为什么选择 nftables
We like iptables after all, this tool has been serving us (and will likely keep serving still for a while in many deployments) to filter out traffic on both per-packet and per-flow basis, log suspicious traffic activity, perform NAT and many other things. It comes with more than a hundred of extensions that have been contributed along the last 15 years!. Nevertheless, the iptables framework suffers from limitations that cannot be easily worked around:
- Avoid code duplication and inconsistencies: Many of the iptables extensions are protocol specific, so there is no a consolidated way to match packet fields, instead we have one extension for each protocol that it supports. This bloats the codebase with very similar code to perform a similar task: payload matching.
- 通过通用的 set 和 map,实现了更快的数据包分类。
- Simplified dual stack IPv4/IPv6 administration, through the new inet family that allows you to register base chains that see both IPv4 and IPv6 traffic.
- 更好的动态规则集更新支持。
- 为第三方应用程序提供了 Netlink API,就像其它 Linux 网络和 Netfilter 子系统一样。
- 地址语法不一样,提供了更好更简洁的语法。
These, among other things not listed here, moved Patrick McHardy to start the nftables development which was originally presented to the Netfilter community in the 6th Netfilter Workshop in Paris (France)