nftables wiki - User contributions [en]

Main Page

2018-08-20T13:32:02Z

AlexanderAlemayhu: Add netfilter workshop from 0x12

Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.

If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>.

= Introduction =

* [[What is nftables?]]
* [[Why nftables?]]
* [[Main differences with iptables]]
* [[Netfilter hooks]] and integration with existing Netfilter components.
* [[Adoption]]
* [[Legacy xtables tools]]

= Getting started =

* [[Building and installing nftables from sources]]
* Using [[nftables from distributions]]
* [[Troubleshooting|Troubleshooting and FAQ]]
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]
* [[nftables families|Understanding nftables families]]

= Basic operation =

* [[Configuring tables]]
* [[Configuring chains]]
* [[Simple rule management]]
* [[Atomic rule replacement]]
* [[Error reporting from the command line]]
* [[Building rules through expressions]]
* [[Operations at ruleset level]]
* [[Monitoring ruleset updates]]
* [[Scripting]]
* [[Ruleset debug/tracing]]
* [[Moving from iptables to nftables]]
* [[Moving from ipset to nftables]]

= Supported selectors for packet matching =

* [[Matching packet header fields]]
* [[Matching packet metainformation]]
* [[Matching connection tracking stateful metainformation]]
* [[Rate limiting matchings]]
* [[Routing information]]

= Possible actions on packets =

* [[Accepting and dropping packets]]
* [[Jumping to chain]]
* [[Rejecting traffic]]
* [[Logging traffic]]
* [[Performing Network Address Translation (NAT)]]
* [[Setting packet metainformation]]
* [[Queueing to userspace]]
* [[Duplicating packets]]
* [[Mangle packet header fields]]
* [[Mangle TCP options]]
* [[Counters]]
* [[Load balancing]]
* [[Setting packet connection tracking metainformation]]

Note that, unlike ''iptables'', you can perform several actions in one single rule.

= Advanced data structures for performance packet classification =

You will have to redesign your rule-set to benefit from these new nice features:

* [[Sets]]
* [[Dictionaries]]
* [[Intervals]]
* [[Maps]]
* [[Concatenations]]
* [[Meters|Metering]] (formerly known as flow tables before nftables 0.8.1 release)
* [[Updating sets from the packet path]]
* [[Element timeouts]]
* [[Math operations]]
* [[Stateful objects]]

If you are already using [[ipset]] in your ''iptables'' rule-set, that transition may be a bit more simple to you.

= Examples =

* [[Simple ruleset for a workstation]]
* [[Bridge filtering]]
* [[Multiple NATs using nftables maps]]
* [[Classic perimetral firewall example]]
* [[Port knocking example]]

= Development progress =

* [[List of updates since Linux kernel 3.13]]
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]
* [[List of available translations via iptables-translate tool]]

= External links =

Watch some videos:

* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.
* Watch [https://www.youtube.com/watch?v=CaYp0d2wiuU#t=1m47s The ultimate packet classifier for GNU/Linux], thanks to the FSFE for paying my trip to Barcelona and for recommending me as speaker to the KDE Spanish branch.
* [https://www.youtube.com/watch?v=Sy0JDX451ns Florian Westphal - Why nftables?]
* Watch [https://www.youtube.com/watch?v=qXVOA2MKA1s Netdev 2.1 - Netfilter workshop]
* Watch [https://youtu.be/iCj10vEKPrw Netdev 2.2 - Netf‌ilter mini-workshop]
* Watch [https://youtu.be/0hqfzp6tpZo Netdev 0x12 - Netf‌ilter mini-workshop]
* Watch [https://www.youtube.com/watch?v=0wQfSfDVN94 NLUUG - Goodbye iptables, Hello nftables]
* Watch [https://www.youtube.com/watch?v=Uf5ULkEWPL0 LCA2018 - nftables from a user perspective]

Additional documentations and articles:

* Tutorial [https://zasdfgbnm.github.io/2017/09/07/Extending-nftables/ Extending nftables by Xiang Gao]
* Article [http://ral-arturo.org/2017/05/05/debian-stretch-stable-nftables.html New in Debian stable Stretch: nftables]

= Thanks =

To the NLnet foundation for initial sponsorship of this HOWTO:

[https://nlnet.nl https://nlnet.nl/image/logo.gif]

To Eric Leblond, for boostrapping the [https://home.regit.org/netfilter-en/nftables-quick-howto/ Nftables quick howto] in 2013.

