Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×
Networking Linux

NFTables To Replace iptables In the Linux Kernel 235

An anonymous reader writes "NFTables is queued up for merging into the Linux 3.13 kernel. NFTables is a four-year-old project by the creators of Netfilter to write a new packet filtering / firewall engine for the Linux kernel to deprecate iptables (though it now offers an iptables compatibility layer too). NFTables promises to be more powerful, simpler, reduce code complication, improve error reporting, and provide more efficient handling of packet filter rules. The code was merged into net-next for the Linux 3.13 kernel. Iptables will still be present until NFTables is finished, but it is possible to try it out now. LWN also has a writeup on NFTables."
This discussion has been archived. No new comments can be posted.

NFTables To Replace iptables In the Linux Kernel

Comments Filter:
  • again? (Score:5, Interesting)

    by Leroy Brown ( 71070 ) <leroy@yoyoyo.net> on Saturday October 19, 2013 @07:14PM (#45177545) Homepage

    ipfwadm.. ipchains.. iptables.. nftables... progress sucks. :(

    • Re:again? (Score:5, Interesting)

      by Anonymous Coward on Saturday October 19, 2013 @07:22PM (#45177583)

      And the iptables docs haven't even been finished yet. I was at the North Carolina Biotechnology Center at the Linux Expo in 1997 when one of the speakers that was talking about iptables promised they would write docs for it. I think I was the only teen girl and only black female there, so if you were there, you'll probably remember me. How about finishing what you start rather than screwing the users with half-ass unfinished projects?

      • Re:again? (Score:5, Insightful)

        by jamesh ( 87723 ) on Saturday October 19, 2013 @07:40PM (#45177723)

        Documentation: There is a quick howto available at Eric Leblond's website.

        Yeah I guess a "quick howto" isn't quite going to cut it. I wonder if Linus would ever put his foot down and say "no docs = no patch accept".

        • Re:again? (Score:5, Funny)

          by Anonymous Coward on Saturday October 19, 2013 @09:25PM (#45178229)

          Don't you know? Open-source software doesn't need docs, because the best docs available are the sources.

      • I've always found the iptables tutorial from frozentux to be reasonablly comprehensive, maybe it's missing some really fancy stuff but the important stuff about the theory of operation and what the targets do is all there.

      • I learned iptables from the data available online pretty quickly. There are lots of good guides and a decent man page too.

        Granted, I already understood ipchains very well at the time it was released but I don't see the need for much more extensive documentation.

      • Well, there's a point in abandonning a project that can't even document itself.

        But I'd disagree. Iptables was a huge success, and the fact that the official docs isn't that good was eclipsed by how powerfull the software is. But there's a point when you can't simply add features to an old software anymore, and needs to start from scratch. Looks like we are at that point.

      • Re:again? (Score:5, Interesting)

        by ras ( 84108 ) <russell-slashdot@stuar t . id.au> on Sunday October 20, 2013 @09:10PM (#45184693) Homepage

        Hear hear! A bit of background to the politics of this:

        NFTables is brought to you by a group of codes created when Alexey Kuznetsov decided to replaced the low level linux network stack for Linux 2.2 to make it more like what Cisco provided in IOS. The result added whole pile of new functionality to Linux (eg routing rules), and a shiny new highly module traffic control engine. Alexey produced a beautifully written postscript documentation [smc.edu] for the new user land routing tools (the "ip" command), and 100 line howto [columbia.edu] for the far more complex traffic control engine tools (the "tc" command).

        Technically it was a was tour de force. But to end users it could at best be called a modest success. Alexey re-wrote the net-utils tools ("ifconfig", "route" and friends) to use the new system, and did such a good job very few bothered to learn the new "ip" command even though the documentation was good and it introduced a modest amount of new features. But real innovation was the traffic control engine, and to this day bugger all people know how to use it.

        At this point it could have gone two ways. Someone could have brought tc's documentation up to the same standard Alexey provided for ip, or they could ignore the fact that almost no one used the code already written and add more of the same. They did the latter.

