与 iptables 的主要区别

From the user's point of view, the main differences between nftables and iptables are:

  • Syntax. iptables commands are parsed with getopt_long(), so every argument is prefixed with a double dash, such as --key, or a single dash, such as -p tcp. nftables, inspired by tcpdump, uses a nicer, more intuitive and more compact syntax.
  • Tables and chains are fully configurable. In nftables, tables are containers of chains with no specific semantics. iptables, by contrast, comes with tables that carry a predefined set of base chains, and you get them in an all-or-nothing fashion: every base chain is registered even if you only need one of them. Unused base chains have been reported to harm performance even when no rules are added to them. With the nftables approach you register only the chains your setup needs; you can also model your pipeline with chain priorities, and tables and chains can be given any name.
  • No distinction between matches and targets anymore. In nftables, expressions are the basic building block of a rule: a rule is a composition of expressions evaluated linearly from left to right. If the first expression matches, the next one is evaluated, and so on until the last expression of the rule. An expression can match a specific payload field or packet/flow metadata, or perform an action.
  • You can specify multiple actions in one rule. In iptables you can only specify a single target. This has been a longstanding limitation that users work around by jumping to custom chains, at the cost of a slightly more complex ruleset structure.
  • No built-in counters per chain and rule. In nftables these are optional, so you enable them only where you need them.
  • Better support for dynamic ruleset updates. In nftables, adding a new rule leaves the existing ones untouched, because the ruleset is represented as a linked list. This contrasts with the monolithic blob representation of iptables, in which maintaining the internal state information across ruleset updates is complicated.
  • Simplified dual-stack IPv4/IPv6 administration, through the new inet family, which allows you to register base chains that see both IPv4 and IPv6 traffic. You no longer need scripts to duplicate your ruleset for both families.
  • Generic set and map infrastructure. This infrastructure is tightly integrated into the nftables core and allows advanced configurations such as dictionaries, maps and intervals for performance-oriented packet classification. Most importantly, you can use any supported selector to classify traffic.
  • Support for concatenations. Since Linux kernel 4.1, you can concatenate several keys and combine them with dictionaries and maps. The idea is to build a tuple whose values are hashed to obtain the action to be performed in nearly O(1) time.
  • Support for new protocols without kernel upgrades. Kernel upgrades can be a time-consuming and daunting task, especially if you maintain more than one firewall. Distributions usually ship somewhat older kernel versions for stability reasons. With the nftables virtual-machine approach you will most likely not need a kernel upgrade to support a new protocol; a relatively simple update of the nft userspace software should be enough.
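The following ruleset is an added example written for this page; it is not code from the nftables wiki or the nftables project. It puts the points above into one inet ruleset: a single table whose base chains are registered only as needed and ordered by priority, rules that carry several actions, opt-in counters, interval sets, verdict maps, and a concatenated-key map. The table, chain and set names, the interface name eth0, and the addresses (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32) are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the nftables wiki. All names, the interface eth0 and
# the addresses below are assumptions chosen for illustration.

# "flush ruleset" at the top makes "nft -f" replace the whole ruleset in one
# atomic transaction: either everything below is committed or nothing is.
flush ruleset

define wan_if = eth0

# One inet table covers IPv4 and IPv6; no duplicated ip/ip6 rulesets.
table inet filter {

    # Interval set: CIDR prefixes as elements instead of one rule per prefix.
    set ssh_allow {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    # Verdict map (dictionary): one lookup replaces a list of port rules.
    map tcp_services {
        type inet_service : verdict
        elements = { 80 : accept, 443 : accept, 22 : jump ssh_in }
    }

    # Concatenated key (kernel >= 4.1): source address . destination port.
    map src_port_verdict {
        type ipv4_addr . inet_service : verdict
        elements = { 192.0.2.10 . 8080 : accept, 192.0.2.11 . 8443 : accept }
    }

    # Only the base chains this host needs are registered. Two chains on the
    # same hook are ordered by priority: input_early runs before input.
    chain input_early {
        type filter hook input priority -10; policy accept;
        iifname $wan_if ct state invalid counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept

        # Dual stack in one rule: ICMP and ICMPv6 (neighbour discovery etc.).
        meta l4proto { icmp, icmpv6 } accept

        # iptables: -A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
        # nftables: tcp dport 22 ip saddr 192.0.2.0/24 accept
        # Here the port lookup is a map instead of a rule per port.
        tcp dport vmap @tcp_services
        ip saddr . tcp dport vmap @src_port_verdict

        # Several actions in one rule: counter, log and the drop verdict.
        # iptables needs -j LOG in one rule and -j DROP in another.
        # Counters are opt-in: only rules that say "counter" keep counts.
        tcp dport 22 counter log prefix "ssh-reject: " drop
    }

    # Regular chain reached via the verdict map. It ends without a verdict,
    # so packets it does not accept return to chain input and hit the
    # logging drop rule above.
    chain ssh_in {
        ip saddr @ssh_allow limit rate 10/minute counter accept
        ip6 saddr 2001:db8::/32 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
```

Check the file without loading it with `nft -c -f ruleset.nft`, then apply it with `nft -f ruleset.nft`. Later changes do not require reloading the whole thing: `nft add element inet filter ssh_allow { 203.0.113.5 }` touches only that set, and `nft add rule inet filter input ...` appends a rule while the existing ones stay untouched, which is the linked-list behaviour described above.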