Main Page

2018-08-16T05:50:46Z

AlexanderAlemayhu: Add netfilter workshop from netdev 2.2

Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.

If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>.

= Introduction =

* [[What is nftables?]]
* [[Why nftables?]]
* [[Main differences with iptables]]
* [[Netfilter hooks]] and integration with existing Netfilter components.
* [[Adoption]]
* [[Legacy xtables tools]]

= Getting started =

* [[Building and installing nftables from sources]]
* Using [[nftables from distributions]]
* [[Troubleshooting|Troubleshooting and FAQ]]
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]
* [[nftables families|Understanding nftables families]]

= Basic operation =

* [[Configuring tables]]
* [[Configuring chains]]
* [[Simple rule management]]
* [[Atomic rule replacement]]
* [[Error reporting from the command line]]
* [[Building rules through expressions]]
* [[Operations at ruleset level]]
* [[Monitoring ruleset updates]]
* [[Scripting]]
* [[Ruleset debug/tracing]]
* [[Moving from iptables to nftables]]
* [[Moving from ipset to nftables]]

= Supported selectors for packet matching =

* [[Matching packet header fields]]
* [[Matching packet metainformation]]
* [[Matching connection tracking stateful metainformation]]
* [[Rate limiting matchings]]
* [[Routing information]]

= Possible actions on packets =

* [[Accepting and dropping packets]]
* [[Jumping to chain]]
* [[Rejecting traffic]]
* [[Logging traffic]]
* [[Performing Network Address Translation (NAT)]]
* [[Setting packet metainformation]]
* [[Queueing to userspace]]
* [[Duplicating packets]]
* [[Mangle packet header fields]]
* [[Mangle TCP options]]
* [[Counters]]
* [[Load balancing]]
* [[Setting packet connection tracking metainformation]]

Note that, unlike ''iptables'', you can perform several actions in one single rule.

= Advanced data structures for performance packet classification =

You will have to redesign your rule-set to benefit from these new nice features:

* [[Sets]]
* [[Dictionaries]]
* [[Intervals]]
* [[Maps]]
* [[Concatenations]]
* [[Meters|Metering]] (formerly known as flow tables before nftables 0.8.1 release)
* [[Updating sets from the packet path]]
* [[Element timeouts]]
* [[Math operations]]
* [[Stateful objects]]

If you are already using [[ipset]] in your ''iptables'' rule-set, that transition may be a bit more simple to you.

= Examples =

* [[Simple ruleset for a workstation]]
* [[Bridge filtering]]
* [[Multiple NATs using nftables maps]]
* [[Classic perimetral firewall example]]
* [[Port knocking example]]

= Development progress =

* [[List of updates since Linux kernel 3.13]]
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]
* [[List of available translations via iptables-translate tool]]

= External links =

Watch some videos:

* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.
* Watch [https://www.youtube.com/watch?v=CaYp0d2wiuU#t=1m47s The ultimate packet classifier for GNU/Linux], thanks to the FSFE for paying my trip to Barcelona and for recommending me as speaker to the KDE Spanish branch.
* [https://www.youtube.com/watch?v=Sy0JDX451ns Florian Westphal - Why nftables?]
* Watch [https://www.youtube.com/watch?v=qXVOA2MKA1s Netdev 2.1 - Netfilter workshop]
* Watch [https://youtu.be/iCj10vEKPrw Netdev 2.2 - Netf‌ilter mini-workshop]
* Watch [https://www.youtube.com/watch?v=0wQfSfDVN94 NLUUG - Goodbye iptables, Hello nftables]
* Watch [https://www.youtube.com/watch?v=Uf5ULkEWPL0 LCA2018 - nftables from a user perspective]

Additional documentations and articles:

* Tutorial [https://zasdfgbnm.github.io/2017/09/07/Extending-nftables/ Extending nftables by Xiang Gao]
* Article [http://ral-arturo.org/2017/05/05/debian-stretch-stable-nftables.html New in Debian stable Stretch: nftables]

= Thanks =

To the NLnet foundation for initial sponsorship of this HOWTO:

[https://nlnet.nl https://nlnet.nl/image/logo.gif]

To Eric Leblond, for boostrapping the [https://home.regit.org/netfilter-en/nftables-quick-howto/ Nftables quick howto] in 2013.

