Nftables

Title: Nftables  
Author: World Heritage Encyclopedia
Language: English
Subject: Linux kernel, IP Virtual Server, Linux Virtual Server, Netfilter, L7-filter
Nftables
Original author(s) Patrick McHardy
Developer(s) Patrick McHardy/Pablo Neira
Stable release 0.3[1] / June 26, 2014 (2014-06-26)
Preview release Git repo
Development status In development
Written in C
Operating system Linux
Platform Netfilter
Type packet filtering
License GPL (version 2)
Website netfilter.org/projects/nftables

nftables is a project providing packet filtering and packet classification on Linux, and it is intended to replace existing iptables, ip6tables, arptables and ebtables frameworks. nftables is a combination of a Linux kernel engine, and a userspace utility.

It utilizes the building blocks of the Netfilter infrastructure, such as the existing hooks, connection tracking system, userspace queueing component, and logging subsystem. Also, there is a planned compatibility layer for the translation of already existing iptables firewall rules into their nftables equivalents.

History

The project was first publicly presented at Netfilter Workshop 2008 by Patrick McHardy of the Netfilter Core Team.[2] The first preview release of the kernel and userspace implementation followed in March 2009.[3] Although the tool has been called "...the biggest change to Linux firewalling since the introduction of iptables in 2001", it has received little press.[4] Notable hacker Fyodor Vaskovich (Gordon Lyon) said that he is "looking forward to its general release in the mainstream Linux kernel."[4]

The project stayed in alpha stage and the official website was removed in 2009. In March 2010, emails from the author on the project mailing lists showed the project was still active and approaching a beta release,[5][6] but the latter was never shipped officially. In October 2012, Pablo Neira Ayuso proposed a compatibility layer for iptables[7] and announced a possible inclusion of the project into mainstream kernel.

On 16 October 2013, Pablo Neira Ayuso submitted an nftables core pull request to the Linux kernel mainline tree.[8] It was merged into the kernel mainline on 19 January 2014, with the release of Linux kernel version 3.13.[9]

Overview

The nftables kernel engine adds a simple virtual machine into the Linux kernel, which executes bytecode to inspect a network packet and decide how that packet should be handled. The operations implemented by this virtual machine are intentionally basic: it can read data from the packet itself, examine the associated metadata (the inbound interface, for example), and manage connection tracking data. Arithmetic, bitwise and comparison operators can be used to make decisions based on that data. The virtual machine is also capable of manipulating sets of data (typically IP addresses), allowing multiple comparison operations to be replaced with a single set lookup.[10]

That is in contrast to the iptables firewalling code, where protocol awareness is built so deeply into the logic that the code has had to be replicated four times—for IPv4, IPv6, ARP, and Ethernet bridging—because the firewall engines are too protocol-specific to be used in a generic manner.[10]

The main advantages over iptables are:

  • simplification of the Linux kernel ABI
  • reduction of code duplication
  • improved error reporting
  • more efficient execution, storage, and incremental changes of filtering rules.

The currently used iptables, ip6tables, arptables and ebtables utilities (for IPv4, IPv6, ARP, and Ethernet bridging, respectively) are intended to be replaced with a single unified implementation, providing firewall configuration on top of the in-kernel virtual machine.

nftables also offers an improved userspace API that allows atomic replacements of one or more firewall rules within a single Netlink transaction. That speeds up firewall configuration changes for setups having large rulesets; it can also help in avoiding race conditions while the rule changes are being executed. Also, a planned compatibility layer is going to provide translation of already existing iptables firewall rules into their nftables equivalents.[10]
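As an added example (not part of the original article or the nftables project's own documentation), the constructed ruleset below shows the two points above in practice: a named set lookup standing in for several address comparisons, and a whole-ruleset reload submitted as one transaction. Set and chain names are invented, and the syntax is that of the current nft utility rather than the 0.3 release listed in the infobox.

```nft
# Constructed example ruleset, loaded with: nft -f ruleset.nft
# Assumes the current nft syntax and the "inet" family (IPv4 + IPv6 in one table).

# Flushing inside the same file is what makes the reload atomic: nft -f submits
# the entire file as a single Netlink transaction, so either every rule below
# replaces the old ruleset, or (if any line is rejected) nothing changes and the
# previously loaded ruleset stays in force. There is no window with no rules.
flush ruleset

table inet filter {
    # A named set: one lookup replaces one comparison per address.
    set mgmt_hosts {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11, 198.51.100.7 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Connection tracking data from the existing Netfilter conntrack system.
        ct state established,related accept
        ct state invalid counter drop

        # Packet metadata (the inbound interface) rather than packet contents.
        iif "lo" accept

        # Packet data compared against the named set, then an anonymous port set.
        ip saddr @mgmt_hosts tcp dport 22 counter accept
        tcp dport { 80, 443 } counter accept

        # Everything else falls to the chain policy; count and log it first.
        counter log prefix "nft input drop: " drop
    }
}
```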

References

  1. "News of the netfilter/iptables project". netfilter/iptables project homepage. netfilter.org. 2014-06-26. Retrieved 2014-07-04.
  2. "User day program - NFWS2008". Workshop.netfilter.org. 2008-10-03. Retrieved 2014-02-22.
  3. Initial release announcement.
  4. Gray, Patrick (March 26, 2009). "NEWS: Linux Gets New Firewall". Risky.biz.
  5. "Linux Netfilter Devel - Re: Current state of nftables". Spinics.net. Retrieved 2014-01-20.
  6. "Linux Netfilter Devel - Re: Current state of nftables". Spinics.net. Retrieved 2014-01-20.
  7. "Linux Netfilter Devel - [RFC] back on nf_tables (plus compatibility layer)". Spinics.net. Retrieved 2014-01-20.
  8. "[PATCH 00/17] netfilter updates: nf_tables pull request - MARC". Marc.info. Retrieved 2014-01-20.
  9. "nftables, the successor of iptables". Linux 3.13. kernelnewbies.org. 2014-01-19. Retrieved 2014-01-20.
  10. Corbet, Jonathan (2013-08-20). "The return of nftables".
