11 comments

[ 11.5 ms ] story [ 893 ms ] thread
Personally, I think that if you aren't already familiar with iptables, nftables is easier to learn and understand, with the caveat that there is a lot existing documentation, tutorials, etc. for iptables, and significantly less for nftables.
Also google will sometimes treat iptables as a synonym for nftables which is extremely frustrating
I also had my first encounter recently because I bought a new home router and the OpenWRT 22.xx beta now uses nft. Fortunately, the web interface works fine, but I had trouble with IPv6 forwarding, for some reason (I think the default just does not enable it), so had to debug a bit on the command line.

I was annoyed at first, but the transition is easy:

- iptables-translate can help convert rules

- nft avoids having to duplicate ipv4/ipv6 rules

- using the pf syntax and reloading the entire file will avoid reloading if there is a syntax error in a rule (iptables would run as a bash script and have unpredictable results)

- the syntax is fairly similar, but less ugly, similar to tcpdump

> nft avoids having to duplicate ipv4/ipv6 rules

Sometimes.

    # IPv4 TCP traffic
    ip protocol tcp         reject with tcp reset
    # IPv6 TCP traffic (note: "6" is TCP protocol, not IPv6)
    meta l4proto 6          reject with tcp reset
nftables has some rough API, and to my mind design, edges. It strikes me as being very bottom-up driven--specific kernel rountines and data structures were targetted, and then some kind of API was figured out. The documentation kind of reflects that, too; much more "this is what changed, this is how the flow changes", than "here's how this general goal should be approached."

That said, it works, its an improvement on iptables, and the configuration isn't any worse than iptables. Kernel maintainers really do prefer bottom-up; green-field replacements are frowned on because they're hard to digest and vet.

> using the pf syntax and reloading the entire file will avoid reloading if there is a syntax error in a rule (iptables would run as a bash script and have unpredictable results)

False. iptables-save and iptables-restore does exactly that.

> - the syntax is fairly similar, but less ugly, similar to tcpdump

Also false and especially false and ignorant given the syntax complexity and non-friendliness has been a major complaint of the userbase since NFT's inception. But this isn't a suprise: nft syntax was purposefully designed to be better for computers at the expense of humans. It just happens to be that it's more difficult to write rules for humans, but easier for the interpreter and tools to work with them.

As a debian boomer who fears change I'm still confused about whether nftables is the new firewall to use or bpf is now shiny new thing.

Been putting off learning either but I guess if it's in Ubuntu 22 I should probably jump in and give it a try.

The demise of iptables is long overdue, such terrible UX and non-intuitive cli options.

Compared to working with iptables, nftables is like this haiku:

  Multiple IP protocols
  Service names for ports
  Chains happy

  Sacred connection tracking
  Automatically available for me
  Configuration bliss
  
  BPF may be future
  But time is only now
  lo accept
That is to say, I don't think bpfilter is ready yet, but nftables is already great compared to most firewalls short of PF.

(With apologies to Jason Dixon and his PF haiku: https://marc.info/?l=openbsd-pf&m=108507584013046&w=2 )

nftables is the current choice.

bpfilter may be the future, but it isn't moving fast.

One of the nicest things about nftables is the way most distros has packaged it: with a service named "nftables" that runs a base config file from a standard location (usually /etc/nftables.conf or /etc/sysconfig/nftables.conf). With iptables, it seemed like every distro had a different "standard" way of configuring the base ruleset (through various services and init scripts) -- and changed it up every few years.
> This experience is much better than the traditional iptables approach, where the 'load from file' and 'save to file' operations have the feel of a hack rather than a designed format and it can be easier to automate your rule setup with a script.

I found that statement to be weird given the existence of iptables-save and iptables-restore.

Anyway.

I manage a large fleet of OpenWRT devices with some crazy iptables stuff.

I have played with NFT multiple times over the last decade. It's never gone well. Like systemd and wayland it's being over-hyped by influenced teenagers that don't know what they are talking about and distro-paid bloggers.

NFT has a lot of problems and there's still a few things that it can't do, mostly because of missing modules.

I hope some day NFT becomes a good proper successor to iptables, but unfortunately the transition has been really slow, drawn out, and it's being pushed as a solid solution when it's just not ready.