Replace iptables with nftables
-
It seems that iptables is being replaced with nftables (it's standard in Debian 10)
https://wiki.debian.org/nftables
Should I replace an iptables firewall with a nftables one?
Yes, nftables is the replacement for iptables. There are some tools in place to ease in this task.
Please read: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
Why a new framework?
The previous framework (iptables) has several problems hard to address, regarding scalability, performance, code maintenance, etc..
What are the major differences?- In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.
- Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.
- nftables includes built-in data sets capabilities. In iptables this is not possible, and there is a separated tool: ?ipset.
- In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.
- This new framework features a new linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.
-
Thanks for the info. We in fact want to move to ufw instead. It seems most users are more comfortable with ufw and not iptables which is too low level.
-
@girish I don't expect that to take too much time too, UFW's backend is iptables so really just sorting out the UFW cli / api should be relatively simple****
-
@girish Is it happening? Was looking to customize some settings but I'm not touching iptables.
-
Glad to know about it.
-
@girish UFW isn't really its own firewall, its a front end for iptables, and probably nftables.
