We like iptables after all: this tool has been serving us (and will likely keep serving in many deployments for a while) to filter traffic on both a per-packet and a per-flow basis, to log suspicious traffic activity, to perform NAT and many other things. It comes with more than a hundred extensions contributed over the last 15 years! Nevertheless, the iptables framework suffers from limitations that cannot be easily worked around:
- Avoiding code duplication and inconsistencies: many of the iptables extensions are protocol specific, so there is no consolidated way to match packet fields; instead there is one extension for each protocol that iptables supports. This bloats the codebase with very similar code that performs essentially the same task: payload matching.
- Faster packet classification through generic set and map infrastructure.
- Simplified dual-stack IPv4/IPv6 administration through the new inet family, which allows you to register base chains that see both IPv4 and IPv6 traffic.
- A Netlink API for third-party applications, as with the other Linux networking and Netfilter subsystems.
These, among other things not listed here, moved Patrick McHardy to start the nftables development, which was originally presented to the Netfilter community at the 6th Netfilter Workshop in Paris (France).
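The following ruleset is an added illustration of the points listed above (generic sets and maps, and an inet-family base chain that filters IPv4 and IPv6 with one set of rules); it is not code from the original page or from the nftables project. The table and chain names, the documentation-range addresses (192.0.2.0/24, 2001:db8::/32) and the allowed service ports are constructed for the example. Load it with `nft -f ruleset.nft` and inspect it with `nft list ruleset`.

```nft
# Added example: one inet table covers both IPv4 and IPv6, so the
# input policy is written once instead of twice (iptables + ip6tables).
table inet filter {
    # Generic sets: a set holds one key type, so IPv4 and IPv6 sources
    # live in two sets, but both are consumed by the same chain below.
    set blocked_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }   # constructed sample range
    }
    set blocked_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }  # constructed sample range
    }

    # Map: destination port -> verdict, one lookup replaces a linear
    # list of per-port rules (the classification speed-up mentioned above).
    map tcp_services {
        type inet_service : verdict
        elements = { 22 : accept, 80 : accept, 443 : accept }
    }

    chain input {
        # Base chain registered on the input hook; sees v4 and v6 traffic.
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid counter drop
        iif "lo" accept

        # Same rule shape for both families, no protocol-specific extension.
        ip saddr @blocked_v4 counter drop
        ip6 saddr @blocked_v6 counter drop

        # Keep basic ICMP/ICMPv6 working (neighbour discovery needs the latter).
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Verdict map lookup: accept listed services, fall through otherwise.
        tcp dport vmap @tcp_services

        # Rate-limited logging of what the drop policy is about to discard.
        limit rate 5/minute log prefix "nft-input-drop: "
    }
}
```

Note that `counter` on the drop rules gives per-rule hit counts via `nft list ruleset`, which is the quickest way to confirm that a blocklist entry is actually matching rather than silently falling through to the chain policy.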