Differences between revisions 2 and 21 (spanning 19 versions)
Revision 2 as of 2014-09-15 09:40:01
Size: 3792
Comment: add more details on the differences between nftables and iptables
Revision 21 as of 2016-12-24 13:59:39
Size: 4072
Comment: add link to nftables wiki about moving from iptables to nftables

nftables is a framework by the Netfilter Project that provides packet filtering, network address translation (NAT) and other packet mangling.

Two of the most common uses of nftables are firewalling and NAT.

nftables is meant to replace the iptables framework.

Current status

Current version (as of this page revision, December 2016) is v0.6. The Debian packages are up-to-date, also in stable-backports.

After years of heavy development, the nftables framework is ready to use in production environments. You are encouraged to migrate from iptables to nftables.

Use it!

Requirements

nftables requires a Linux kernel >= 3.13, but running a newer kernel >= 4.7 is recommended.

Not a requirement, but advice: don't mix nftables and iptables rulesets. Both register at the same netfilter hook points, so every packet is evaluated by both rulesets; an accept in one does not override a drop in the other, and finding out which of the two rejected a packet is painful.
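A preflight script covering the two points above (kernel version, and whether a legacy iptables ruleset is still registered in the kernel), as an added example that is not from the wiki page or the nftables project. The 3.13 and 4.7 thresholds are the page's; the function names, the --check flag and the use of the /proc/net/*_tables_names files to detect registered x_tables tables are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Debian wiki page: a preflight check to run
# before installing nftables or switching a host over from iptables.
# Thresholds are the ones the page gives (3.13 minimum, 4.7 recommended);
# the function names and the --check flag are this example's own.

NFT_MIN_KERNEL=3.13
NFT_RECOMMENDED_KERNEL=4.7

# ver_field VERSION N: print the N-th dot-separated numeric field of VERSION
# ("4.9.0-8-amd64" -> 4, 9, 0, ...), or 0 when that field is absent.
ver_field() {
    f=$(printf '%s\n' "$1" | tr -c '0-9\n' '.' | cut -s -d. -f"$2")
    printf '%s\n' "${f:-0}"
}

# kernel_at_least HAVE WANT: succeed when HAVE is the same or a newer
# major.minor than WANT (patch levels are ignored, like the page's thresholds).
kernel_at_least() {
    hmaj=$(ver_field "$1" 1); hmin=$(ver_field "$1" 2)
    wmaj=$(ver_field "$2" 1); wmin=$(ver_field "$2" 2)
    if [ "$hmaj" -gt "$wmaj" ]; then return 0; fi
    if [ "$hmaj" -eq "$wmaj" ] && [ "$hmin" -ge "$wmin" ]; then return 0; fi
    return 1
}

# xtables_table_count [FILE...]: number of tables registered by the legacy
# x_tables backends (ip_tables, ip6_tables, arp_tables). The kernel exposes one
# table name per line in these /proc files; a non-empty list means an
# iptables-style ruleset is in use on this host. Files can be passed explicitly
# so the function can be exercised on constructed input.
xtables_table_count() {
    [ $# -gt 0 ] || set -- /proc/net/ip_tables_names /proc/net/ip6_tables_names /proc/net/arp_tables_names
    cat "$@" 2>/dev/null | grep -c . || true
}

preflight() {
    running=$(uname -r)
    if ! kernel_at_least "$running" "$NFT_MIN_KERNEL"; then
        echo "FAIL: kernel $running is older than $NFT_MIN_KERNEL; nftables will not work" >&2
        return 1
    fi
    if ! kernel_at_least "$running" "$NFT_RECOMMENDED_KERNEL"; then
        echo "WARN: kernel $running is older than the recommended $NFT_RECOMMENDED_KERNEL" >&2
    fi
    n=$(xtables_table_count)
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n x_tables table(s) registered; do not mix iptables and nftables rulesets" >&2
    fi
    echo "kernel $running: ok for nftables"
}

# Only run the check when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Run it as `sh nft-preflight.sh --check`; a non-zero exit means the kernel is too old, while the warnings are advisory. The x_tables check only sees tables that are currently registered, so it says nothing about an iptables ruleset that an init script will load later.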

FAQ

What is nftables?

It is the new framework by the Netfilter Project, allowing you to perform packet filtering (firewalling), NAT, mangling and packet classification.

Should I build a firewall using nftables?

Yes, the software is now stable enough for that.

Should I replace an iptables firewall with a nftables one?

That is a tough task, and you should know what you are doing. Translation utilities have not been released yet, but they are on the roadmap. How to migrate depends on your concrete situation; ask for advice.

Why is nftables not in Debian Jessie?

You can find nftables in jessie-backports :-) At the time of the jessie release, the software was not stable.

Why a new framework?

The previous framework (iptables) has several problems that are hard to address, regarding scalability, performance and code maintenance.

What are the major differences?

In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables there are no default tables or chains: nothing is filtered until you create a table and a base chain with a hook, and a base chain's policy is accept unless you set it.

Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables you can perform several actions in one single rule, for example count, log and accept.

nftables includes built-in data sets capabilities. In iptables this is not possible, and there is a separate tool: ipset.

In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.

This new framework features a new Linux kernel subsystem, known as nf_tables. The engine is inspired by BPF-like systems: a small set of basic expressions that can be combined to build complex filtering rules.

I knew the iptables syntax. Is there a new syntax in nftables?

Yes, but the nftables one is better :-)

Help in migrating to nftables: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

new syntax

Create a basic IPv4 table:

# nft add table filter

Create a chain for input traffic IPv4 (the braces and the semicolon are nft syntax; when typed at a shell the semicolon must be escaped, or the whole block quoted, otherwise the shell ends the command there):

# nft add chain filter input { type filter hook input priority 0 \; }

A rule to check that all is fine (IPv4):

# nft add rule filter input counter accept

List the table with its chains and rules:

# nft list table filter

Flush rules in chain filter/input:

# nft flush chain filter input

Delete the chain filter/input:

# nft delete chain filter input

Delete the table filter:

# nft delete table filter

The family parameter is optional. The default is 'ip' (IPv4); 'ip6' selects IPv6, and 'inet' gives one table that sees both. Whatever the family, a chain only receives packets when it is created with a hook specification; without one it is a regular chain that nothing jumps to, and the counter below would stay at zero:

# nft add table ip6 filter
# nft add chain ip6 filter input { type filter hook input priority 0 \; }
# nft add rule ip6 filter input counter accept

Debian ships an example configuration:

# nft -f /usr/share/doc/nftables/examples/basic.nft

Count traffic on destination port tcp/22:

# nft add rule filter input tcp dport 22 counter

Count and accept traffic to 80/tcp and 443/tcp in new and established state:

# nft add rule filter input tcp dport {80, 443} ct state new,established counter accept
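The one-line commands above build a ruleset piece by piece; for a real host you write the whole ruleset to a file and load it with `nft -f`, which applies it as one transaction. The following script is an added example, not the wiki's or the Debian package's own ruleset. It also illustrates the points from the "What are the major differences?" section: a single 'inet' table for IPv4 and IPv6, a named set where iptables would need ipset, several actions in one rule, and base chains created explicitly because none exist by default. The file path /etc/nftables.conf, the --apply flag and the admin_hosts addresses (from the 192.0.2.0/24 documentation range) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the Debian wiki's own ruleset: a complete host firewall in
# nftables syntax, written to a file, syntax-checked, then loaded in one
# transaction. Path, flag name and addresses are assumptions of this example.

RULESET_FILE=${RULESET_FILE:-/etc/nftables.conf}

# write_ruleset FILE: write the ruleset to FILE (quoted heredoc: no shell expansion)
write_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
# Start from a clean slate: drops every nftables table of every family, so
# this file fully describes the firewall and reloading it is idempotent.
flush ruleset

table inet filter {
    # Named set in place of ipset: members can be changed later with
    # "nft add element" without reloading the ruleset.
    set admin_hosts {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    # Base chain: created explicitly (nftables has no default chains), hooked
    # on input, and with an explicit drop policy (the default would be accept).
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for path MTU discovery, ICMPv6 for neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # One rule, three actions: count, log with a prefix, then accept.
        ip saddr @admin_hosts tcp dport 22 counter log prefix "nft admin ssh: " accept

        # Anonymous set of ports, new connections only (the page's example).
        tcp dport { 80, 443 } ct state new counter accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# load_ruleset FILE: validate first (-c parses the whole file without touching
# the kernel), then load. nft -f applies the file atomically, so an error in
# the file leaves the currently running ruleset untouched.
load_ruleset() {
    nft -c -f "$1" || { echo "ruleset rejected, nothing changed" >&2; return 1; }
    nft -f "$1" || return 1
    nft list ruleset
}

# Only touch the kernel when asked to; the file can also be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    write_ruleset "$RULESET_FILE" && load_ruleset "$RULESET_FILE"
fi
```

Run it as root with `sh firewall.sh --apply`, ideally from a console session rather than over SSH the first time, since the input policy is drop and only the admin_hosts set may reach port 22. `nft -c -f` catches syntax errors, but not a rule that locks you out, so review the `nft list ruleset` output before closing the session.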

external resources

Check out the official nftables wiki: http://wiki.nftables.org/


CategorySystemAdministration