Modern nftables Implementation
Nftables represents the future of Linux packet filtering, offering improved performance and cleaner syntax compared to iptables. The unified framework replaces multiple legacy tools while maintaining backward compatibility through translation layers. Understanding nftables positions administrators for current and future Linux firewall management.
Nftables uses a hierarchical structure of tables containing chains with rules. Create a basic firewall configuration:
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }
nft add chain inet filter output { type filter hook output priority 0 \; policy accept \; }
nft add rule inet filter input ct state established,related accept
nft add rule inet filter input iif lo accept
nft add rule inet filter input tcp dport {22, 80, 443} accept
Sets and maps provide powerful capabilities for managing multiple elements efficiently. Define IP address sets for access control:
nft add set inet filter allowed_hosts { type ipv4_addr \; }
nft add element inet filter allowed_hosts { 192.168.1.10, 192.168.1.20 }
nft add rule inet filter input ip saddr @allowed_hosts accept
Maps enable different actions based on packet characteristics, implementing sophisticated policies with minimal rules.
Performance optimization leverages nftables' efficient packet classification. Use verdict maps for rapid decision-making: nft add map inet filter port_verdict { type inet_service : verdict \; }. A map only takes effect once it is populated with elements and a rule consults it with the vmap keyword, so one lookup replaces a run of per-port accept rules. Configure flowtables so established connections bypass full rule evaluation, and add the offload flag for hardware offloading where the NIC driver supports it. Monitor rule evaluation in real time with nft monitor trace, which reports packets for which a rule has set meta nftrace set 1. Save the ruleset to /etc/nftables.conf for persistence across reboots.
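The following ruleset file is an added example, not part of the original text, that ties the pieces above together in the persistent file form: the three base chains, the allowed_hosts set, the port_verdict verdict map with its elements and the vmap rule that consults it, a flowtable for the forward path, and a rate-limited log rule so dropped traffic stays observable. It assumes the file is saved as /etc/nftables.conf, that the forwarding interface is named eth0 (a placeholder to replace), and that the 192.168.1.x addresses are the constructed sample values used above.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset for /etc/nftables.conf.
# Assumptions: interface name eth0 is a placeholder; addresses are sample values.

flush ruleset

table inet filter {
    # Hosts trusted for any inbound service (sample addresses).
    set allowed_hosts {
        type ipv4_addr
        elements = { 192.168.1.10, 192.168.1.20 }
    }

    # Verdict map: a single lookup decides the fate of each TCP destination port.
    map port_verdict {
        type inet_service : verdict
        elements = { 22 : accept, 80 : accept, 443 : accept }
    }

    # Flowtable for the forward path (software fast path). Add "flags offload"
    # only when the NIC driver supports hardware offload.
    flowtable ft {
        hook ingress priority 0
        devices = { eth0 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to tracked connections are accepted first; invalid state is dropped explicitly.
        ct state established,related accept
        ct state invalid drop

        iif lo accept

        # ICMP and ICMPv6 are required for path MTU discovery and neighbour discovery.
        meta l4proto { icmp, icmpv6 } accept

        ip saddr @allowed_hosts accept

        # One rule replaces a separate accept rule per port.
        tcp dport vmap @port_verdict

        # Log what the policy is about to drop, rate-limited to avoid log flooding.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Hand established TCP/UDP flows to the flowtable.
        ip protocol { tcp, udp } flow add @ft
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Validate the file without loading it using nft -c -f /etc/nftables.conf, load it with nft -f /etc/nftables.conf, and enable nftables.service so the same file is applied at boot. Because the file starts with flush ruleset, it is atomic: either the whole ruleset loads or the previous one stays in place, which avoids the half-applied state that a sequence of individual nft add commands can leave behind.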