Firewalling under Linux gets revamped.
Yep, you read it right. The firewalling tool that has been either hated or loved, ever since Kernel 2.4 is being phased out from kernel v4.9 onwards in favour of nftables.
Iptables will still be available for the forseeable future, however now is the time to learn the new syntax of nftables. Nftables, which stands for netfilter tables. Nftables is part of the netfilter suite, which is a team of kernel contributors specifically tasked at doing “NAT, Firewalling and packet mangling for Linux”. The netfilter team are the same authors that brought us iptables, so they are arguably best placed to replace iptables, just like ipchains and ipfw before it.
New functionality
Nftables offers new functionality unavailable in iptables, and has been available (although not fully stable) since Kernel 3.13. Ontop of the kernel module itself, three other components comprise nftables. These are:
- libmnl: the minimalistic Netlink library
- libnftnl: low level netlink userspace library
- nft: command line tool.
The new toolset offers the following advantages over iptables:
- High performance through maps and concatenations: Linear ruleset inspection doesn’t scale up. Using maps and concatenations, you can structure your ruleset to reduce the number of rule inspections to find the final action on the packet to the bare minimum.
- Unified and consistent syntax for every support protocol family, contrary to xtables utilities, that are well-known to be full of inconsistencies.
- Network-specific Virtual Machine: the nft command line tool compiles the ruleset into the VM bytecode in netlink format, then it pushes this into the kernel via the nftables Netlink API. When retrieving the ruleset, the VM bytecode in netlink format is decompiled back to its original ruleset representation. So nft behaves both as compiler and decompiler.
- No need for kernel updates & a smaller kernel codebase: The intelligence is placed in userspace nft command line tool, which is considerably more complex than iptables in terms of codebase, however, in the midrun, this will potentially allow us to deliver new features by upgrading the userspace command line tool, with no need of kernel upgrades.
Can I convert my iptables rules to nft easily?
Fairly easily. There is a conversion tool which works as following:
% iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
% ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport {111,222} counter accept
- For more information on moving from iptables to nftables, check out this helpful wiki page by the netfilter team.
When is it coming to my Linux distribution?
Starting with Debian 9 stable, the nftables framework is installed, ready to use. It is available through package installation in Debian development (Stretch) right now, simply type aptitude install nftables.
A release to Debian stable will almost certainly trickle the release downstream to all of the other major Debian based distributions such as Ubuntu in the near future. CentOS 7/RHEL 7 users can install nftables from the official Red Hat EPEL repo using yum today. At the time of writing CentOS ships version 0.6 and Debian 0.7. Ubuntu 16.04 LTS does have an older version (0.5), however I’d recommend waiting for a later version.
More information
To get further information, head over to the netfilter website, they have some really good documentation:
I don’t like Nftables because we don’t have an autocomplete syntax. By far firewalld has one. Just press Tab key and you will know what to do next. Another issue is related to CIDR notation. For example you cannot use CIDR notation in ipset’s. Even Nftables is solving some IPtables issues is far from being considered a replacement. The syntax is not intuitive. Why using ip for ipv4? Firewalld has a clear syntax ipv4 and ipv6. Using just ip is confusing