Main Page

2018-01-24T09:48:04Z

AlexanderAlemayhu: Removing soon to be broken link

Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.

If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>.

= Introduction =

* [[What is nftables?]]
* [[Why nftables?]]
* [[Main differences with iptables]]
* [[Netfilter hooks]] and integration with existing Netfilter components.

= Getting started =

* [[Building and installing nftables from sources]]
* Using [[nftables from distributions]]
* [[Troubleshooting|Troubleshooting and FAQ]]
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]
* [[nftables families|Understanding nftables families]]

= Basic operation =

* [[Configuring tables]]
* [[Configuring chains]]
* [[Simple rule management]]
* [[Atomic rule replacement]]
* [[Error reporting from the command line]]
* [[Building rules through expressions]]
* [[Operations at ruleset level]]
* [[Monitoring ruleset updates]]
* [[Scripting]]
* [[Ruleset debug/tracing]]
* [[Moving from iptables to nftables]]

= Supported selectors for packet matching =

* [[Matching packet header fields]]
* [[Matching packet metainformation]]
* [[Matching connection tracking stateful metainformation]]
* [[Rate limiting matchings]]
* [[Routing information]]

= Possible actions on packets =

* [[Accepting and dropping packets]]
* [[Jumping to chain]]
* [[Rejecting traffic]]
* [[Logging traffic]]
* [[Performing Network Address Translation (NAT)]]
* [[Setting packet metainformation]]
* [[Queueing to userspace]]
* [[Duplicating packets]]
* [[Mangle packet header fields]]
* [[Mangle TCP options]]
* [[Counters]]
* [[Load balancing]]
* [[Setting packet connection tracking metainformation]]

Note that, unlike ''iptables'', you can perform several actions in one single rule.

= Advanced data structures for performance packet classification =

You will have to redesign your rule-set to benefit from these new nice features:

* [[Sets]]
* [[Dictionaries]]
* [[Intervals]]
* [[Maps]]
* [[Concatenations]]
* [[Meters|Metering]] (formerly known as flow tables before nftables 0.8.1 release)
* [[Updating sets from the packet path]]
* [[Element timeouts]]
* [[Math operations]]
* [[Stateful objects]]

If you are already using [[ipset]] in your ''iptables'' rule-set, that transition may be a bit more simple to you.

= Examples =

* [[Simple ruleset for a workstation]]
* [[Bridge filtering]]
* [[Multiple NATs using nftables maps]]
* [[Classic perimetral firewall example]]

= Development progress =

* [[List of updates since Linux kernel 3.13]]
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]
* [[List of available translations via iptables-translate tool]]

= External links =

Watch some videos:

* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.
* Watch [https://www.youtube.com/watch?v=CaYp0d2wiuU#t=1m47s The ultimate packet classifier for GNU/Linux], thanks to the FSFE for paying my trip to Barcelona and for recommending me as speaker to the KDE Spanish branch.
* [https://www.youtube.com/watch?v=Sy0JDX451ns Florian Westphal - Why nftables?]
* Watch [https://www.youtube.com/watch?v=qXVOA2MKA1s Netdev 2.1 - Netfilter workshop]
* Watch [https://www.youtube.com/watch?v=0wQfSfDVN94 NLUUG - Goodbye iptables, Hello nftables]

Additional documentations and articles:

* Tutorial [https://zasdfgbnm.github.io/2017/09/07/Extending-nftables/ Extending nftables by Xiang Gao]
* Article [http://ral-arturo.org/2017/05/05/debian-stretch-stable-nftables.html New in Debian stable Stretch: nftables]

= Thanks =

To the NLnet foundation for initial sponsorship of this HOWTO:

[https://nlnet.nl https://nlnet.nl/image/logo.gif]

To Eric Leblond, for boostrapping the [https://home.regit.org/netfilter-en/nftables-quick-howto/ Nftables quick howto] in 2013.

