
Nftables

From dankwiki

nftables is the Linux kernel's successor to iptables, using xtables. The primary tool used to interact with nftables is nft. The most important difference between the two is that nftables introduces a multidimensional tree and generic set infrastructure; the combination of IPv4 and IPv6 into the inet family is most welcome.

The iptables tool can use an nftables backend. Typically the old iptables backend is available via a tool named e.g. iptables-legacy, while the new one can often be explicitly invoked using iptables-nft. Note, however, that even iptables-nft will not necessarily show all nftables rules, depending on how they were configured (for instance, using the IPMasquerade option of systemd-networkd with an nftables backend will not result in anything visible using iptables-nft -t nat -L). It's thus best to get in the habit of using nft list ruleset.
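To make the visibility gap described above concrete, the following added example (not part of the original page) reads the JSON form of a ruleset and reports tables that an iptables-style listing would miss. It assumes the compatibility tools only address the fixed xtables table names in the ip and ip6 families, which is a lower bound since a table using one of those names can still be incompatible; the sample ruleset and the names example_nat and fw are constructed.

```python
import json
from collections import Counter

# Table names the iptables compatibility tools operate on, per family.
# Assumption of this example: any other table is outside their view.
XT_TABLES = {
    "ip": {"filter", "nat", "mangle", "raw", "security"},
    "ip6": {"filter", "nat", "mangle", "raw", "security"},
}

# Constructed sample shaped like `nft -j list ruleset` output; the names
# "example_nat" and "fw" are illustrative, not captured from a real host.
SAMPLE = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"table": {"family": "ip", "name": "filter", "handle": 1}},
    {"chain": {"family": "ip", "table": "filter", "name": "INPUT", "handle": 1}},
    {"rule": {"family": "ip", "table": "filter", "chain": "INPUT",
              "handle": 2, "expr": [{"accept": None}]}},
    {"table": {"family": "ip", "name": "example_nat", "handle": 2}},
    {"chain": {"family": "ip", "table": "example_nat", "name": "post",
               "handle": 1, "type": "nat", "hook": "postrouting", "prio": 100}},
    {"rule": {"family": "ip", "table": "example_nat", "chain": "post",
              "handle": 2, "expr": [{"masquerade": None}]}},
    {"table": {"family": "inet", "name": "fw", "handle": 3}},
]})


def hidden_tables(ruleset_json):
    """Map (family, table) -> rule count for tables iptables-nft would not list."""
    objs = json.loads(ruleset_json).get("nftables", [])
    # Count rules separately so the result does not depend on object order.
    rules = Counter((o["rule"]["family"], o["rule"]["table"])
                    for o in objs if "rule" in o)
    tables = [o["table"] for o in objs if "table" in o]
    return {(t["family"], t["name"]): rules[(t["family"], t["name"])]
            for t in tables
            if t["name"] not in XT_TABLES.get(t["family"], set())}


if __name__ == "__main__":
    for (family, name), count in sorted(hidden_tables(SAMPLE).items()):
        print(f"table {family} {name}: {count} rule(s) not shown by iptables-nft")
```

On a live host, pass the output of nft -j list ruleset to hidden_tables() in place of SAMPLE.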

nft

nft is the nftables administration tool, replacing iptables.
