Guys,
NFTables is working as expected now.
We need the binary package of nftables from here - https://debian.pkgs.org/sid/debian-main ... 4.deb.html (will also need the lib - libnftables.so.1.1.0)
https://wiki.nftables.org/wiki-nftables ... o_nftables
The above URL has details of how to convert iptables rules to nftables rules all at once.
In short:
To display rules:
# nft list ruleset
To disable nftables, run
# nft flush ruleset
To save the nftables rules to a file:
sudo nft list ruleset > /etc/nftables.conf
To enable it at system boot, run the first command via an sh script:
/usr/sbin/nft -f /etc/nftables.conf
Nf_tables modules not found.
- ncmprhnsbl
- DEV Team
- Posts: 4256
- Joined: 20 Mar 2012, 03:42
- Distribution: v5.0-64bit
- Location: australia
there's also a slackware 15 native: https://mirrors.slackware.com/slackware ... 6_64-1.txz
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44
Nf_tables modules not found.
- Rava
- Contributor
- Posts: 5424
- Joined: 11 Jan 2011, 02:46
- Distribution: XFCE 5.01 x86_64 + 4.0 i586
- Location: Forests of Germany
Good question indeed.
Aside from the simpler syntax and that you can combine ports, e.g. do this:
nft add rule inet traffic-filter input tcp dport { 22, 80, 443 } accept
nft add rule ip6 traffic-filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
nft add rule ip filter input ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain, icmp : jump icmp-chain }
At least according to a performance comparison
https://developers.redhat.com/blog/2017 ... g-nftables
The graph of the 1st test: [graph not included]
Also worth noting is that iptables performs slightly better.

But the 2nd test changes that:
Here the graph of that 2nd test: [graph not included]
Just like with the previous test, iptables' performance degrades as the number of rules increases. This time, the degradation is even quite linear. The baseline performance of nftables is a bit lower than that of iptables, but that is expected since the single match rule is already in place and so setups differ at that point. The remaining nftables graph though shows how well the set lookup performs: Irrelevant of item count, the lookup time seems to be stable allowing for constant throughput over the whole test range. So at this stage of nftables development, one could say that as soon as more than about 120 ports have to be matched individually, nftables is clearly in advance.

Last edited by Rava on 10 Dec 2022, 06:19, edited 2 times in total.
Reason: added nft example
Cheers!
Yours Rava
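Pulling the thread's pieces together as an added example (not from any poster here): a complete /etc/nftables.conf that the `nft -f` line from the first post can load at boot, and that places the set-style rules from Rava's post inside a defined table and chain with a default-drop policy. The table and chain names, the port set and the log prefix are assumptions; `nft -c -f /etc/nftables.conf` checks the file without applying it.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Table/chain names, the port set and
# the log prefix are assumptions; adjust them to the host.

flush ruleset

table inet traffic-filter {
    # Named set: a single rule matches all entries via one lookup, and
    # entries can be changed later without rewriting the rule:
    #   nft add element inet traffic-filter tcp_services { 8080 }
    set tcp_services {
        type inet_service
        elements = { 22, 80, 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already-established connections
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for path MTU discovery; the ICMPv6 types below are
        # needed for IPv6 neighbour discovery and router advertisements
        ip protocol icmp accept
        icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

        # The combined-ports rule from above, now referencing the named set
        tcp dport @tcp_services accept

        # Record what the drop policy discards, rate-limited to keep logs readable
        limit rate 5/minute log prefix "nft-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

After loading, `nft list ruleset` should show the table above with the set expanded; if it does not, the file was not applied and the default-drop policy is not in effect.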