Main Page

2017-04-06T20:55:21Z

AlexanderAlemayhu: Add short talk by fw.

Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.

This documentation was initially started by Eric Leblond, known as the [https://home.regit.org/netfilter-en/nftables-quick-howto/ nftables quick HOWTO], and it has been extended and enhanced by Pablo Neira Ayuso.

If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>.

Note that this documentation is still under development, so '''consider this work in progress'''.

= Introduction =

* [[What is nftables?]]
* [[Why nftables?]]
* [[Main differences with iptables]]
* [[Netfilter hooks]] and integration with existing Netfilter components.

= Getting started =

* [[Building and installing nftables from sources]]
* Using [[nftables from distributions]]
* [[Troubleshooting|Troubleshooting and FAQ]]
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]
* [https://2nft.alemayhu.com/ Translate your iptables rules from a web app]

= Basic operation =

* [[Configuring tables]]
* [[Configuring chains]]
* [[Simple rule management]]
* [[Atomic rule replacement]]
* [[Error reporting from the command line]]
* [[Building rules through expressions]]
* [[Operations at ruleset level]]
* [[Monitoring ruleset updates]]
* [[Scripting]]
* [[Ruleset debug/tracing]]
* [[Moving from iptables to nftables]]

= Supported selectors for packet matching =

* [[Matching packet header fields]]
* [[Matching packet metainformation]]
* [[Matching connection tracking stateful metainformation]]
* [[Rate limiting matchings]]
* [[Routing information]]

= Possible actions on packets =

* [[Accepting and dropping packets]]
* [[Jumping to chain]]
* [[Rejecting traffic]]
* [[Logging traffic]]
* [[Performing Network Address Translation (NAT)]]
* [[Setting packet metainformation]]
* [[Queueing to userspace]]
* [[Duplicating packets]]
* [[Mangle packet header fields]]
* [[Counters]]
* [[Load balancing]]

Note that, unlike ''iptables'', you can perform several actions in one single rule.

= Advanced data structures for performance packet classification =

You will have to redesign your rule-set to benefit from these new nice features:

* [[Sets]]
* [[Dictionaries]]
* [[Intervals]]
* [[Maps]]
* [[Concatenations]]
* [[Flow tables]]
* [[Updating sets from the packet path]]
* [[Element timeouts]]
* [[Math operations]]
* [[Stateful objects]]

If you are already using [[ipset]] in your ''iptables'' rule-set, that transition may be a bit more simple to you.

= Examples =

* [[Simple ruleset for a workstation]]
* [[Bridge filtering]]
* [[Multiple NATs using nftables maps]]
* [[Classic perimetral firewall example]]

= Development progress =

* [[List of updates since Linux kernel 3.13]]
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]
* [[List of available translations via iptables-translate tool]]

= Videos =

* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.
* [https://www.youtube.com/watch?v=Sy0JDX451ns Florian Westphal - Why nftables?]

= Thanks =

To the NLnet foundation for initial sponsorship of this HOWTO:

[https://nlnet.nl https://nlnet.nl/image/logo.gif]

Main Page

2017-03-10T16:45:16Z

AlexanderAlemayhu: add 2nft to 'Getting started' (if that is the wrong section please move it)

Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.

This documentation was initially started by Eric Leblond, known as the [https://home.regit.org/netfilter-en/nftables-quick-howto/ nftables quick HOWTO], and it has been extended and enhanced by Pablo Neira Ayuso.

If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>.

Note that this documentation is still under development, so '''consider this work in progress'''.

= Introduction =

* [[What is nftables?]]
* [[Why nftables?]]
* [[Main differences with iptables]]
* [[Netfilter hooks]] and integration with existing Netfilter components.

