Nf_tables modules not found.

Technical issues/questions of an intermediate or advanced nature.
Testuser
Samurai
Posts: 137
Joined: 26 May 2021, 15:11
Distribution: Porteus-v5.0-64-LXDE


Post#16 by Testuser » 08 Dec 2022, 14:08

Guys,

NFTables is working as expected now.

We need the binary package of nftables from here - https://debian.pkgs.org/sid/debian-main ... 4.deb.html (it will also need the library, libnftables.so.1.1.0).

https://wiki.nftables.org/wiki-nftables ... o_nftables

The above URL has details of how to convert iptables rules to nftables rules all at once.

In short

To display rules:
# nft list ruleset

To disable nftables run
# nft flush ruleset

Save Nftables rules to a file

sudo nft list ruleset > /etc/nftables.conf

To enable it on system boot, run the following command via an sh script:

/usr/sbin/nft -f /etc/nftables.conf

ncmprhnsbl
DEV Team
Posts: 3924
Joined: 20 Mar 2012, 03:42
Distribution: v5.0-64bit
Location: australia

Post#17 by ncmprhnsbl » 09 Dec 2022, 00:47

Testuser wrote:
08 Dec 2022, 14:08
we need to have binary package of nftables from here
there's also a slackware 15 native: https://mirrors.slackware.com/slackware ... 6_64-1.txz
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44

Testuser
Samurai
Posts: 137
Joined: 26 May 2021, 15:11
Distribution: Porteus-v5.0-64-LXDE


Post#18 by Testuser » 09 Dec 2022, 13:15

ncmprhnsbl wrote:
09 Dec 2022, 00:47
there's also a slackware 15 native: https://mirrors.slackware.com/slackware ... 6_64-1.txz
:good:

Rava
Contributor
Posts: 5401
Joined: 11 Jan 2011, 02:46
Distribution: XFCE 5.01 x86_64 + 4.0 i586
Location: Forests of Germany


Post#19 by Rava » 10 Dec 2022, 06:12

donald wrote:
06 Dec 2022, 15:43
Hmmm...as long as iptables does what it is supposed to do, why change it?
What would be the advantage of using nftables?
Good question indeed.

Aside from the simpler syntax and that you can combine ports, e.g. do this

nft add rule inet traffic-filter input tcp dport { 22, 80, 443 } accept
and this - Allow several IPv6 ICMP packets:

nft add rule ip6 traffic-filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
and do multiple actions, e.g.

nft add rule ip filter input ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain, icmp : jump icmp-chain }
( all examples are from https://linux-audit.com/differences-bet ... explained/ )

At least according to a performance comparison
https://developers.redhat.com/blog/2017 ... g-nftables
Also worth noting is that iptables performs slightly better.
The graph of the 1st test: [image]

But the 2nd test changes that:
Just like with the previous test, iptables' performance degrades as the number of rules increases. This time, the degradation is even quite linear. The baseline performance of nftables is a bit lower than that of iptables, but that is expected since the single match rule is already in place and so setups differ at that point. The remaining nftables graph though shows how well the set lookup performs: Irrelevant of item count, the lookup time seems to be stable allowing for constant throughput over the whole test range. So at this stage of nftables development, one could say that as soon as more than about 120 ports have to be matched individually, nftables is clearly in advance.
Here the graph of that 2nd test: [image]
Last edited by Rava on 10 Dec 2022, 06:19, edited 2 times in total.
Reason: added nft example
Cheers!
Yours Rava
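Added example, not code from any post in this thread. It ties together Testuser's save/load procedure (post #16) and the set and vmap syntax Rava quotes above: a generator that writes a complete ruleset in which the allowed TCP ports live in a named set and protocols are dispatched through a verdict map, plus load, save and runtime-update helpers. It assumes nft from the Debian or Slackware package is on the PATH and that the load and add functions run as root on a kernel with nf_tables; the generator itself runs anywhere. One caveat worth knowing before copying the post's steps: `nft flush ruleset` deletes every table, so until the file is loaded again nothing is filtered at all. That is why the generated file starts with `flush ruleset` and is applied with `nft -f`, which commits the whole file as one transaction, and why the loader parses the file with `nft -c` first rather than risking a half-applied ruleset at boot.

```shell
#!/bin/sh
# Added example (not from the thread). Generates and manages an nftables
# ruleset; only load_nft_conf/save_nft_conf/add_tcp_port need nft and root.

# gen_nft_conf PORT... : print a full ruleset for /etc/nftables.conf.
# TCP service ports are a named set (one lookup no matter how many ports),
# and 'meta l4proto vmap' jumps into a per-protocol chain, as in Rava's
# examples above. Protocol names/chain names here are the example's own.
gen_nft_conf() {
    if [ $# -gt 0 ]; then
        elems="elements = { $(printf '%s, ' "$@" | sed 's/, $//') }"
    else
        elems=""
    fi
    cat <<EOF
#!/usr/sbin/nft -f
# 'flush ruleset' first so 'nft -f' replaces the live rules in one
# transaction instead of appending a second copy of every rule per load.
flush ruleset

table inet filter {
    set tcp_ports {
        type inet_service
        $elems
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto vmap { tcp : jump tcp_in, udp : jump udp_in, icmp : jump icmp_in, ipv6-icmp : jump icmp6_in }
    }
    chain tcp_in {
        tcp dport @tcp_ports accept
    }
    chain udp_in {
        # empty: UDP falls back to the input chain and its drop policy
    }
    chain icmp_in {
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }
    chain icmp6_in {
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_nft_conf FILE : parse only (nft -c), so a typo in the saved file
# is caught before anything touches the live ruleset.
check_nft_conf() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 127; }
    nft -c -f "$1"
}

# load_nft_conf [FILE] : what the boot script should run instead of a bare
# 'nft -f': refuse to load a file that is unreadable or does not parse.
# Returns 2 if the file cannot be read, 1 on a parse error.
load_nft_conf() {
    conf=${1:-/etc/nftables.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    check_nft_conf "$conf" || { echo "not loading $conf: parse error" >&2; return 1; }
    nft -f "$conf"
}

# save_nft_conf [FILE] : the post's 'nft list ruleset > /etc/nftables.conf',
# but written via a temp file, mode 0600 (the dump reveals the filter policy),
# and prefixed with 'flush ruleset' so the saved file reloads cleanly.
save_nft_conf() {
    conf=${1:-/etc/nftables.conf}
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    { echo '#!/usr/sbin/nft -f'; echo 'flush ruleset'; nft list ruleset; } > "$tmp" \
        && chmod 0600 "$tmp" && mv "$tmp" "$conf"
}

# add_tcp_port PORT : open one more port at runtime by adding to the set;
# no rule edit and no reload of the whole file.
add_tcp_port() {
    nft add element inet filter tcp_ports "{ $1 }"
}

# Usage (as root):
#   gen_nft_conf 22 80 443 > /etc/nftables.conf && load_nft_conf
#   add_tcp_port 8443
#   save_nft_conf          # persist the set change for the next boot
```

Using `ct state` before the vmap keeps the common case (reply traffic of established connections) to two rules, and every new service is an `add element` on the set rather than a new rule, which is the constant-time lookup behaviour the Red Hat benchmark quoted above measures.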
