nftables¶

Overview¶

nftables replace the existing iptables framework
provides a new packet filtering framework, new utility nft, a compatibility layer for ip/ip6tables (allows to run iptables/ip6tables over the nftables infrastructure)
build upon the netfilter infrastructure:
- the existing hooks
- the Connection Tracking Subsystem
- the userspace queueing component
- the logging subsystem

new cleaner syntax
tables and chains are fully configurable
no distinction between matches and targets anymore
several actions in one single rule can be specified (e.g. log drop)
no built-in counter per chain and rules \(\rightarrow\) counters can be enabled (per rule) on demand
generic set infrastructure (e.g. {ssh, http, https})
new protocols are supported without kernel upgrades

chains are used to store rules and are highly configurable
possible chain types are:
- filter: filter packets, supported by all table families
- route: reroute packages, supported by ip and ip6 family
- nat: perform NAT, supported by ip, ip6 and inet family
for every chain type, following chain kind exist: base chains and regular or non-base chains

base chains are registered into the Netfilter Hooks
a default policy of accept or drop can be specified for each chain
the priority value can be used to order the chains or to put them before or after some Netfilter internal operations

are not attached to any hook
not see any traffic at first
is very useful to arrange rule-sets in a tree of chains by using the jump or goto action
works like a user defined chain of iptables

modern technologies like container virtualization environments require highly dynamic changes and very fast processing of firewall rulesets
the packet filtering framework (netfilter/iptables/nftables) slows down when large rules sets are used because of sequential processing of the rules
if large rule sets are changed very often, the installation duration of the rule sets delays the processing
for this reason, a new filtering framework bpfilter is in development