http://wiki.nftables.org/wiki-nftables/index.php?title=Main_differences_with_iptables&feed=atom&action=history
Main differences with iptables - Revision history
2024-03-29T05:51:10Z
Revision history for this page on the wiki
MediaWiki 1.36.4

http://wiki.nftables.org/wiki-nftables/index.php?title=Main_differences_with_iptables&diff=747&oldid=prev
Fmyhr: linked nft update page
2021-02-18T10:51:47Z
<p>linked nft update page</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 10:51, 18 February 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l17">Line 17:</td>
<td colspan="2" class="diff-lineno">Line 17:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* '''Support for [[concatenations]].''' Since Linux kernel 4.1, you can concatenate several keys and combine them with [[maps]] and [[Verdict_Maps_(vmaps) | verdict maps]]. The idea is to build a tuple whose values are hashed to obtain the action to be performed nearly O(1).</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* '''Support for [[concatenations]].''' Since Linux kernel 4.1, you can concatenate several keys and combine them with [[maps]] and [[Verdict_Maps_(vmaps) | verdict maps]]. The idea is to build a tuple whose values are hashed to obtain the action to be performed nearly O(1).</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* '''Support new protocols without a kernel upgrade'''. Kernel upgrades can be a time-consuming and daunting task, especially if you have to maintain more than a single firewall in your network. Distribution kernels usually lag the newest release. With the new nftables virtual machine approach, supporting a new protocol will often not require a new kernel, just a relatively simple ''nft'' userspace software update.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* '''Support new protocols without a kernel upgrade'''. Kernel upgrades can be a time-consuming and daunting task, especially if you have to maintain more than a single firewall in your network. Distribution kernels usually lag the newest release. With the new nftables virtual machine approach, supporting a new protocol will often not require a new kernel, just a relatively simple <ins style="font-weight: bold; text-decoration: none;">[[List_of_updates_in_the_nft_command_line_tool|</ins>''nft'' userspace software update<ins style="font-weight: bold; text-decoration: none;">]]</ins>.</div></td></tr>
</table>
Fmyhr

http://wiki.nftables.org/wiki-nftables/index.php?title=Main_differences_with_iptables&diff=742&oldid=prev
Fmyhr: Edited for clarity.
2021-02-17T17:53:01Z
<p>Edited for clarity.</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 17:53, 17 February 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">The main </del>differences between <del style="font-weight: bold; text-decoration: none;">''</del>nftables<del style="font-weight: bold; text-decoration: none;">'' </del>and <del style="font-weight: bold; text-decoration: none;">''</del>iptables<del style="font-weight: bold; text-decoration: none;">'' </del>from the user point of view are:</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Some key </ins>differences between nftables and iptables from the user point of view are:</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* <del style="font-weight: bold; text-decoration: none;">The </del>'''syntax'''. The ''iptables'' command line tool uses a getopt_long()-based parser where keys are always preceded by double minus, eg. ''--key'' or one single minus, eg. ''-p tcp''. In <del style="font-weight: bold; text-decoration: none;">that regard</del>, <del style="font-weight: bold; text-decoration: none;">''</del>nftables<del style="font-weight: bold; text-decoration: none;">'' </del>uses <del style="font-weight: bold; text-decoration: none;">nicer, more intuitive and more </del>compact syntax <del style="font-weight: bold; text-decoration: none;">which is </del>inspired by ''tcpdump''. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* '''<ins style="font-weight: bold; text-decoration: none;">nftables uses a new </ins>syntax'''. The ''iptables'' command line tool uses a getopt_long()-based parser where keys are always preceded by double minus, eg. ''--key'' or one single minus, eg. ''-p tcp''. In <ins style="font-weight: bold; text-decoration: none;">contrast</ins>, nftables uses <ins style="font-weight: bold; text-decoration: none;">a </ins>compact syntax inspired by ''tcpdump''. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* '''Tables and chains are fully configurable<del style="font-weight: bold; text-decoration: none;">'''</del>. <del style="font-weight: bold; text-decoration: none;">In </del>''<del style="font-weight: bold; text-decoration: none;">nftables</del>'<del style="font-weight: bold; text-decoration: none;">', tables are containers of chains (and other objects like sets, maps, flowtables and stateful objects) with no specific semantics. Note that </del>''iptables'' <del style="font-weight: bold; text-decoration: none;">comes with </del>tables <del style="font-weight: bold; text-decoration: none;">with a predefined number of </del>base chains<del style="font-weight: bold; text-decoration: none;">, you get them in an all or nothing fashion. Thus</del>, all <del style="font-weight: bold; text-decoration: none;">chains </del>are registered even if you only need one of them. <del style="font-weight: bold; text-decoration: none;">We got </del>reports <del style="font-weight: bold; text-decoration: none;">in the past that </del>unused base chains <del style="font-weight: bold; text-decoration: none;">are </del>harming performance, <del style="font-weight: bold; text-decoration: none;">even if </del>you add <del style="font-weight: bold; text-decoration: none;">no rules at all</del>. <del style="font-weight: bold; text-decoration: none;">With this new approach, </del>you <del style="font-weight: bold; text-decoration: none;">can just </del>register the chains that you need <del style="font-weight: bold; text-decoration: none;">depending on your setup</del>. 
<del style="font-weight: bold; text-decoration: none;">Moreover, you can also model your pipeline using the </del>chain priorities <del style="font-weight: bold; text-decoration: none;">in the way you need and select any name for </del>your <del style="font-weight: bold; text-decoration: none;">tables and chains</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* '''Tables and chains are fully configurable.''' ''iptables'' <ins style="font-weight: bold; text-decoration: none;">has multiple pre-defined </ins>tables <ins style="font-weight: bold; text-decoration: none;">and </ins>base chains, all <ins style="font-weight: bold; text-decoration: none;">of which </ins>are registered even if you only need one of them. <ins style="font-weight: bold; text-decoration: none;">There have been </ins>reports <ins style="font-weight: bold; text-decoration: none;">of even </ins>unused base chains harming performance<ins style="font-weight: bold; text-decoration: none;">. With nftables there are no pre-defined tables or chains. Each table is explicitly defined, and contains only the objects (chains</ins>, <ins style="font-weight: bold; text-decoration: none;">sets, maps, flowtables and stateful objects) that </ins>you <ins style="font-weight: bold; text-decoration: none;">explicitly </ins>add <ins style="font-weight: bold; text-decoration: none;">to it</ins>. <ins style="font-weight: bold; text-decoration: none;">Now </ins>you register <ins style="font-weight: bold; text-decoration: none;">only </ins>the <ins style="font-weight: bold; text-decoration: none;">base </ins>chains that you need. 
<ins style="font-weight: bold; text-decoration: none;">You choose table and </ins>chain <ins style="font-weight: bold; text-decoration: none;">names and netfilter hook </ins>priorities <ins style="font-weight: bold; text-decoration: none;">that efficiently implement </ins>your <ins style="font-weight: bold; text-decoration: none;">specific packet processing pipeline</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* '''<del style="font-weight: bold; text-decoration: none;">No distinction between matches and targets anymore'''</del>. <del style="font-weight: bold; text-decoration: none;">In </del>'<del style="font-weight: bold; text-decoration: none;">'nftables</del>'', <del style="font-weight: bold; text-decoration: none;">the ''</del>expressions<del style="font-weight: bold; text-decoration: none;">'' are the basic building block of rule, thus, </del>a <del style="font-weight: bold; text-decoration: none;">rule is basically </del>a <del style="font-weight: bold; text-decoration: none;">composite of </del>expressions <del style="font-weight: bold; text-decoration: none;">that is </del>linearly evaluated from left to right: if the first expression matches, then the next expression is evaluated and so on <del style="font-weight: bold; text-decoration: none;">until </del>we reach the <del style="font-weight: bold; text-decoration: none;">last </del>expression <del style="font-weight: bold; text-decoration: none;">that is part </del>of the rule. 
<del style="font-weight: bold; text-decoration: none;">An expression can match some specific payload field</del>, packet<del style="font-weight: bold; text-decoration: none;">/flow metadata and any action</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* '''<ins style="font-weight: bold; text-decoration: none;">A single nftables rule can take multiple actions</ins>.''' <ins style="font-weight: bold; text-decoration: none;">Instead of the matches and single target action used in iptables</ins>, <ins style="font-weight: bold; text-decoration: none;">an nftables rule consists of zero or more </ins>expressions <ins style="font-weight: bold; text-decoration: none;">followed by one or more statements. Each expression tests whether </ins>a <ins style="font-weight: bold; text-decoration: none;">packet matches </ins>a <ins style="font-weight: bold; text-decoration: none;">specific payload field or packet/flow metadata. Multiple </ins>expressions <ins style="font-weight: bold; text-decoration: none;">are </ins>linearly evaluated from left to right: if the first expression matches, then the next expression is evaluated and so on<ins style="font-weight: bold; text-decoration: none;">. If </ins>we reach the <ins style="font-weight: bold; text-decoration: none;">final </ins>expression<ins style="font-weight: bold; text-decoration: none;">, then the packet matches all </ins>of <ins style="font-weight: bold; text-decoration: none;">the expressions in </ins>the rule<ins style="font-weight: bold; text-decoration: none;">, and the rule's statements are executed</ins>. 
<ins style="font-weight: bold; text-decoration: none;">Each statement takes an action, such as setting the netfilter mark, counting the packet, logging the packet</ins>, <ins style="font-weight: bold; text-decoration: none;">or rendering a verdict such as accepting or dropping the </ins>packet <ins style="font-weight: bold; text-decoration: none;">or jumping to another chain. As with expressions, multiple statements are linearly evaluated from left to right: a single rule can take multiple actions by using multiple statements. Do note that a verdict statement by its nature ends the rule</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* '''<del style="font-weight: bold; text-decoration: none;">You can specify several actions </del>in <del style="font-weight: bold; text-decoration: none;">one single </del>rule'''<del style="font-weight: bold; text-decoration: none;">. </del>In <del style="font-weight: bold; text-decoration: none;">''iptables'' </del>you can <del style="font-weight: bold; text-decoration: none;">only specify one single target. This has been a longstanding limitation that users resolve by jumping to custom chains at the cost of making the rule-set structure slightly more complex</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* '''<ins style="font-weight: bold; text-decoration: none;">No built-</ins>in <ins style="font-weight: bold; text-decoration: none;">counter per chain and </ins>rule<ins style="font-weight: bold; text-decoration: none;">.</ins>''' In <ins style="font-weight: bold; text-decoration: none;">nftables counters are optional, </ins>you can <ins style="font-weight: bold; text-decoration: none;">enable them as needed</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* '''<del style="font-weight: bold; text-decoration: none;">No built-in counter per chain and rules</del>'''<del style="font-weight: bold; text-decoration: none;">. </del>In <del style="font-weight: bold; text-decoration: none;">''</del>nftables<del style="font-weight: bold; text-decoration: none;">''</del>, <del style="font-weight: bold; text-decoration: none;">these are optional so you can enable counters on demand</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* '''<ins style="font-weight: bold; text-decoration: none;">Better support for dynamic ruleset updates.</ins>''' In <ins style="font-weight: bold; text-decoration: none;">contrast to the monolithic blob used by iptables, </ins>nftables <ins style="font-weight: bold; text-decoration: none;">rulesets are represented internally in a linked list. Now adding or deleting a rule leaves the rest of the ruleset untouched</ins>, <ins style="font-weight: bold; text-decoration: none;">simplifying maintenance of internal state information</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* '''<del style="font-weight: bold; text-decoration: none;">Better support for dynamic ruleset updates</del>'''<del style="font-weight: bold; text-decoration: none;">. In </del>''<del style="font-weight: bold; text-decoration: none;">nftables</del>''<del style="font-weight: bold; text-decoration: none;">, if </del>you <del style="font-weight: bold; text-decoration: none;">add a new rule, the remaining existing ones are left untouched since the ruleset </del>is <del style="font-weight: bold; text-decoration: none;">represented in a linked-list contrary </del>to <del style="font-weight: bold; text-decoration: none;">the monolithic blob representation in which the maintainance of the internal state information is complicated when performing </del>ruleset <del style="font-weight: bold; text-decoration: none;">updates</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* '''<ins style="font-weight: bold; text-decoration: none;">Simplified dual stack IPv4/IPv6 administration.</ins>''' <ins style="font-weight: bold; text-decoration: none;">The nftables </ins>''<ins style="font-weight: bold; text-decoration: none;">inet</ins>'' <ins style="font-weight: bold; text-decoration: none;">family allows </ins>you <ins style="font-weight: bold; text-decoration: none;">to register base chains that see both IPv4 and IPv6 traffic. It </ins>is <ins style="font-weight: bold; text-decoration: none;">no longer necessary </ins>to <ins style="font-weight: bold; text-decoration: none;">rely on scripts to duplicate your </ins>ruleset.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* '''<del style="font-weight: bold; text-decoration: none;">Simplified dual stack IPv4/IPv6 administration</del>''', <del style="font-weight: bold; text-decoration: none;">through the new </del>''<del style="font-weight: bold; text-decoration: none;">inet</del>'' <del style="font-weight: bold; text-decoration: none;">family which allows you </del>to <del style="font-weight: bold; text-decoration: none;">register base chains that see both IPv4 and IPv6 </del>traffic<del style="font-weight: bold; text-decoration: none;">. Thus, you don't need to rely on scripts to duplicate your ruleset anymore</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* '''<ins style="font-weight: bold; text-decoration: none;">New generic [[sets|set]] infrastructure</ins>'''<ins style="font-weight: bold; text-decoration: none;">. This infrastructure integrates tightly into the nftables core and allows advanced configurations such as [[maps]]</ins>, <ins style="font-weight: bold; text-decoration: none;">[[Verdict_Maps_(vmaps) | verdict&nbsp;maps]] and [[intervals]] to achieve performance-oriented packet classification. The most important thing is that you can use </ins>''<ins style="font-weight: bold; text-decoration: none;">any</ins>'' <ins style="font-weight: bold; text-decoration: none;">supported selector </ins>to <ins style="font-weight: bold; text-decoration: none;">classify </ins>traffic.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* '''<del style="font-weight: bold; text-decoration: none;">Generic </del>[[<del style="font-weight: bold; text-decoration: none;">sets|set</del>]] <del style="font-weight: bold; text-decoration: none;">and [[maps|map]] infrastructure</del>'''. <del style="font-weight: bold; text-decoration: none;">This new infrastructure integrates tightly into the nftables core </del>and <del style="font-weight: bold; text-decoration: none;">it allows advanced configurations such as </del>[[maps]]<del style="font-weight: bold; text-decoration: none;">, </del>[[Verdict_Maps_(vmaps) | verdict<del style="font-weight: bold; text-decoration: none;">&nbsp;</del>maps]] <del style="font-weight: bold; text-decoration: none;">and [[intervals]] to achieve performance-oriented packet classification</del>. 
The <del style="font-weight: bold; text-decoration: none;">most important thing </del>is <del style="font-weight: bold; text-decoration: none;">that you can use ''any'' supported selector </del>to <del style="font-weight: bold; text-decoration: none;">classify traffic</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* '''<ins style="font-weight: bold; text-decoration: none;">Support for </ins>[[<ins style="font-weight: bold; text-decoration: none;">concatenations</ins>]]<ins style="font-weight: bold; text-decoration: none;">.</ins>''' <ins style="font-weight: bold; text-decoration: none;">Since Linux kernel 4</ins>.<ins style="font-weight: bold; text-decoration: none;">1, you can concatenate several keys </ins>and <ins style="font-weight: bold; text-decoration: none;">combine them with </ins>[[maps]] <ins style="font-weight: bold; text-decoration: none;">and </ins>[[Verdict_Maps_(vmaps) | verdict maps]]. The <ins style="font-weight: bold; text-decoration: none;">idea </ins>is to <ins style="font-weight: bold; text-decoration: none;">build a tuple whose values are hashed to obtain the action to be performed nearly O(1)</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* '''Support <del style="font-weight: bold; text-decoration: none;">for [[concatenations]]'''. Since Linux kernel 4.1, you can concatenate several keys and combine them with [[maps]] and [[Verdict_Maps_(vmaps) | verdict maps]]. The idea is to build a tuple whose values are hashed to obtain the action to be performed nearly O(1).</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* '''Support <ins style="font-weight: bold; text-decoration: none;">new </ins>protocols without <ins style="font-weight: bold; text-decoration: none;">a </ins>kernel <ins style="font-weight: bold; text-decoration: none;">upgrade</ins>'''. Kernel upgrades can be a <ins style="font-weight: bold; text-decoration: none;">time-consuming </ins>and daunting task<ins style="font-weight: bold; text-decoration: none;">, especially </ins>if you have to maintain more than <ins style="font-weight: bold; text-decoration: none;">a </ins>single firewall in your network. <ins style="font-weight: bold; text-decoration: none;">Distribution kernels </ins>usually <ins style="font-weight: bold; text-decoration: none;">lag the newest release</ins>. With the new nftables virtual machine approach, <ins style="font-weight: bold; text-decoration: none;">supporting a new protocol </ins>will <ins style="font-weight: bold; text-decoration: none;">often </ins>not <ins style="font-weight: bold; text-decoration: none;">require </ins>a new <ins style="font-weight: bold; text-decoration: none;">kernel, just a </ins>relatively simple ''nft'' userspace software update.</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">* '''New supported </del>protocols without kernel <del style="font-weight: bold; text-decoration: none;">upgrades</del>'''. Kernel upgrades can be a <del style="font-weight: bold; text-decoration: none;">timeconsuming </del>and daunting task<del style="font-weight: bold; text-decoration: none;">. Specifically </del>if you have to maintain more than <del style="font-weight: bold; text-decoration: none;">one </del>single firewall in your network. <del style="font-weight: bold; text-decoration: none;">Distributors </del>usually <del style="font-weight: bold; text-decoration: none;">include a bit older Linux kernel versions for stability reasons</del>. With the new nftables virtual machine approach, <del style="font-weight: bold; text-decoration: none;">you </del>will <del style="font-weight: bold; text-decoration: none;">most likely </del>not <del style="font-weight: bold; text-decoration: none;">need such upgrade to support </del>a new <del style="font-weight: bold; text-decoration: none;">protocol. A </del>relatively simple ''nft'' userspace software update <del style="font-weight: bold; text-decoration: none;">should be enough to support new protocols</del>.</div></td><td colspan="2"></td></tr>
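Review bot: the counters bullet in the new revision is a comma splice, "In nftables counters are optional, you can enable them as needed."; a semicolon or full stop after "optional" would read better. The syntax bullet also keeps "eg." twice in both revisions, where the standard abbreviation is "e.g.".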
</table>Fmyhrhttp://wiki.nftables.org/wiki-nftables/index.php?title=Main_differences_with_iptables&diff=741&oldid=prevFmyhr: parenthetical note that tables contain objects other than just chains2021-02-17T16:26:07Z<p>parenthetical note that tables contain objects other than just chains</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 16:26, 17 February 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l3">Line 3:</td>
<td colspan="2" class="diff-lineno">Line 3:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* The '''syntax'''. The ''iptables'' command line tool uses a getopt_long()-based parser where keys are always preceded by double minus, eg. ''--key'' or one single minus, eg. ''-p tcp''. In that regard, ''nftables'' uses nicer, more intuitive and more compact syntax which is inspired by ''tcpdump''. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* The '''syntax'''. The ''iptables'' command line tool uses a getopt_long()-based parser where keys are always preceded by double minus, eg. ''--key'' or one single minus, eg. ''-p tcp''. In that regard, ''nftables'' uses nicer, more intuitive and more compact syntax which is inspired by ''tcpdump''. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* '''Tables and chains are fully configurable'''. In ''nftables'', tables are <del style="font-weight: bold; text-decoration: none;">container </del>of chains with no specific semantics. Note that ''iptables'' comes with tables with a predefined number of base chains, you get them in an all or nothing fashion. Thus, all chains are registered even if you only need one of them. We got reports in the past that unused base chains are harming performance, even if you add no rules at all. With this new approach, you can just register the chains that you need depending on your setup. Moreover, you can also model your pipeline using the chain priorities in the way you need and select any name for your tables and chains.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* '''Tables and chains are fully configurable'''. In ''nftables'', tables are <ins style="font-weight: bold; text-decoration: none;">containers </ins>of chains <ins style="font-weight: bold; text-decoration: none;">(and other objects like sets, maps, flowtables and stateful objects) </ins>with no specific semantics. Note that ''iptables'' comes with tables with a predefined number of base chains, you get them in an all or nothing fashion. Thus, all chains are registered even if you only need one of them. We got reports in the past that unused base chains are harming performance, even if you add no rules at all. With this new approach, you can just register the chains that you need depending on your setup. 
Moreover, you can also model your pipeline using the chain priorities in the way you need and select any name for your tables and chains.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* '''No distinction between matches and targets anymore'''. In ''nftables'', the ''expressions'' are the basic building block of rule, thus, a rule is basically a composite of expressions that is linearly evaluated from left to right: if the first expression matches, then the next expression is evaluated and so on until we reach the last expression that is part of the rule. An expression can match some specific payload field, packet/flow metadata and any action.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* '''No distinction between matches and targets anymore'''. In ''nftables'', the ''expressions'' are the basic building block of rule, thus, a rule is basically a composite of expressions that is linearly evaluated from left to right: if the first expression matches, then the next expression is evaluated and so on until we reach the last expression that is part of the rule. An expression can match some specific payload field, packet/flow metadata and any action.</div></td></tr>
</table>Fmyhrhttp://wiki.nftables.org/wiki-nftables/index.php?title=Main_differences_with_iptables&diff=674&oldid=prevFmyhr: another dictionary -> vmap2021-02-12T10:49:30Z<p>another dictionary -> vmap</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 10:49, 12 February 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l17">Line 17:</td>
<td colspan="2" class="diff-lineno">Line 17:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* '''Generic [[sets|set]] and [[maps|map]] infrastructure'''. This new infrastructure integrates tightly into the nftables core and it allows advanced configurations such as [[maps]], [[Verdict_Maps_(vmaps) | verdict&nbsp;maps]] and [[intervals]] to achieve performance-oriented packet classification. The most important thing is that you can use ''any'' supported selector to classify traffic.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* '''Generic [[sets|set]] and [[maps|map]] infrastructure'''. This new infrastructure integrates tightly into the nftables core and it allows advanced configurations such as [[maps]], [[Verdict_Maps_(vmaps) | verdict&nbsp;maps]] and [[intervals]] to achieve performance-oriented packet classification. The most important thing is that you can use ''any'' supported selector to classify traffic.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* '''Support for [[concatenations]]'''. Since Linux kernel 4.1, you can concatenate several keys and combine them with [[<del style="font-weight: bold; text-decoration: none;">dictionaries</del>]] and [[maps]]. The idea is to build a tuple whose values are hashed to obtain the action to be performed nearly O(1).</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* '''Support for [[concatenations]]'''. Since Linux kernel 4.1, you can concatenate several keys and combine them with [[<ins style="font-weight: bold; text-decoration: none;">maps</ins>]] and [[<ins style="font-weight: bold; text-decoration: none;">Verdict_Maps_(vmaps) | verdict </ins>maps]]. The idea is to build a tuple whose values are hashed to obtain the action to be performed nearly O(1).</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* '''New supported protocols without kernel upgrades'''. Kernel upgrades can be a timeconsuming and daunting task. Specifically if you have to maintain more than one single firewall in your network. Distributors usually include a bit older Linux kernel versions for stability reasons. With the new nftables virtual machine approach, you will most likely not need such upgrade to support a new protocol. A relatively simple ''nft'' userspace software update should be enough to support new protocols.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* '''New supported protocols without kernel upgrades'''. Kernel upgrades can be a timeconsuming and daunting task. Specifically if you have to maintain more than one single firewall in your network. Distributors usually include a bit older Linux kernel versions for stability reasons. With the new nftables virtual machine approach, you will most likely not need such upgrade to support a new protocol. A relatively simple ''nft'' userspace software update should be enough to support new protocols.</div></td></tr>
</table>Fmyhrhttp://wiki.nftables.org/wiki-nftables/index.php?title=Main_differences_with_iptables&diff=673&oldid=prevFmyhr: dictionaries -> verdict maps2021-02-12T10:47:25Z<p>dictionaries -> verdict maps</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 10:47, 12 February 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l15">Line 15:</td>
<td colspan="2" class="diff-lineno">Line 15:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* '''Simplified dual stack IPv4/IPv6 administration''', through the new ''inet'' family which allows you to register base chains that see both IPv4 and IPv6 traffic. Thus, you don't need to rely on scripts to duplicate your ruleset anymore.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* '''Simplified dual stack IPv4/IPv6 administration''', through the new ''inet'' family which allows you to register base chains that see both IPv4 and IPv6 traffic. Thus, you don't need to rely on scripts to duplicate your ruleset anymore.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* '''Generic [[sets|set]] and [[maps|map]] infrastructure'''. This new infrastructure integrates tightly into the nftables core and it allows advanced configurations such as [[<del style="font-weight: bold; text-decoration: none;">dictionaries</del>]], [[maps]] and [[intervals]] to achieve performance-oriented packet classification. The most important thing is that you can use ''any'' supported selector to classify traffic.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* '''Generic [[sets|set]] and [[maps|map]] infrastructure'''. This new infrastructure integrates tightly into the nftables core and it allows advanced configurations such as [[<ins style="font-weight: bold; text-decoration: none;">maps</ins>]], [[<ins style="font-weight: bold; text-decoration: none;">Verdict_Maps_(vmaps) | verdict&nbsp;</ins>maps]] and [[intervals]] to achieve performance-oriented packet classification. The most important thing is that you can use ''any'' supported selector to classify traffic.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* '''Support for [[concatenations]]'''. Since Linux kernel 4.1, you can concatenate several keys and combine them with [[dictionaries]] and [[maps]]. The idea is to build a tuple whose values are hashed to obtain the action to be performed nearly O(1).</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* '''Support for [[concatenations]]'''. Since Linux kernel 4.1, you can concatenate several keys and combine them with [[dictionaries]] and [[maps]]. The idea is to build a tuple whose values are hashed to obtain the action to be performed nearly O(1).</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* '''New supported protocols without kernel upgrades'''. Kernel upgrades can be a timeconsuming and daunting task. Specifically if you have to maintain more than one single firewall in your network. Distributors usually include a bit older Linux kernel versions for stability reasons. With the new nftables virtual machine approach, you will most likely not need such upgrade to support a new protocol. A relatively simple ''nft'' userspace software update should be enough to support new protocols.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* '''New supported protocols without kernel upgrades'''. Kernel upgrades can be a timeconsuming and daunting task. Specifically if you have to maintain more than one single firewall in your network. Distributors usually include a bit older Linux kernel versions for stability reasons. With the new nftables virtual machine approach, you will most likely not need such upgrade to support a new protocol. A relatively simple ''nft'' userspace software update should be enough to support new protocols.</div></td></tr>
</table>Fmyhrhttp://wiki.nftables.org/wiki-nftables/index.php?title=Main_differences_with_iptables&diff=11&oldid=prevPablo: Created page with "The main differences between ''nftables'' and ''iptables'' from the user point of view are: * The '''syntax'''. The ''iptables'' command line tool uses a getopt_long()-based..."2016-07-13T17:38:38Z<p>Created page with "The main differences between ''nftables'' and ''iptables'' from the user point of view are: * The '''syntax'''. The ''iptables'' command line tool uses a getopt_long()-based..."</p>
<p><b>New page</b></p><div>The main differences between ''nftables'' and ''iptables'' from the user point of view are:<br />
<br />
* The '''syntax'''. The ''iptables'' command line tool uses a getopt_long()-based parser where keys are always preceded by a double minus, e.g. ''--key'', or a single minus, e.g. ''-p tcp''. In that regard, ''nftables'' uses a nicer, more intuitive and more compact syntax which is inspired by ''tcpdump''. <br />
<br />
* '''Tables and chains are fully configurable'''. In ''nftables'', tables are containers of chains with no specific semantics. Note that ''iptables'' comes with tables with a predefined number of base chains; you get them in an all-or-nothing fashion. Thus, all chains are registered even if you only need one of them. We got reports in the past that unused base chains are harming performance, even if you add no rules at all. With this new approach, you can just register the chains that you need depending on your setup. Moreover, you can also model your pipeline using the chain priorities in the way you need and select any name for your tables and chains.<br />
<br />
* '''No distinction between matches and targets anymore'''. In ''nftables'', ''expressions'' are the basic building block of a rule; thus, a rule is basically a composite of expressions that is linearly evaluated from left to right: if the first expression matches, then the next expression is evaluated, and so on until we reach the last expression that is part of the rule. An expression can match a specific payload field or packet/flow metadata, or perform an action.<br />
<br />
* '''You can specify several actions in one single rule'''. In ''iptables'' you can only specify one single target. This has been a longstanding limitation that users resolve by jumping to custom chains at the cost of making the rule-set structure slightly more complex.<br />
<br />
* '''No built-in counter per chain and rules'''. In ''nftables'', these are optional so you can enable counters on demand.<br />
<br />
* '''Better support for dynamic ruleset updates'''. In ''nftables'', if you add a new rule, the remaining existing ones are left untouched, since the ruleset is represented as a linked list, contrary to the monolithic blob representation in which the maintenance of the internal state information is complicated when performing ruleset updates.<br />
<br />
* '''Simplified dual stack IPv4/IPv6 administration''', through the new ''inet'' family which allows you to register base chains that see both IPv4 and IPv6 traffic. Thus, you don't need to rely on scripts to duplicate your ruleset anymore.<br />
<br />
* '''Generic [[sets|set]] and [[maps|map]] infrastructure'''. This new infrastructure integrates tightly into the nftables core and it allows advanced configurations such as [[dictionaries]], [[maps]] and [[intervals]] to achieve performance-oriented packet classification. The most important thing is that you can use ''any'' supported selector to classify traffic.<br />
<br />
* '''Support for [[concatenations]]'''. Since Linux kernel 4.1, you can concatenate several keys and combine them with [[dictionaries]] and [[maps]]. The idea is to build a tuple whose values are hashed to obtain the action to be performed nearly O(1).<br />
<br />
* '''New supported protocols without kernel upgrades'''. Kernel upgrades can be a time-consuming and daunting task, especially if you have to maintain more than one single firewall in your network. Distributors usually include slightly older Linux kernel versions for stability reasons. With the new nftables virtual machine approach, you will most likely not need such an upgrade to support a new protocol. A relatively simple ''nft'' userspace software update should be enough to support new protocols.</div>Pablo
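The following ruleset is an added example, not part of the wiki page or of the nftables project's own documentation. It puts the bullets above into one ''inet''-family ruleset: only the base chains the host needs are registered, with explicit hook and priority; a named set and a verdict map keyed on a concatenation classify traffic in one lookup; counters are enabled per rule rather than everywhere; and a single rule carries several actions. The addresses, ports and the ''mgmt'' chain name are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example (not from the wiki page). Addresses, ports and chain
# names are constructed placeholders; adapt them before use.
flush ruleset

table inet filter {
    # Named set of IPv4 sources allowed to reach the management port.
    # "flags interval" lets the set hold prefixes as well as single hosts.
    set mgmt_hosts {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    # Verdict map keyed on a concatenation (transport protocol . port):
    # one hash lookup picks the verdict instead of a linear walk over rules.
    map service_policy {
        type inet_proto . inet_service : verdict
        elements = { tcp . 22  : jump mgmt,
                     tcp . 80  : accept,
                     tcp . 443 : accept,
                     udp . 53  : accept }
    }

    # Only the base chain this host needs is registered; hook and priority
    # are chosen here rather than inherited from a fixed table layout.
    chain input {
        type filter hook input priority filter; policy drop;

        # One rule, several actions: count, log, then drop.
        ct state invalid counter log prefix "invalid: " drop

        ct state established,related accept
        iifname "lo" accept

        # IPv4 and IPv6 ICMP handled by the same inet chain.
        meta l4proto { icmp, ipv6-icmp } accept

        # Dispatch new flows through the verdict map.
        ct state new meta l4proto . th dport vmap @service_policy
    }

    # Regular (non-base) chain, reached only through the verdict map.
    chain mgmt {
        # Counter is opt-in: this rule has one.
        ip saddr @mgmt_hosts counter accept
        counter log prefix "mgmt-denied: " drop
    }
}
```

Syntax-check the file without touching the live ruleset with <code>nft -c -f ruleset.nft</code>, load it with <code>nft -f ruleset.nft</code>, and inspect the result with <code>nft list ruleset</code>. Note that <code>flush ruleset</code> at the top discards every existing table, so it belongs only in a file that is meant to define the whole firewall. Because the ruleset is a linked list rather than a blob, a later <code>nft add rule inet filter input ...</code> appends a rule without reloading the rest.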