nftables replaces iptables as the default network packet filtering framework
The `nftables` framework provides packet classification facilities and is the designated successor to the `iptables`, `ip6tables`, `arptables`, and `ebtables` tools. It offers numerous improvements in convenience, features, and performance over the previous packet-filtering tools, most notably:
Lookup tables instead of linear processing.
A single framework for both the IPv4 and IPv6 protocols.
Ruleset changes are applied atomically, instead of fetching, updating, and storing the complete ruleset.
Support for debugging and tracing in the ruleset (`nftrace`) and monitoring trace events (in the `nft` tool).
More consistent and compact syntax, no protocol-specific extensions.
A Netlink API for third-party applications.
Similarly to `iptables`, `nftables` uses tables for storing chains. The chains contain the individual rules that perform actions. The `nft` tool replaces all tools from the previous packet-filtering frameworks. The `libnftables` library can be used for low-level interaction with the `nftables` Netlink API over the `libmnl` library.
The `iptables`, `ip6tables`, `ebtables` and `arptables` tools are replaced by nftables-based drop-in replacements with the same name. While external behavior is identical to their legacy counterparts, internally they use `nftables` with legacy `netfilter` kernel modules through a compatibility interface where required.
The effect of these compatibility tools on the `nftables` ruleset can be observed using the `nft list ruleset` command. Since the tools add tables, chains, and rules to the `nftables` ruleset, be aware that ruleset-wide `nftables` operations, such as the `nft flush ruleset` command, also remove rules installed using the formerly separate legacy commands.
To quickly identify which variant of the tool is present, the version information has been updated to include the back-end name. In Fedora 32, the nftables-based `iptables` tool prints the following version string:
$ iptables --version
iptables v1.8.4 (nf_tables)
For comparison, the following version information is printed if the legacy `iptables` tool is present:
$ iptables --version
iptables v1.8.4 (legacy)
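The two points above (the compatibility tools populate the shared `nftables` ruleset, so `nft flush ruleset` also wipes `iptables`-installed rules, and the back end is visible in `iptables --version`) can be turned into a pre-flight check before any ruleset-wide operation. The following script is an added example, not code from the Fedora release notes or from the nftables project. Both functions take their input as text, so they can be run against captured output as well as against the live commands. The table names it looks for (`filter`, `nat`, `mangle`, `raw`, `security` in the `ip`/`ip6` families for `iptables`/`ip6tables`, `filter`/`nat`/`broute` in the `bridge` family for `ebtables`, `filter` in the `arp` family for `arptables`) are an assumption of this example based on what the xtables-nft tools create; the release note itself does not list them. The ruleset dump at the bottom is constructed sample data.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before a ruleset-wide nft operation on a
# host where iptables/ip6tables/ebtables/arptables may be the nftables-based
# drop-in tools. Not part of the Fedora release notes or the nftables project.

# Parse the back-end name out of an `iptables --version` string.
# Prints "nf_tables", "legacy", or "unknown".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) printf 'nf_tables\n' ;;
        *"(legacy)"*)    printf 'legacy\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# Given the text of `nft list ruleset`, print "<family> <table>" for every
# table whose family/name pair matches what the xtables-nft tools create.
# ASSUMPTION (not stated in the release note): iptables-nft/ip6tables-nft use
# the classic table names in the ip/ip6 families, ebtables-nft uses the bridge
# family and arptables-nft uses the arp family.
compat_tables() {
    printf '%s\n' "$1" |
        awk '
            $1 == "table" && NF >= 3 {
                fam = $2; tbl = $3
                if ((fam == "ip" || fam == "ip6") &&
                    (tbl == "filter" || tbl == "nat" || tbl == "mangle" ||
                     tbl == "raw" || tbl == "security"))
                    print fam, tbl
                else if (fam == "bridge" &&
                         (tbl == "filter" || tbl == "nat" || tbl == "broute"))
                    print fam, tbl
                else if (fam == "arp" && tbl == "filter")
                    print fam, tbl
            }'
}

# Exit status 0 when the ruleset text contains no xtables-managed tables
# (a flush then touches only native nft tables), 1 otherwise.
flush_is_safe() {
    [ -z "$(compat_tables "$1")" ]
}

# Constructed sample of `nft list ruleset` output: one table created by
# iptables-nft (ip filter), one by ip6tables-nft (ip6 nat), and one native
# nft table (inet myfw) that was never touched by the legacy tools.
SAMPLE_RULESET='table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		tcp dport 22 counter packets 0 bytes 0 accept
	}
}
table inet myfw {
	chain in {
		type filter hook input priority 0; policy drop;
	}
}
table ip6 nat {
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
	}
}'

# Demonstration on the constructed data. On a real host you would feed
# "$(iptables --version)" and "$(nft list ruleset)" (as root) instead.
printf 'backend: %s\n' "$(iptables_backend 'iptables v1.8.4 (nf_tables)')"
printf 'tables a flush would also wipe:\n%s\n' "$(compat_tables "$SAMPLE_RULESET")"
if flush_is_safe "$SAMPLE_RULESET"; then
    printf 'nft flush ruleset touches only native tables\n'
else
    printf 'refusing: nft flush ruleset would remove xtables-managed tables\n'
fi
```

The check is deliberately name-based rather than rule-based: the compatibility tools register ordinary `nftables` tables, so nothing in the dump marks them as "belonging" to `iptables`. If a host mixes native `nft` tables and legacy-tool tables, prefer `nft flush table <family> <name>` on the tables you own instead of `nft flush ruleset`.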
For more information, see link:https://fedoraproject.org/wiki/Changes/iptables-nft-default[] and link:https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools[].