What is nftables?

From nftables wiki
Revision as of 18:31, 13 July 2016 by Pablo (talk | contribs) (initial page)

nftables is the new packet classification framework intended to replace the existing {ip,ip6,arp,eb}_tables infrastructure. In a nutshell:

  • It is available in Linux kernels >= 3.13.
  • It comes with a new command line utility, nft, whose syntax differs from that of iptables.
  • It also comes with a compatibility layer that allows you to run iptables commands over the new nftables kernel framework.
  • It provides a generic set infrastructure that lets you build maps and concatenations. You can use this new feature to arrange your ruleset as a multidimensional tree, which drastically reduces the number of rules that must be inspected before the final action on a packet is found.
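The sets, maps and concatenations listed above, shown together in a small input filter. This is an added example, not a ruleset from the wiki: the addresses are constructed, and it assumes a kernel and nft new enough to support concatenated map keys, which is newer than the 3.13 minimum quoted above.

```nft
#!/usr/sbin/nft -f
# Added example (constructed addresses): one verdict-map lookup on the
# concatenation "destination address . destination port" replaces a
# linear chain of per-host, per-port rules.
flush ruleset

table inet filter {
    # Named set: the only hosts allowed to reach SSH (constructed).
    set mgmt_hosts {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    # Verdict map keyed on a concatenation: the packet's daddr and dport
    # are looked up once and the matching verdict is applied directly.
    map svc_policy {
        type ipv4_addr . inet_service : verdict
        elements = { 192.0.2.1 . 22  : jump ssh_in,
                     192.0.2.1 . 443 : accept,
                     192.0.2.2 . 443 : accept }
    }

    # Second level of the tree: SSH is only reachable from @mgmt_hosts.
    chain ssh_in {
        ip saddr @mgmt_hosts accept
        counter log prefix "nft ssh-denied: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Multidimensional lookup: N hosts x M ports in a single rule.
        ip daddr . tcp dport vmap @svc_policy
        # Anything not matched above falls through to the logged drop policy.
        counter log prefix "nft input-drop: " drop
    }
}
```

Load it with `nft -f <file>`; `nft -c -f <file>` parses and checks the ruleset without applying it, which is the safer first step on a live host.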