http://wiki.nftables.org/wiki-nftables/api.php?action=feedcontributions&feedformat=atom&user=Rmartinnftables wiki - User contributions [en]2026-05-21T17:17:56ZUser contributionsMediaWiki 1.43.6http://wiki.nftables.org/wiki-nftables/index.php?title=Adoption&diff=584Adoption2020-12-02T22:56:28Z<p>Rmartin: /* Supporting nftables */ add keepalive</p>
<hr />
<div>This page offers some light and data about current '''nftables adoption''' in the wider community.<br />
As you probably know, the focus of the Netfilter project and community is in replacing the iptables framework with nftables, adding brand new features and refreshing some workflows along the way.<br />
<br />
Lots of upstream projects use iptables to handle NAT, filtering, mangling or other networking stuff.<br />
Here, the info we know about them, their relationship with nftables and the possibilities for them to migrate to nftables.<br />
<br />
= Cases =<br />
<br />
Known cases and examples we could heard of. '''TODO: extend with more current data'''.<br />
<br />
All major Linux distributions contains the nftables framework ready to use. Check [[Nftables from distributions]].<br />
<br />
== system / firewalling / management ==<br />
<br />
=== Supporting nftables ===<br />
<br />
The following projects are known to either directly support nftables or have authors actively working on nftables integration.<br />
<br />
* https://www.fail2ban.org/ -- the fail2ban tool already includes native support for nftables.<br />
* https://firewalld.org/ -- firewalld by RedHat is currently developing a native integration with nftables.<br />
* https://suricata-ids.org/ -- suricata can work natively with nftables ([https://home.regit.org/2014/02/suricata-and-nftables/ link])<br />
* https://keepalived.org/ -- keepalived works natively with nftables ([https://github.com/acassen/keepalived/issues/924])<br />
<br />
=== Supporting iptables only ===<br />
<br />
The following projects are known to only support iptables/iptables-nft, with no plans to support nftables in the future.<br />
<br />
* http://ferm.foo-projects.org/ -- [https://github.com/MaxKellermann/ferm/issues/35#issuecomment-386091563 citation]<br />
* https://shorewall.org/ -- [https://sourceforge.net/p/shorewall/mailman/message/35458915/ citation]<br />
<br />
== virtualization / cloud / infrastructure ==<br />
<br />
* https://github.com/zevenet/nftlb -- nftlb by Zevenet is a nftables-based loadbalancer which can outperform LVS by 10x<br />
* https://www.docker.com/ -- Some discussion happened in the Docker community regarding a native integration with nftables, which could ease some of their use cases ([https://github.com/moby/moby/issues/26824 link]) ([https://github.com/robbertkl/docker-ipv6nat/issues/17 link]) ([https://stephank.nl/p/2017-06-05-ipv6-on-production-docker.html running docker with IPv6 using nftables])<br />
* https://kubernetes.io/ -- Kubernetes does not support nftables yes, but some discussion happened already ([https://github.com/kubernetes/kubernetes/issues/45385 link]). Compat tools may be used to trick kubernetes into using nftables transparently.<br />
* http://openstack.org/ -- Openstack does not support nftables yet. Compat tools may be used to trick neutron and other components into using nftables transparently.<br />
* https://libvirt.org/ -- there are reports of people running libvirt with nftables for bridge filtering for virtual machines<br />
* https://saltstack.com/ -- SaltStack includes native support for nftables ([https://docs.saltstack.com/en/latest/ref/states/all/salt.states.nftables.html link]).<br />
* https://coreos.com/ -- the CoreOS ecosystem includes native support for nftables ([https://github.com/coreos/coreos-overlay/pull/2662 link])<br />
<br />
== others ==<br />
<br />
* https://openwrt.org/ -- there are reports of people running nftables rather than iptables in openwrt systems<br />
* https://www.cica.es/ -- this regional [https://en.wikipedia.org/wiki/National_research_and_education_network NREN] uses nftables in the datacenter for their perimetral firewalls ([http://workshop.netfilter.org/2017/wiki/index.php/Developer_days.html#nftables_at_CICA.2C_our_experience slides])<br />
* [[Nftables from distributions]] -- all major Linux distribution already include nftables ready to use<br />
* https://www.nano-editor.org/ -- The nano editor includes syntax highlighting for nftables in files with .nft name extension or nft shebang<br />
* https://github.com/nfnty/vim-nftables -- the VIM editor includes syntax highlighting for nftables<br />
* [https://github.com/ipr-cnrs Institut de Physique de Rennes] -- this french research entity seems to be using nftables with ansible ([https://github.com/ipr-cnrs/nftables link])<br />
* VPN -- nftables can be combined with other software packages like OpenVPN to build great VPN solutions ([http://ral-arturo.org/2017/04/07/openvpn-debian-stretch.html link])<br />
* [https://github.com/mdlayher/netlink netlink golang package] -- the Golang Netlink package got batching support to be able to work with nftables ([https://github.com/mdlayher/netlink/issues/81 link])<br />
* [https://github.com/google/nftables nftables golang library] -- This nftables golang integration library was made by Google<br />
<br />
= See also =<br />
<br />
* [[Moving from iptables to nftables]]<br />
* [[Moving from ipset to nftables]]<br />
* [[List of updates since Linux kernel 3.13]]<br />
* [[Supported features compared to xtables]]<br />
* [[List of available translations via iptables-translate tool]]</div>Rmartin