What advantages does nftables provide over iptables?
I haven’t set up Linux for a long time, but then I had to get into the console. I found that instead of the usual iptables, people are now actively using nftables. People online mainly write that it is easier to use in terms of syntax.
What are the advantages of the new utility besides syntactic sugar and combining utilities like xtables into one? Maybe it is somehow faster (has anyone measured it?) or does it have any uber features? Or is it another construction like ufw, shorewall, etc. for those who have not mastered the classic utility?
You are not required to learn the new syntax; it is compatible with the iptables syntax.
The main feature is that the rules are executed in the eBPF bytecode interpreter built into the Linux kernel, at a low level and quickly.
The main problem is not to accidentally configure both firewalls (both netfilter and nft).
You can check with sudo iptables-legacy -S and sudo iptables-nft -S, respectively.
If you really want to, you can replace the symlink (if we are talking about Debian) and continue using netfilter instead of nft.
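The check for rules loaded through both backends, as an added example that is not part of the original answer: it classifies the output of the two `-S` commands named above. The function names, the `--live` switch and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): report which iptables
# backend(s) currently hold rules, so a host configured twice is noticed.

# Read `iptables -S` output on stdin and count entries an empty ruleset
# would not have: rules (-A), user chains (-N), non-ACCEPT policies (-P).
count_custom() {
    awk '
        $1 == "-A" || $1 == "-N"     { n++ }
        $1 == "-P" && $3 != "ACCEPT" { n++ }
        END                          { print n + 0 }
    '
}

# classify LEGACY_DUMP NFT_DUMP -> prints none | legacy | nft | both
classify() {
    legacy_n=$(printf '%s\n' "$1" | count_custom)
    nft_n=$(printf '%s\n' "$2" | count_custom)
    if [ "$legacy_n" -gt 0 ] && [ "$nft_n" -gt 0 ]; then echo both
    elif [ "$legacy_n" -gt 0 ]; then echo legacy
    elif [ "$nft_n" -gt 0 ]; then echo nft
    else echo none
    fi
}

# Dump every table of one backend; -S alone lists only the filter table.
dump_all() {
    for t in filter nat mangle raw; do
        "$1" -t "$t" -S 2>/dev/null
    done
}

# Constructed sample dumps, used when the script is not run with --live.
SAMPLE_EMPTY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
SAMPLE_RULES='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LOGDROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'

if [ "${1:-}" = "--live" ]; then   # run as root on the host being checked
    state=$(classify "$(dump_all iptables-legacy)" "$(dump_all iptables-nft)")
else
    state=$(classify "$SAMPLE_RULES" "$SAMPLE_RULES")
fi
echo "backends holding rules: $state"
```

A result of `both` means packets are being filtered by two independent rulesets. Rules created directly with the `nft` tool are listed by `nft list ruleset`.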