Firewalld: The Future is nftables
Firewalld, the default firewall management tool in Red Hat Enterprise Linux and Fedora, has gained long-sought support for nftables. This was announced in detail on firewalld’s project blog. The feature landed in the firewalld 0.6.0 release as the new default firewall backend.
The benefits of nftables have been outlined on the Red Hat Developer Blog:
- What comes after iptables? Its successor, of course: nftables
- Benchmarking nftables
- Migrating my iptables setup to nftables
nftables lets firewalld address many longstanding issues that could not be solved with the old iptables backend. The nftables backend allows the following improvements:
- all firewall information viewable with a single underlying tool, nft
- single rule for both IPv4 and IPv6 instead of duplicating rules
- does not assume complete control of firewall backend
- won’t delete firewall rules installed by other tools or users
- rule optimizations (log and deny in same rule)
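To make the first, second and last points concrete, here is a small hand-written nftables ruleset (an added example, not the ruleset firewalld generates; the table name `example` and the log prefix are arbitrary). It uses the `inet` address family, so one rule covers both IPv4 and IPv6, and it logs and drops in a single rule instead of the separate LOG and DROP rules iptables requires:

```nft
# Added example, not firewalld's own generated rules.
# A single "inet" table carries both IPv4 and IPv6 traffic, so each
# rule below is written once instead of once for iptables and once
# for ip6tables.
table inet example {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and established/related connections, both families.
        iif "lo" accept
        ct state established,related accept

        # ICMP and ICMPv6 differ at layer 4, but still live in one chain.
        ip protocol icmp accept
        meta l4proto icmpv6 accept

        # One rule matches TCP port 22 over IPv4 and IPv6 alike.
        tcp dport 22 accept

        # Log and drop in the same rule; no LOG + DROP pair needed.
        log prefix "example-drop: " drop
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`, which shows this table alongside whatever firewalld and other tools have installed. Because the nftables backend does not assume complete control of the firewall, a table like this one is not wiped when firewalld reloads, which is the behaviour the "won’t delete firewall rules installed by other tools or users" point above describes.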
Most important of all, the new backend is nearly 100% compatible with preexisting configurations. Most users won’t even notice something changed. This means even slower moving distributions should be able to pick up the new version.
You can get started with firewalld and nftables today! firewalld 0.6.0 is already available in Fedora rawhide and will be in the upcoming Fedora 29 release. Existing Fedora installs will automatically be upgraded to the nftables backend when they upgrade to Fedora 29.
Unfortunately, firewalld’s nftables backend is unlikely to find its way into Red Hat Enterprise Linux 7. The good news is that, since Fedora is RHEL’s upstream, the nftables backend is likely to eventually make it into some future RHEL release.