        It was also at this time the network code wars started in the kernel. Not many people know that a modest amount of NAT, filtering and so on can be done by Alexey's new ip command. But rather than build on that Rusty Russell just ported the old ipfwadm infrastructure, called it ipchains (and later replaced it with iptables). There was some overlap between Rusty's work and tc, and this has grown over time. For example the tc U32 filter could do most of the packet tests ipchain's introduced over time on day 1. Technically the modular framework provided by tc was more powerful than ipchains, and inherently faster. Tc was however near impossible for mere mortals to use even if they had good documentation. There were some outside efforts to fix this - tcng [sourceforge.net] was an excellent out-of-tree attempt to fix the complexity problems of tc. But in what seems like a recurring theme, it was out of tree and ignored. In contrast, Rusty provided ipchains with the some best documentation on the planet. In the real world the result of these two efforts are plain to see - while man + dog uses iptables, there maybe 100 people on the planet who can use tc.

        Another example of the same thing is IMQ [linuximq.net]. IMQ lets you unleash the full power of the traffic control engine on incoming traffic. (Natively the traffic control engine only deals with packets being sent, not incoming packets - a limitation introduced for purely philosophical reasons). IMQ was very well documented, and heavily used. The people who brought you tc had a list of technical objections to IMQ. I don't know whether they were real or just a case of Not Invented Here, but I'd give them the benefit of the doubt - they are pretty bright guys. So they replaced it with their own in-kernel-tree concoction. (For those of you who don't follow the kernel "in-tree" means it comes with the Linux Kernel. An out-of-tree module like IMQ means at the very least you have to compile the module source, and possibly the entire kernel.) For a while this discouraged the developers of IMQ so much they stopped working on it. If you follow that link, you will see it's back now. Why? Because the thing that replaced it had absolutely no documentation. They never do. So no one could use the replacement. Again, in the end, the thing code that was documented won the day.

        By now you might be guess where this is heading. We have two groups in the kernel competing to provide the

    • Re: (Score:2, Insightful)

      by mcgrew ( 92797 ) *

      ipfwadm.. ipchains.. iptables.. nftables... progress sucks. :(

      Go to bed, grandpa. It will be transparent to the end user. I'm looking forward to it.

    • Re:again? (Score:5, Insightful)

      by evilviper ( 135110 ) on Sunday October 20, 2013 @12:46AM (#45178951) Journal

      ipfwadm.. ipchains.. iptables.. nftables... progress sucks. :(

      Not trying to troll or flame here, BUT...

      That's not the fault of "progress", it's just a Linux thing... Same thing happened with audio, file systems, and much more.

      The BSDs:

      * haven't changed their audio systems since their inception.

      * Kept their file systems backwards-compatible for decades, and did not have a flood of XFS/JFS/ReiserFS/etc. options. There have been changes recently, but incredibly few by comparison.

      * Used the powerful and simple IPF as their stateful firewall dating back before many /.ers were born... at least 1993 or so. Only changed to PF (with very similar syntax) after IPF's license was changed, and all the BSD still use it. There are some alternative projects, but again, even with several BSDs, there's still less churn than with Linux.

      • Re:again? (Score:4, Informative)

        by Kjella ( 173770 ) on Sunday October 20, 2013 @06:59AM (#45179727) Homepage

        And they're down to 1.1% [w3techs.com] of all web servers, all FreeBSD. From the list of "Popular websites using FreeBSD" only one is in Alexa's top 500 and that's php.net [alexa.com]. The Alexa rankings:

        php.net: 229
        turbobit.net: 557
        jvzoo.com: 771
        cpanel.net: 1096
        neoseeker.com: 5488
        starpulse.co: 5818
        salespider.com: 4710
        weblancer.net: 5125
        extranetinvestment.com: 5834
        msi.com: 6702

        It is literally less than a handful (the top four) that means BSD even still has a presence and 80% of that is probably just one site. I guess BSD code is lots of places like in OS X and embedded and routers and whatnot but BSD is practically dead as a server (cue and queue the Netcraft and Monty Python jokes, please take a number). Who, at this point, would be interested in building a new network stack for BSD? I guess Juniper would since they use it for Junos, but honestly not that many others...

        • by pnutjam ( 523990 )
          BSD is interesting to me. I tried to use it for an internal netdisco install. I've been using Linux for at least a decade and I've built plenty of LAMP servers.
          Sure enough, I got NetDisco working and everything seemed great, until I decided to run and update on the system...

