Linux 3.13 brings many features, and among them nftables makes its first official appearance. Nftables is a project dedicated to replacing the existing {ip, ip6, arp, eb}tables framework (better known as iptables). However, the nftables version in Linux 3.13 is still incomplete and lacks some important features, which will arrive in later Linux releases. Nftables can already be used in most scenarios, but complete support (that is, nftables taking priority over iptables) should come in Linux 3.15.
Nftables introduces a new command line tool, nft. Nft is a superset of iptables and its derivative commands (ip6tables, arptables), but it has a completely different syntax. Yes, if you are used to iptables, this is bad news. However, a compatibility layer lets you keep using iptables while the filtering itself is done by nftables in the kernel.
So far there is only a small amount of documentation. You can find my nftables quick-start guide, and some other preliminary documents will be published soon.
Command line examples
Multiple targets in a row
To log and then drop a packet with iptables, you must write two rules, one to log and one to drop:
- iptables -A FORWARD -p tcp --dport 22 -j LOG
- iptables -A FORWARD -p tcp --dport 22 -j DROP
With nft, you can combine the two targets in a single rule:
- nft add rule filter forward tcp dport 22 log drop
Convenient set creation
Suppose you want to allow packets to several different ports and also allow several icmpv6 types. With iptables, you must write rules similar to the following:
- ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
- ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
With nft, a set can be used in place of any element of the rule:
- nft add rule ip6 filter input tcp dport {telnet, http, https} accept
- nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
This is easier to write and more efficient on the filtering side, because you only need one rule per protocol.
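As an added example (not code from the original post or from the nftables project), the following Python script collapses consecutive ip6tables rules such as the ones above into one set-based nft rule per chain, protocol and verdict. It assumes the nft chain is named after the lowercased iptables chain (INPUT becomes input) and merges only adjacent rules, so a rule with a different verdict in between keeps its position and the original evaluation order is preserved.

```python
import re
# iptables --icmpv6-type names and the nft spellings used on this page
ICMPV6_NAMES = {"neighbor-solicitation": "nd-neighbor-solicit", "echo-request": "echo-request",
                "router-advertisement": "nd-router-advert", "neighbor-advertisement": "nd-neighbor-advert"}
VERDICTS = {"ACCEPT": "accept", "DROP": "drop"}  # LOG is not a verdict, so such rules stay unconverted
RULE_RE = re.compile(r"^(?:ip6?tables\s+)?-A\s+(?P<chain>\S+)\s+-p\s+(?P<proto>tcp|udp|icmpv6)\s+"
                     r"(?:-m\s+multiport\s+--dports\s+(?P<ports>\S+)|--dport\s+(?P<port>\S+)"
                     r"|--icmpv6-type\s+(?P<icmp>\S+))\s+-j\s+(?P<target>\S+)$")

def parse_rule(line):
    """Return (chain, nft match key, elements, verdict), or None if the rule is not handled."""
    m = RULE_RE.match(line.strip())
    # reject unknown targets and mismatched proto/match pairs such as "-p tcp --icmpv6-type"
    if not m or m["target"] not in VERDICTS or (m["proto"] == "icmpv6") != bool(m["icmp"]):
        return None
    if m["icmp"]:
        key, elems = "icmpv6 type", [ICMPV6_NAMES.get(m["icmp"], m["icmp"])]
    else:
        key, elems = f"{m['proto']} dport", (m["ports"] or m["port"]).split(",")
    # assumption: the nft chain carries the lowercased iptables chain name (INPUT -> input)
    return m["chain"].lower(), key, elems, VERDICTS[m["target"]]

def consolidate(lines, family="ip6", table="filter"):
    """Merge only *consecutive* rules with the same chain, match key and verdict into one
    set-based nft rule; non-adjacent rules are never merged, so evaluation order is preserved."""
    groups = []  # [chain, key, elems, verdict] per group, or a comment string for unhandled lines
    for line in lines:
        parsed = parse_rule(line)
        if parsed is None:
            groups.append("# not converted, review by hand: " + line.strip())
            continue
        chain, key, elems, verdict = parsed
        last = groups[-1] if groups else None
        if isinstance(last, list) and (last[0], last[1], last[3]) == (chain, key, verdict):
            last[2].extend(e for e in elems if e not in last[2])  # grow the set, skip duplicates
        else:
            groups.append([chain, key, list(elems), verdict])
    def render(g):
        match = g[2][0] if len(g[2]) == 1 else "{ " + ", ".join(g[2]) + " }"
        return f"nft add rule {family} {table} {g[0]} {g[1]} {match} {g[3]}"
    return [g if isinstance(g, str) else render(g) for g in groups]

SAMPLE = [  # constructed sample input: the ip6tables rules from the section above
    "ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT",
    "ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT",
    "ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT",
    "ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT",
    "ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT",
]
```

Running `consolidate(SAMPLE)` yields the two set-based rules shown above; a rule whose target is not a verdict (for example LOG) is emitted as a comment for manual review instead of being silently dropped.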
You can also name the set so that it can be used elsewhere:
- # nft -i # use interactive mode
- nft> add set global ipv4_ad { type ipv4_address;}
- nft> add element global ipv4_ad { 192.168.1.4, 192.168.1.5 }
- nft> add rule ip global filter ip saddr @ipv4_ad drop
Then, when a new attacker is detected:
- # nft -i
- nft> add element global ipv4_ad { 192.168.3.4 }
Mapping
An advanced feature of nftables is mapping. You can take different types of data and map them to one another. For example, you can map a network interface to a dedicated rule set (created earlier and stored in a chain). In this example, the chains are named low_sec and high_sec:
- # nft -i
- nft> add map filter jump_map { type ifindex : verdict; }
- nft> add element filter jump_map { eth0 : jump low_sec; }
- nft> add element filter jump_map { eth1 : jump high_sec; }
- nft> add rule filter input iif vmap @jump_map
Now, if for example a new dynamic interface ppp1 appears, filtering it is very easy: just add it to the jump_map mapping.
- nft> add element filter jump_map { ppp1 : jump low_sec; }
Operations and kernel
Faster updates
Adding a rule with iptables gets slower as the number of rules grows, which explains why calling an iptables script takes so long. This problem does not exist with nftables, which updates the ruleset with fast, atomic operations.
Fewer kernel updates
With iptables, every match or target must be backed by a kernel module. So if something is missing or you want to add a new feature, you need to recompile the kernel. This is not the case with nftables. In nftables, most of the work is done in user space, and the kernel only knows a few basic instructions (filtering is implemented with a pseudo-state machine). For example, icmpv6 support was added to nft with a simple patch, whereas in iptables such a change requires upgrading both the kernel and iptables.