2 Using the nftables Framework

This chapter describes how to convert iptables and ip6tables to the nftables framework.

The nftables framework is the default network packet filtering framework in Oracle Linux and replaces the iptables framework. The nftables framework includes packet classification facilities, added convenience, and improved performance over the iptables framework that was used in previous releases. The nftables framework was first introduced in Oracle Linux 8. Information about this change is described in Oracle Linux 8: Release Notes for Oracle Linux 8.

Converting iptables to nftables

Querying the iptables version on Oracle Linux 9 shows that nftables is the packet filtering framework in use; the nf_tables tag in the output indicates the backend:

sudo iptables --version
iptables v1.8.7 (nf_tables)

If the legacy iptables backend were in use instead, the output would be similar to the following example:

sudo iptables --version
iptables version (legacy)

Note:

The iptables-nft and ipset packages that include utilities such as iptables, ip6tables, ebtables and arptables are deprecated in Oracle Linux 9. Use the nftables framework to configure firewall rules directly or use the firewalld service instead.

Utilities are available to convert filter rules in iptables and ip6tables to their equivalents in the nftables framework. Use one of the following methods.

  • Use the iptables-translate or ip6tables-translate command, depending on the type of tables you want to convert. If a rule can't be translated because of an unrecognized extension in the rule, the command prints the untranslated rule preceded by the # sign; such rules must be rewritten by hand before the ruleset is loaded.

    sudo iptables-translate -A INPUT -j CHECKSUM --checksum-fill
    nft #  -A INPUT -j CHECKSUM --checksum-fill
  • Save the rules to a dump file, then use the iptables-restore-translate or ip6tables-restore-translate command, depending on the type of tables you want to convert.

    sudo iptables-save > /tmp/iptables.dump
    sudo iptables-restore-translate -f /tmp/iptables.dump
    translated-rules
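The translated output should be checked for rules the tool could not convert before it is loaded with nft, because an untranslated rule is emitted as a comment and would otherwise be dropped silently. The following script is an added example and is not part of the Oracle Linux documentation: it scans translation output for the "# -A ..." marker described above (it accepts both the "nft # ..." form shown for iptables-translate and a bare "# ..." line, which is assumed to be the form used by iptables-restore-translate), lists the rules that need manual attention, and returns a non-zero status if any are found. The sample translation text is constructed for the example, not captured from a system.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux documentation): verify the output of
# iptables-restore-translate before loading it with nft. Rules that the
# translator could not convert are printed as comments holding the original
# iptables rule, e.g. "nft # -A INPUT -j CHECKSUM --checksum-fill".

# Constructed sample of translation output (not real system output).
SAMPLE_TRANSLATION='# Translated by iptables-restore-translate (constructed sample)
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add rule ip filter INPUT ct state established,related counter accept
nft # -A INPUT -j CHECKSUM --checksum-fill
add rule ip filter INPUT tcp dport 22 counter accept'

# Read translation text on stdin and print only the untranslated iptables
# rules, with the "nft #" / "#" marker removed. Ordinary comment lines such
# as the "# Translated by ..." header are not matched because they do not
# start with an iptables option after the marker.
untranslated_rules() {
    grep -E '^(nft )?# *-[A-Z]' | sed -E 's/^(nft )?# *//'
}

# Report how many rules were left untranslated in the text given as $1.
# Returns 0 when the translation is complete, 1 when manual work is needed.
check_translation() {
    count=$(printf '%s\n' "$1" | untranslated_rules | wc -l | tr -d ' ')
    echo "untranslated rules: $count"
    [ "$count" -eq 0 ]
}

# Workflow on a live system (commented out: needs root and the iptables tools):
#   sudo iptables-save > /tmp/iptables.dump
#   sudo iptables-restore-translate -f /tmp/iptables.dump > /tmp/ruleset.nft
#   check_translation "$(cat /tmp/ruleset.nft)" && sudo nft -f /tmp/ruleset.nft

if check_translation "$SAMPLE_TRANSLATION"; then
    echo "all rules translated; safe to load with nft -f"
else
    echo "rewrite these rules by hand before loading:"
    printf '%s\n' "$SAMPLE_TRANSLATION" | untranslated_rules
fi
```

Run on the sample, the script reports one untranslated rule (the CHECKSUM target) and prints it, so the ruleset is not loaded until that rule has been replaced with its nftables equivalent.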