nftables replaces iptables as the default network packet filtering framework

The nftables framework provides packet classification facilities and is the designated successor to the iptables, ip6tables, arptables, and ebtables tools. It offers numerous improvements in convenience, features, and performance over previous packet-filtering tools, most notably:

- Lookup tables instead of linear processing.
- A single framework for both the IPv4 and IPv6 protocols.
- Rules are all applied atomically instead of fetching, updating, and storing a complete ruleset.
- Support for debugging and tracing in the ruleset (nftrace) and monitoring trace events (in the nft tool).
- More consistent and compact syntax, no protocol-specific extensions.
- A Netlink API for third-party applications.
Similarly to iptables, nftables uses tables for storing chains. The chains contain individual rules for performing actions. The nft tool replaces all tools from the previous packet-filtering frameworks. The libnftables library can be used for low-level interaction with the nftables Netlink API over the libmnl library.
The iptables, ip6tables, ebtables and arptables tools are replaced by nftables-based drop-in replacements with the same name. While their external behavior is identical to their legacy counterparts, internally they use nftables with legacy netfilter kernel modules through a compatibility interface where required.

The effect of these tools on the nftables ruleset can be observed using the nft list ruleset command. Since these tools add tables, chains, and rules to the nftables ruleset, be aware that nftables rule-set operations, such as the nft flush ruleset command, might affect rule sets installed using the formerly separate legacy commands.
To quickly identify which variant of the tool is present, the version information has been updated to include the back-end name. In Fedora 32, the nftables-based iptables tool prints the following version string:

$ iptables --version
iptables v1.8.4 (nf_tables)

For comparison, the following version information is printed if the legacy iptables tool is present:

$ iptables --version
iptables v1.8.4 (legacy)
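The following script is an added example, not part of the Fedora release notes: it classifies the back-end from the version strings shown above, and scans an nft list ruleset dump for tables that the compatibility tools appear to have created, which is the check worth running before an nft flush ruleset. The sample ruleset text, the upper-case chain-name heuristic and the function names are assumptions of this example.

```shell
# Added example (not from the Fedora release notes): tell the two iptables
# front-ends apart from their version string, and spot tables in an
# `nft list ruleset` dump that the nftables-based compat tools populated.

# Map an `iptables --version` line to its back-end: nf_tables, legacy or unknown.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Print "family name" for every table whose chains use the upper-case base
# chain names of the legacy tools (INPUT, OUTPUT, ...). Assumption: native
# nft rulesets use lower-case chain names, so this is a heuristic, not a
# definitive marker of origin.
compat_tables() {
    printf '%s\n' "$1" | awk '
        $1 == "table" { tbl = $2 " " $3 }
        $1 == "chain" && $2 ~ /^(INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)$/ {
            if (!(tbl in seen)) { seen[tbl] = 1; print tbl }
        }'
}

# Constructed sample of `nft list ruleset` output: one table populated by the
# compat iptables tool plus one native nftables table.
SAMPLE_RULESET='table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
    }
}
table inet myfw {
    chain input {
        type filter hook input priority 0; policy drop;
    }
}'

# Run against the live system when iptables is installed (unprivileged is fine
# for --version; `nft list ruleset` itself needs root).
if command -v iptables >/dev/null 2>&1; then
    echo "iptables back-end: $(iptables_backend "$(iptables --version 2>/dev/null)")"
fi
echo "tables likely created by the compat tools in the sample ruleset:"
compat_tables "$SAMPLE_RULESET"
```

On a real host, replace SAMPLE_RULESET with the output of nft list ruleset (run as root) to see which tables the compat layer owns before flushing.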