}tables. There is, however, a backward compatibility layer (iptables-nft, ip6tables-nft, arptables-nft and ebtables-nft, shipped with iptables 1.8 and later) that lets you run the iptables tools, with their unchanged syntax, on top of the nftables infrastructure. `iptables -V` reports `(nf_tables)` or `(legacy)` to show which backend a host is using; rules added through iptables-nft land in the same kernel ruleset as native nft rules, in their own tables, and `nft list ruleset` shows both.

** Main Features

  • Network-specific VM: the nft command line tool compiles the ruleset into VM bytecode in netlink format, then pushes it into the kernel via the nftables Netlink API. When the ruleset is retrieved, the bytecode is decompiled back to its original ruleset representation, so nft acts as both compiler and decompiler.
  • High performance through maps and concatenations: linear ruleset inspection does not scale. Using maps and concatenations you can structure your ruleset so that the number of rule inspections needed to reach the final verdict on a packet is reduced to the bare minimum.
  • Smaller kernel codebase. The intelligence resides in the userspace nft command line tool, which is considerably more complex than iptables in terms of codebase; in the medium term this should allow new features to be delivered by upgrading the userspace tool, with no need for kernel upgrades.
  • Unified and consistent syntax for every supported protocol family, unlike the xtables utilities, which are well known for their inconsistencies.
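Added example (not from the netfilter.org page or the nftables project) of the maps-and-concatenations point: instead of one rule per service and per source network, a single set lookup and a single verdict-map lookup decide where a packet goes. The set, map and chain names (mgmt_nets, svc_dispatch, ssh_in), addresses and ports are assumptions for illustration:

```nft
#!/usr/sbin/nft -f
# Added example, not from the nftables project. Names, prefixes and ports
# are assumptions for illustration.

flush ruleset

table inet filter {
    # named interval set: one lookup matches any of the prefixes
    set mgmt_nets {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }

    # regular chain reached only via the map below
    chain ssh_in {
        ip saddr @mgmt_nets accept
        log prefix "ssh-from-non-mgmt: " drop
    }

    # verdict map keyed on a concatenation of protocol and destination port:
    # one lookup picks the verdict (or the chain to jump to) for the packet
    map svc_dispatch {
        type inet_proto . inet_service : verdict
        elements = { tcp . 22  : jump ssh_in,
                     tcp . 80  : accept,
                     tcp . 443 : accept,
                     udp . 53  : accept }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # single lookup replaces one rule per service
        meta l4proto . th dport vmap @svc_dispatch
        # anonymous set with a concatenation: source and port must both match
        ip saddr . tcp dport { 192.0.2.10 . 8080, 192.0.2.11 . 8080 } accept
    }
}
```

To watch the compiler/decompiler behaviour from the first bullet, load the file with `nft --debug=netlink -f ruleset.nft`, which prints the netlink bytecode nft generates for each rule, then run `nft list ruleset` to get the source form back. Dispatching on `meta l4proto . th dport` uses the generic transport header, so the map covers TCP and UDP ports in one lookup; the interval flag on mgmt_nets is what allows prefixes rather than single addresses as set elements.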

** Documentation

You can check out the nftables HOWTO documentation on the wiki; there is also the nft(8) manpage.

(wiki.nftables.org) nftables wiki   website

ROAM_REFS: https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
  • Main Page

Welcome to the nftables HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.

If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>.

(en.wikipedia.org) nftables - Wikipedia   website

ROAM_REFS: https://en.wikipedia.org/wiki/Nftables

nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. It has been available since Linux kernel 3.13 released on 19 January 2014.

nftables replaces the legacy iptables component of Netfilter. Among the advantages of nftables over iptables are less code duplication and easier extension to new protocols. Among the disadvantages of nftables is that the deep packet inspection provided by the iptables string match (used, for example, for SNI filtering) is not supported: nftables can match bytes at a fixed offset with raw payload expressions (`@th,offset,length`), but it has no substring search, so a hostname at a variable offset inside a TLS ClientHello cannot be matched natively.

nftables is configured with the user-space utility nft, whereas the legacy tools are configured with the iptables, ip6tables, arptables and ebtables utilities.

nftables utilizes the building blocks of the Netfilter infrastructure, such as the existing hooks into the networking stack, connection tracking system, userspace queueing component, and logging subsystem.
