Documentation for a newer release is available. View Latest

网络

nftables replaces iptables as the default network packet filtering framework

The nftables framework provides packet classification facilities and it is the designated successor to the iptables, ip6tables, arptables, and ebtables tools. It offers numerous improvements in convenience, features, and performance over previous packet-filtering tools, most notably:

  • Lookup tables instead of linear processing.

  • A single framework for both the IPv4 and IPv6 protocols.

  • Rules all applied atomically instead of fetching, updating, and storing a complete ruleset.

  • Support for debugging and tracing in the ruleset (nftrace) and monitoring trace events (in the nft tool).

  • More consistent and compact syntax, no protocol-specific extensions.

  • A Netlink API for third-party applications.

Similarly to iptables, nftables use tables for storing chains. The chains contain individual rules for performing actions. The nft tool replaces all tools from the previous packet-filtering frameworks. The libnftables library can be used for low-level interaction with nftables Netlink API over the libmnl library.

The iptables, ip6tables, ebtables and arptables tools are replaced by nftables-based drop-in replacements with the same name. While external behavior is identical to their legacy counterparts, internally they use nftables with legacy netfilter kernel modules through a compatibility interface where required.

Effect of the modules on the nftables ruleset can be observed using the nft list ruleset command. Since these tools add tables, chains, and rules to the nftables ruleset, be aware that nftables rule-set operations, such as the nft flush ruleset command, might affect rule sets installed using the formerly separate legacy commands.

To quickly identify which variant of the tool is present, version information has been updated to include the back-end name. In Fedora 32, the nftables-based iptables tool prints the following version string:

$ iptables --version
iptables v1.8.4 (nf_tables)

For comparison, the following version information is printed if legacy iptables tool is present:

$ iptables --version
iptables v1.8.4 (legacy)