What is nftables?

From nftables wiki

Revision as of 12:40, 12 February 2021 by Fmyhr (talk | contribs) (clarify that xtables is legacy; some minor grammar changes)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

nftables is the new packet classification framework that replaces the legacy {ip,ip6,arp,eb}_tables (xtables) infrastructure. In a nutshell:

It is available in Linux kernels >= 3.13.

It comes with a new command line utility nft whose syntax is different to iptables.

It also comes with a compatibility layer that allows you to run iptables commands over the new nftables kernel framework.

It provides a generic set infrastructure that allows you to construct maps and concatenations. You can use these new structures to arrange your ruleset in a multidimensional tree which drastically reduces the number of rules that need to be inspected until reaching the final action on a packet.

Retrieved from "http://wiki.nftables.org/wiki-nftables/index.php?title=What_is_nftables%3F&oldid=680"