Talk:Nftables

Unnamed section
What happened to this project? Still no news? 87.217.10.211 (talk) 07:42, 2 May 2010 (UTC)
 * As of today, still no news. Some development happened in 2010, but nothing for more than 12 months (according to the git of Patrick McHardy on kernel.org). I believe the page should be modified again to state that the project is no longer under development (since May 2010, not 2009) (the email cited in the March 2011 update by user Stevenwagner is more than one year old). Emmanuel Deloget (talk) 15:29, 21 July 2011 (UTC)
 * This is an ancient question, and talk pages are for discussion of the Wikipedia page, but I would like anyone seeing this to know that nftables is very active, useful, and deployed in many places. Bepvte (talk) 14:43, 24 January 2019 (UTC)

what is it?
Introduction: "nftables is an engine and utility program" Is it just a utility program like iptables, or is it a software comprising a utility program AND some engine code? ScotXW (talk) 09:48, 22 October 2013 (UTC)


 * The sentence is quite clear, it says it's an engine and utility program. -- Dsimic (talk) 12:21, 22 October 2013 (UTC)


 * Got the language improved a bit for additional clarity. -- Dsimic (talk) 12:33, 22 October 2013 (UTC)


 * Official nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework. Basically, this project provides a new packet filtering framework, a new userspace utility and also a compatibility layer for {ip,ip6}tables. nftables is built upon the building blocks of the Netfilter infrastructure such as the existing hooks, the connection tracking system, the userspace queueing component and the logging subsystem. ScotXW (talk) 20:33, 26 October 2013 (UTC)


 * Right, but nftables is also the name of the userspace binary used for configuring the kernel part, besides the kernel part itself being also called nftables. Anyway, got the heading section extended, for additional clarity. -- Dsimic (talk) 21:46, 26 October 2013 (UTC)


 * No, according to netfilter.org the new userspace utility is called nft. AFAIR it was to be called nftables, but it seems they decided for the shorter variant. ScotXW (talk) 11:41, 27 October 2013 (UTC)


 * You're right, it was my bad, thanks for pointing that out. Git tree also confirms that.  Got the article updated accordingly. -- Dsimic (talk) 14:28, 27 October 2013 (UTC)

software architecture
According to Linux User Magazine Germany, among the differences to netfilter are:
 * nftables is part of the network stack instead of sitting on top of the network stack; this removes the necessity to pass data from the network stack to the actual packet filter
 * is implemented as a "virtual machine" (though I do not understand what this is supposed to mean!)
 * handles IPv4, IPv6, ARP and EB without code duplication in contrast to netfilter
 * nftables shall replace netfilter, and nft shall replace iptables, ip6tables, arptables and ebtables!

For netfilter there is File:Netfilter-components.svg, the code works on top of the network stack and there is a lot of code duplication between the different modules (ipv4, ipv6, arp and eb). Something similar would be nice for nftables. User:ScotXW t@lk 11:41, 18 April 2015 (UTC)
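As an added illustration of the "no code duplication" point above (this is an example written for this talk page, not from the magazine article or from the netfilter project's own documentation): a minimal nft ruleset in the inet family, where a single table, chain and set handle both IPv4 and IPv6 traffic, with family-specific matches only where the protocols actually differ. The table and set names are assumptions.

```nft
#!/usr/sbin/nft -f
flush ruleset

# One table in the "inet" family sees both IPv4 and IPv6 packets,
# so the rules below are not duplicated per address family.
table inet filter {
    # Named set of permitted TCP ports; inet_service is family-neutral.
    set allowed_tcp {
        type inet_service
        elements = { 22, 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The only family-specific lines: ICMP differs between v4 and v6.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        tcp dport @allowed_tcp accept

        # Count and log what the default policy drops, for visibility.
        log prefix "nft-drop " counter drop
    }
}
```

Loading it with `nft -f` and listing with `nft list ruleset` shows the same chain serving both families; the equivalent iptables setup would need the ruleset duplicated for ip6tables.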

Berkeley Packet Filter
It appears that Extended Berkeley Packet Filter (eBPF) is going to be the new kernel infrastructure for building firewalls, not nft as previously planned:


 * https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/
 * https://www.littleman.co/articles/coming-to-grips-with-ebpf/

-- ScratchMonkey (talk) 11:13, 24 October 2019 (UTC)