# Is nftables ready for production?

## 1clue

Hi,

I'm curious about nftables and its reliability and security.

Has anyone adopted nftables and run a security audit? Can you elaborate on any difficulties or performance issues as compared to iptables? How about ease of use?

Edit: I found this link but have not yet had the chance to read it.  https://arxiv.org/pdf/1502.05487.pdf

Thanks.

----------

## Keruskerfuerst

You can visit the home page of nftables here: https://netfilter.org/

They began in the year 1999 and nearly 20 years after that, the code should be stable and run fast.

----------

## Hu

Your timeline is a bit off.  Netfilter as a general concept is quite old, but according to LWN: Nftables: a new packet filtering engine, nftables was first discussed in 2008 and released in 2009.  OP is specifically interested in the nftables project, not the more general idea of Linux netfilter.

Similarly, there are projects just as old, if not older, that have been poorly maintained and are definitely not suitable for their intended purpose now (if they ever were), so merely looking at the project's age is a poor metric for whether it would satisfy OP's requirements.

----------

## Ant P.

*Keruskerfuerst wrote:*

> You can visit the home page of nftables here: https://netfilter.org/
> 
> They began in the year 1999 and nearly 20 years after that, the code should be stable and run fast.


nftables is not 20 years old, it's barely even 5. There have been three full rewrites of the Linux firewall stack in that time.

In any case it's as reliable and secure as iptables since the latter is just a frontend for nftables now. It gets the job done, the syntax is more maintainable with complex rules and in theory you can write much more performant rulesets than iptables, since things like ipsets are baked in instead of an extension. Debugging errors is a pain in the ass though; the error messages are the worst part of the software, sometimes it'll just spit back a stringified libc error code straight from the kernel and you basically have to guess what you did wrong.
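To make the "sets are baked in" point above concrete, here is a small ruleset added as an illustration; it is not from this thread or from the netfilter project. The addresses and ports are constructed placeholders, and the table and set names are my own choices. The named sets take the place of a separate `ipset` tool plus `-m set --match-set` rules on the iptables side, and the whole policy lives in one file that can be syntax-checked before it touches the running kernel:

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Addresses are constructed
# documentation-range placeholders; table/set names are assumptions.
flush ruleset

table inet filter {
    # A named set does what `ipset create blocklist hash:net` plus an
    # `iptables -m set --match-set blocklist src -j DROP` rule did before.
    # `flags interval` lets prefixes and single addresses share one set.
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    # Allowed service ports grouped once instead of one rule per port.
    set tcp_services {
        type inet_service
        elements = { 22, 443 }
    }

    chain input {
        # Default-deny on the input hook; everything below is an exception.
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # One lookup against the set; updating the set needs no rule change.
        ip saddr @blocklist drop

        # Rate-limit echo requests rather than blocking ICMP outright.
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept

        tcp dport @tcp_services ct state new accept

        # Log a sample of what the policy is about to drop, then fall
        # through to the chain policy; the limit keeps the log readable.
        limit rate 10/minute burst 20 packets log prefix "nft-input-drop: "
    }

    chain forward {
        # This host is not a router: drop anything asking to be forwarded.
        type filter hook forward priority 0; policy drop;
    }
}
```

Because the error messages Ant P. describes are easiest to deal with before a bad ruleset is live, run `nft -c -f ruleset.nft` first: `-c` (`--check`) parses and validates the file without loading it, and only `nft -f ruleset.nft` applies it. Individual entries can then be added or removed at runtime with `nft add element inet filter blocklist { 203.0.113.9 }` (again a constructed address) without reloading the rules, which is the operational gain over the ipset-plus-iptables split.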

----------

## 1clue

*Ant P. wrote:*

> *Keruskerfuerst wrote:*
> > You can visit the home page of nftables here: https://netfilter.org/
> >
> > They began in the year 1999 and nearly 20 years after that, the code should be stable and run fast.
>
> nftables is not 20 years old, it's barely even 5. There have been three full rewrites of the Linux firewall stack in that time.
> ...


This was exactly what I was looking for.

Thanks.

----------