
New in Debian stable Stretch: nftables - marksamman
http://ral-arturo.org/2017/05/05/debian-stretch-stable-nftables.html
======
arca_vorago
Quite a few advantages to nftables. I have been advocating for people to start
learning it now instead of later. One of the primary issues I have seen in
systems from a sysadmin perspective is poorly configured iptables. I disagree
with all the abstractions that make it "easier" but result in more misconfigs.
Besides improvements I expect to filter back over to linux from the dragonfly
bsd netstack, nftables is one of the biggest moves in a while. Next up,
routing engines like Cjdns, but that's a different discussion.

From the nftables wikipedia:

"...iptables firewalling code, which has protocol awareness built-in so deeply
into the logic that the code has had to be replicated four times—for IPv4,
IPv6, ARP, and Ethernet bridging—as the firewall engines are too protocol-
specific to be used in a generic manner.[10]

The main advantages of nftables over iptables are the simplification of the
Linux kernel ABI, reduction of code duplication, improved error reporting, and
more efficient execution, storage and incremental changes of filtering rules.
Traditionally used iptables(8), ip6tables(8), arptables(8) and ebtables(8)
(for IPv4, IPv6, ARP and Ethernet bridging, respectively) are intended to be
replaced with nft(8) as a single unified implementation, providing firewall
configuration on top of the in-kernel virtual machine.

nftables also offers an improved userspace API that allows atomic replacements
of one or more firewall rules within a single Netlink transaction. That speeds
up firewall configuration changes for setups having large rulesets; it can
also help in avoiding race conditions while the rule changes are being
executed. Also, a planned compatibility layer is going to provide translation
of already existing iptables firewall rules into their nftables equivalents."

~~~
joosters
These are all very kernel-orientated improvements. My guess is that a 'common'
user (whatever that may be), cares very little about the efficiency or
improved storage benefits of a new firewall command.

As for users with poorly configured iptables, fair enough but the latest and
greatest new firewall toolset will give ample opportunity to create new poorly
configured nftables too.

This is all coming from a bitter old sysadmin who has had to re-tool through
ipfwadm, ipchains and iptables, and who knows what else in the coming future.
I'm sure each iteration has brought improvements to newer setups and advanced
networking, but this smells like just another "let's re-write some tools"
project.

~~~
lclarkmichalek

        ipfwadm - pre 1996 (I think?)
        ipchains - pre 1998 according to wikipedia
        iptables - 1998 according to wikipedia
        nftables - 2014
    

More churn than javascript frameworks.

Realistically iptables isn't going anywhere, though I'm def looking forward to
nftables being more widely used. My main interest is around the newer setups
and advanced networking, but if you're not dealing with one of them, then you
1) probably won't have to port anything to nftables this decade, and 2) could
probably get away with using a higher level tool like UFW

~~~
krakensden
Plus, current iptables runs on top of nftables, doesn't it?

~~~
lclarkmichalek
iptables the kernel component might run on top of netfilter (i.e. there are
various `nf_` modules loaded in my kernel, some of which are being used by
`iptables_` modules), though I doubt iptables the user space component relies
on ntf/nftables the user space component. Could be wrong I guess (comment and
I shall edit this out if I'm wrong)

As an aside, that's one of the nice things about nftables. No more conflating
the user space binary, the user space format, the kernel module and so on.

------
smartbit
Pablo Neira Ayuso, maintainer of nftables, in May 2016 gave a presentation
_Goodbye iptables, Hello nftables_ [0] and a handson Workshop [1] at the
nluug.nl spring conference.

[0] webm
[http://ftp.nluug.nl/video/nluug/2016-05-26_vj16/Zaal2/21%20-...](http://ftp.nluug.nl/video/nluug/2016-05-26_vj16/Zaal2/21%20-%20Pablo%20Neira%20Ayuso%20--%20Goodbye%20iptables,%20Hello%20nftables.webm)
or
[https://www.youtube.com/watch?v=0wQfSfDVN94](https://www.youtube.com/watch?v=0wQfSfDVN94)

[1] webm
[http://ftp.nluug.nl/video/nluug/2016-05-26_vj16/Zaal3/3%20-%...](http://ftp.nluug.nl/video/nluug/2016-05-26_vj16/Zaal3/3%20-%20Workshop%20-%20Pablo%20Neira%20Ayuso%20-%20Getting%20a%20Practical%20Grasp%20of%20nftables.webm)
or
[https://www.youtube.com/watch?v=FXTRRwXi3b4](https://www.youtube.com/watch?v=FXTRRwXi3b4)

------
ktta
A good answer to the question "why move to nftables?"