          Still can't get apache to load... probably going back to openSUSE...
        • Re:again? (Score:4, Informative)

          by rmadmin ( 532701 ) <rmalek@@@homecode...org> on Sunday October 20, 2013 @10:18AM (#45180361) Homepage
          http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/nutshell.html#introduction-nutshell-users [freebsd.org] You also forgot some biggies, like Netflix, oh and Apache themselves. Sampling an OS's usage numbers off of how many public facing web servers are out there will give you very biased results. I have two FreeBSD servers running OpenBGPd and OpenOSPFd, and two that are NFS servers, there is absolutely no web server on them. They are ROCKS of stability. This is just FreeBSD, a partner ISP I work with runs OpenBSD route reflectors.
        • by fisted ( 2295862 )

          Who, at this point, would be interested in building a new network stack for BSD?

          Nobody. Because it is excellent already. Ask ISPs.
          Your argument for change for change's sake is invalid.
          Also it's an obvious fallacy to restrict yourself to looking at www only.

          Either you're stupid/ignorant, or you really are a troll. I'll give you the benefit of the doubt.

      • Only changed to PF (with very similar syntax) after IPF's license was changed, and all the BSD still use it ... there's still less churn than with Linux.

        The BSD's are definitely more stable. Linux makes more progress, sometimes by adopting other projects' work when it's better. There's no way to have both rapid progress and stability, so it's good that the community has a choice (I avoided saying 'communities' on purpose).

        I've been using BSD for routing and firewalling for about a decade, first by m0n0wal

    • by davecb ( 6526 )

      cat iptables | ip2if_compile | iftables_decompile
      Passing it through a compiler to the iftables virtual machine and then decompiling/describing avoids some "that phrases does not translate" problems. If one can't compile arbitrary iftables code for the vm, then the vm is formally incomplete (:-))


  • Bah (Score:5, Funny)

    by Billly Gates ( 198444 ) on Saturday October 19, 2013 @07:18PM (#45177567) Journal

    IPChains work just fine thank you very much!

    Kernel 2.4 works fine for my needs. You kids today have no idea what it is like upgrading thousands of computers at work! Especially when you have to justify to a beancounter to upgrade an IP table that has worked fine since October 2001 and already works. It is an enterprise standard that works so why fix what isn't broken?

    Last thing I need is another confusing IP table interface designed for teenagers.

    With a modern AV I should be just fine if I do not go to questionable websites.

    • Re: (Score:3, Insightful)

      by d33tah ( 2722297 )
      You don't worry about security too much, do you? As far as I know, 2.4 is not supported anymore.
      • by morcego ( 260031 )

        Not to mentioned 2.4 was iptables already.
        Ipchains was 2.0, maybe 2.2, if I recall.

      • by icebike ( 68054 )

        Being unsupported is not a death sentence.

        As long as iptables/ipchains works, and/or you don't have a ton of open ports, there's really no problem running old kernels.
        80% of the routers in the world are running some really old kernels and have/will never get updates. Baring any newly discovered backdoors,
        they are as secure today as they ever were.

        • Re:Bah (Score:5, Insightful)

          by lgw ( 121541 ) on Sunday October 20, 2013 @01:50AM (#45179109) Journal

          All malware today uses ports 80 and 443. Port-based firewalling is a meaningless ritual from the previous century.

          • Re:Bah (Score:5, Insightful)

            by Kjella ( 173770 ) on Sunday October 20, 2013 @07:15AM (#45179757) Homepage

            All malware today uses ports 80 and 443. Port-based firewalling is a meaningless ritual from the previous century.

            I think you're confusing cause and effect, if we didn't have port based firewalls we'd still have Blaster-style worms spreading like wildfire. Because we've locked things down to a few approved ports, naturally that's where they try getting in.

          • That's not true -- port based firewalling prevents inbound packets to services you want to run but don't want to be accessed from the outside.

            • by lgw ( 121541 )

              Much better to think in terms of servers you want to run but don't want to be accessed from the outside.

    • We kids have no idea what its like upgrading thousands of computers at work because unlike you, grandpa, we use [Ansible [ansibleworks.com] / Salt [saltstack.com] / Chef [opscode.com] / CFEngine [cfengine.com] / Puppet [puppetlabs.com]]. And making changes to thousands and thousands of machines takes seconds to send out to all of them. A bit more time to verify, and any that are stuck can be rebuilt from scratch in a few more moments without even worrying about why it didn't work the first time.

