iptables: The two variants and their relationship with nftables

August 18, 2020
Eric Garver
Related topics: Linux, Open source, Security
Related products: Red Hat Enterprise Linux

    In Red Hat Enterprise Linux (RHEL) 8, the userspace utility program iptables has a close relationship to its successor, nftables. The association between the two utilities is subtle, which has led to confusion among Linux users and developers. In this article, I attempt to clarify the relationship between the two variants of iptables and its successor program, nftables.

    The kernel API

    In the beginning, there was only iptables. It lived a good, long life in Linux history, but it wasn't without pain points. Later, nftables appeared. It presented an opportunity to learn from the mistakes made with iptables and improve on them.

    The most important nftables improvement, in the context of this article, is the kernel API. The kernel API is how user space programs the kernel. You can use either the nft command or a variant of the iptables command to access the kernel API. We'll focus on the iptables variant.

    Two variants of the iptables command

    The two variants of the iptables command are:

    • legacy: Often referred to as iptables-legacy.
    • nf_tables: Often referred to as iptables-nft.

    The newer iptables-nft command provides a bridge to the nftables kernel API and infrastructure. You can find out which variant is in use by looking up the iptables version. For iptables-nft, the variant will be shown in parentheses after the version number, denoted as nf_tables:

    root@rhel-8 # iptables -V
    iptables v1.8.4 (nf_tables)
    

    For iptables-legacy, the variant will either be absent, or it will show legacy in parentheses:

    root@rhel-7 # iptables -V
    iptables v1.4.21
    

    You can also identify iptables-nft by checking whether the iptables binary is a symbolic link to xtables-nft-multi:

    root@rhel-8 # ls -al /usr/sbin/iptables
    lrwxrwxrwx. 1 root root 17 Mar 17 10:22 /usr/sbin/iptables -> xtables-nft-multi
    

    Using iptables-nft

    As I noted earlier, the nftables utility improves the kernel API. The iptables-nft command allows iptables users to take advantage of the improvements. The iptables-nft command uses the newer nftables kernel API but reuses the legacy packet-matching code. As a result, you get the following benefits while using the familiar iptables command:

    • Atomic rule updates.
    • Per-network-namespace locking.
    • No file-based locking (for example, /run/xtables.lock).
    • Fast incremental ruleset updates.

    These benefits are mostly transparent to the user.

    Note: The userspace command for nftables is nft. It has its own syntax and grammar.

    Packet matching is the same

    It's important to understand that while there are two variants of iptables, packet matching uses the same code. Regardless of the variant you are using, the same packet-matching features are available and behave identically. Another term for the packet-matching code in the kernel is xtables. Both variants, iptables-legacy and iptables-nft, use the same xtables code. The following diagram provides a visual aid; I included nft for completeness:

    +--------------+     +--------------+     +--------------+
    |   iptables   |     |   iptables   |     |     nft      |   USER
    |    legacy    |     |     nft      |     |  (nftables)  |   SPACE
    +--------------+     +--------------+     +--------------+
           |                          |         |
    ====== | ===== KERNEL API ======= | ======= | =====================
           |                          |         |
    +--------------+               +--------------+
    |   iptables   |               |   nftables   |              KERNEL
    |      API     |               |     API      |              SPACE
    +--------------+               +--------------+
                 |                    |         |
                 |                    |         |
              +--------------+        |         |     +--------------+
              |   xtables    |--------+         +-----|   nftables   |
              |    match     |                        |    match     |
              +--------------+                        +--------------+
    

    The iptables rules appear in the nftables rule listing

    An interesting consequence of iptables-nft using nftables infrastructure is that the iptables ruleset appears in the nftables rule listing. Let's consider an example based on a simple rule:

    root@rhel-8 # iptables -A INPUT -s 10.10.10.0/24 -j ACCEPT
    

    Showing this rule through the iptables command yields what we might expect:

    root@rhel-8 # iptables -nL INPUT
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  10.10.10.0/24        0.0.0.0/0
    

    But it will also be shown in the nft ruleset:

    root@rhel-8 # nft list ruleset
    table ip filter {
        chain INPUT {
            type filter hook input priority filter; policy accept;
            ip saddr 10.10.10.0/24 counter packets 0 bytes 0 accept
        }
    }
    

    Note how the iptables rule was automatically translated into the nft syntax. Studying the automatic translation is one way to discover the nft equivalents of the iptables rules. In some cases, however, there isn't a direct equivalent. In those cases, nft will let you know by showing a comment like this one:

    table ip nat {
        chain PREROUTING {
            meta l4proto tcp counter packets 0 bytes 0 # xt_REDIRECT
        }
    }
    
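As an added example (not code from the original article), the shell function below scans an `nft list ruleset` listing for rules that carry a trailing `# xt_...` comment, that is, the iptables rules that iptables-nft could not express in native nft syntax. Inventorying these before a migration to nft tells you which rules need a hand-written equivalent. The listing embedded here is constructed for the example; on a live system, pipe the real output of `nft list ruleset` into `list_xt_rules`.

```shell
#!/bin/sh
# Added example, not part of the original article: find rules in an nft
# ruleset listing that iptables-nft left as opaque xtables matches/targets.
# Such rules end in a "# xt_<name>" comment, like the article's xt_REDIRECT.

# Constructed sample listing (not captured from a real system).
SAMPLE_RULESET='table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ip saddr 10.10.10.0/24 counter packets 0 bytes 0 accept
    }
}
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        meta l4proto tcp counter packets 0 bytes 0 # xt_REDIRECT
    }
}'

# Reads a ruleset listing on stdin and prints one line per untranslated rule:
# "<family> <table> <chain> <xt module>".
list_xt_rules() {
    awk '
        /^table /        { family = $2; tbl = $3 }
        /^[ \t]*chain /  { chain = $2 }
        /# xt_[A-Za-z0-9_]+/ {
            match($0, /xt_[A-Za-z0-9_]+/)
            print family, tbl, chain, substr($0, RSTART, RLENGTH)
        }
    '
}

# Convenience wrapper: number of untranslated rules in a listing passed as $1.
count_xt_rules() {
    printf '%s\n' "$1" | list_xt_rules | wc -l | tr -d ' '
}

# Stand-alone run: report on the constructed sample.
printf '%s\n' "$SAMPLE_RULESET" | list_xt_rules
echo "untranslated rules: $(count_xt_rules "$SAMPLE_RULESET")"
```

A non-zero count does not mean the ruleset is broken; the xtables module still matches packets exactly as it did under iptables-legacy. It only means that rule has no pure-nft rendering to copy from the listing.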

    Summary

    To summarize, the iptables-nft variant utilizes the newer nftables kernel infrastructure. This gives the variant some benefits over iptables-legacy while allowing it to remain a 100% compatible drop-in replacement for the legacy command. Note, however, that iptables-nft and nftables are not equivalent. They merely share infrastructure.

    It is also important to note that while iptables-nft can supplant iptables-legacy, you should never use them simultaneously.
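As an added example (not code from the original article), the script below turns the two identification signals described earlier in this article, the `iptables -V` banner and the symlink target of `/usr/sbin/iptables`, into small shell functions, and adds a check for the situation this last paragraph warns about: rules loaded through both variants at once. The sample strings are constructed; the real inputs would come from `iptables -V`, `readlink /usr/sbin/iptables`, and, assuming both variant packages are installed, `iptables-legacy-save` and `iptables-nft-save`.

```shell
#!/bin/sh
# Added example, not part of the original article: classify the iptables
# variant in use and detect a mixed legacy/nft ruleset.

# Map the output of `iptables -V` to "nft" or "legacy".
# Old releases (e.g. "iptables v1.4.21") print no tag at all; they are legacy.
variant_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *)               echo legacy ;;
    esac
}

# Map the symlink target of /usr/sbin/iptables to a variant.
# "xtables-nft-multi" is the nft backend; "xtables-legacy-multi" is legacy.
variant_from_link() {
    case "$1" in
        *xtables-nft-multi)    echo nft ;;
        *xtables-legacy-multi) echo legacy ;;
        *)                     echo unknown ;;
    esac
}

# Count rule lines (those beginning with "-A") in an iptables-save style
# listing passed as $1. grep exits 1 on zero matches, hence the "|| true".
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A' || true
}

# $1 = iptables-legacy-save output, $2 = iptables-nft-save output.
# Prints "mixed" when both backends hold rules, otherwise which one is active.
ruleset_state() {
    legacy_n=$(count_rules "$1")
    nft_n=$(count_rules "$2")
    if [ "$legacy_n" -gt 0 ] && [ "$nft_n" -gt 0 ]; then
        echo mixed
    elif [ "$nft_n" -gt 0 ]; then
        echo nft
    elif [ "$legacy_n" -gt 0 ]; then
        echo legacy
    else
        echo empty
    fi
}

# Constructed sample listings (not captured from a real system).
LEGACY_SAVE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 10.10.10.0/24 -j ACCEPT
COMMIT'
NFT_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
COMMIT'

# Stand-alone run against the constructed samples.
echo "version banner -> $(variant_from_version 'iptables v1.8.4 (nf_tables)')"
echo "symlink target -> $(variant_from_link xtables-nft-multi)"
echo "ruleset state  -> $(ruleset_state "$LEGACY_SAVE" "$NFT_SAVE")"
```

On a real host you would call `ruleset_state "$(iptables-legacy-save 2>/dev/null)" "$(iptables-nft-save 2>/dev/null)"`; a result of `mixed` means two rulesets are being evaluated for the same traffic, and the packet's fate depends on hook ordering rather than on either listing alone, which is exactly why the two variants should not be used together.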

    Last updated: April 7, 2022
