Why nftables?

We like iptables after all. This tool has been serving us (and will likely keep serving for a while in many deployments) to filter traffic on both a per-packet and a per-flow basis, log suspicious traffic, perform NAT and many other things. It comes with more than a hundred extensions contributed over the last 15 years! Nevertheless, the iptables framework suffers from limitations that cannot easily be worked around:

  • Avoid code duplication and inconsistencies: many of the iptables extensions are protocol specific, so there is no consolidated way to match packet fields; instead there is one extension for each protocol it supports. This bloats the codebase with very similar code performing the same task: payload matching.
  • Faster packet classification through generic sets and maps.
  • Simplified dual stack IPv4/IPv6 administration, through the new inet family that allows you to register base chains that see both IPv4 and IPv6 traffic.
  • Better support for dynamic ruleset updates.
  • Provide a Netlink API for third party applications, as the other Linux networking and Netfilter subsystems do.
  • Address syntax inconsistencies by providing a better and more compact syntax.
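The following ruleset is an added example written for this page, not code from the nftables project or its documentation. It shows the two items above that change day-to-day administration most: a single base chain in the inet family that sees both IPv4 and IPv6 packets, and a set and a verdict map that replace one rule per address or per port. The addresses and ports are constructed sample values (RFC 5737 and RFC 3849 documentation ranges), and the table, set and map names are arbitrary.

```nft
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    # Generic sets: one lookup against all blocked addresses instead of
    # one rule per address. "flags interval" allows prefixes as elements.
    set blocklist_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }   # constructed sample values
    }
    set blocklist_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:bad::/48 }            # constructed sample value
    }

    # Verdict map: classify by destination port and jump straight to a
    # verdict, so the chain does not grow by one rule per allowed service.
    map tcp_services {
        type inet_service : verdict
        elements = { 22 : accept, 80 : accept, 443 : accept }
    }

    # A single inet base chain is registered once and sees both
    # IPv4 and IPv6 traffic; with iptables this would be two rulesets.
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Family-specific keys can be mixed freely in the same chain.
        ip saddr @blocklist_v4 counter drop
        ip6 saddr @blocklist_v6 counter drop

        meta l4proto { icmp, ipv6-icmp } accept

        # One map lookup replaces a rule per port.
        tcp dport vmap @tcp_services
    }
}
```

Load it with `nft -f <file>`; `nft -c -f <file>` parses and validates the ruleset without committing it, which is the safe way to check syntax before replacing a live ruleset. Note that `flush ruleset` at the top removes every existing table, so on a host with other tables loaded you would replace only the `inet filter` table instead.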

These, among other things not listed here, moved Patrick McHardy to start the nftables development, which was originally presented to the Netfilter community at the 6th Netfilter Workshop in Paris (France).