nftables is the modern Linux kernel subsystem for packet filtering and traffic classification. It replaces the legacy {ip,ip6,arp,eb}tables infrastructure with a unified framework. The system utilizes a stateful virtual machine within the kernel that executes bytecode to process network packets, providing greater flexibility and lower overhead than its predecessors.
Unlike iptables, where protocol logic is hardcoded into kernel modules, nftables uses a generic evaluation engine. It leverages advanced data structures like sets, maps, and concatenations to optimize rule lookups. This allows the system to handle complex rulesets with thousands of entries while maintaining high throughput and low CPU utilization.
How it works
- Atomic Operations: Ruleset updates are performed in a single transaction, preventing inconsistent firewall states during configuration changes.
- Unified Syntax: A single utility, nft, manages IPv4, IPv6, ARP, and bridging rules.
- Efficiency: Reduced kernel code duplication results in a smaller memory footprint and faster execution.
It is used for building high-performance firewalls, configuring NAT, and implementing rate limiting. For example, to drop traffic from a specific subnet: nft add rule ip filter input ip saddr 192.168.1.0/24 drop. Performance benchmarks show that nftables outperforms iptables significantly when dealing with large, dynamic blacklists.
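The set-based, atomic approach described above, as an added example that is not part of the original article: a POSIX shell script that generates a ruleset blocking the 192.168.1.0/24 subnet from the text through a set rather than a per-address rule, validates it with nft -c, and loads it with nft -f so the old and new rulesets are swapped in one transaction. The table and chain names (inet filter, input), the set name blocklist and the SSH rate limit are assumptions chosen for this example; loading requires root and the nft binary.

```shell
#!/bin/sh
# Added example (not from the original article): build an nftables ruleset that
# keeps a dynamic blocklist in a set and apply it as one atomic transaction.
# Assumptions: table "inet filter", chain "input" and set "blocklist" are names
# chosen here; 192.168.1.0/24 is the subnet used in the article's example.

# Print the ruleset. "flush ruleset" followed by the table definition in the
# same file means `nft -f` replaces the old ruleset atomically: there is no
# window in which only part of the new rules is active.
build_ruleset() {
    blocked="$1"    # comma-separated prefixes, e.g. "192.168.1.0/24, 10.9.0.0/16"
    cat <<EOF
flush ruleset
table inet filter {
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { ${blocked} }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip saddr @blocklist drop
        # rate limit new SSH connections instead of adding per-host rules
        tcp dport 22 ct state new limit rate 10/minute accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert } accept
    }
}
EOF
}

# Validate the ruleset without loading it (-c), then load it in one transaction.
# Returns nft's exit status so callers can detect a rejected ruleset.
apply_ruleset() {
    file=$(mktemp) || return 1
    build_ruleset "$1" > "$file"
    nft -c -f "$file" && nft -f "$file"
    rc=$?
    rm -f "$file"
    return $rc
}

# Later additions to the blocklist do not require reloading the whole ruleset:
#   nft add element inet filter blocklist { 203.0.113.7 }
build_ruleset "192.168.1.0/24"
```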