Submitted URL: http://netfilter.org/
Effective URL: https://netfilter.org/
Submission: On May 01 via api from GB — Scanned from FR
Projects

 * iptables
 * nftables
 * libnftnl
 * libnfnetlink
 * libnetfilter_acct
 * libnetfilter_log
 * libnetfilter_queue
 * libnetfilter_conntrack
 * libnetfilter_cttimeout
 * libnetfilter_cthelper
 * conntrack-tools
 * libmnl
 * nfacct
 * ipset
 * ulogd
 * xtables-addons

News

 * libmnl 1.0.5 released
 * libnfnetlink 1.0.2 released
 * nftables 1.0.2 released
 * libnetfilter_conntrack 1.0.9 released
 * settlement with Patrick McHardy
 * nftables 1.0.1 released
 * libnftnl 1.2.1 released
 * libnetfilter_log 1.0.2 released
 * nftables 1.0.0 released
 * nftables 0.9.9 released
 * libnftnl 1.2.0 released
 * iptables 1.8.7 released
 * nftables 0.9.8 released
 * libnftnl 1.1.9 released
 * iptables 1.8.6 released
 * nftables 0.9.7 released
 * libnftnl 1.1.8 released
 * new coreteam PGP key
 * nftables 0.9.6 released
 * libnetfilter_queue 1.0.5 released
 * nftables 0.9.5 released
 * libnftnl 1.1.7 released
 * libnetfilter_queue 1.0.4 released
 * iptables 1.8.5 released
 * conntrack-tools 1.4.6 released
 * libnetfilter_conntrack 1.0.8 released
 * nftables 0.9.4 released
 * libnftnl 1.1.6 released


THE NETFILTER.ORG PROJECT

WHAT IS THE NETFILTER.ORG PROJECT?

The netfilter project is a community-driven collaborative FOSS project that
provides packet filtering software for the Linux 2.4.x and later kernel series.
The netfilter project is commonly associated with iptables and its successor
nftables.

The netfilter project enables packet filtering, network address [and port]
translation (NA[P]T), packet logging, userspace packet queueing and other packet
mangling.

The netfilter hooks are a framework inside the Linux kernel that allows kernel
modules to register callback functions at different locations of the Linux
network stack. The registered callback function is then called back for every
packet that traverses the respective hook within the Linux network stack.

iptables is generic firewalling software that allows you to define rulesets.
Each rule within an IP table consists of a number of classifiers (iptables
matches) and one connected action (iptables target).

nftables is the successor of iptables; it allows for much more flexible,
scalable and performant packet classification. This is where all the fancy new
features are developed.


MAIN FEATURES

 * stateless packet filtering (IPv4 and IPv6)
 * stateful packet filtering (IPv4 and IPv6)
 * all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 and
   IPv6)
 * flexible and extensible infrastructure
 * multiple layers of APIs for 3rd party extensions


WHAT CAN I DO WITH NETFILTER?

 * build internet firewalls based on stateless and stateful packet filtering
 * deploy highly available stateless and stateful firewall clusters
 * use NAT and masquerading for sharing internet access if you don't have enough
   public IP addresses
 * use NAT to implement transparent proxies
 * aid the tc and iproute2 systems used to build sophisticated QoS and policy
   routers
 * do further packet manipulation (mangling) like altering the TOS/DSCP/ECN bits
   of the IP header


WHAT VALUE DOES NFTABLES PROVIDE?

 * a single tool with consistent syntax as opposed to the fragmented
   {ip,ip6,eb,arp}tables and ipset
 * faster kernel-side transactional ruleset updates, no need for user-space
   locking
 * sets are more flexible and powerful than ipset, maps push the concept even
   further
 * full ruleset flexibility:
    * no pre-defined tables and chains
    * arbitrary number of user-defined tables to separate the ruleset into
      "namespaces"
    * base chain's hook and priority are configurable
 * more flexible rules: no mandatory parts (like counters), multiple actions
   allowed (e.g. log and drop)
 * ingress hook attaching a chain to an interface for early filtering right
   after TC
 * flowtables provide a software fast path and hardware acceleration
 * some limited scripting ability embedded in the syntax (define variables,
   include other files), support for extensive scripting via JSON input and
   output


LICENSING TERMS

netfilter.org develops software within the Linux kernel, which is released under
the terms of the GNU General Public License version 2 (GPL-2.0) and compatible
licenses. This project also provides userspace libraries and utilities that are
released under the GPL-2.0; please consult the licensing terms of each library
and userspace tool specifically for details. For more information, you can
consult our licensing section.


Copyright © 1999-2021 The Netfilter's webmasters.