Replace iptables with nftables

  • It seems that iptables is being replaced with nftables (it's standard in Debian 10)

    Should I replace an iptables firewall with a nftables one?
    Yes, nftables is the replacement for iptables. There are some tools in place to ease this task.
    Please read:
    Why a new framework?
    The previous framework (iptables) has several problems hard to address, regarding scalability, performance, code maintenance, etc.
    What are the major differences?

    • In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.
    • Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.
    • nftables includes built-in data set capabilities. In iptables this is not possible, and there is a separate tool: ipset.
    • In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.
    • This new framework features a new Linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.
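As an added illustration of the four differences listed in that post (not code from the thread or from any poster), here is a small nftables ruleset in the native `nft -f` syntax. Every table and chain is declared explicitly, one `inet` table covers IPv4 and IPv6, sets replace ipset, and single rules log and accept or drop in one step. The addresses, ports and log prefixes are constructed sample values.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original thread. Addresses and ports below
# are constructed placeholders; adjust them before loading on a real host.

flush ruleset

# Difference 1: no default tables or chains; everything is declared here.
# Difference 4: the "inet" family handles IPv4 and IPv6 in a single table,
# so there is no separate ip6tables ruleset to keep in sync.
table inet filter {

    # Difference 3: built-in sets replace the separate ipset tool.
    set admin_hosts {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.10 }   # constructed sample addresses
    }

    set web_ports {
        type inet_service
        elements = { 80, 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept
        ct state invalid drop

        # One rule for both ICMP and ICMPv6 thanks to the inet family
        meta l4proto { icmp, icmpv6 } accept

        # Difference 2: log *and* accept in one rule, matching against the set
        tcp dport 22 ip saddr @admin_hosts log prefix "ssh-admin: " accept

        tcp dport @web_ports accept

        # Difference 2 again: log, count and drop in a single rule
        # (iptables needed a -j LOG rule followed by a -j DROP rule)
        log prefix "input-drop: " counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file without touching the running firewall with `nft -c -f rules.nft`, load it with `nft -f rules.nft`, and confirm the result with `nft list ruleset`. For an existing iptables ruleset, `iptables-translate` and `iptables-restore-translate` print the nft equivalent of iptables rules, which is the kind of migration tooling the post refers to.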

  • Thanks for the info. We in fact want to move to ufw instead. It seems most users are more comfortable with ufw and not iptables which is too low level.

  • @girish I don't expect that to take too much time too, UFW's backend is iptables so really just sorting out the UFW cli / api should be relatively simple

  • @girish Is it happening? Was looking to customize some settings but I'm not touching iptables.

  • Glad to know about it.

  • @girish UFW isn't really its own firewall, it's a front end for iptables, and probably nftables.
