nftables

nftables is the modern Linux firewall framework that replaced iptables as the default in Debian 10+, Ubuntu 20.10+, and RHEL 8+. It provides a unified interface for IPv4, IPv6, and ARP filtering with improved performance and syntax.

nftables is the successor to iptables, ip6tables, arptables, and ebtables — replacing four separate tools with a single framework. It was merged into the Linux kernel in 3.13 (2014) and became the default firewall backend in Debian 10 (Buster, 2019) and Ubuntu 20.10.

The transition from iptables to nftables is largely transparent when using UFW — UFW abstracts both backends. Problems arise when iptables rules are mixed with nftables rules, or when Docker (which uses iptables directly) is running on a system using nftables.

nftables vs iptables

iptables uses separate tables (filter, nat, mangle), each driven by its own command-line tool. nftables uses a single nft command with one unified syntax. nftables supports sets (groups of addresses or ports) natively, so one rule can match many values and rule counts shrink. nftables also performs better at high rule counts because set lookups are done in the kernel rather than by walking a linear rule list.

Docker and nftables Conflict

On nftables systems Docker still programs its rules through iptables commands, which run in iptables compatibility mode. The DOCKER chain that Docker creates this way may then not interact correctly with native nftables rules, producing the same kind of bypass seen with UFW: containers appear protected but are actually reachable. The fix involves explicitly configuring Docker to use the nftables-compatible iptables backend.

Frequently Asked Questions

Is nftables better than iptables?
For new deployments, yes. nftables has cleaner syntax, better performance at scale, native set support, and is actively maintained. For existing setups, migration requires care — Docker, fail2ban, and some VPN software still default to iptables rules that need compatibility configuration.
How do I check if my system is using nftables or iptables?
Run sudo nft list ruleset. If it returns rules, nftables is active. Run sudo iptables -L — on nftables systems this uses the iptables-nft compatibility layer. Check dpkg -l nftables iptables to see which packages are installed.
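The backend check above and the Docker mixing problem described earlier can be audited from one nft dump. The script below is an added example, not part of this glossary or of the nftables project: it reads the text of sudo nft list ruleset, counts native nftables tables against the iptables-nft compatibility tables (family ip/ip6 with a legacy table name), and flags a running Docker whose chains are absent from the dump, which means Docker is programming iptables-legacy and its rules are invisible to nft. The ruleset in the block is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the glossary page). Audit an `nft list ruleset`
# dump for iptables-nft compatibility tables next to native nftables tables.
# Live use: audit_ruleset "$(sudo nft list ruleset)" 1   (1 = docker running)

SAMPLE_RULESET='table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy accept;
        counter jump DOCKER-USER
    }
    chain DOCKER-USER {
        counter return
    }
}
table ip nat {
    chain DOCKER {
        iifname "docker0" counter return
    }
}'

# Tables built through iptables-nft keep iptables naming: family ip/ip6 plus
# a legacy table name. Prints "<native> <compat> <docker-chains>".
count_layers() {
    printf '%s\n' "$1" | awk '
        $1 == "table" {
            if (($2 == "ip" || $2 == "ip6") && $3 ~ /^(filter|nat|mangle|raw|security)$/) c++
            else n++
        }
        /^[[:space:]]*chain DOCKER/ { d++ }
        END { print n+0, c+0, d+0 }'
}

# Verdict: native-only | compat-only | mixed, plus "+docker-invisible" when
# Docker is running but none of its chains appear in what nft lists.
audit_ruleset() {
    set -- $(count_layers "$1") "${2:-0}"   # $1 native $2 compat $3 docker $4 running
    if [ "$2" -eq 0 ]; then verdict=native-only
    elif [ "$1" -eq 0 ]; then verdict=compat-only
    else verdict=mixed; fi
    if [ "$4" -eq 1 ] && [ "$3" -eq 0 ]; then verdict="$verdict+docker-invisible"; fi
    echo "$verdict"
}

audit_ruleset "$SAMPLE_RULESET" 1   # prints: mixed
```

A "docker-invisible" verdict is the case the Docker section describes; on Debian and Ubuntu the nftables-compatible backend is selected with update-alternatives --set iptables /usr/sbin/iptables-nft, after which Docker's chains reappear in the nft output.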
Does UFW work with nftables?
Yes. UFW on Ubuntu 20.10+ uses the nftables backend by default. The firewall rules you write with ufw allow/deny are translated to nftables rules. However, Docker's iptables rules may not integrate correctly — see the Docker UFW bypass glossary entry.