Replace iptables with nftables
necrevistonnezr last edited by girish
It seems that iptables is being replaced with nftables (it's standard in Debian 10)
Should I replace an iptables firewall with a nftables one?
Yes, nftables is the replacement for iptables. There are some tools in place to ease this task.
Please read: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
Why a new framework?
The previous framework (iptables) has several problems that are hard to address, regarding scalability, performance, code maintenance, etc.
What are the major differences?
- In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.
- Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.
- nftables includes built-in data set capabilities. In iptables this is not possible, and there is a separate tool: ipset.
- In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.
- This new framework features a new Linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.
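A concrete illustration of those four differences, added here as an example and not taken from the thread or from the nftables wiki. It takes a small set of iptables rules (plus the ipset they reference) and shows the nftables ruleset that replaces them: the table and chains are created explicitly, one rule both logs and drops, the blocklist is a native set, and the single `inet` table covers IPv4 and IPv6. The addresses, ports and the set name `blocked` are assumed for illustration; `nft -c -f -` parses and checks the ruleset without loading it, so the script is safe to run on a live host.

```shell
#!/bin/sh
# Added example: iptables rules and their nftables equivalent.
# Addresses, ports and the set name "blocked" are assumed values.

# The iptables version. Note one tool per family (iptables, ip6tables),
# an external ipset for the blocklist, and one target per rule, so
# logging and dropping the same traffic takes two rules:
#
#   ipset create blocked hash:net
#   ipset add blocked 192.0.2.0/24
#   ipset add blocked 198.51.100.7
#   iptables -P INPUT DROP
#   iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
#   iptables -A INPUT -i lo -j ACCEPT
#   iptables -A INPUT -m set --match-set blocked src -j LOG --log-prefix "blocked-src: "
#   iptables -A INPUT -m set --match-set blocked src -j DROP
#   iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
#   iptables -A INPUT -p icmp -j ACCEPT
#   ip6tables ... (the whole list again for IPv6)

# The nftables version as a ruleset file. Nothing exists by default:
# the table, the chains and their hooks are all declared here.
nft_ruleset() {
  cat <<'EOF'
flush ruleset

table inet filter {
    # Built-in set; replaces the separate ipset tool
    set blocked {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Several actions in one rule: log, then drop
        ip saddr @blocked log prefix "blocked-src: " drop

        # Anonymous set instead of the multiport match
        tcp dport { 22, 80, 443 } accept

        # One inet table handles both families
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Parse and check the ruleset without loading it (nft -c). If nft is not
# installed, just print the ruleset so the output can be inspected.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    nft_ruleset | nft -c -f -
  else
    echo "nft not installed; printing ruleset instead of checking it" >&2
    nft_ruleset
  fi
}

check_ruleset
```

Loading it for real is `nft -f ruleset.nft` (or putting the file in `/etc/nftables.conf` and enabling the `nftables` service). The `flush ruleset` at the top makes the file the complete, idempotent description of the firewall, which is the usual way to deploy nftables rather than appending rules one at a time as with iptables.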
girish last edited by
Thanks for the info. We in fact want to move to ufw instead. It seems most users are more comfortable with ufw and not iptables which is too low level.
@girish I don't expect that to take too much time either, UFW's backend is iptables so really just sorting out the UFW CLI / API should be relatively simple