| Original author(s) | The Netfilter Project |
|---|---|
| Developer(s) | The Netfilter Project |
| Stable release | 1.1.1[1] / 2 October 2024 |
| Preview release | |
| Repository | |
| Written in | C |
| Operating system | Linux |
| Platform | Netfilter |
| Type | packet filtering |
| License | GPLv2 |
| Website | |
nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. It has been available since Linux kernel 3.13 released on 19 January 2014.[2]
nftables replaces the legacy iptables component of Netfilter. Among the advantages of nftables over iptables are less code duplication and easier extension to new protocols. Among its disadvantages is that the deep packet inspection (DPI) formerly provided by the "iptables string match", such as SNI filtering, is not supported.[3]
nftables is configured via the user-space utility nft, whereas the legacy frameworks are configured via the separate utilities iptables, ip6tables, arptables and ebtables.
nftables utilizes the building blocks of the Netfilter infrastructure, such as the existing hooks into the networking stack, connection tracking system, userspace queueing component, and logging subsystem.
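The following ruleset is an added illustration, not taken from the article or the Netfilter project: a minimal stateful host firewall in nft syntax that touches the three building blocks named above, the input/forward/output hooks into the networking stack, connection tracking (`ct state`) and the logging subsystem (`log`). The exposed SSH port and the rate limit are assumed values for the example.

```nft
#!/usr/sbin/nft -f
# Added example (not part of the article). Load with: nft -f <file>
# Inspect the result with: nft list ruleset
# The nft binary path above is the usual Debian location; adjust if needed.

flush ruleset

table inet filter {
    chain input {
        # Attach this chain to the Netfilter "input" hook; unmatched traffic is dropped.
        type filter hook input priority filter; policy drop;

        # Loopback traffic is always accepted.
        iif "lo" accept

        # Connection tracking: accept replies to connections this host opened,
        # and drop packets the tracker cannot associate with any connection.
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Service exposed by this host (SSH on tcp/22 is an assumed example value).
        tcp dport 22 ct state new accept

        # Everything else: count it, log at a bounded rate, then fall through to policy drop.
        limit rate 5/minute counter log prefix "nft-input-drop: "
    }

    chain forward {
        # This host does not route, so forwarded packets are dropped.
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        # Outbound traffic from the host itself is allowed.
        type filter hook output priority filter; policy accept;
    }
}
```

The `log` statement hands matched packets to the kernel logging subsystem (visible via `dmesg` or a netlink log reader), and the `counter` lets a defender verify the rule is actually being hit.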