New firewall for the Linux kernel
The Netfilter development team's Patrick McHardy has released an alpha version of nftables, a new firewall implementation for the Linux kernel, with a user space tool for controlling the firewall. nftables introduces a fundamental distinction between the user space defined rules and network objects in the kernel: the kernel component works with generic data such as IP addresses, ports and protocols and provides some generic operations for comparing the values of a packet with constants or for discarding a packet.
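To make the user-space/kernel split concrete, here is a small added model (not nftables code; the rule syntax, field names and operation names are invented for illustration). The "kernel" side knows only three generic operations: load a packet field into a register, compare the register with a constant, and return a verdict. The "nft" side checks a human-readable rule and translates it into those operations, which is the division of labour the announcement describes.

```python
"""Toy model of the nftables design: generic kernel ops, rule translation in user space.

Added illustration only. The real kernel expressions, the real nft grammar and the
field names differ; packets below are constructed sample data.
"""

# Constructed packets: the fields a classifier would have extracted from the headers.
PACKETS = [
    {"proto": "tcp", "saddr": "10.0.0.5", "dport": 22},
    {"proto": "tcp", "saddr": "10.0.0.5", "dport": 80},
    {"proto": "udp", "saddr": "10.0.0.9", "dport": 53},
]

# ---- "kernel" side: generic operations only ---------------------------------
# A compiled rule is a list of (op, arg) tuples. LOAD copies a packet field into
# the register, CMP compares the register with a constant and aborts the rule on
# mismatch, VERDICT terminates the rule with a decision.

def run_rule(ops, packet):
    """Evaluate one compiled rule; return its verdict, or None if it does not match."""
    reg = None
    for op, arg in ops:
        if op == "LOAD":
            reg = packet.get(arg)
        elif op == "CMP":
            if reg != arg:
                return None  # constant did not match: rule does not apply
        elif op == "VERDICT":
            return arg
        else:
            raise ValueError(f"unknown op {op!r}")
    return None  # rule ended without a verdict: treat as no match


def run_chain(chain, packet, policy="drop"):
    """First matching rule wins; otherwise the chain policy applies."""
    for ops in chain:
        verdict = run_rule(ops, packet)
        if verdict is not None:
            return verdict
    return policy


# ---- "user space" side: validate the rule, then translate it ---------------
KNOWN_FIELDS = {"proto", "saddr", "dport"}
VERDICTS = {"accept", "drop"}


def compile_rule(text):
    """Translate e.g. 'tcp dport 22 accept' into generic LOAD/CMP/VERDICT ops.

    Errors (unknown match keyword, missing value, missing verdict) are caught
    here, before anything reaches the "kernel" side.
    """
    tokens = text.split()
    if not tokens or tokens[-1] not in VERDICTS:
        raise ValueError(f"rule must end with a verdict: {text!r}")
    ops = []
    i = 0
    while i < len(tokens) - 1:
        tok = tokens[i]
        if tok in ("tcp", "udp"):  # bare protocol name is shorthand for a proto match
            ops += [("LOAD", "proto"), ("CMP", tok)]
            i += 1
        elif tok in KNOWN_FIELDS:
            if i + 1 >= len(tokens) - 1:
                raise ValueError(f"missing value for {tok!r} in {text!r}")
            val = tokens[i + 1]
            ops += [("LOAD", tok), ("CMP", int(val) if val.isdigit() else val)]
            i += 2
        else:
            raise ValueError(f"unknown match {tok!r} in {text!r}")
    ops.append(("VERDICT", tokens[-1]))
    return ops


def classify(rules, packets, policy="drop"):
    """Compile a rule list once, then run every packet through the chain."""
    chain = [compile_rule(r) for r in rules]
    return [run_chain(chain, p, policy) for p in packets]


if __name__ == "__main__":
    rules = ["tcp dport 22 accept", "udp drop", "saddr 10.0.0.5 tcp dport 80 accept"]
    for pkt, verdict in zip(PACKETS, classify(rules, PACKETS)):
        print(pkt, "->", verdict)
```

The point of the model is that the evaluator never sees the rule text: anything it cannot express as a load, a compare or a verdict is rejected by the translator, and adding a new kind of match is a user-space change rather than a kernel one.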
Firewall rules, which the user defines with the nft tool, are checked by the nft program for correctness and then translated into the required generic operations and kernel objects. A first impression of the examples in the announcement shows nftables to have a syntax different from that of iptables. Rules can be added either incrementally on the command line or read from a file; nft supports rule files, which can include other rule files for easier modularisation.
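The announcement does not reproduce its examples here, so the following ruleset file is an added illustration of the rule-file and include mechanism just described. It uses the syntax of current nft releases, which may differ from the alpha's; the file paths and the contents of the included file are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the announcement); syntax of current nft releases.
# Assumed to be saved as /etc/nftables.conf and loaded with: nft -f /etc/nftables.conf

flush ruleset

# Shared definitions live in their own file. The included file is assumed to contain:
#   define admin_hosts = { 192.0.2.10, 192.0.2.11 }
include "/etc/nftables.d/admin-hosts.nft"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept   # replies to traffic we initiated
        ct state invalid drop                 # packets that fit no known connection
        iif "lo" accept                       # loopback

        ip saddr $admin_hosts tcp dport 22 accept   # SSH only from the admin set
        tcp dport { 80, 443 } accept                # public web services

        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        counter drop                          # count what the policy rejects
    }
}
```

Once the file is loaded, a single rule can still be appended from the command line, for example `nft add rule inet filter input tcp dport 8080 accept`, and the combined result inspected with `nft list ruleset`. Keeping the host sets in an included file means the policy file itself does not change when an administrator's address does.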
The nftables code is currently alpha-quality; it contains bugs and not all features are implemented. It is not recommended for use on production systems, but the developers report that it is already robust enough to experiment with. According to McHardy, "Nevertheless, all of the basic features and most of the rest should work fine, the last [kernel] crash has been several months ago."
(djwm)