Why you will love nftables

Linux 3.13 is out

Linux 3.13 is out, bringing among other things the first official release of nftables. nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework, aka iptables.
The nftables version in Linux 3.13 is not yet complete. Some important features are missing and will be introduced in the following Linux versions.
It is already usable in most cases, but complete support (read: nftables at a better level than iptables) should be available in Linux 3.15.

nftables comes with a new command line tool named nft. nft is the successor of iptables and its derivatives (ip6tables, arptables), and it has a completely different syntax.
Yes, if you are used to iptables, that’s a shock. But there is a compatibility layer that allows you to keep using iptables even though filtering is done by nftables in the kernel.

There is very little documentation available for now. You can find my nftables quick howto, and there are some other initiatives that should be made public soon.

Some command line examples

Multiple targets on one line

Suppose you want to log and drop a packet. With iptables, you had to write two rules: one for logging and one for dropping:

iptables -A FORWARD -p tcp --dport 22 -j LOG
iptables -A FORWARD -p tcp --dport 22 -j DROP

With nft, you can combine both targets in a single rule:

nft add rule filter forward tcp dport 22 log drop

Easy set creation

Suppose you want to allow packets for several ports and allow several icmpv6 types. With iptables, you need to use something like:

ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT

With nft, sets can be used on any element in a rule:

nft add rule ip6 filter input tcp dport {telnet, http, https} accept
nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

It is easier to write, and it is more efficient on the filtering side, as only one rule is added per protocol.

You can also use a named set, so that its content can evolve over time:

# nft -i # use interactive mode
nft> add set global ipv4_ad { type ipv4_address;}
nft> add element global ipv4_ad {, }
nft> add rule ip global filter ip saddr @ipv4_ad drop

And later when a new bad boy is detected:

# nft -i
nft> add element global ipv4_ad { }

One advanced feature of nftables is mapping. It is possible to take two different types of data and link them.
For example, we can associate an interface with a dedicated rule set (stored in a chain created beforehand). In the example, the chains are named low_sec and high_sec:

# nft -i
nft> add map filter jump_map { type ifindex : verdict; }
nft> add element filter jump_map { eth0 : jump low_sec; }
nft> add element filter jump_map { eth1 : jump high_sec; }
nft> add rule filter input iif vmap @jump_map

Now, let’s say you have a new dynamic interface ppp1; it is easy to set up filtering for it. Simply add it to the jump_map mapping:

nft> add element filter jump_map { ppp1 : jump low_sec; }
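The interactive commands above can also be kept in one ruleset file that nft -f loads atomically. The script below is an added example, not code from the original post: it writes such a file combining the log+drop rule, an anonymous port set, a named address set and an interface verdict map. It uses current nft syntax (inet family, ifname-keyed map, set type ipv4_addr), which is newer than the Linux 3.13-era syntax shown above; addresses, interface names and the output path are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): the post's separate nft commands
# as one ruleset file. Sample addresses/interfaces are constructed values.
set -eu

# Print the ruleset; kept in a function so it can be checked or written to a file.
build_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    # named set: extend later with `nft add element inet filter bad_hosts { ... }`
    set bad_hosts {
        type ipv4_addr
        elements = { 192.0.2.10, 198.51.100.7 }
    }
    # verdict map: interface name -> chain to jump to
    map jump_map {
        type ifname : verdict
        elements = { "eth0" : jump low_sec, "eth1" : jump high_sec }
    }
    chain low_sec {
        tcp dport { telnet, http, https } accept
    }
    chain high_sec {
        tcp dport https accept
        # two targets in one rule: log, then drop
        tcp dport 22 log prefix "high_sec ssh: " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        ip saddr @bad_hosts drop
        icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
        iifname vmap @jump_map
    }
}
EOF
}

# Write the file; syntax-check it without loading (nft -c) when nft is present and we are root.
RULESET=${RULESET:-/tmp/filter.nft}
build_ruleset > "$RULESET"
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    nft -c -f "$RULESET"
    echo "syntax ok; load atomically with: nft -f $RULESET"
fi
```

Because the whole file is applied in one transaction, a later edit is again a single nft -f load rather than a long series of individual rule insertions.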

On administration and kernel side

More speed at update

Adding a rule in iptables was getting dramatically slower as the number of rules grew, which explains why scripts making many iptables calls take a long time to complete. This is no longer the case with nftables, which uses fast, atomic operations to update rule sets.

Less kernel update

With iptables, each match or target required its own kernel module. So you had to recompile the kernel if you had forgotten something or wanted to use something new.
This is no longer the case with nftables. In nftables, most of the work is done in userspace and the kernel only knows a few basic instructions (filtering is implemented in a pseudo-state machine).
For example, icmpv6 support was added via a simple patch to the nft tool.
The same kind of change in iptables would have required a kernel and iptables upgrade.

67 thoughts on “Why you will love nftables”

  1. Hmm it seems like your website ate my first
    comment (it was super long) so I guess I’ll just sum it up what I wrote and
    say, I’m thoroughly enjoying your blog. I as well am an aspiring blog blogger
    but I’m still new to everything. Do you have any points for rookie blog writers?
    I’d definitely appreciate it.

  2. It’s an awesome post in support of all the web users; they will obtain advantage from it I am sure.

  3. Good post. I learn something totally new and challenging on websites I
    stumbleupon every day. It will always be exciting to read
    articles from other authors and use a little something from their sites.

  4. you are really an excellent webmaster. The site loading speed is incredible.
    It seems that you’re doing any unique trick. Also,
    The contents are masterwork. you have performed a wonderful task in this matter!

  5. I was curious if you ever thought of changing the structure of your website?

    Its very well written; I love what youve got to
    say. But maybe you could a little more in the way of content so people could connect with it better.
    Youve got an awful lot of text for only having 1 or two pictures.
    Maybe you could space it out better?

  9. Wow! This is a _GREAT_ initiative, really. Big step for consumer protection. I’d like to see it implemented. Hopefully the merchants won’t find an easy way around this restriction.

  10. It’s an amazing Article in favor of all the web visitors;
    they will get advantage from it I am sure.

  11. I have a question though, how can we perform a packet filter based on a pattern e.g. In the IPTables, I could do a packet filter to block any line that contains

    -A INPUT -p udp -m udp --dport 1514 -m string --string "some.exe" --algo bm -j DROP
