Ramblings of an aging IT geek
← Ramblings of an aging IT geek
linux

i moved a firewall to nftables and stopped flinching

Migrating a real firewall from iptables to nftables, what got simpler, and the one habit I had to unlearn.

John Mylchreest
John Mylchreest
2019-06-27 · 4 min read

A terminal showing firewall rules on a Linux box

I have been writing iptables rules for the better part of a decade, and I have never once enjoyed it. The syntax is a museum of accreted decisions: separate tables, separate iptables and ip6tables binaries, rule ordering you have to hold in your head, and the constant small terror of a -D deleting the wrong line because you counted positions instead of names. It worked. I just never trusted myself with it.

So when a box came up for a rebuild this week, I finally did the thing I had been putting off and moved it to nftables. Debian Buster shipped this month with nftables as the default backend, which felt like permission to stop procrastinating.

what actually got better

The big win is that one ruleset covers IPv4 and IPv6. No more maintaining two parallel sets of rules and discovering six months later that the v6 side was wide open because I forgot it existed. You write inet and you mean both.

The second win is that the config reads like a config, not a transcript of commands. Here is roughly what the input chain looks like now:

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        tcp dport { 22, 80, 443 } accept
    }
}

That set syntax, { 22, 80, 443 }, is the bit that made me grin. In iptables every port is its own rule or you reach for multiport and hope. Here it is a set, it is one line, and adding a port is editing a list.

A server rack in a small machine room

the habit i had to unlearn

The thing that caught me out was atomic loading. With iptables I would shell in and add rules one at a time, watching for the moment I locked myself out. nftables wants you to write the whole ruleset to a file and load it atomically with nft -f. Either the file applies cleanly or nothing changes. That is genuinely safer, but it means my muscle memory of "just add one quick rule live" is the wrong move. You edit the file, you load the file. Treat the live ruleset as disposable.

nft list ruleset dumps the running config in the same syntax you wrote, so there is no impedance mismatch between what you see and what you save. After years of iptables-save output that looked nothing like anything a human would write, that alone is worth the move.

I am not going to pretend the whole estate is migrated. The old boxes will run iptables until they get rebuilt, because nothing is on fire and nobody pays me to rewrite working firewalls for fun. But every new build goes to nftables now, and I have stopped flinching when I open the file.