I. What is nftables?
nftables is the new packet classification framework, a new Linux firewall management subsystem designed to replace the existing {ip,ip6,arp,eb}_tables. In a nutshell:
It is available in Linux kernel versions 3.13 and above.
It has a new command-line tool, nft, whose syntax differs from that of iptables.
It also contains a compatibility layer that lets you run the iptables command on top of the new nftables kernel framework.
It provides a generic set infrastructure that allows you to build maps and concatenations. You can use this new feature to arrange your rule set as a multidimensional tree, which greatly reduces the number of rules that must be checked before the final verdict for a packet is found.
II. Characteristics of nftables
It has some features of a higher-level language, such as defining variables and including external files, and can be used together with additional scripts. nftables can also filter and process multiple address sets at once.
Unlike iptables, nftables does not contain any built-in tables. The administrator decides which tables are needed and adds processing rules to those tables.
A table contains chains, and a chain contains rules.
III. Advantages compared to iptables
Faster updates. Adding a rule to iptables becomes very slow as the number of rules increases, which explains why a script that calls iptables repeatedly takes a long time to complete. This problem does not exist in nftables, which uses fast atomic operations to update the rule set.
Fewer kernel updates. With iptables, each match or target requires support from a kernel module, so if you forgot something or want to add a new feature, you need to recompile the kernel. There is no such situation in nftables: most of the work is done in userspace, and the kernel only knows a few basic instructions (filtering is implemented by a pseudo-state machine). For example, ICMPv6 support was implemented through a simple patch to the nft tool; the same change in iptables would require upgrading both the kernel and iptables.
IV. Basic operations
1. Add
Add a table: nft add table filter
Add a chain: nft add chain filter input { type filter hook input priority 0 \; } # attaches the chain to the input hook
Add a rule: nft add rule filter input tcp dport
2. Delete
Just change add in the commands above to delete.
3. Modify
Rename a chain with rename.
Replace a rule with replace.
4. List
nft list ruleset # list all rules
nft list tables # list all tables
nft list table filter # list the filter table
nft list chain filter input # list the input chain of the filter table
The commands above also accept -nn to skip resolving IP addresses and ports,
and -a to display rule handles.
For operating manuals, refer to the nftables wiki and the nftables man page.
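The basic operations above, worked through on a small hypothetical filter table as an added example (not from the original article). The rule set is loaded with nft -f as one atomic transaction, the point made in section III; the nft calls only run as root with NFT_APPLY=1 set, otherwise the script just prints the rule set it would load.

```sh
#!/bin/sh
# Added example, not from the original article. Assumes a hypothetical
# "filter" table in the ip family (the default when no family is given)
# and a host with nft installed. The nft commands run only as root with
# NFT_APPLY=1; otherwise the rule set is printed instead.
set -eu

# The whole rule set as an nft script. `nft -f` applies every line in one
# atomic transaction, so the kernel never sees a half-built rule set.
ruleset() {
cat <<'EOF'
add table ip filter
add chain ip filter input { type filter hook input priority 0 ; policy drop ; }
add rule ip filter input iif lo accept
add rule ip filter input ct state established,related accept
add rule ip filter input tcp dport 22 counter accept
EOF
}

# Number of `add rule` lines in the script above.
rule_count() {
    ruleset | grep -c '^add rule '
}

if [ "${NFT_APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
    # 1. add: load table, chain and rules atomically from stdin
    ruleset | nft -f -
    # 4. list: -a prints rule handles, -nn skips address and port lookups
    nft -a -nn list table ip filter
    # 3. modify: rename the chain, then replace a rule by its handle
    nft rename chain ip filter input incoming
    handle=$(nft -a list chain ip filter incoming |
             sed -n 's/.*tcp dport 22 .*# handle \([0-9]*\)$/\1/p')
    nft replace rule ip filter incoming handle "$handle" \
        tcp dport 22 ct state new counter accept
    # 2. delete: a single rule by handle, then the whole table with its chains
    nft delete rule ip filter incoming handle "$handle"
    nft delete table ip filter
else
    echo "dry run (set NFT_APPLY=1 and run as root to apply); rule set:"
    ruleset
fi
```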
Linux Nftables Introduction and basic operations