Differences between iptables and nftables explained

The seasoned Linux administrator will be familiar with iptables, the network traffic filter. If you ever configured a Linux system with an ethernet bridge configuration, you might even have worked with ebtables. Or possibly you wanted to filter ARP traffic and used arptables? Newcomer nftables has arrived, with the purpose to replace iptables, ip6tables, ebtables and arptables. As with every big upcoming change, it is good to know the differences. We explain what makes nftables different to iptables, and why you want to adopt it in the near future.

iptables VS nftables

Simplicity in syntax

The biggest change you might like is the simplicity. With iptables, we have to configure every single rule and use the syntax which can be compared with normal commands. So we run iptables with -A INPUT -s 192.168.1.20 etc. With nftables, we have a much simpler syntax, which looks like BPF (Berkely Packet Filter). The syntax of nftables is inspired on the tcpdump syntax. This means shorter lines and less repetition.

Example:

nft add rule inet traffic-filter input tcp dport { 22, 80, 443 } accept

Combined rules

The example above includes another big improvement: combined rules. So instead of repeating lines for every single port, we can combine them. This is useful for UDP/TCP ports, and also ICMP types.

Examples:

Configure IPv6 table and input chain

nft add table ip6 traffic-filter nft add chain ip6 traffic-filter input

Allow several IPv6 ICMP packets

nft add rule ip6 traffic-filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

Multiple actions

One rule can hold multiple actions. With iptables, this would mean splitting rules, and jumping to different blocks.

nft add rule ip filter input ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain, icmp : jump icmp-chain }

Protocols combined

Like the option to combine multiple actions, nftables allows defining one rule that will support both IPv4 and IPv6. Much better than using iptables and ip6tables and synchronizing rules between the two.

Built-in support for sets

To use lists or sets with iptables, you need to install ipset. Nftables has integrated set support and it can be used more naturally within the configuration.

Concatenated value pairs

Within sets and maps, fields can be combined for further evaluation. For example the combination of an IP address with a port number. Instead of making individual rules, this data can be put into data array and then later used.

nft add element traffic-filter dict { 192.168.0.1 : drop, 192.168.0.2 : accept }

More flexibility

With iptables you have several default base chains. With nftables you always start with a blank slate. Just add what you need, from chains to rules.

Improved performance

One of the important changes is that nftables is optimized for speed. This is achieved by using data structures, which help with quick lookups in memory. These data structures can directly be used within rules. For example, you can tell in your rule that you want to use a particular field, like an IPv4 address and take a particular action (verdict). This way nftables knows how to handle the fields and apply quicker lookups on them.

Intelligence and protocol support

The userland utility nft holds the intelligence on what is supported and passes it to the kernel. This means that when a new protocol needs to be supported, you don’t have to rebuild your kernel. Instead, extending the nft utility will in most cases be sufficient.

Easy data export

For those wanting to store the configuration, there is an export option available. Nftables supports exporting in XML and JSON output.

nft export json

Monitoring and logging

Optional counters

If you need log counters, nftables allows you to set them on-demand. They are optional, to keep overhead at a minimum.

nft add rule inet traffic-filter input tcp dport ssh counter accept

Live tracing support

Troubleshooting rules in iptables is not that easy. The nftables developers created a tracing option that can be set on a rule. After it has been set, run the nft monitor trace command. You can optionally add one or more -n flags for more details.

nft -nn monitor trace

Conclusion

The features of nftables and its usage, look very promising. Especially its simplicity brings it more in line with the way pf works on BSD systems.

Did you find any other major difference which was not mentioned? Share it in the comments.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution.

Mastodon icon