nftables utility¶
links: SPA TOC - Linux Firewall - Index
Tables¶
- see the available kinds of address families
nft list tables # list all tables
nft list tables arp|ip|... # list tables per family
nft list table ip myfilter # list the content of a specific table
nft add table ip myfilter # adding an IPv4 table named "myfilter"
nft delete table ip myfilter # delete the table, table must be empty!
nft flush table ip myfilter # flush the rules, clear all rules
Chains¶
Possible chain types: filter, route, nat
Base chain¶
# add new base chain "myinput" to existing IPv4 table "myfilter"
# "myinput" is hooked to the netfilter "input hook"
# (the ";" must be escaped, otherwise the shell ends the command there)
nft add chain ip myfilter myinput { type filter hook input priority 0 \; }
# add new base chain with a default accept policy
nft add chain ip foo myoutput { type filter hook output priority 0 \; policy accept \; }
Hook priority value
Regular or non-base chain¶
# add regular chain "myinput" to existing IPv4 table "myfilter"
nft add chain ip myfilter myinput
# delete an empty chain
nft delete chain ip myfilter myinput
# flush a chain (clear all rules)
nft flush chain myfilter myinput
Rules¶
To add new rules, the table and the chain must be specified
# list rules and chains of a table
nft list table myfilter
nft -n list ... # no hostname resolution
nft -nn list ... # no hostname and service name resolution
# add new rules to the table "myfilter" and the chain "myoutput"
nft add rule myfilter myoutput ip daddr 8.8.8.8 counter
nft add rule myfilter myoutput tcp dport ssh counter
Rule management¶
- to add, insert and remove rules at a given position the rule handle is required:
  - add: after the referenced rule
  - insert: at the place of (i.e. before) the referenced rule
  - delete: the referenced rule
- use flush to empty a chain or a table
# print out the rule handles
nft -a list ...
# examples
nft add rule myfilter myoutput position 8 ip daddr 127.0.0.8 drop
nft insert rule myfilter myoutput position 9 ip daddr 127.0.0.1 drop
nft delete rule myfilter myoutput handle 5
# insert a rule at the first position of a chain
nft insert rule myfilter myoutput ip daddr 192.168.1.1 counter
# flush all rules of a chain
nft flush chain myfilter myoutput
# flush all rules of all chains of a table
nft flush table myfilter
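The handle-based positioning described above, as an added example that is not part of the original page: `nft -a list` prints `# handle N` at the end of every rule line, so a small awk filter can turn a rule's text into its handle, and that handle is then used as the location specifier for `insert rule`. The listing in `sample_listing` is constructed for this example (it stands in for real `nft -a list chain ip myfilter myoutput` output); `handle_of` and `insert_before` are names chosen here. `handle N` after `insert rule` is the current spelling of the location specifier the page writes as `position N`.

```shell
#!/bin/sh
# Added example (not from the original page): find a rule's handle from the
# "nft -a list" output and insert a new rule in front of it.
set -eu

# Print the handle of the first rule line on stdin matching the regex PATTERN.
# Only rule lines carry the pattern, so the chain header line (which also
# ends in "# handle N") is not picked up by accident.
handle_of() {
    awk -v pat="$1" '
        $0 ~ pat && match($0, /# handle [0-9]+$/) {
            # "# handle " is 9 characters; the rest of the match is the number
            print substr($0, RSTART + 9, RLENGTH - 9)
            exit
        }'
}

# Constructed sample of "nft -a list chain ip myfilter myoutput" output,
# so the handle lookup can be tried without a live nftables instance.
sample_listing() {
    cat <<'EOF'
table ip myfilter {
    chain myoutput { # handle 2
        type filter hook output priority filter; policy accept;
        ip daddr 8.8.8.8 counter packets 0 bytes 0 # handle 5
        tcp dport 22 counter packets 0 bytes 0 # handle 6
    }
}
EOF
}

# insert_before FAMILY TABLE CHAIN PATTERN RULE...
# Inserts RULE before the existing rule whose listing line matches PATTERN.
insert_before() {
    family=$1 table=$2 chain=$3 pattern=$4
    shift 4
    h=$(nft -a list chain "$family" "$table" "$chain" | handle_of "$pattern")
    [ -n "$h" ] || { echo "no rule matching '$pattern' in chain $chain" >&2; return 1; }
    nft insert rule "$family" "$table" "$chain" handle "$h" "$@"
}

# Offline demonstration on the constructed listing: prints 6
sample_listing | handle_of 'tcp dport 22'

# Live usage (needs root and the chain from the page):
#   insert_before ip myfilter myoutput 'tcp dport 22' ip daddr 192.168.1.1 counter
```

The pattern is an awk regular expression matched against the whole rule line, so quoting a complete expression such as `'tcp dport 22'` avoids matching a different rule that merely contains `22` in a counter value.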
Expressions¶
nftables provides the following built-in operations:
- ne, != : not equal
- lt, < : less than
- gt, > : greater than
- le, <= : less than or equal
- ge, >= : greater than or equal
nft add rule myfilter myinput tcp dport != 22
nft add rule myfilter myinput tcp dport >= 1024
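The table, base chains, regular chain and comparison operators from the sections above, combined into one nft script and loaded atomically. This is an added example, not code from the original page: the regular chain `myservices`, the jump to it and the `add table`/`flush table` preamble are choices made here; the table and chain names are the page's. `nft -c` parses and validates the script without committing it, so a syntax error never leaves the firewall half-loaded.

```shell
#!/bin/sh
# Added example (not from the original page): declare the IPv4 table "myfilter"
# with its chains and rules as one nft script and load it with "nft -f -".
set -eu

# Emit the ruleset. "add table" makes sure the table exists, "flush table"
# empties it, and the table block re-creates it; all of this is applied in a
# single transaction, so a reload never leaves a partial ruleset behind.
print_myfilter_ruleset() {
    cat <<'EOF'
add table ip myfilter
flush table ip myfilter

table ip myfilter {
    # base chain: hooked into the input path, default policy drop
    chain myinput {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid counter drop
        tcp dport ssh counter accept
        tcp dport != 22 jump myservices     # "ne" operator from the Expressions section
    }

    # regular (non-base) chain: only reached through the jump above
    chain myservices {
        tcp dport >= 1024 counter drop      # "ge" operator: nothing above the well-known ports
        tcp dport { 80, 443 } counter accept
    }

    # base chain in the output path, default accept, as in the Chains section
    chain myoutput {
        type filter hook output priority 0; policy accept;
        ip daddr 8.8.8.8 counter
        tcp dport ssh counter
    }
}
EOF
}

# Syntax-check with "-c" first, then load for real.
apply_myfilter_ruleset() {
    print_myfilter_ruleset | nft -c -f - || return 1
    print_myfilter_ruleset | nft -f -
}

# Usage (needs root):
#   apply_myfilter_ruleset
```

Listing the result afterwards with `nft list table ip myfilter` shows the same structure the individual `nft add chain` / `nft add rule` commands on this page would have built, but the script form can be kept under version control and reloaded as a unit.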
Selectors¶
- supported selectors for packet matching:
- meta information: incoming/outgoing interface name/index/type, packet length, ...
- header fields: layer 2 up to layer 4
- connection tracking: conntrack
- routing information
- rate limiting matchings: per packet/byte or burst
Actions¶
- Possible actions on packets:
- accepting and dropping packets
- rejecting traffic
- jumping to chain
- counters
- logging traffic
- performing NAT
- setting packet/connection tracking meta information
- mangling packet headers
- duplicating packets
- load balancing
- queueing to userspace
Unlike iptables, multiple actions may be performed in one single rule.
Advanced data structures¶
There are advanced data structures for high-performance packet classification (e.g. intervals, quotas, limits, timeout policies, ...)
Backup & Restore¶
Save Ruleset¶
- a ruleset is essentially a collection of all the rules, chains and tables that have been configured in nftables
- the first line in the backup file has to be a flush command (see example below)
nft list ruleset # list complete ruleset
nft list ruleset arp|ip|... # list ruleset per address family
nft flush ruleset # flush the complete ruleset
nft flush ruleset arp|ip|... # flush ruleset per address family
echo "flush ruleset" > backup.nft # first line of the file: flush the ruleset (file syntax, no leading "nft")
nft list ruleset >> backup.nft # append the ruleset to save/restore
nft -f backup.nft # restore the ruleset from file
nft -j list ruleset | json_pp > ruleset.json # export in json format (json_pp is optional pretty-printing)
Save specific tables¶
- to (atomically) replace a rule set, a `flush table myfilter` line must be added at the beginning of the file `myfilter-table`
# backup
echo "flush table myfilter" > myfilter-table # first line: flush the table (file syntax, no leading "nft")
nft list table myfilter >> myfilter-table # add rules of table to file
# restore: atomically update rule set from a file
nft -f myfilter-table
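The save/restore procedure of the two sections above as one script. This is an added example, not code from the original page; the function names are choices made here. The point it adds to the page's commands is the guard in `restore_ruleset`: a file whose first statement is not a flush would be appended to the live ruleset by `nft -f`, duplicating every rule, so the restore refuses such a file and also runs `nft -c` (check only) before committing.

```shell
#!/bin/sh
# Added example (not from the original page): save the live ruleset to a
# file that restores atomically, and validate a file before restoring it.
set -eu

# Write "flush ruleset" followed by the live ruleset to FILE.
backup_ruleset() {
    file=$1
    printf 'flush ruleset\n' > "$file"
    nft list ruleset >> "$file"
}

# Return 0 if the first non-comment, non-blank line of FILE flushes the
# whole ruleset or a table, 1 otherwise.
backup_has_flush() {
    first=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | head -n 1 | sed 's/^[[:space:]]*//')
    case $first in
        "flush ruleset"|"flush ruleset "*|"flush table "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuse files without a leading flush, syntax-check with "-c", then
# replace the live ruleset in a single transaction.
restore_ruleset() {
    file=$1
    backup_has_flush "$file" || { echo "$file: first statement must be a flush command" >&2; return 1; }
    nft -c -f "$file" || { echo "$file: syntax check failed" >&2; return 1; }
    nft -f "$file"
}

# Usage (needs root):
#   backup_ruleset /root/backup.nft
#   restore_ruleset /root/backup.nft
```

`backup_has_flush` skips leading comment lines, so a file that starts with `#!/usr/sbin/nft -f` or a dated comment is still accepted as long as the first real statement is the flush.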
Examples¶
IPv4 table examples¶
- the `ipv4-filter` and `ipv4-nat` files of the nftables distribution provide an iptables-like filtering/nat structure
Host firewall¶
IPv4
IPv6
inet
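A minimal host firewall for the `inet` family, which filters IPv4 and IPv6 with a single table, as an added example that is not part of the original page. It exercises the selectors (interface name, conntrack state, layer 3/4 header fields, rate limit) and actions (accept, drop, counter, log, reject, several actions in one rule) from the Selectors and Actions sections; the ICMP and rate-limit rules go slightly beyond what the page lists. The table name `host`, the open ports and the log prefixes are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): inet host firewall loaded
# atomically with "nft -f -" after a syntax check with "nft -c".
set -eu

print_host_firewall() {
    cat <<'EOF'
add table inet host
flush table inet host

table inet host {
    chain input {
        type filter hook input priority 0; policy drop;

        # selectors: interface name and conntrack state
        iifname "lo" accept
        ct state established,related accept
        ct state invalid counter drop

        # ICMP is required for path MTU discovery and IPv6 neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept

        # rate-limited ssh; new connections above the limit are counted, logged and dropped
        tcp dport 22 ct state new limit rate 10/minute accept
        tcp dport 22 ct state new counter log prefix "ssh-flood " drop

        tcp dport { 80, 443 } counter accept

        # several actions in one rule: count, log, then reject (works for IPv4 and IPv6)
        counter log prefix "input-reject " reject with icmpx type admin-prohibited
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

apply_host_firewall() {
    print_host_firewall | nft -c -f - || return 1
    print_host_firewall | nft -f -
}

# Usage (needs root):
#   apply_host_firewall
```

With `policy drop` on the input chain, the final `reject` rule is what turns a silent drop into an explicit answer and a log line; leaving it out is also valid and simply makes unsolicited packets disappear, which is the behaviour the chain policy alone gives.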