I've now used Linux nftables for firewall rules and it went okay

July 22, 2022

For a long time, Linux has perhaps been in a transition from the venerable iptables to nftables. I haven't been terribly enthused about nftables in the past (the last time I considered it I was persuaded to take a different path) for an assortment of reasons. My recent use of nftables wasn't because I've changed my spots; instead, it's because Ubuntu 22.04 has chosen to make nftables the native interface. If you install a stock 22.04 server, you'll get a system where the 'iptables' binary is actually a compatibility shim that sets up nftables rules. When I had to do some new firewall stuff on an Ubuntu 22.04 machine recently, I decided that I'd try nftables through its native interface.

The experience wasn't entirely smooth sailing. Nftables does a number of things differently than iptables, so you have to learn its terminology and rules format, and understand its approach to things. Since I've only dipped into nftables, I have at best a sliver of understanding of the proper nftables way, basically just enough to write some simple firewall rules that worked when I tested them. Depending on your perspective, it's either good or bad that I could actually do this without having to really learn nftables.

(On the one hand, I got things working without too much effort. On the other hand, a lack of true understanding can easily lead to firewall rules that have holes and issues you don't expect.)

Although nftables can be used interactively in a way that's like iptables, I chose to use it in a way more like OpenBSD's pf, where I wrote and modified my rules in /etc/nftables.conf and then reloaded the entire collection of everything with 'nft -f'. This experience is much better than the traditional iptables approach, where the 'load from file' and 'save to file' operations have the feel of a hack rather than a designed format, to the point where it can be easier to automate your rule setup with a script than to use them.

Some of our other Ubuntu 22.04 systems have existing iptables based rules (carried forward from their 18.04 versions). So far these all appear to work correctly, including some iptables rules that use ipsets. We're likely going to keep them using the iptables command rather than trying to convert them to nftables; we're familiar with iptables, the rules (still) work, and we wouldn't get much if we switched.

(We have some situations where we add and remove firewall rules on the fly, instead of using a static set of them. This doesn't fit well into the nftables.conf approach, so if we did a native conversion we'd have to try to figure out how to integrate static rules, ideally set up through nftables.conf, and dynamic rules added on top of them.)
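As an added illustration (not rules from the original post or from the author's systems) of the /etc/nftables.conf style described above, and of one way the static-plus-dynamic problem can be handled natively, here is a small stateful host firewall in nft syntax. The service ports, the table and chain names, the "blocked" set and the log prefix are all assumptions chosen for the example. The named set is the nftables counterpart of an ipset: the static file declares it, and runtime tooling adds and removes elements without touching the rules themselves.

```nft
#!/usr/sbin/nft -f
# Added example: minimal stateful host firewall in native nft syntax.
# Everything here (ports, names, the "blocked" set) is assumed for illustration.

flush ruleset

table inet filter {
    # Dynamic blocklist. Static rules reference it; runtime code adds entries, e.g.
    #   nft add element inet filter blocked { 192.0.2.10 timeout 1h }
    #   nft delete element inet filter blocked { 192.0.2.10 }
    # 'flags timeout' lets individual entries expire on their own.
    set blocked {
        type ipv4_addr
        flags timeout
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and connection tracking first, so replies to our own
        # outbound traffic are accepted without a per-service rule.
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Dynamic blocklist is consulted before any service is opened.
        ip saddr @blocked drop

        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Static service rules (assumed ports).
        tcp dport 22 accept
        tcp dport { 80, 443 } accept

        # Rate-limited logging of what falls through, then count it;
        # the chain policy drops it.
        limit rate 5/minute log prefix "nft-input-drop: " counter
        counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file with 'nft -c -f /etc/nftables.conf' (parse and validate without applying) before loading it with 'nft -f /etc/nftables.conf', and inspect the result with 'nft list ruleset' or 'nft list set inet filter blocked'. The caveat for the dynamic case is the 'flush ruleset' line: every reload of the whole file discards the set's current contents along with the old rules, so whatever adds entries at runtime must either be able to re-add them after a reload or keep the dynamic state in a separate table that the static file does not flush. On Ubuntu 22.04 the nftables systemd service loads /etc/nftables.conf at boot, so the same consideration applies after a reboot.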

Written on 22 July 2022.

Last modified: Fri Jul 22 23:27:15 2022