The nftables framework provides packet classification facilities and is
the designated successor to the iptables, ip6tables, arptables, and
ebtables tools. It offers numerous improvements in convenience, features,
and performance over the previous packet-filtering tools, most notably:
Lookup tables instead of linear processing.
A single framework for both the IPv4 and IPv6 protocols.
Rules all applied atomically instead of fetching, updating, and storing a complete ruleset.
Support for debugging and tracing in the ruleset (nftrace) and for monitoring trace events (in the nft tool).
More consistent and compact syntax, no protocol-specific extensions.
A Netlink API for third-party applications.
nftables uses tables for storing chains. The chains contain individual
rules for performing actions. The nft tool replaces all tools from the
previous packet-filtering frameworks. The libnftables library can be used
for low-level interaction with the nftables Netlink API.
The iptables, ip6tables, ebtables, and arptables tools are replaced by
nftables-based drop-in replacements with the same name. While their
external behavior is identical to their legacy counterparts, internally
they use nftables with legacy netfilter kernel modules through a
compatibility interface where required.
The effect of these modules on the nftables ruleset can be observed with
the nft list ruleset command. Since these tools add tables, chains, and
rules to the nftables ruleset, be aware that nftables rule-set operations,
such as the nft flush ruleset command, might affect rule sets installed
using the formerly separate legacy commands.
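The two points above (a ruleset is tables containing chains containing rules, and rules added through the compatibility tools live in that same ruleset, so nft flush ruleset removes them too) can be made concrete by parsing the text that nft list ruleset prints. The following is an added example, not code from the nftables project. The sample ruleset is constructed to resemble nft list ruleset output on a host that has both a native inet table and an ip filter table populated through iptables-nft; it was not captured from a real system. The heuristic that base chains named like the legacy built-in chains (INPUT, FORWARD, OUTPUT, ...) were created through the compatibility tools is an assumption of this example, not something the text states.

```python
"""Parse `nft list ruleset` text into tables -> chains -> rules and report
what a `nft flush ruleset` would remove, including compat-managed chains.

Added example; not part of nftables or its documentation.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample resembling `nft list ruleset` output (not captured from a host).
SAMPLE_RULESET = """\
table inet firewall {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state established,related accept
		iif "lo" accept
		tcp dport 22 meta nftrace set 1 accept
	}
}
table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
		tcp dport 80 counter accept
	}
	chain FORWARD {
		type filter hook forward priority 0; policy accept;
	}
	chain OUTPUT {
		type filter hook output priority 0; policy accept;
	}
}
"""


@dataclass
class Chain:
    name: str
    hook: Optional[str] = None      # e.g. "input" for a base chain, None for a regular chain
    policy: Optional[str] = None    # base-chain policy, if printed
    rules: List[str] = field(default_factory=list)


@dataclass
class Table:
    family: str                     # ip, ip6, inet, arp, bridge, netdev
    name: str
    chains: Dict[str, Chain] = field(default_factory=dict)


TABLE_RE = re.compile(r"^table\s+(\w+)\s+(\S+)\s*\{$")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{$")
BASE_RE = re.compile(r"^type\s+\w+\s+hook\s+(\w+)\s+priority\s+\S+;(?:\s*policy\s+(\w+);)?$")

# Assumption of this example: the *-nft compatibility tools name their base
# chains after the legacy built-in chains, so these names mark compat-managed chains.
LEGACY_CHAIN_NAMES = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}


def parse_ruleset(text: str) -> Dict[Tuple[str, str], Table]:
    """Build {(family, table_name): Table} from the textual ruleset."""
    tables: Dict[Tuple[str, str], Table] = {}
    table: Optional[Table] = None
    chain: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_RE.match(line)
        if m:
            table = Table(m.group(1), m.group(2))
            tables[(table.family, table.name)] = table
            chain = None
            continue
        m = CHAIN_RE.match(line)
        if m:
            if table is None:
                raise ValueError("chain outside of a table: " + line)
            chain = Chain(m.group(1))
            table.chains[chain.name] = chain
            continue
        if line == "}":
            # Closes the innermost open block: a chain if one is open, else the table.
            if chain is not None:
                chain = None
            else:
                table = None
            continue
        if chain is None:
            continue                # table-level statements (sets, maps) are ignored here
        m = BASE_RE.match(line)
        if m:
            chain.hook, chain.policy = m.group(1), m.group(2)
        else:
            chain.rules.append(line)
    return tables


def legacy_managed_chains(tables: Dict[Tuple[str, str], Table]) -> List[str]:
    """Chains that, by the naming heuristic above, came from the compat tools."""
    return [
        f"{family} {tname} {chain.name}"
        for (family, tname), table in tables.items()
        for chain in table.chains.values()
        if chain.hook is not None and chain.name in LEGACY_CHAIN_NAMES
    ]


def count_rules(tables: Dict[Tuple[str, str], Table]) -> int:
    """Every rule in the ruleset: this is what `nft flush ruleset` discards."""
    return sum(len(c.rules) for t in tables.values() for c in t.chains.values())


if __name__ == "__main__":
    parsed = parse_ruleset(SAMPLE_RULESET)
    print("tables:", sorted(parsed))
    print("compat-managed chains:", legacy_managed_chains(parsed))
    print("rules a flush would remove:", count_rules(parsed))
```

Run against real output with `nft list ruleset | python3 this_script.py`-style plumbing (read stdin instead of SAMPLE_RULESET); the point of the heuristic is to make visible, before a flush, which chains were populated by the legacy-named tools rather than by nft itself.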
To quickly identify which variant of the tool is present, the version
information has been updated to include the back-end name. In Fedora 32,
the iptables tool prints the following version string:
$ iptables --version
iptables v1.8.4 (nf_tables)
For comparison, the following version information is printed if the legacy
iptables tool is present:
$ iptables --version
iptables v1.8.4 (legacy)
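Because the back-end name is part of the version string, a host-inventory or compliance script can classify each tool by it. The following is an added example, not code from Fedora or the iptables project. Only the two iptables strings come from the text above; the ip6tables, ebtables, and arptables strings are constructed for the exercise, and the mixed-backend host they describe is hypothetical. The check for a mixed install matters operationally: a legacy tool and an nf_tables tool on the same host maintain two independent rule sets, and nft list ruleset shows only one of them.

```python
"""Classify iptables-family tools by the back-end named in `--version` output.

Added example; not part of Fedora, iptables or nftables.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

# Constructed sample: the two iptables strings are from the text; the rest are made up.
SAMPLE_OUTPUTS = {
    "iptables": "iptables v1.8.4 (nf_tables)",
    "ip6tables": "ip6tables v1.8.4 (nf_tables)",
    "ebtables": "ebtables v1.8.4 (nf_tables)",
    "arptables": "arptables v1.8.4 (legacy)",   # hypothetical mixed install
}

# "<tool> v<version> (<backend>)"; the parenthesised back-end is optional because
# older builds print no back-end at all.
VERSION_RE = re.compile(r"^(\S+)\s+v?(\d[\w.]*)(?:\s+\((\w+)\))?\s*$")


def parse_version(output: str) -> Tuple[str, str, Optional[str]]:
    """Return (tool, version, backend); backend is None when the string has none."""
    m = VERSION_RE.match(output.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {output!r}")
    return m.group(1), m.group(2), m.group(3)


def classify_backends(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map each tool name to 'nf_tables', 'legacy', or 'unknown'."""
    return {tool: (parse_version(out)[2] or "unknown") for tool, out in outputs.items()}


def mixed_backends(outputs: Dict[str, str]) -> bool:
    """True when the installed tools do not all share one back-end."""
    known = set(classify_backends(outputs).values()) - {"unknown"}
    return len(known) > 1


def collect_versions(tools=("iptables", "ip6tables", "ebtables", "arptables")) -> Dict[str, str]:
    """Run `<tool> --version` for each installed tool on this host (skips missing ones)."""
    found: Dict[str, str] = {}
    for tool in tools:
        path = shutil.which(tool)
        if path is None:
            continue
        result = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
        if result.returncode == 0 and result.stdout.strip():
            found[tool] = result.stdout.strip()
    return found


if __name__ == "__main__":
    live = collect_versions() or SAMPLE_OUTPUTS     # fall back to the sample off-host
    for tool, backend in classify_backends(live).items():
        print(f"{tool:10s} {backend}")
    if mixed_backends(live):
        print("warning: tools use different back-ends; two rule sets may coexist")
```

On a Fedora 32 host with the default packages every tool reports nf_tables and the warning does not fire; the sample data is there so the classification logic can be exercised without root or the tools installed.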