What is the difference between NFTables and BPFilter?

bogdanbiv · 2018-11-05 14:39:45 UTC

I trying to secure my home network with OpenWRT routers. In this context I started to customize my iptables rules to my needs and found some iptables concepts hard to understand / use.

I’ve discovered that nftables is the NEXT big change in firewall software for Linux based systems (as of ~3.18), replacing iptables which is hard to use or inefficient. More recently, I’ve learnt bpfilter is being merged into Linux 4.18 and it is a “Better Firewall / Packet Filtering” also meant to replace iptables.

Now, I’m quite confused: could you point me to a simple one paragraph description of each technology, nftables/netfilter vs bpfilter ? Are they both trying to solve the same problem / do they overlap? Is there any relationship between the two? I am looking for a short description of each that helps me understand when to use one or the other.

As far as I know, nftables is currently supported in all OpenWRT build targets (Correct me if I'm wrong). I would also like to know your position on supporting eBPF in OpenWRT.

jeff · 2018-11-05 18:13:45 UTC

From what I understand of the Linux world, nftables is intended to replace iptables as the "standard" interface to the kernel-level implementation of packet filtering. From what I understand, many (most?) people are clinging to the iptables interface and have not transitioned.

nftables can be installed on OpenWrt, but there is no "official" UCI/LuCI integration at this time. I'm not aware of non-official UCI/LuCI support either.

bpfilter seems to be an early contender. Personally, I don't trust "early" on security-critical things like firewalls.

Current status of BPFILTER

The development is currently at an early stage.

(2018-07-10, Linux Audit, linked below)

Some articles that may be of interest in helping you make a personal decision include

dlakelan · 2018-11-06 11:45:04 UTC

To elaborate further. In the last few years the eBPF virtual machine has been plugged into many different parts of the kernel, in particular all kinds of performance monitoring and data collection about the kernel. Plus of course it can be used for packet classification in queueing/tc. It's very useful in part because it let's you write regular code in languages like C or in specialty languages, and then compile to the bytecode and load into the kernel where it can be checked for determinism, and then compiled to machine code by the kernel.

Given that nftables has been slow to adopt, and BPF has quickly gained ground, what might ultimately happen is unknown. It seems likely that user level tools from nftables might be converted to output eBPF thereby consolidating things... Who knows.

For the moment though, most people are still using iptables for firewalls, and still using tc for traffic control. Better user level tools that output eBPF could change that.

Leannon60 · 2018-11-06 14:26:31 UTC

It's worth noting that current state of BPFilter is "don't use it": https://marc.info/?l=linux-netdev&m=153542730925638&w=2