Differences between iptables and nftables explained
This article has last been updated at .
The seasoned Linux administrator will be familiar with iptables, the network traffic filter. If you have ever configured a Linux system with an Ethernet bridge, you might even have worked with ebtables. Or perhaps you wanted to filter ARP traffic and used arptables? Newcomer nftables has arrived with the purpose of replacing iptables, ip6tables, ebtables and arptables. As with every big upcoming change, it is good to know the differences. We explain what makes nftables different from iptables, and why you want to adopt it in the near future.
iptables vs nftables
Simplicity in syntax
The biggest change you might like is the simplicity. With iptables, we have to configure every single rule using a syntax that resembles normal command-line options: we run iptables with -A INPUT -s 192.168.1.20 and so on. With nftables, we have a much simpler syntax, which looks like BPF (Berkeley Packet Filter) and is inspired by the tcpdump syntax. This means shorter lines and less repetition.
Example:
nft add rule inet traffic-filter input tcp dport { 22, 80, 443 } accept
Combined rules
The example above includes another big improvement: combined rules. Instead of repeating a line for every single port, we can combine them in one rule. This is useful for UDP/TCP ports, and also for ICMP types.
Examples:
Configure IPv6 table and input chain
nft add table ip6 traffic-filter
nft add chain ip6 traffic-filter input { type filter hook input priority 0 \; }
Allow several IPv6 ICMP packets
nft add rule ip6 traffic-filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
Multiple actions
One rule can hold multiple actions. With iptables, this would mean splitting the logic over several rules and jumping to different chains.
nft add rule ip filter input ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain, icmp : jump icmp-chain }
Protocols combined
Like the option to combine multiple actions, nftables allows defining one rule that will support both IPv4 and IPv6. Much better than using iptables and ip6tables and synchronizing rules between the two.
Built-in support for sets
To use lists or sets with iptables, you need to install ipset. Nftables has integrated set support and it can be used more naturally within the configuration.
Concatenated value pairs
Within sets and maps, fields can be concatenated for further evaluation, for example the combination of an IP address with a port number. Instead of writing individual rules, this data can be put into a set or map and then referenced from a rule.
nft add element traffic-filter dict { 192.168.0.1 : drop, 192.168.0.2 : accept }
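The commands in the sections above each show one feature in isolation. The ruleset below, written in the nft -f file format, is an added example (not from the original article) that ties them together: a base chain with a hook, a port set, a protocol vmap, a counter, and a map keyed on the concatenation of source address and destination port. The table, chain and map names (traffic-filter, svc_policy, allowed_tcp, tcp-chain, udp-chain, icmp-chain) and the addresses are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the article); load with: nft -f filter.nft
flush ruleset

table inet traffic-filter {
    # Concatenated key: source address AND destination port select the verdict
    map svc_policy {
        type ipv4_addr . inet_service : verdict
        elements = { 192.168.0.1 . 22 : accept,
                     192.168.0.2 . 22 : drop }
    }

    # Port set; "flags interval" allows ranges next to single ports
    set allowed_tcp {
        type inet_service
        flags interval
        elements = { 80, 443, 8000-8080 }
    }

    chain tcp-chain {
        tcp dport @allowed_tcp counter accept
    }

    chain udp-chain {
        udp dport 53 accept
    }

    chain icmp-chain {
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, echo-request } accept
    }

    # Base chain: only a chain with a hook receives packets from the kernel
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Lookup on the concatenated key; unmatched packets fall through
        ip saddr . tcp dport vmap @svc_policy
        # One rule dispatches per protocol, the same as the vmap example above
        meta l4proto vmap { tcp : jump tcp-chain, udp : jump udp-chain, icmp : jump icmp-chain, ipv6-icmp : jump icmp-chain }
        # Anything still here is dropped by the chain policy; count and log it first
        log prefix "nft-drop " counter
    }
}
```

Check the file without applying it using nft -c -f filter.nft; the verdict map entry for 192.168.0.2 takes effect before the protocol dispatch, so that host never reaches tcp-chain on port 22.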
More flexibility
With iptables you have several default base chains. With nftables you always start with a blank slate. Just add what you need, from chains to rules.
Improved performance
One of the important changes is that nftables is optimized for speed. This is achieved by using data structures (sets and maps) that allow fast lookups in memory. These data structures can be used directly within rules. For example, a rule can state that a particular field, such as an IPv4 address, should be matched and a particular action (verdict) taken. This way nftables knows how to handle the fields and apply quicker lookups on them.
Intelligence and protocol support
The userland utility nft holds the intelligence on what is supported and passes it to the kernel. This means that when a new protocol needs to be supported, you don’t have to rebuild your kernel. Instead, extending the nft utility will in most cases be sufficient.
Easy data export
For those wanting to store the configuration, there is an export option available. Nftables supports exporting in XML and JSON output.
nft export json
Monitoring and logging
Optional counters
If you need counters for logging, nftables allows you to add them on demand. They are optional, to keep overhead at a minimum.
nft add rule inet traffic-filter input tcp dport ssh counter accept
Live tracing support
Troubleshooting rules in iptables is not that easy. The nftables developers created a tracing option that can be set on a rule. After it has been set, run the nft monitor trace command. You can optionally add one or more -n flags for more details.
nft -nn monitor trace
Conclusion
The features of nftables and its usage look very promising. Its simplicity in particular brings it more in line with the way pf works on BSD systems.
Did you find any other major difference which was not mentioned? Share it in the comments.