[https://developers.redhat.com/blog/2016/10/28/what-comes-
aft...](https://developers.redhat.com/blog/2016/10/28/what-comes-after-
iptables-its-successor-of-course-nftables/)

------
dspillett
_It is worth noting that "Stretch" (Debian Release 9.x) is not yet released as
"stable" and as such is not currently recommended for production use._ It is
currently Debian Testing, not Debian Stable, with "Jessie" (release 8.x)
carrying the "Stable" moniker.

IIRC that is due to change imminently, as Stretch entered full feature freeze
in February in preparation for release, and I've not heard of any massive
show-stoppers since, but if you install "stable" right now you'll get Jessie
(release 8.x) not Stretch (r9).

------
warbiscuit
Does anyone know if
[Shorewall]([http://shorewall.org/](http://shorewall.org/)) has plans to
support nftables, or is it staying on iptables for now?

While I'm excited to hear about a simplified abstraction at the kernel level,
for most setups I've had to configure, I really like the highlevel abstraction
it provides.

~~~
SpiegS
I've used shorewall for some time. As a matter of fact, installed it on my
recent laptop as well (archlinux). But till now I didn't like quite often
config file format changes, because of which I needed to figure out how to
change current config to match the latest one. PF in this regard was more
consistent and more readable and didn't requre to use anything on top of it.
Then again - I never needed very complex FW rules.

------
tmaly
Will we still get the choice to use iptables instead of nftables? I do all the
sysadmin stuff for my own servers, and I prefer stability on the tool front.

I am not yet ready to learn a new tool, and this new tool does not have all
the features as the old tool according to others commenting.

~~~
jeltz
Yes, you will still be able to use iptables in stretch. I am running stretch
on my laptop and can use iptables just fine. I also suspect that the
deprecation of iptables is something for a quite far off future, if it ever
happens.

------
chrisper
I still prefer Vyetta's interface. It can be used in
VyOS([https://vyos.io](https://vyos.io)).

If you have to use it on a regular Linux box, I prefer UFW.

Though, it looks like nftables has finally a nicer syntax than iptables making
wrappers like UFW unecessary.

~~~
georgyo
Those are just tools that configure the system, in both cases iptables.

Nftables is the replacement for iptables, not just the configuration of them.

~~~
chrisper
I understand what you mean. I was strictly referring to the user interaction
with the firewall. Nftables seems easier than iptables, but not as easy as UFW
or VyOS.

~~~
perfectlyoerf
Doesn't VyOS run an EOL operating system with core packages that are years out
of date? I spun up a test server to check it out. I don't see anything on
their website about updating it and running "apt-get update/upgrade" just
throws errors.

Why would I want an edge security device running something like that?

~~~
broknbottle
you can add debian repos but be careful you may break something updating
packages. They are currently working on an update to the current version 1.1.7
to 1.2.0. Development was pretty active but as of the last year it's been
slower.

~~~
chrisper
Do you think running 1.1.7 is a bad idea security wise?

------
kpcyrd
I got excited for a moment, but debian stretch is not released as stable yet?
[https://www.debian.org/releases/](https://www.debian.org/releases/)

------
ptman
IIUC nft tools also provide a way to write the rules in a file and atomically
replace the current ruleset with an updated one. To do this with iptables,
I've had to use ferm [http://ferm.foo-projects.org/](http://ferm.foo-
projects.org/) , which, even if it is a nice tool, is a bit of a badaid on top
of iptables. I've always liked pf.conf & pfctl, and nft tools seem to be a
step in that direction.

------
ilaksh
Sounds better implementation wise but what about the interface for sys admins?
It seems the syntax is complex enough that you need to copy a file to start.

Can ufw use nftables as a back end? And/or is there a good clean and easy to
understand explanation for how to use nftables and useful reference?

Is there a tool to help with common configuration tasks?

------
SpiegS
Still, nothing beats OpenBSD's pf