      Second point: why would you need some kind of interface to your firewall rules. Its a text f
  • Noooooo (Score:5, Funny)

    by binarylarry ( 1338699 ) on Saturday October 19, 2013 @07:23PM (#45177591)

    All my precious iptables knowledge gone!

    Linus hates us precious! Hates us!

    • Re:Noooooo (Score:5, Interesting)

      by binarylarry ( 1338699 ) on Saturday October 19, 2013 @07:24PM (#45177613)

      Okay so after RTFMing, I like the changes.

      It reminds me of the ip command, which is so much better than route.

      NFTables FTW!

      • Here's something interesting:

        IPv6 NAT is possible

        I didn't realize they were working on that.

        • Re:Noooooo (Score:5, Interesting)

          by dbIII ( 701233 ) on Sunday October 20, 2013 @09:36AM (#45180179)
          It's as useless as having the option of having car windows painted black, but people wanted it so it's there (so I've heard - I'm an end user not a developer of this).
          When NAT came in it was a pity we needed that shit due to a lack of numbers instead of having everything adressable, and now for some reason people like the smell of that shit. They think it smells like security.
          If you think I'm wrong please spend at least five minutes learning how a firewall works and look up router on wikipedia or something before you reply. You should work out from that that the devices that provide the security will still be upstream whether you have NAT or not.
          • The only thing I've ever heard that makes any sense is topology hiding. Not worth breaking the internet IMO, but it's the only thing about NAT that I can understand why people want, and can't really be done another way.
      • All my precious iptables knowledge gone!

        Linus hates us precious! Hates us!

        1 minute later...

        Okay so after RTFMing, I like the changes.

        NFTables FTW!

  • pf (Score:5, Informative)

    by Alioth ( 221270 ) <no@spam> on Saturday October 19, 2013 @07:24PM (#45177609) Journal

    Can't we have OpenBSD pf instead? Powerful, nice, decent documentation on how to use it, syntax that makes a lot more sense than iptables.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Can't we have OpenBSD pf instead? Powerful, nice, decent documentation on how to use it, syntax that makes a lot more sense than iptables.

      That would be nice. I was very happy when pf was imported into NetBSD (my preferred BSD). iptables is just meh in comparison. I'll reserve judgment on this NFTables until I see it for myself.

    • You can.

      1) Use OpenBSD

      2) Use FreeBSD

      3) Use Debian with a FreeBSD kernel [debian.org]. This is debian and the kernel has PF. You get everything you want.
    • by epyT-R ( 613989 )

      Go right ahead.. It's a free download.

    • Sure. You can use it in OpenBSD, in FreeBSD, in NetBSD or in OSX.

    • if it s a question about Linux, check LWN. They already have the question and the answer. https://lwn.net/Articles/325194/ [lwn.net]
    • If you weren't already +5 informative, I would have up-voted you. pf has syntax so logical it's almost like speaking English. Then, in comparison, you have to memorize a variety of command flags to get anything done with iptables.

      Mind you, personally i'm a FreeBSD user and (I think?) you can't actually get iptables for *BSD, and I don't have much use for a complicated firewall setup,

  • by vadim_t ( 324782 ) on Saturday October 19, 2013 @07:39PM (#45177719) Homepage

    The main advantage of this is moving protocol knowledge out of the kernel into userspace.

    Which means that the kernel doesn't need a million modules that understand the various bits of various protocols. If something new comes up, the userspace compiler can patched to deal with it.

    It should also make the kernel part much smaller and easier to make secure.

    • by icebike ( 68054 ) on Saturday October 19, 2013 @08:20PM (#45177963)

      It should also make the kernel part much smaller and easier to make secure.

      You hope.
      I've learned to become suspicious of change for change sake.
      Long running well debugged code is almost always better understood than new code.

      • by gweihir ( 88907 ) on Saturday October 19, 2013 @08:36PM (#45178031)

        Indeed. I see several possible outcomes:
        - This never reaches the quality level of iptables
        - It becomes fast and stable enough to use, but nobody cares
        - It replaces iptables in the distant future

        Iptables is not broken. Do not fix it.

        • Iptables is not broken. Do not fix it.

          Compare the command syntax of an iptables rule to a PF rule, and get back to me. There's good reason OpenBSD is commonly used as a firewall, while Linux almost never is...

