Nftables
nftables was an engine and administration tool for packet filtering and classification for Linux, intended to replace iptables. The project stayed in the alpha stage and appeared to be abandoned (no new development since July 2010), and the official website was removed in 2009. In March 2010, emails from the author on the project mailing lists showed that the project was still active and approaching a beta release, but that release was never shipped officially.

The author of nftables is Patrick McHardy, who is also the maintainer of netfilter.

The project aims included:
  • simplification of the kernel ABI
  • reduction of code duplication
  • improved error reporting
  • more efficient execution, storage, and incremental changes of filtering rules


The currently used iptables, ip6tables, arptables, and ebtables (for IPv4, IPv6, ARP, and Ethernet bridging respectively) were to be replaced with a single unified implementation, nftables, built on top of a custom virtual machine.

The project was first publicly presented at the Netfilter Workshop in September 2008 in Paris. The first preview release of the kernel and userspace implementation was made in March 2009. Although the tool has been called "...the biggest change to Linux firewalling since the introduction of iptables in 2001", it has received little press. Notable hacker Fyodor Vaskovich (Gordon Lyon) said that he is "looking forward to its general release in the mainstream Linux kernel."
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.