Networking: Nftables vs. iptables

Hello, everyone!

I’m discovering the Droidian system for Poco X3 Pro device, kernel 4.14-190-xiaomi-vayu (packaged as of 2025.10.24). Firstly, it is admirable how fluently the flashing proceeded and the system worked out of the box on my device!

Since I’m interested in some networking applications, I started roaming around the installation and the following question appeared. The question is about general system-level networking, so I decided to ask it here.

Observations

It seems that nftables functionality is disabled in the kernel, since

zgrep 'NF_TABLES' /proc/config.gz # outputs:
# CONFIG_NF_TABLES is not set

Apparently, iptables v1.8.11 (legacy) is used instead for packet filtering and dispatching.

On the other hand, the nft utility is still preinstalled (package nftables v1.1.3-1), though it does not function as expected, since the feature is disabled in the kernel. (E.g. nft --help prints fine, but nft list ruleset complains with netlink: Error: cache initialization failed: Invalid argument.)
Furthermore, many other nftables-related kernel config options are enabled; see e.g. the output of:

zgrep -E 'IP_NF|IP6_NF' /proc/config.gz

Thus, it seems that nftables would have been enabled completely if the main toggle CONFIG_NF_TABLES had not been switched off.

Questions

The general question is, why so?

  1. Won’t it be better to enable nftables consistently and even migrate from iptables-legacy to iptables-nft, like upstream Debian does? If some software relies on iptables syntax, it will be emulated by nftables as a modern backend.
  2. Or, maybe, there were some compatibility issues that made this transition still problematic and forced the developers to switch off CONFIG_NF_TABLES?
  3. Finally, is there a way to enable nftables locally on my device without deploying the whole porting machinery and recompiling the kernel?
  4. Btw, it looks like all modules are statically integrated into the kernel. Is there a chance for dynamic module handling (modprobe, lsmod etc.) in Droidian, maybe in future releases? As far as I know, bigger Debian itself tends toward dynamic modules quite often. With dynamic kernel modules in play one might conduct more local experiments (e.g. enabling nftables or adding extra filesystem support).
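
As an added example (not part of the original post), a small POSIX-sh diagnostic that reads the kernel config text (as the zgrep checks above do) together with the `iptables -V` line and reports whether the userspace backend and the kernel agree, which is what decides whether loaded rules are actually enforced. The function names and the sample config are constructed for this example.

```shell
#!/bin/sh
# Added example: check that the kernel's netfilter config and the iptables
# userspace backend agree. Function names and sample inputs are constructed.

# kconfig_state OPTION, config text on stdin; prints enabled / disabled / unknown.
# Live use: zcat /proc/config.gz | kconfig_state CONFIG_NF_TABLES
kconfig_state() {
    cfg=$(cat)
    if printf '%s\n' "$cfg" | grep -q "^$1=[ym]"; then
        echo enabled
    elif printf '%s\n' "$cfg" | grep -q "^# $1 is not set"; then
        echo disabled
    else
        echo unknown
    fi
}

# iptables_backend "VERSION_LINE": classify the output of `iptables -V`.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# nf_summary "VERSION_LINE" "CONFIG_TEXT": a token before the colon for scripts
# to branch on, followed by a short explanation.
nf_summary() {
    backend=$(iptables_backend "$1")
    nft=$(printf '%s\n' "$2" | kconfig_state CONFIG_NF_TABLES)
    case "$nft/$backend" in
        enabled/nf_tables)  echo "native: nft and iptables-nft share one nf_tables ruleset" ;;
        disabled/legacy)    echo "legacy-only: rules live in ip_tables; nft cannot talk to this kernel" ;;
        enabled/legacy)     echo "split: kernel has nf_tables, but iptables-legacy rules are enforced separately; audit both" ;;
        disabled/nf_tables) echo "broken: iptables-nft cannot load rules because CONFIG_NF_TABLES is off" ;;
        *)                  echo "unknown: config=$nft backend=$backend" ;;
    esac
}

# Constructed sample matching the situation described in the post.
SAMPLE_CFG='CONFIG_NETFILTER=y
# CONFIG_NF_TABLES is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP6_NF_IPTABLES=y'

# Live check when run on a device; silently skipped where /proc/config.gz is absent.
if [ -r /proc/config.gz ] && command -v iptables >/dev/null 2>&1; then
    nf_summary "$(iptables -V 2>/dev/null)" "$(zcat /proc/config.gz)"
fi
```

On the device described in the post the live check should print the legacy-only line; the broken case is the one to watch for after a migration to iptables-nft on a kernel still built without CONFIG_NF_TABLES.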

Well, I personally never looked into that. We are running downstream Android kernels, every device with different vendor patches. We do not have a common kernel which works on all devices.

If I wanted to look into it, I would just enable the config, rebuild the kernel and see if it boots and everything works. If it does, test the userspace.