nftables

nftables is a framework within the Linux kernel's Netfilter subsystem that provides packet filtering, classification, and Network Address Translation via a unified interface. It replaces the older set of per-family tools (iptables, ip6tables, arptables, and ebtables) with a single framework and a modern rule language, aiming for simpler administration, improved performance, and easier extensibility.

The core concept in nftables is the ruleset, which is organized into tables, chains, and rules. Tables are associated with a family, such as inet (which covers both IPv4 and IPv6), ip, ip6, or arp. Each table contains one or more chains, and each chain contains one or more rules. The rule language supports sets and maps for scalable rule definitions, and it uses expressions and actions to perform filtering, modification, or routing decisions. Updates to the ruleset can be applied atomically, allowing changes to take effect without disrupting ongoing traffic.

Configuration is performed from user space via the nft command-line tool, which communicates with the kernel through the Netlink interface. The framework supports stateful filtering using connection tracking, NAT functionality within appropriate tables, and integration with standard Netfilter hooks. It also provides a more expressive syntax and the ability to manage large rule sets with dynamic elements such as sets that can be updated at runtime.

nftables has been adopted as the recommended firewall framework in many Linux distributions, offering a consolidated, extensible alternative to the legacy iptables-based tooling. It is designed to be backward-compatible in practice while enabling more scalable and maintainable firewall configurations.
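The ruleset structure described above (a table in the inet family holding chains bound to Netfilter hooks, a named set and a verdict map, connection-tracking state matches, and a separate NAT table) can be seen in one file. The ruleset below is an added example written for this page, not code from the nftables project; the addresses (192.0.2.0/24), the interface names lan0 and wan0, and the file name firewall.nft are constructed placeholders, and the symbolic priorities (filter, srcnat) assume a reasonably recent nft release.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original page. All addresses, ports and
# interface names below are constructed placeholders.
#
# Check the syntax without touching the kernel:   nft -c -f firewall.nft
# Apply the whole file as one atomic transaction:  nft -f firewall.nft

# Clearing first makes the file the complete, declarative ruleset:
# either every object in it loads, or the previous ruleset stays in place.
flush ruleset

table inet filter {
    # Named set. Elements can be changed at runtime without reloading
    # the rules that reference it, e.g.
    #   nft add element inet filter admin_hosts { 192.0.2.50 }
    set admin_hosts {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }      # constructed management network
    }

    # Regular (non-base) chain: no hook, only reached via jump.
    chain ssh_policy {
        ip saddr @admin_hosts accept
        log prefix "ssh-denied: " drop
    }

    # Verdict map: one lookup on the destination port selects the action,
    # instead of one rule per service.
    map service_policy {
        type inet_service : verdict
        elements = { 80 : accept, 443 : accept, 22 : jump ssh_policy }
    }

    # Base chain bound to the input hook; default policy is drop.
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        # Stateful filtering via connection tracking (conntrack).
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport vmap @service_policy
        # Anything else is logged and counted before being dropped,
        # which gives a cheap signal for detection and troubleshooting.
        log prefix "input-denied: " counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "lan0" oifname "wan0" accept   # constructed interface names
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

# NAT lives in its own table; the ip family limits it to IPv4 here.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Because the file begins with flush ruleset and is loaded with nft -f, the kernel receives the whole thing as a single Netlink batch: a typo anywhere in the file rejects the entire load and leaves the running ruleset untouched, rather than leaving the firewall half-configured. The set and the verdict map are what make the ruleset scale: adding a management host or a permitted service is an element change, not a new rule.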