nftables

From Wikipedia, the free encyclopedia
Userspace utility for Linux packet filtering
nftables
Original author: The Netfilter Project
Developer: The Netfilter Project
Stable release: 1.1.6 (5 December 2025)[1]
Written in: C
Operating system: Linux
Platform: Netfilter
Type: packet filtering
License: GPLv2

nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. It has been available since Linux kernel 3.13, released on 19 January 2014.[2]

nftables replaces the legacy iptables component of Netfilter. Among the advantages of nftables over iptables are less code duplication and easier extension to new protocols. Among the disadvantages of nftables is that DPI of the kind provided by the "iptables string match", such as SNI filtering, is not supported.[3]

nftables is configured via the user-space utility nft, while the legacy frameworks are configured via the iptables, ip6tables, arptables and ebtables utilities.

nftables utilizes the building blocks of the Netfilter infrastructure, such as the existing hooks into the networking stack, the connection tracking system, the userspace queueing component, and the logging subsystem.

nft

Command-line syntax

A command to drop any packets with destination IP address 1.2.3.4:

nft add rule ip filter output ip daddr 1.2.3.4 drop

Note that the new syntax differs significantly from that of iptables, in which the same rule would be written:

iptables -A OUTPUT -d 1.2.3.4 -j DROP

The new syntax can appear more verbose, but it is also far more flexible. nftables incorporates advanced data structures such as dictionaries, maps and concatenations that do not exist with iptables. Making use of these can significantly reduce the number of chains and rules needed to express a given packet filtering design.

The iptables-translate tool can be used to translate many existing iptables rules to equivalent nftables rules.[4][5] Debian 10 (Buster), among other Linux distributions, uses nftables along with iptables-translate as the default packet filtering backend.[6]

History

The project was first publicly presented at Netfilter Workshop 2008 by Patrick McHardy from the Netfilter Core Team.[7] The first preview release of the kernel and userspace implementation was given in March 2009.[8] Although the tool has been called "the biggest change to Linux firewalling since the introduction of iptables in 2001", it has received little press attention.[9] Notable hacker Fyodor Vaskovich (Gordon Lyon) said that he is "looking forward to its general release in the mainstream Linux kernel".[9]

The project stayed in alpha stage, and the official website was removed in 2009. In March 2010, emails from the author on the project mailing lists showed the project was still active and approaching a beta release,[10][11] but the latter was never shipped officially. In October 2012, Pablo Neira Ayuso proposed a compatibility layer for iptables[12] and announced a possible inclusion of the project into mainstream kernel.

On 16 October 2013, Pablo Neira Ayuso submitted an nftables core pull request to the Linux kernel mainline tree.[13] It was merged into the kernel mainline on 19 January 2014, with the release of Linux kernel version 3.13.[2]

Overview

The nftables kernel engine adds a simple virtual machine to the Linux kernel which is able to execute bytecode to inspect a network packet and make decisions on how that packet should be handled. The operations implemented by this virtual machine are intentionally made basic. It can get data from the packet itself, have a look at the associated metadata (inbound interface, for example), and manage connection-tracking data. Arithmetic, bitwise and comparison operators can be used for making decisions based on that data. The virtual machine is also capable of manipulating sets of data (typically, IP addresses), allowing multiple comparison operations to be replaced with a single set lookup.[14]

The above-described organization is contrary to the iptables firewalling code, which has protocol awareness built in so deeply into the logic that the code has had to be replicated four times—for IPv4, IPv6, ARP, and Ethernet bridging—as the firewall engines are too protocol-specific to be used in a generic manner.[14]

The main advantages of nftables over iptables are the simplification of the Linux kernel ABI, reduction of code duplication, improved error reporting, and more efficient execution, storage and incremental changes of filtering rules. The traditionally used iptables(8), ip6tables(8), arptables(8) and ebtables(8) (for IPv4, IPv6, ARP and Ethernet bridging, respectively) are intended to be replaced with nft(8) as a single unified implementation, providing firewall configuration on top of the in-kernel virtual machine.

nftables also offers an improved userspace API that allows atomic replacements of one or more firewall rules within a single Netlink transaction. This speeds up firewall configuration changes for setups having large rulesets; it can also help in avoiding race conditions while the rule changes are being executed. nftables also includes compatibility features to ease transition from previous firewalls, command-line utilities to convert rules in the iptables format,[15] and syntax-compatible versions of iptables commands that use the nftables backend.[16]
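The ruleset below is an added example, not from the article or the Netfilter project, showing the sets, verdict maps and concatenations mentioned under Command-line syntax together with the atomic load described above: loaded with nft -f, the whole file is applied in one Netlink transaction, so either every object takes effect or none does. Set and chain names, and the addresses (taken from the RFC 5737 documentation ranges), are constructed for illustration; the nft binary path in the first line may differ on a given distribution.

```nft
#!/usr/sbin/nft -f
# Constructed example ruleset. "flush ruleset" plus the table below go
# out as a single transaction, so a syntax error anywhere leaves the
# previously active ruleset untouched.
flush ruleset

table inet filter {
    # A set replaces one rule per address; "interval" permits CIDR entries.
    set blocked_dst {
        type ipv4_addr
        flags interval
        elements = { 1.2.3.4, 203.0.113.0/24 }
    }

    # A concatenation keys on source address and destination port at once.
    set admin_access {
        type ipv4_addr . inet_service
        elements = { 192.0.2.10 . 22, 192.0.2.11 . 22 }
    }

    # Declared before the map that jumps to it, so the chain exists when
    # the map elements are created within the same transaction.
    chain ssh_in {
        ip saddr . tcp dport @admin_access accept
        counter drop
    }

    # A verdict map dispatches on destination port in a single lookup.
    map service_policy {
        type inet_service : verdict
        elements = { 80 : accept, 443 : accept, 22 : jump ssh_in }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        tcp dport vmap @service_policy
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # The single-address rule from the article, generalised to a set.
        ip daddr @blocked_dst counter drop
    }
}
```

After loading, nft list ruleset shows the live configuration and the counters on the drop rules give a first indication of what the set and the map are catching.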

References
  1. Pablo Neira Ayuso (5 December 2025). "[ANNOUNCE] nftables 1.1.6 release". Retrieved 8 December 2025.
  2. "nftables, the successor of iptables". Linux 3.13. kernelnewbies.org. 2014-01-19. Retrieved 2016-03-04.
  3. "How We Used eBPF to Build Programmable Packet Filtering in Magic Firewall".
  4. "Moving from iptables to nftables - nftables wiki".
  5. "List of available translations via iptables-translate tool - nftables wiki".
  6. "Nftables - Debian Wiki".
  7. "User day program – NFWS2008". workshop.netfilter.org. 2008-10-03. Retrieved 2014-02-22.
  8. Initial release announcement.
  9. Gray, Patrick (March 26, 2009). "NEWS: Linux Gets New Firewall". Risky.biz.
  10. "Linux Netfilter Devel – Re: Current state of nftables". Spinics.net. Retrieved 2014-01-20.
  11. "Linux Netfilter Devel – Re: Current state of nftables". Spinics.net. Retrieved 2014-01-20.
  12. "Linux Netfilter Devel – [RFC] back on nf_tables (plus compatibility layer)". Spinics.net. Retrieved 2014-01-20.
  13. "[PATCH 00/17] netfilter updates: nf_tables pull request". Marc.info. Retrieved 2014-01-20.
  14. Jonathan Corbet (2013-08-20). "The return of nftables". LWN.net. Retrieved 2013-10-22.
  15. Neira Ayuso, Pablo. "nftables – nft command line tool". git.netfilter.org. Retrieved 24 January 2019.
  16. Arturo, Ral. "Netfilter Workshop 2018 Berlin summary". ral-arturo.org. Retrieved 24 January 2019.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Nftables&oldid=1295716543"