
Iptables and Netfilter were introduced in 2001 with Linux 2.4 as the kernel's firewall layer. The functionality and the code changed quite a lot over the decade that followed, but nothing comparable to what has been done with nftables.

The motivation for this change is to overcome the limitations of iptables, which was beginning to show its age both in functionality and in code design: rule-set updates are expensive (the cost grows with the number of rules, which has become a problem for managing rule sets that are not static), and code is duplicated, which is a burden for maintainers and users alike.

Nftables is a replacement for iptables that has been developed since 2008 by Patrick McHardy, who is the head of the Netfilter project. After a dormant period, development resumed in 2012 and a team of developers has formed and is working on the project.

Nftables solves the update-performance problem with a message-based protocol between the kernel and user space. The Netlink infrastructure was chosen because it is the basis of the latest major Netfilter developments.

The most notable changes:

  • incremental and atomic rule-set updates, guaranteeing both the performance and the consistency of the rule set
  • rules expressed as instructions for a pseudo-machine, which avoids the heavy work of writing a kernel module and an extension for each new operation
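As an added example that is not part of the original post, here is a ruleset file in today's nft syntax (the syntax was still changing in 2013) that relies on the atomic behaviour described above: `nft -f` hands the whole file to the kernel in one Netlink batch, so the firewall never sits in a half-loaded state between the `flush ruleset` and the last rule. The port numbers and the log prefix are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the original post.
# Load with: nft -f ruleset.nft
# The file is sent to the kernel as a single transaction: either every
# object below is committed, or the previous ruleset stays in place.
flush ruleset

table inet filter {
    # Named set: one lookup replaces one rule per port, and a later
    # `nft add element inet filter allowed_tcp { 8443 }` is an
    # incremental update that does not touch the other rules.
    set allowed_tcp {
        type inet_service
        elements = { 22, 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Keep established flows and drop packets conntrack cannot classify.
        ct state established,related accept
        ct state invalid drop

        iif lo accept

        # New connections only to the ports in the set.
        tcp dport @allowed_tcp ct state new accept

        # Rate-limited ping so a flood cannot consume the host.
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert } accept

        # Count and log what reaches the default policy.
        counter log prefix "nft-drop: " drop
    }
}
```

Running `nft -c -f ruleset.nft` checks the file without applying it, which is the step to put in front of any automated reload.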

Nftables goes beyond the limitations of iptables and brings novelties that should solve many problems in an elegant and efficient way. The work already done is significant; only the high-level library has not yet been developed. Given the remaining work, the first official release is planned for late 2013.

Eric Leblond
