IPtables vs. nftables

What is nftables, and how is it different from IPtables?

Posted on Aug. 19, 2018

Hello everyone! We thought Sunday morning is a good time for some geek talks. Today's topic: IPtables VS. nftables. Ready for some tables talk? I think you are, if you're working around servers like filtering network traffic. So here we go.

tabletimes.jpg

What is IPtables?

Many of you might already know well about IPtables: IPtables is a command line utility that is used for configuring firewall rules usually in combination with a frontend. IPtables is able to inspect, modify or drop network packets. The "tables" consist of "chains" which contain "rules" that are processed in the defined order. The rules are basically conditions that have to be true respectively to match a defined action to be executed. All incoming packets, regardless the source (internal/internet), are being processed by the very same rules. IPtables contain 5 standard tables (raw, filter, NAT, mangle, security), and among them 2 (NAT and especially filter) are the most common, and the most important ones. The filter table, as its title indicates, is the default table where you can define the usual firewall filtering rules. 

Okay, that's IPtables. But what is nftables? Nftables (developed by netfilter/IPtables) is a package filtering framework. It was basically built to replace the old IPtables, because IPtables had several problems in terms of performance and scalability. It was merged into the Linux kernel in 2014, so it's a part of it since version 3.13. You can already sense our tone from the choice of words like "old" "problems" and "replace." You got that right. We like nftables. 

 

What are the differences?

Nftables is easier to use and combines all tools of the IPtables framework (e. g. iptables, ip6tables, arptables, etc.) in a single tool. The syntax has also become better and easier, but there is a compatibility layer so you could still use the old IPtables syntax even if filtering is internally done with nftables. Although it basically does the same job as IPtables, its architecture is different. Unlike IPtables, there are no predefined default tables and chains (like filter/NAT or FORWARD/INPUT) in nftables. You can also perform multiple actions in a single rule.

Here is an example for the simple task of dropping any packets to the destination IP address 1.2.3.4.

nft add rule ip filter output ip daddr 1.2.3.4 drop

For the old IPtables this would've been:

iptables -A OUTPUT -d 1.2.3.4 -j DROP

 

nftables is efficient.

nftables simplifies (Yay! One word we geeks love : simple) a lot. It speeds up firewall configuration and it's much easier to use. As a strong supporter of IPv6 (we even offer IPv6 only VMs) we like that the extra IP6tables is not necessary anymore because it is implemented within the nft-set per default, the same for arptables and ebtables. So the complexity has significantly shrinked and code duplication got less.

nftables is not only easier to write, but filtering is more efficient internally in the kernel as well. When we did some changes to our iptables, we had to recompile the kernel, because every match or target was requiring a kernel module. This changed with nftables and lowered our administrative work.


Another example for the creation of a ruleset that allows packets to use different ports and allows different icmpv6 types:

nft add rule ip6 filter input tcp dport {telnet, http, https} accept

nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

That's it. Small and simple.

Just to give you an idea, with the old IPtables this would've been something like:

ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT

ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT

ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT

ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT

ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT

See the difference? 

nftables is easier to write and to maintain.

So whenever setting up a new server, using nftables over IPtables could bring a lot of opportunities and advantages. In case you have a default IPtables configuration you usually apply there is also a tool called "iptables-translate" which helps migrating from IPtables to nftables: it generates the nftables-equivalent for a given IPtables rule or ruleset.

So that was a kind of a brief introduction, and we'll talk more in depth about nftables in the following days as separate postings. What do you think? What are your thoughts on this topic? Are you a fan of IPtables? Let us know and share your thoughts with us by contacting us via mail or social media