Revision comments: "add more details on the differences between nftables and iptables"; "pointer to linux 3.18".
nftables is a framework by the Netfilter Project that provides packet filtering, network address translation (NAT) and other packet mangling.
Two of the most common uses of nftables are to provide firewall support and NAT.
nftables is meant to replace the iptables framework.
Current status
nftables is under heavy development.
For a production firewall, you should keep using iptables.
However, you may want to start testing nftables in order to:
- try the new syntax and engine
- get in touch with new workflows
- report bugs and request features
Currently, lots of bug fixes and features are added in each new release.
Requirements
nftables requires a linux kernel >= 3.13, but running a newer kernel >= 3.18 is recommended.
Also, nftables requires libnftnl, a public library which provides a low level interface to the kernel subsystem.
Aptitude will take care of all dependencies.
FAQ
What is nftables?
It is the new framework by the Netfilter Project, allowing you to perform packet filtering (firewalling), NAT, mangling and packet classification.
Why a new framework?
The previous framework (iptables) has several problems that are hard to address, regarding scalability, performance, code maintenance, etc.
Should I stop working with iptables to build a firewall?
No. Currently, nftables is in an early development state. Nowadays, iptables is more stable.
Then why should I use nftables?
You can start testing what is meant to become the future of firewalls on Linux. Report bugs, request features and get in touch with the latest in this technology.
I know the iptables syntax. Is there a new syntax in nftables?
Yes, but the nftables syntax is better.
What are the major differences?
In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.
Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.
nftables includes built-in data set capabilities. In iptables this is not possible, and there is a separate tool: ipset.
In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.
New syntax
Create a basic IPv4 table:
# nft add table filter
Create a chain for input traffic IPv4:
# nft add chain filter input { type filter hook input priority 0; }
A rule to check that all is fine (IPv4):
# nft add rule filter input counter accept
Show all the previous:
# nft list table filter
Flush rules in chain filter/input:
# nft flush chain filter input
Delete the chain filter/input:
# nft delete chain filter input
Delete the table filter:
# nft delete table filter
The family parameter is optional. The default is 'ip':
# nft add table ip6 filter
# nft add chain ip6 filter input
# nft add rule ip6 filter input counter accept
Debian ships an example configuration:
# nft -f /usr/share/doc/nftables/examples/basic.nft
Count traffic on destination port tcp/22:
# nft add rule filter input tcp dport 22 counter
Count and accept traffic on 80/tcp and 443/tcp in new and established state:
# nft add rule filter input tcp dport {80, 443} ct state new,established counter accept
Export the ruleset in XML format (importing is not yet supported):
# nft export xml
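The following script is an added example, not part of the Debian wiki page and not shipped by the nftables project. It ties the "What are the major differences?" answers to the "nft -f" file syntax used above: one table in the inet family covers IPv4 and IPv6 from a single tool, a named set stands in for a separate ipset, and a single rule performs several actions (counter, log, accept). The inet family, named sets (type inet_service), chain policies and the log statement are nft features not shown on this page; they are assumed to be available in the nft release you run. The file path and port list are constructed for the example, and the script only writes the file; load it yourself with nft -f.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): generate an nftables ruleset
# file in "nft -f" syntax. Assumes an nft release with the inet family,
# named sets and the log statement.

# Print a ruleset to stdout. $1 = space-separated list of TCP ports to allow.
build_ruleset() {
    ports="$1"
    # Build the set literal "22, 80, 443" from the port list (POSIX sh only).
    set_elems=""
    for p in $ports; do
        set_elems="${set_elems:+$set_elems, }$p"
    done
    cat <<EOF
# Generated for illustration; load with: nft -f <file>
flush ruleset

table inet filter {
    # Named set: the nftables counterpart of a separate ipset.
    set allowed_tcp {
        type inet_service
        elements = { $set_elems }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already accepted connections.
        iif lo accept
        ct state established,related counter accept

        # One rule, several actions: count, log, then accept.
        tcp dport @allowed_tcp ct state new counter log prefix "nft-new: " accept

        # ICMP and ICMPv6 live in the same table because the family is inet.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset to a file. $1 = path, $2 = port list. Returns 0 on success.
write_ruleset() {
    build_ruleset "$2" > "$1"
}

# Usage (constructed path; writes the file, does not load it):
# write_ruleset /tmp/example.nft "22 80 443"
# nft -f /tmp/example.nft
```

Because the table is in the inet family, the same three chains filter both IPv4 and IPv6; with the ip/ip6 families shown above you would need one table per family. Keep the input policy at drop only after checking that the established,related rule and the loopback rule are in place, otherwise loading the file over SSH cuts the session.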
External resources
Check out the official nftables wiki: http://wiki.nftables.org/