Florian Westphal

What comes after ‘iptables’? Its successor, of course: `nftables`

Nftables is a new packet classification framework that aims to replace the existing iptables, ip6tables, arptables and ebtables facilities. It resolves many of the limitations of the venerable ip/ip6tables tools. The most notable capabilities that nftables offers over the old iptables are:


  • Support for lookup tables – no linear rule evaluation required
  • No longer enforces overhead of implicit rule counters and address/interface matching


  • Transactional rule updates – all rules are applied atomically
  • Applications can subscribe to nfnetlink notifications to receive rule updates when new rules get added or removed
  • nft command-line tool can display a live-log of rules that are being matched for easier ruleset debugging
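The following ruleset file is an added example, not taken from the talk or from the nftables project itself; it exercises the capabilities listed above in one place. Addresses, port numbers and the interface name are assumed for illustration. Loading the file with `nft -f` commits the entire contents as one transaction, the set and the verdict map replace what would otherwise be a linear run of rules, counters appear only where written, and the `nftrace` rule feeds the live log that `nft monitor trace` prints.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (assumed values; not the talk's or the project's own code).
# Load with: nft -f this-file
# 'flush ruleset' plus the table below are applied as a single transaction:
# either the whole new ruleset is active or the old one still is.

flush ruleset

table inet filter {
    # Lookup table: a hash/interval lookup replaces one linear rule per address.
    # Addresses are documentation ranges (RFC 5737), assumed for illustration.
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Mark SSH packets for tracing; no verdict here, so evaluation continues.
        # In another terminal, 'nft monitor trace' shows every rule they then hit.
        tcp dport 22 meta nftrace set 1

        ct state established,related accept
        iifname "lo" accept

        # One rule, one set lookup. The 'counter' keyword is explicit:
        # rules without it carry no per-rule counter at all.
        ip saddr @blocklist counter drop

        # Verdict map: port -> verdict in a single lookup, not a rule per port.
        tcp dport vmap { 22 : accept, 80 : accept, 443 : accept }
    }
}
```

To watch the other nfnetlink feature from the list, run `nft monitor` in a second terminal before loading the file: it prints the rule and set additions as the kernel commits them, which is the same event stream an application can subscribe to. `nft monitor trace` requires a kernel and nft build with nftrace support, and the `meta nftrace set 1` rule should sit before the rules you want to see in the trace.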

