The nftables framework provides packet classification facilities and is the designated successor to the
It offers numerous improvements in convenience, features, and performance over previous packet-filtering tools, most notably:
Lookup tables instead of linear processing.
A single framework for both the IPv4 and IPv6 protocols.
Rules all applied atomically instead of fetching, updating, and storing a complete ruleset.
Support for debugging and tracing in the ruleset (nftrace) and monitoring trace events (in the
More consistent and compact syntax, no protocol-specific extensions.
A Netlink API for third-party applications.
nftables uses tables for storing chains. The chains contain individual rules for performing actions. The nft tool replaces all tools from the previous packet-filtering frameworks. The libnftables library can be used for low-level interaction with the nftables Netlink API over the
arptables tools are replaced by nftables-based drop-in replacements with the same name. While their external behavior is identical to their legacy counterparts, internally they use nftables, with legacy netfilter kernel modules through a compatibility interface where required. The effect of these modules on the nftables ruleset can be observed using the nft list ruleset command. Since these tools add tables, chains, and rules to the nftables ruleset, be aware that nftables ruleset operations, such as the nft flush ruleset command, might also affect rule sets installed using the formerly separate legacy commands.
To quickly identify which variant of the tool is present, the version information has been updated to include the back-end name. In Fedora 32, the nftables-based iptables tool prints the following version string:

$ iptables --version
iptables v1.8.4 (nf_tables)

For comparison, the following version information is printed if the legacy iptables tool is present:

$ iptables --version
iptables v1.8.4 (legacy)
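As an added example (not from the Fedora documentation), the following POSIX shell functions put the two points above together: classify the iptables back-end from its version string, and check an nft list ruleset listing for chains created by the compatibility tools before anyone runs nft flush ruleset. The sample listings are constructed, and the check assumes the compatibility tools' upper-case chain naming (INPUT, FORWARD, OUTPUT) while native nft chains use lower-case names.

```shell
# Classify the iptables back-end from an "iptables --version" line, matching
# the back-end names the Fedora tools print: "(nf_tables)" or "(legacy)".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Count chains in an "nft list ruleset" listing that follow the iptables naming
# convention (upper-case names). Assumption: the compatibility tools create such
# chains, while native nft rulesets normally use lower-case chain names.
# "|| true" keeps the function usable under "set -e" when grep finds nothing.
count_compat_chains() {
    printf '%s\n' "$1" | grep -cE '^[[:space:]]*chain [A-Z][A-Z_]*[[:space:]]*\{' || true
}

# Succeed (exit 0) only if the listing contains no compatibility chains, so that
# "nft flush ruleset" would not silently remove rules installed via iptables.
flush_is_safe() {
    [ "$(count_compat_chains "$1")" -eq 0 ]
}

# Constructed sample: an iptables-nft "filter" table beside a native inet table,
# as a host mixing both tool families might show.
SAMPLE_RULESET='table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}
table inet myfw {
    chain input {
        type filter hook input priority filter; policy drop;
    }
}'

# Constructed sample containing only native nft tables.
NATIVE_ONLY='table inet myfw {
    chain input {
        type filter hook input priority filter; policy drop;
    }
}'

echo "back-end: $(iptables_backend 'iptables v1.8.4 (nf_tables)')"
if flush_is_safe "$SAMPLE_RULESET"; then echo "flush is safe"; else
    echo "refusing to flush: $(count_compat_chains "$SAMPLE_RULESET") iptables chain(s) present"; fi
```

On a live host, feed the functions the real output of iptables --version and nft list ruleset instead of the constructed samples.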