~~~
agumonkey
Could you explain what's pf pros and cons ? better semantics ? syntax ?

~~~
marios
Human readable syntax. Documentation.

A complex iptables ruleset is difficult to understand, while a pf.conf almost
reads like prose.

Feature-wise, netfilter is richer, if only for the fact that there are more
contributors. On the other hand, iptables and other frontends I've had the
opportunity to use (ufw, firewalld) down right suck. Did I mention that most
HOWTOs regarding iptables lead you down a wrong path, which is writing your
ruleset as a shell script which calls the iptables / ip6tables binaries. If
you fat finger a rule and run the script, you'll end up loading half the
ruleset (which could be harmless, but you could very well lock yourself out a
server if doing this remotely). PF rules are loaded atomically using the pfctl
tool: either you get the whole new ruleset inplace, or you keep the old one. I
believe the same behavior can be obtained with iptables-save/restore.

PF feels much more coherent and also has fantastic documentation. The OpenBSD
FAQ as well as the pf.conf and pfctl cover most things you need to know
regarding PF (there's also a book by Peter Hansteen called "The Book of PF"
that is an excellent resource).

netfilter on the hand feels much more "stitched together". You want to
configure IPv4 rules ? iptables. IPv6 ? ip6tables. You have rules tracking
state? conntrack. The documentation around each of these tools is of varying
quality. The one I'm having most trouble with is "tc", but that may because I
don't grok queueing/traffic shaping/QoS yet. I have no experience with the
latter on OpenBSD so I can not comment.

~~~
Twirrim
firewalld: I know, let's take the already somewhat user unfriendly interface
of iptables AND ADD XML!

------
rfraile
[https://developers.redhat.com/blog/2017/04/11/benchmarking-n...](https://developers.redhat.com/blog/2017/04/11/benchmarking-
nftables/)

------
nwmcsween
I still don't understand why $firewall isn't simply a psuedo fs like /proc and
control is simply managing trees or chains using basic command line tools.

~~~
nisa
Well if you are hardcore you could probably hack some fuse abstraction that
talks to netlink and does what you want. However it's probably not that
straight forward to map nftables to directory/files.

------
joosters
This page is terribly written, it gives almost no information about why
nftables is better than iptables. What features does it have? What can it do
that iptables can't? The page can't be bothered to tell us.

Instead, all we get is a vague 'the system is more configurable than in
iptables' and 'the syntax is much better than in iptables' (like what good is
that to someone who already has iptables set up? The last thing people want to
do is mess with firewall rules on a working system)

Yes, I know that Debian is FOSS and I can help improve it, but why introduce a
whole new firewall system where the 'Moving from iptables to nftables' docs
are pages and pages of shell commands? Wouldn't some kind of automated update,
to help common use cases, be a sensible thing to include in such an update?
(Maybe such a thing exists, but the page doesn't bother to tell me about any
such thing).

Instead of going on about how to set up nftables from scratch, perhaps they
should focus a little more on 'I have a system using your older recommended
firewall, what do I need to do to keep things working?'

~~~
m45t3r
> Instead of going on about how to set up nftables from scratch, perhaps they
> should focus a little more on 'I have a system using your older recommended
> firewall, what do I need to do to keep things working?'

Because you don't need to do anything: you can continue to use iptables. Even
in the future, when iptables is removed from kernel, you can continue to use
iptables syntax, since iptables user-space program will simply start to output
nftables (a.k.a. iptables will be a symbolic link to this:
[https://wiki.nftables.org/wiki-
nftables/index.php/Moving_fro...](https://wiki.nftables.org/wiki-
nftables/index.php/Moving_from_iptables_to_nftables)). nftables is for people
who are deploying new systems and want a sane configuration file instead of
iptables mess, and at the same time offers improved error messages and better
performance, while being more flexible.

So if you want you can continue to use iptables for the future. No need to be
snark about OP.

~~~
mjw1007
That's good to know.

I think the author could have emphasised that more.

«Yes, nftables _replaces_ iptables. You are highly encouraged to migrate from
iptables to nftables.» sounds a bit too much like "expect iptables to stop
working in another release or two".

