nftables Linux Firewall Framework

nftables.org

About this website

nftables is the modern replacement for iptables, providing a unified, high-performance packet filtering and network address translation framework for the Linux kernel. Developed by the Netfilter Core Team, primarily led by Pablo Neira Ayuso (headquartered in Spain, funded by the Netfilter Foundation), nftables was first introduced in Linux kernel 3.13 (2014) and has been the recommended firewall framework since kernel 5.0 (2019).

Key features:

Unified framework: nftables replaces iptables, ip6tables, arptables, and ebtables with a single framework that handles IPv4, IPv6, ARP, and bridge filtering, eliminating the need for separate tools and reducing code duplication in the kernel. The nf_tables kernel subsystem evaluates rules in a virtual machine (the nft VM) using bytecode generated by the nft userspace tool.

Tables and chains: nftables organizes rules into tables (one per address family: ip, ip6, inet, arp, bridge, netdev) and chains (regular chains for grouping rules, and base chains attached to Netfilter hooks). A base chain specifies its hook type (input, output, forward, prerouting, postrouting), priority, and default policy (accept or drop).

Rule syntax: rules use a clean, expressive syntax with named sets and maps for efficient matching, for example:

    nft add rule inet filter input tcp dport { 22, 80, 443 } accept

Atomic operations: the entire ruleset can be loaded, replaced, or flushed atomically in a single transaction, so a partially applied ruleset is never exposed and race conditions between updates are avoided.

Sets and maps: first-class data structures for efficient multi-value matching (IP addresses, port ranges, prefixes), including interval sets and concatenations.

Stateful objects: counters and quotas that can be shared across rules.

JSON export and import for programmatic management.

Native integration with conntrack.

Backward compatibility: iptables-nft provides the iptables syntax on top of the nftables backend.

Used in Debian, Ubuntu, Fedora, and Arch Linux. Licensed under GPL-2.0.