= Getting started =

* [[Building and installing nftables from sources]]
* Using [[nftables from distributions]]
* [[Troubleshooting|Troubleshooting and FAQ]]
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]
* [https://2nft.alemayhu.com/ Translate your iptables rules from a web app]

= Basic operation =

* [[Configuring tables]]
* [[Configuring chains]]
* [[Simple rule management]]
* [[Atomic rule replacement]]
* [[Error reporting from the command line]]
* [[Building rules through expressions]]
* [[Operations at ruleset level]]
* [[Monitoring ruleset updates]]
* [[Scripting]]
* [[Ruleset debug/tracing]]
* [[Moving from iptables to nftables]]

= Supported selectors for packet matching =

* [[Matching packet header fields]]
* [[Matching packet metainformation]]
* [[Matching connection tracking stateful metainformation]]
* [[Rate limiting matchings]]
* [[Routing information]]

= Possible actions on packets =

* [[Accepting and dropping packets]]
* [[Jumping to chain]]
* [[Rejecting traffic]]
* [[Logging traffic]]
* [[Performing Network Address Translation (NAT)]]
* [[Setting packet metainformation]]
* [[Queueing to userspace]]
* [[Duplicating packets]]
* [[Mangle packet header fields]]
* [[Counters]]
* [[Load balancing]]

Note that, unlike ''iptables'', you can perform several actions in one single rule.

= Advanced data structures for performance packet classification =

You will have to redesign your rule-set to benefit from these new nice features:

* [[Sets]]
* [[Dictionaries]]
* [[Intervals]]
* [[Maps]]
* [[Concatenations]]
* [[Flow tables]]
* [[Updating sets from the packet path]]
* [[Element timeouts]]
* [[Math operations]]
* [[Stateful objects]]

If you are already using [[ipset]] in your ''iptables'' rule-set, that transition may be a bit more simple to you.

= Examples =

* [[Simple ruleset for a workstation]]
* [[Bridge filtering]]
* [[Multiple NATs using nftables maps]]
* [[Classic perimetral firewall example]]

= Development progress =

* [[List of updates since Linux kernel 3.13]]
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]
* [[List of available translations via iptables-translate tool]]

= Videos =

* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.

= Thanks =

To the NLnet foundation for initial sponsorship of this HOWTO:

[https://nlnet.nl https://nlnet.nl/image/logo.gif]

Building and installing nftables from sources

2016-10-23T17:30:59Z

AlexanderAlemayhu: fix typo

nftables requires several userspace libraries, the 'nft' userspace command line utility and the kernel modules.

If you are using a major linux distribution, you may consider using [[nftables from distributions]].

= Installing userspace libraries =

You have to install the following userspace libraries:

* [http://www.netfilter.org/projects/libmnl libmnl ], this library provides the interfaces to communicate kernel and userspace via Netlink. ''It is very likely that your distribution already provides a package for libmnl that you can use''. If you decide to use your distributor package, make sure you install the development package as well.

* [http://www.netfilter.org/projects/libnftnl libnftnl] (formerly known as libnftables), this library provides the low-level API to transform netlink messages to objects.

You also need ''libgmp'' and ''libreadline'', most distributions already provide packages for these two libraries, so make sure you install the development extensions of this packages to successfully compile ''nftables''.

If you plan to give a test to ''nftables'', we recommend you to use git snapshots for ''libnftnl'' and ''nft''.

== Installing userspace libraries from git ==

To install ''libnftnl'', to can type these magic spells:

<source lang="bash">
$ git clone git://git.netfilter.org/libnftnl
$ cd libnftnl
$ sh autogen.sh
$ ./configure
$ make
$ sudo make install
</source>

If you have any compilation problem, please report them to the [https://www.netfilter.org/mailinglists.html netfilter developer mailing list] providing as much detailed information as possible.

== Installing userspace libraries from snapshots ==

You can retrieve daily snapshots of this library from the [ftp://ftp.netfilter.org/pub/libnftnl/snapshot/ Netfilter FTP]. Then, to install it you have to:

<source lang="bash">
$ wget ftp://ftp.netfilter.org/pub/libnftnl/snapshot/libnftnl-20140217.tar.bz2
$ tar xvjf libnftnl-20140217.tar.bz2
$ ./configure
$ make
$ sudo make install
</source>

= Installing userspace nft command line utility =

This is the command line utility that provides a user interface to configure ''nftables''.

== Installing from git ==

Just type these commands:

<source lang="bash">
% git clone git://git.netfilter.org/nftables
% cd nftables
% sh autogen.sh
% ./configure
% make
% make install
</source>

You should check that ''nft'' is installed in your system by typing:

<source lang="bash">
% nft
nft: no command specified
</source>

That means ''nft'' has been correctly installed.

