2 Using the nftables Framework
This chapter describes how to convert iptables and ip6tables rules to the nftables framework.

The nftables framework is the default network packet filtering framework in Oracle Linux and replaces the iptables framework. The nftables framework includes packet classification facilities, added convenience, and improved performance over the iptables framework that was used in previous releases. The nftables framework was first introduced in Oracle Linux 8. Information about this change is described in Oracle Linux 8: Release Notes for Oracle Linux 8.
Converting iptables to nftables
If you query the system's iptables version, Oracle Linux 8 clearly indicates that nftables is used as the packet filtering framework:
sudo iptables --version
iptables v1.8.2 (nf_tables)
Otherwise, the output would be similar to the following example:
sudo iptables --version
iptables version (legacy)
Utilities are available to convert filter rules in iptables and ip6tables to their equivalents in the nftables framework. Choose one of the following ways.
- Use the iptables-translate or ip6tables-translate command, depending on the type of tables you want to convert. If a rule can't be translated because of an unrecognized extension in the rule, the command prints the untranslated rule preceded by the # sign.
sudo iptables-translate -A INPUT -j CHECKSUM --checksum-fill
nft # -A INPUT -j CHECKSUM --checksum-fill
- Save the rules to a dump file, then use the iptables-restore-translate or ip6tables-restore-translate command, depending on the type of tables you want to convert.
sudo iptables-save > /tmp/iptables.dump
sudo iptables-restore-translate -f /tmp/iptables.dump
translated-rules
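Because the translator turns any rule it cannot convert into a comment, a translated ruleset loaded with nft -f will succeed while silently omitting those rules. The following added example (not part of the Oracle documentation) scans translated output for such commented-out rules before loading; it assumes untranslated rules appear as lines beginning with "# -A", and the sample ruleset is constructed.

```shell
#!/bin/sh
# Constructed sample of iptables-restore-translate output in which one rule
# (CHECKSUM target) could not be translated. Assumption: the translator
# emits untranslated rules as comment lines starting with "# -A".
SAMPLE_TRANSLATED='# Translated by iptables-restore-translate
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add rule ip filter INPUT ct state established,related counter accept
add rule ip filter INPUT tcp dport 22 counter accept
# -A INPUT -j CHECKSUM --checksum-fill
add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }'

# Print every rule the translator left as a comment (the original
# iptables syntax), so an administrator can rewrite it by hand.
untranslated_rules() {
    printf '%s\n' "$1" | grep '^# -A' || true
}

# Number of untranslated rules in the given ruleset text.
count_untranslated() {
    printf '%s\n' "$1" | grep -c '^# -A' || true
}

# Number of rules that did translate ("add rule" lines).
count_translated() {
    printf '%s\n' "$1" | grep -c '^add rule' || true
}

# Gate before "nft -f": succeed only when no rule was dropped.
check_translation() {
    if [ "$(count_untranslated "$1")" -ne 0 ]; then
        echo "Untranslated rules found; rewrite them before loading with nft -f:" >&2
        untranslated_rules "$1" >&2
        return 1
    fi
    return 0
}

# Typical use on a real file: check_translation "$(cat /tmp/translated.nft)"
check_translation "$SAMPLE_TRANSLATED"
```

Run the gate against the file produced by iptables-restore-translate before passing it to nft -f; a non-zero exit means at least one rule from the old ruleset would be missing from the new one.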