Home / ubuntu / Questions / 459725
Accepted
0xC0000022L
Asked: 2014-05-03 12:56:14 +0800 CST

Where to get nftables?

  • 772

As far as I understand the kernel facility nftables exists in the kernel that comes with Ubuntu 14.04. As is proven by the following two commands:

# grep -E '(NF_TABLES|NFT_)' /boot/config-$(uname -r)
CONFIG_NF_TABLES=m
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_RBTREE=m
CONFIG_NFT_HASH=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_NAT=m
CONFIG_NFT_COMPAT=m
CONFIG_NF_TABLES_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NF_TABLES_ARP=m
CONFIG_NF_TABLES_IPV6=m
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NF_TABLES_BRIDGE=m
# lsmod |grep nf
nf_conntrack_ipv4      15012  1
nf_defrag_ipv4         12758  1 nf_conntrack_ipv4
nf_nat_ipv4            13263  1 iptable_nat
nf_nat                 21798  3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat
nf_conntrack           96976  5 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,iptable_nat,nf_conntrack_ipv4

However, apt-file search nftables does not yield any results, nor does apt-cache search nftables.

So where can I get the new frontend for nftables, i.e. the nftables program matching the kernel modules?

kernel

3 Answers

  1. Best Answer

    I too am looking for nftables, but as I understand, with 14.04 we have the 3.13 Kernel, and the 3.13 Kernel is the first version to get Nftables merged into it. Merging does not mean working, it just means the code is to a degree good and can be merged without creating other problems.

    iptables is still in the 14.04 and on any other distro until nftables gets a stable release (More so than the 0.3 that was again merged with the Kernel). This, with the fact that nft user-space utils are not there yet will make the wait for nftables a bit longer.

    With that in mind, if you don't want to wait you can use the Nftables step by step installation which includes git cloning the Linux kernel and settings other variables so that you can have Nftables working on your end. This information can be found in regit.org

    Aside from this, here is a feature request

    • 3

  2. apt-get install nftables

    root@forevernow ~ # cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"
    • 1

  3. Starting from the very beginning of the 2018 nftable framework is ready to use in production environments. It supports 3/4 of the existing iptables features, although it provides new features that you cannot find in iptables.

    Framework requires to have kernel >= 3.13, but running a newer kernel >= 4.10 is recommended. After

    apt install nftables

    Note: Make sure you don't run both iptables together with nftables.

    There is a tool to convert from iptables configuration into nftables configuration: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

    Start by issuing the command nft -a list ruleset and start building from there. The list of rulesets will not be empty by default.

    • 1