          • by gweihir ( 88907 )

            You do know that most commercial software firewalls are Linux-based, right? They do not advertise this, but Checkpoint, Juniper, ... all Linux iptables under the hood. The problem with OpenBSD is that hardware support sucks.

            The second point is however, that the rule syntax is _not_ the reason for the replacement.

            • The problem with OpenBSD is that hardware support sucks.

              Your firewall doesn't need an SB Audigy sound card...

        • Actually, iptables is sub-optimal, that's the problem: http://lwn.net/Articles/531752/ [lwn.net]

    • by epyT-R ( 613989 )

      moving packets in and out of kernelspace will kill performance.. Well, I guess we'll see, anyway. iptables is used for more than just someone's dsl gateway, and even there, the hardware in use for those is already on the lean side.

  • by RITjobbie ( 211397 ) on Saturday October 19, 2013 @07:45PM (#45177757) Homepage
    I can't get to slashdot. Let's troubleshoot!
    [root@wang]# ifconfig
    bash: ifconfig: command not found

    [root@wang]# iptables -F
    bash: iptables: command not found
    • > [root@wang]# iptables -F

      Suddenly your INPUT chain policy of DROP kills all traffic and your ssh session drops. (You do have a default policy of DROP, right?)

      Seriously, don't do that on an unknown system.

      (I post this because I've had vendors' support try to remedy problems by disabling the firewall. :/)

      • by epyT-R ( 613989 )

        The problem with that is now you have no means of getting into your machine remotely over ip after the vendor fucks it up. Vendors shouldn't be disabling firewalls as permanent solutions, but while troubleshooting, it does make sense to do it temporarily in order to ensure the firewall is not at fault. If your system is a highly sensitive target, you should already have means in place to troubleshoot problems without exposing yourself. Tell the vendor the procedures for that.

      • I've done that to Very Important Client.
        Now I explicitly have a drop everything rule, with default accept. That way -F doesn't bite me.

      • by sjames ( 1099 )

        Suddenly your INPUT chain policy of DROP kills all traffic and your ssh session drops. (You do have a default policy of DROP, right?)

        No, but it's the last rule in the table. That way, iptables -F doesn't kill ssh.

    • by fnj ( 64210 )

      [root@wang]# ethereal
      bash: ethereal: command not found

  • by knorthern knight ( 513660 ) on Saturday October 19, 2013 @11:02PM (#45178587)

    I've been using linux since 2000. Two comments...

    1) IPCHAINS was nice, simple, and usable. IPTABLES has stuff scattered all over the place. This may affect me more as a Gentoo user who configures his own kernel. I have to remember to...
    a) enable Netfilter
    b) enable "Advanced netfilter configuration" so that I can specify multi-port matches
    c) check off the necessary items in "Core Netfilter Configuration"
    d) check off the necessary items in "IP: Netfilter Configuration"
    That's on a simple home system that doesn't attempt NAT/Masq/Routing/etc.

    2) A problem with putting detailed specifications into the kernel is that when I want to enable new features (not just new rules), I have to tweak the kernel, rebuild it, and reboot. If we had to do this with new MTAs or crons or other system programs, there would be a huge outcry. Moving this out of the kernel looks logical.

    • by epyT-R ( 613989 )

      well you could build them as modules and load them dynamically. However, on my router, I just enable all the netfilter related stuff and build it into the kernel. A lot easier.

  • Is NFTables suitable as a generic packet classifier, or is it strictly limited to packet filtering? Van Jacobson's net channels offer the possibility of extraordinary improvements in efficiency and performance, great simplification of drivers, ease of development, and much improved flexibility. The one missing piece is a flexible packet classifier. While NFTables looks like it incorporates many of the essential ideas, it isn't clear wether it is built with this in mind. If not, I'd like to see this fixe

  • by Max Threshold ( 540114 ) on Sunday October 20, 2013 @05:34AM (#45179549)
    Can we unfuck PulseAudio before we go replacing something else that ain't broke? What's it been, ten years? and that PA shit still don't work...
  • by Chris Mattern ( 191822 ) on Sunday October 20, 2013 @04:32PM (#45182759)

    "Too many people had figured out how to configure a host firewall, so we had to change it all around again."

"If you can, help others. If you can't, at least don't hurt others." -- the Dalai Lama