Networking
nftables replaces iptables as the default network packet filtering framework
The nftables framework provides packet classification facilities and is the designated successor to the iptables, ip6tables, arptables, and ebtables tools. It offers numerous improvements in convenience, features, and performance over the previous packet-filtering tools, most notably:
- Lookup tables instead of linear rule processing.
- A single framework for both the IPv4 and IPv6 protocols.
- Rules are applied atomically as a whole, instead of fetching, updating, and storing a complete ruleset.
- Support for debugging and tracing in the ruleset (nftrace) and for monitoring trace events (in the nft tool).
- More consistent and compact syntax, with no protocol-specific extensions.
- A Netlink API for third-party applications.
Similarly to iptables, nftables uses tables for storing chains. The chains contain the individual rules that perform actions. The nft tool replaces all tools from the previous packet-filtering frameworks. The libnftables library can be used for low-level interaction with the nftables Netlink API on top of the libmnl library.
The iptables, ip6tables, ebtables and arptables tools are replaced by nftables-based drop-in replacements with the same names. While their external behavior is identical to that of their legacy counterparts, internally they use nftables, with the legacy netfilter kernel modules reached through a compatibility interface where required.
The effect of these tools on the nftables ruleset can be observed using the nft list ruleset command. Since these tools add tables, chains, and rules to the nftables ruleset, be aware that nftables ruleset operations, such as the nft flush ruleset command, might affect rule sets installed using the formerly separate legacy commands.
To quickly identify which variant of the tool is present, the version information has been updated to include the back-end name. In Fedora 32, the nftables-based iptables tool prints the following version string:

$ iptables --version
iptables v1.8.4 (nf_tables)

For comparison, the following version information is printed if the legacy iptables tool is present:

$ iptables --version
iptables v1.8.4 (legacy)
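The following script is an added example and is not part of the Fedora release notes. It does two things the text above describes: it classifies an iptables binary by the back-end name in its version string (so that a host-hardening script knows whether a later "nft flush ruleset" would also wipe iptables-installed rules), and it writes a small native nftables ruleset that uses a single inet table for IPv4 and IPv6, a named set as a lookup table, and a leading "flush ruleset" so that "nft -f" replaces the whole ruleset in one atomic transaction. The table, chain and set names, the 192.0.2.0/24 addresses, and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example: back-end detection for iptables 1.8 and a minimal
# nftables-native ruleset. Not code from the Fedora project.

# iptables_backend VERSION_STRING
# Classifies the string printed by "iptables --version".
# Prints nf_tables, legacy or unknown; exit status 0 only for nf_tables.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables; return 0 ;;
        *"(legacy)"*)    echo legacy;    return 1 ;;
        *)               echo unknown;   return 1 ;;
    esac
}

# detect_live_backend
# Runs the installed iptables, if there is one, and classifies its output.
# Prints unknown and fails when no iptables binary is on the PATH.
detect_live_backend() {
    if command -v iptables >/dev/null 2>&1; then
        iptables_backend "$(iptables --version 2>/dev/null)"
    else
        echo unknown
        return 1
    fi
}

# write_inet_ruleset FILE
# Writes a constructed ruleset illustrating the points in the text:
#  - "flush ruleset" first, so "nft -f FILE" swaps the complete ruleset
#    atomically instead of editing rules one at a time;
#  - one "inet" table that matches both IPv4 and IPv6 traffic;
#  - a named set (admin_hosts) used as a lookup table in a rule;
#  - an nftrace rule, whose events "nft monitor trace" can display.
write_inet_ruleset() {
    cat > "$1" <<'EOF'
flush ruleset
table inet filter {
    set admin_hosts {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 meta nftrace set 1
        tcp dport 22 ip saddr @admin_hosts accept
        counter drop
    }
}
EOF
}

# check_ruleset FILE
# Syntax-checks the file with "nft -c -f" without loading it. Returns 2
# when the nft tool is not installed, so callers can distinguish "not
# checked" from "rejected".
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; ruleset not checked" >&2
        return 2
    fi
    nft -c -f "$1"
}

printf 'installed iptables back-end: %s\n' "$(detect_live_backend || true)"
```

To apply the generated file on a Fedora 32 host, run "nft -f FILE" as root after check_ruleset reports success; because the file starts with "flush ruleset", the replacement is all-or-nothing and also removes any tables the nftables-based iptables wrapper had created, which is exactly the interaction the release notes warn about.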