3.12.1 Replacement of iptables With nftables

In Oracle Linux 8, the default iptables network packet filtering framework has been replaced with the nftables framework. As the designated successor to iptables, ip6tables, arptables, and ebtables, nftables includes packet classification facilities and several improvements that provide added convenience and better performance compared with the previously used packet-filtering tools.

The nftables implementation provides the following improvements:

  • Replacement of linear rule processing with lookup tables (nftables sets and maps)

  • Single framework for both the IPv4 and IPv6 protocols

  • More consistent and compact syntax

  • Support for debugging and tracing in the ruleset with nftrace

  • Netlink API for third-party applications

Note the following additional information about the nftables implementation:

  • The nftables framework uses tables for storing chains, similarly to iptables. Chains contain individual rules for performing actions.

  • The nft tool replaces all of the previously used packet-filtering framework tools.

  • You can use the libnftables library for low-level interaction with the nftables Netlink API over the libmnl library.

  • The iptables, ip6tables, ebtables, and arptables tools are replaced by nftables-based drop-in replacements that use the same names.

    Although these tools accept the same command lines and behave identically to their legacy counterparts, internally they submit rules through the nftables kernel API and, where a rule needs a legacy netfilter match or target module, load that module through a compatibility interface.

    You can use the nft list ruleset command to observe the effect of these tools on the nftables ruleset. Note, however, that these tools add their tables, chains, and rules to the single nftables ruleset. Ruleset-wide nftables operations, for example the nft flush ruleset command, therefore also remove rules that were installed by using the legacy commands, whereas with the legacy tools these rulesets were separate. Check the contents of the ruleset before flushing it.

    To determine which back end the tool is using, run the iptables --version command; the version string has been updated to include the back-end name. For example, on Oracle Linux 8 the nftables-based iptables tool displays the following information:

    # iptables --version
    iptables v1.8.2 (nf_tables)

    If the legacy version of the iptables tool is installed instead, the output is as follows:

    # iptables --version
    iptables v1.8.0 (legacy)
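    The following POSIX shell script is an added example and not part of the Oracle Linux documentation. It performs the two checks described above: it classifies the back end reported by iptables --version, and it lists the tables present in an nft list ruleset dump so that a ruleset is not flushed blind while it still holds rules installed through the nftables-based iptables tool. The function names (iptables_backend, ruleset_tables, safe_to_flush, and so on) and the sample ruleset dump are assumptions constructed for this example; the dump is written in the format that nft list ruleset prints, with the ip filter table being the kind that the nftables-based iptables creates.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux documentation): detect which
# iptables back end is in use and list the tables in a ruleset dump before
# running `nft flush ruleset`. Needs only POSIX sh and awk; the iptables and
# nft binaries are used only if present on PATH.

# Classify one `iptables --version` output line as nf_tables, legacy or unknown.
iptables_backend() {
    case "$1" in
        *'(nf_tables)'*) echo nf_tables ;;
        *'(legacy)'*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Back end of the iptables binary on PATH; prints "absent" if none is installed.
installed_iptables_backend() {
    if command -v iptables >/dev/null 2>&1; then
        iptables_backend "$(iptables --version 2>/dev/null)"
    else
        echo absent
    fi
}

# Print "family name" for every table in an `nft list ruleset` dump read
# from stdin, one table per line.
ruleset_tables() {
    awk '$1 == "table" && $4 == "{" { print $2, $3 }'
}

# Number of tables in a dump passed as the first argument.
ruleset_table_count() {
    printf '%s\n' "$1" | ruleset_tables | awk 'END { print NR }'
}

# Succeed only when the dump holds no tables at all: a flush removes every
# table, including those created by the nftables-based iptables tool.
safe_to_flush() {
    [ "$(ruleset_table_count "$1")" -eq 0 ]
}

# Tables in the live ruleset (requires nft on PATH and, normally, root).
live_ruleset_tables() {
    command -v nft >/dev/null 2>&1 || return 1
    nft list ruleset 2>/dev/null | ruleset_tables
}

# Constructed sample dump (assumption, not captured from a real host): the
# `ip filter` table is what the nftables-based iptables creates for its
# INPUT chain; `inet mytable` is a native nftables table.
SAMPLE_RULESET='table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		tcp dport 22 counter packets 0 bytes 0 accept
	}
}
table inet mytable {
	chain input {
		type filter hook input priority filter; policy drop;
	}
}'

# Run with --demo to print the checks against the sample dump.
if [ "${1:-}" = "--demo" ]; then
    echo "iptables back end on this host: $(installed_iptables_backend)"
    echo "tables in the sample ruleset:"
    printf '%s\n' "$SAMPLE_RULESET" | ruleset_tables
    if safe_to_flush "$SAMPLE_RULESET"; then
        echo "ruleset is empty; flushing is safe"
    else
        echo "ruleset still holds tables; do not run nft flush ruleset blindly"
    fi
fi
```

    Feed live_ruleset_tables the real ruleset on a host where both native nft rules and rules added with the nftables-based iptables exist, and the ip filter, ip nat and similar tables appear alongside the native ones; that is exactly the set that nft flush ruleset would remove together.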