Nftables
| Original author(s) | Patrick McHardy |
|---|---|
| Developer(s) | Pablo Neira Ayuso, Florian Westphal |
| Stable release |
0.7 / December 20, 2016
|
| Preview release | |
| Development status | In development |
| Written in | C |
| Operating system | Linux |
| Platform | Netfilter |
| Type | packet filtering |
| License | GPL (version 2) |
| Website | |
nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. It has been available since Linux kernel 3.13 released on 19 January 2014.
nftables is supposed to replace netfilter. Both subsystems have been co-authored by Patrick McHardy. Among the advantages of nftables over netfilter is less code duplication and more throughput. nftables is configured via the user-space utility nft while netfilter is configured via the utilities iptables, ip6tables, arptables and ebtables frameworks.
nftables utilizes the building blocks of the Netfilter infrastructure, such as the existing hooks into the networking stack, connection tracking system, userspace queueing component, and logging subsystem.
A command to drop any packets with the destination IP address 1.2.3.4
The syntax of iptables is different:
Also, there is a planned compatibility layer for the translation of already existing iptables firewall rules into their nftables equivalents.
The project was first publicly presented at Netfilter Workshop 2008 by Patrick McHardy from the Netfilter Core Team. The first preview release of kernel and userspace implementation was given in March 2009. Although the tool has been called, "...the biggest change to Linux firewalling since the introduction of iptables in 2001", it has received little press. Notable hacker Fyodor Vaskovich (Gordon Lyon) said that he is "looking forward to its general release in the mainstream Linux kernel."
The project stayed in alpha stage and the official website was removed in 2009. In March 2010, emails from the author on the project mailing lists showed the project was still active and approaching a beta release, but the latter was never shipped officially. In October 2012, Pablo Neira Ayuso proposed a compatibility layer for iptables and announced a possible inclusion of the project into mainstream kernel.
On 16 October 2013, Pablo Neira Ayuso submitted a nftables core pull request to the Linux kernel mainline tree. It was merged into the kernel mainline on 19 January 2014, with the release of Linux kernel version 3.13.
...
Wikipedia