= Installing Linux kernel with nftables support =

Prerequisites: nftables is available in Linux kernels since version 3.13 but this is software under development, so we encourage you to run the latest stable kernel.

== Validating your installation ==

You can validate that your installation is working by checking if you can install the 'nf_tables' kernel module.

<source lang="bash">
% modprobe nf_tables
</source>

Then, you can check that's actually there via ''lsmod'':

<source lang="bash">
# lsmod | grep nf_tables
nf_tables 42349 0
</source>

dmesg should show the following message:

<source lang="bash">
% dmesg
...
[13939.468020] nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>
</source>

Make sure you also have loaded the family support, eg.

<source lang="bash">
% modprobe nf_tables_ipv4
</source>

The ''lsmod'' command should show something like:

<source lang="bash">
# lsmod | grep nf_tables
nf_tables_ipv4 12869 0
nf_tables 42349 1 nf_tables_ipv4
</source>

Other family modules are ''nf_tables_ipv6'', ''nf_tables_bridge'', ''nf_tables_arp'' and (since Linux kernel >= 3.14) ''nf_tables_inet''.

These modules provide the corresponding [[Configuring_tables|table]] and the filter [[Configuring_chains|chain]] support for the given family.

You could also check which modules are supported by your current kernel. How to to do this, depends on your distro:
* on debian, look in /boot/config-XXX-YYY, where XXX is your kernel package version, and YYY is your arch, e.g. /boot/config-4.2.0-1-amd64
* on Arch, look in /proc/config.gz. As this is compressed, use a command such as zcat or zgrep.

In the debian example below, CONFIG_NFT_REDIR_IPV4 and CONFIG_NFT_REDIR_IPV6 are not set, so you can't use [http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Redirect redirect] in the ruleset:

<source lang="bash">
% grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_RBTREE=m
CONFIG_NFT_HASH=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_NFT_REDIR_IPV4 is not set
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m
</source>

== Installing from git ==

This is slower as you will retrieve the Linux kernel git tree for nftables:

<source lang="bash">
$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables.git
</source>

After retrieving the git tree, you have to follow the same steps that described in the installation from sources.

But you will get the most recent changes for the ''nftables'' kernel code there.

When configuring the kernel, be sure to enable all the nftables modules (choose 'm' or 'y'). This is an example:

<source lang="bash">
$ make oldconfig

Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES) [M/y/?] m
Netfilter nf_tables support (NF_TABLES) [N/m] (NEW) m
Netfilter nf_tables payload module (NFT_PAYLOAD) [N/m] (NEW) m
Netfilter nf_tables IPv6 exthdr module (NFT_EXTHDR) [N/m] (NEW) m
Netfilter nf_tables meta module (NFT_META) [N/m] (NEW) m
Netfilter nf_tables conntrack module (NFT_CT) [N/m] (NEW) m
Netfilter nf_tables rbtree set module (NFT_RBTREE) [N/m] (NEW) m
Netfilter nf_tables hash set module (NFT_HASH) [N/m] (NEW) m
Netfilter nf_tables counter module (NFT_COUNTER) [N/m] (NEW) m
Netfilter nf_tables log module (NFT_LOG) [N/m] (NEW) m
Netfilter nf_tables limit module (NFT_LIMIT) [N/m] (NEW) m
Netfilter nf_tables nat module (NFT_NAT) [N/m] (NEW) m
Netfilter x_tables over nf_tables module (NFT_COMPAT) [N/m/?] (NEW) m

IPv4 nf_tables support (NF_TABLES_IPV4) [N/m] (NEW) m
nf_tables IPv4 reject support (NFT_REJECT_IPV4) [N/m] (NEW) m
IPv4 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV4) [N/m] (NEW) m
IPv4 nf_tables nat chain support (NFT_CHAIN_NAT_IPV4) [N/m] (NEW) m

IPv6 nf_tables support (NF_TABLES_IPV6) [M/n] m
IPv6 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV6) [M/n] m
IPv6 nf_tables nat chain support (NFT_CHAIN_NAT_IPV6) [M/n] m

Ethernet Bridge nf_tables support (NF_TABLES_BRIDGE) [N/m/y] (NEW) m
</source>