What is nftables?: Difference between revisions
Older revision: no edit summary. Newer revision edit summary: (clarify that xtables is legacy; some minor grammar changes)

Changed lines of the wiki source (older text on the left of the original comparison, newer on the right):

Line 1, older: '''nftables''' is the new packet classification framework that
Line 1, newer: '''nftables''' is the new packet classification framework that replaces the legacy {ip,ip6,arp,eb}_tables (xtables) infrastructure. In a nutshell:

Line 2, unchanged: * It is available in Linux kernels >= 3.13.

Line 7, unchanged: * It also comes with a compatibility layer that allows you to run iptables commands over the new nftables kernel framework.

Line 8, older: * It provides generic set infrastructure that allows you to construct maps and
Line 8, newer: * It provides a generic set infrastructure that allows you to construct maps and concatenations. You can use these new structures to arrange your ruleset in a multidimensional tree which '''drastically''' reduces the number of rules that need to be inspected until reaching the final action on a packet.
Revision as of 12:40, 12 February 2021
nftables is the new packet classification framework that replaces the legacy {ip,ip6,arp,eb}_tables (xtables) infrastructure. In a nutshell:
- It is available in Linux kernels >= 3.13.
- It comes with a new command line utility, nft, whose syntax differs from that of iptables.
- It also comes with a compatibility layer that allows you to run iptables commands over the new nftables kernel framework.
- It provides a generic set infrastructure that allows you to construct maps and concatenations. You can use these new structures to arrange your ruleset in a multidimensional tree which drastically reduces the number of rules that need to be inspected until reaching the final action on a packet.
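The following ruleset is an added example written for this page; it is not taken from the wiki or from the nftables project. It shows the set and map infrastructure the last point describes: a named set replaces one rule per address, and a verdict map keyed on the concatenation of source address and destination port replaces one rule per address/port pair, so a packet is classified with a single lookup instead of a linear walk through many rules. The addresses and ports are constructed sample values, and a reasonably recent nft userspace (0.9 or later is assumed) is needed for typed concatenated maps.

```nft
# Added example, not from the wiki page. Sample addresses/ports are constructed.
flush ruleset

table inet filter {
    # Named set: one lookup instead of one rule per address.
    # "interval" lets elements be prefixes/ranges.
    set admin_hosts {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    # Verdict map on a concatenated key (source address . destination port).
    # Each element is one branch of the multidimensional tree the page describes.
    map svc_policy {
        type ipv4_addr . inet_service : verdict
        elements = {
            192.0.2.10  . 22  : accept,
            10.0.0.5    . 443 : accept,
            203.0.113.5 . 22  : drop,
        }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # One rule, one set lookup, for every admin address.
        ip saddr @admin_hosts tcp dport 22 accept

        # One rule, one map lookup, for every (address, port) pair;
        # the verdict comes from the matching element.
        ip saddr . tcp dport vmap @svc_policy

        # Anything not matched above is counted and dropped by policy.
        counter drop
    }
}
```

Save it as a file and check it without touching the running kernel with `nft -c -f <file>`; `nft -f <file>` loads it, and `nft list ruleset` shows what the kernel now holds. Adding a new host or service means adding an element to the set or map, not another rule in the chain, which is the operational point of the structure.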