Differences Between iptables and nftables Explained

iptables VS nftables

The seasoned Linux administrator will be familiar with iptables, the network traffic filter. If you ever configured a Linux system with an Ethernet bridge, you might even have worked with ebtables. Or possibly you wanted to filter ARP traffic and used arptables? Newcomer nftables has arrived with the purpose of replacing iptables, ip6tables, ebtables and arptables. As with every big upcoming change, it is good to know the differences. We explain what makes nftables different from iptables, and why you will want to adopt it in the near future.

Comparison Overview

Simplicity in Syntax

The biggest change you might like is the simplicity. With iptables, we have to configure every single rule with a command-line style syntax, one option per match: iptables -A INPUT -s 192.168.1.20 and so on. With nftables we have a much simpler syntax, which looks like BPF (Berkeley Packet Filter) and is inspired by the tcpdump syntax. This means shorter lines and less repetition.

Example:

nft add rule inet traffic-filter input tcp dport { 22, 80, 443 } accept

Combined Rules

The example above includes another big improvement: combined rules. Instead of repeating a rule for every single port, we can list the ports in one set and match them in a single rule. This works for UDP/TCP ports, and also for ICMP types.

Example:

# Configure IPv6 table and input chain
nft add table ip6 traffic-filter
nft add chain ip6 traffic-filter input
# Allow several IPv6 ICMP packets
nft add rule ip6 traffic-filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

Multiple Actions

One rule can hold multiple actions. With iptables, this means splitting the logic into separate rules, each jumping to its own chain. With nftables a verdict map (vmap) selects the action from a packet field in a single rule, here the IP protocol:

nft add rule ip filter input ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain, icmp : jump icmp-chain }

More Flexibility

With iptables you get several predefined base chains whether you use them or not. With nftables you always start with a blank slate: you add only what you need, from tables and chains to rules.

Improved Performance

One of the important changes is that nftables is optimized for speed. This is achieved with data structures (sets and maps) that allow quick lookups in memory, and these data structures can be used directly within rules. For example, you can state in your rule that a particular field, like an IPv4 address, is to be looked up in a set and that a particular action (verdict) follows. This way nftables knows the type of the field and can apply the faster lookup, instead of evaluating a long list of individual rules one by one.

Optional Counters

If you need per-rule packet and byte counters, nftables allows you to add them on demand. They are optional, to keep overhead at a minimum.

nft add rule inet traffic-filter input tcp dport ssh counter accept

Concatenated Value Pairs

Within sets and maps, fields can be combined (concatenated) for further evaluation, for example the combination of an IP address with a port number. Instead of writing individual rules, this data is put into a set or map and referenced from a rule later.

# Add address-to-verdict entries to the map 'dict' in table 'traffic-filter' (the address family defaults to ip when omitted)
nft add element traffic-filter dict { 192.168.0.1 : drop, 192.168.0.2 : accept }
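To show how the features from the previous sections (set-based port matching, ICMP type sets, verdict maps, optional counters and concatenated keys) fit together in a real ruleset, here is an added example that is not part of the original post. It emits a complete nftables ruleset file and wraps the two steps a practitioner wants: validate with nft -c (a dry run that does not change the kernel state) and then load with nft -f, which applies the flush and the new rules in one atomic transaction. Unlike the one-liners above, the chains carry a hook and a default-drop policy, so the rules actually see traffic. The table and chain names, the 192.168.0.x and 10.0.0.0/8 addresses and the port choices are constructed sample values.

```shell
#!/bin/sh
# Added example: a complete nftables ruleset that combines the features
# discussed in the post. Names and addresses below are constructed samples.

# Print the ruleset in nft script syntax. "flush ruleset" at the top means
# "nft -f" replaces whatever is loaded, atomically, instead of appending.
build_ruleset() {
    cat <<'EOF'
flush ruleset

table inet traffic-filter {
    # Named set of allowed TCP services: one rule instead of one per port
    set allowed-tcp {
        type inet_service
        elements = { 22, 80, 443 }
    }

    # Concatenated key: source address AND destination port select the verdict
    map admin-access {
        type ipv4_addr . inet_service : verdict
        elements = { 192.168.0.1 . 22 : accept,
                     192.168.0.2 . 22 : drop }
    }

    chain input {
        # Base chain: hooked into the input path, everything not accepted is dropped
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 neighbour discovery and ping, all in one rule
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
        icmp type echo-request accept

        # Look up address . port in the map; the map entry is the verdict
        ip saddr . tcp dport vmap @admin-access

        # Counter only on the rule where we want statistics
        tcp dport @allowed-tcp counter accept

        # Dispatch on the protocol field with a single verdict map
        ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain }
    }

    chain tcp-chain {
        # Sample: an internal-only service (10.0.0.0/8 is a constructed value)
        ip saddr 10.0.0.0/8 tcp dport 2222 accept
    }

    chain udp-chain {
        udp dport 53 accept
    }
}
EOF
}

# Validate first, then load. A syntax or type error makes "nft -c" fail,
# so a broken file never replaces the running ruleset. Needs root.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset > "$tmp"
    if nft -c -f "$tmp"; then
        nft -f "$tmp"
        rc=$?
    else
        echo "ruleset rejected by nft -c, nothing changed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Source the file and call apply_ruleset as root to install the rules, or run build_ruleset alone to review the generated file first. The map entry 192.168.0.2 . 22 : drop is evaluated before the allowed-tcp rule, so it wins for that address: rule order still matters with sets and maps, which is why the validate-then-load step is worth keeping in any deployment script.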

Intelligence and Protocol Support

The userland utility nft holds the intelligence on what is supported and passes it to the kernel. This means that when a new protocol needs to be supported, you don’t have to rebuild your kernel. Instead, extending the nft utility will in most cases be sufficient.

Easy Data Export

For those wanting to store the configuration, there is an export option available. XML and JSON output are currently supported formats.

# Dump the current ruleset in JSON format
nft export json

Conclusion

The features of nftables and its usage look very promising. Especially its simplicity brings it more in line with the way pf works on BSD systems.

Did you find any other major difference which was not mentioned? Share it in the comments.

Lynis Enterprise


This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have any compliance in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)