nftables wiki - User contributions [en]

Moving from iptables to nftables

2018-06-14T15:29:48Z

Arushi:

A common situation is the need to move from an existing iptables ruleset to nftables.
The Netfilter team has created some tools and mechanisms to ease in this move.

Please, make sure to check the links below:
* [[Supported features compared to xtables]]
* [[List of available translations via iptables-translate tool]]

After the migration process, you are encouraged to implement new nftables mechanisms such as sets, maps, dictionaries, concatenations and more.

== command translation ==

You can generate a translation of an iptables/ip6tables command to know the nftables equivalent.

<source>
% iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip filter INPUT tcp dport 22 ct state new counter accept

% ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept
</source>

Instead of translating command by command, you can translate your whole ruleset in a single run:

<source>
% iptables-save > save.txt
% cat save.txt
# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016
*filter
:INPUT ACCEPT [5166:1752111]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5058:628693]
-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Dec 24 14:26:40 2016
</source>

<source>
% iptables-restore-translate -f save.txt
# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add rule ip filter FORWARD tcp dport 22 ct state new counter accept
</source>

You should be able to directly give this to nftables:

<source>
% iptables-restore-translate -f save.txt > ruleset.nft
% nft -f ruleset.nft

% nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
}

chain FORWARD {
type filter hook forward priority 0; policy accept;
tcp dport ssh ct state new counter packets 0 bytes 0 accept
}

chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
</source>

These translate tools are included in the iptables source tarball and works for iptables and ip6tables.

== using the nf_tables compat backend ==

There is support to use the iptables/ip6tables/arptables/ebtables old syntax with the nf_tables kernel backend.
You will need the *-compat tools:

<source>
% iptables-compat -A FORWARD -p icmp -j ACCEPT

% iptables-compat-save
# Generated by xtables-save v1.6.0 on Sat Dec 24 14:38:08 2016
*filter
:INPUT ACCEPT [62:3777]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [62:4074]
-A FORWARD -p icmp -j ACCEPT
COMMIT
# Completed on Sat Dec 24 14:38:08 2016

% nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
}

chain FORWARD {
type filter hook forward priority 0; policy accept;
ip protocol icmp counter packets 0 bytes 0 accept
}

chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
</source>

Note that translation to native nftables syntax is done if available.

In the case of some missing translation, you will see a commented rule in nftables:

<source>
% ebtables-compat -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
--802_3-type 0x0001 -j CONTINUE
--mark 0x1 -j CONTINUE

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

% nft list ruleset
table bridge filter {
chain INPUT {
type filter hook input priority -200; policy accept;
}

chain FORWARD {
type filter hook forward priority -200; policy accept;
#--802_3-type 0x0001 counter packets 0 bytes 0
#--mark 0x1 counter packets 0 bytes 0
}

chain OUTPUT {
type filter hook output priority -200; policy accept;
}
}
</source>

With these tools, the workflow could be saving the old iptables ruleset and then loading it with iptables-compat:

<source>
% iptables-save > iptables.txt
% iptables-compat-restore < iptables.txt

% iptables-compat-save
# Generated by xtables-save v1.6.0 on Sat Dec 24 14:51:41 2016
*filter
:INPUT ACCEPT [19:1283]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18:2487]
-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Dec 24 14:51:41 2016

% nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
}

chain FORWARD {
type filter hook forward priority 0; policy accept;
ip protocol tcp tcp dport 22 ct state new counter packets 0 bytes 0 accept
}

chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
</source>

Beware of using both the compat and the standard tool at the same time. That means using both x_tables and nf_tables kernel subsystems at the same time, and could lead to unexpected results.

== See also ==

* [[Moving from ipset to nftables]]

Building and installing nftables from sources

2017-03-30T17:10:11Z

Arushi:

nftables requires several userspace libraries, the 'nft' userspace command line utility and the kernel modules.

If you are using a major linux distribution, you may consider using [[nftables from distributions]].

= Installing userspace libraries =

You have to install the following userspace libraries:

* [http://www.netfilter.org/projects/libmnl libmnl ], this library provides the interfaces to communicate kernel and userspace via Netlink. ''It is very likely that your distribution already provides a package for libmnl that you can use''. If you decide to use your distributor package, make sure you install the development package as well.

* [http://www.netfilter.org/projects/libnftnl libnftnl] (formerly known as libnftables), this library provides the low-level API to transform netlink messages to objects.

You also need ''libgmp'' and ''libreadline'', most distributions already provide packages for these two libraries, so make sure you install the development extensions of this packages to successfully compile ''nftables''.

If you plan to give a test to ''nftables'', we recommend you to use git snapshots for ''libnftnl'' and ''nft''.

== Installing userspace libraries from git ==

To install ''libnftnl'', to can type these magic spells:

<source lang="bash">
$ git clone git://git.netfilter.org/libnftnl
$ cd libnftnl
$ sh autogen.sh
$ ./configure
$ make
$ sudo make install
</source>
If you are working behind proxy than it might possible that you are not able to clone using git protocol so try to clone using "http/https:" instead "git:"
<br > Reasons:- 1) The git protocol, by default, uses the port 9418. It might possible that your traffic is blocked on that port.
<br > 2) Also take help and can relate from the [http://stackoverflow.com/a/28494985 solution]

If you have any compilation problem, please report them to the [https://www.netfilter.org/mailinglists.html netfilter developer mailing list] providing as much detailed information as possible.

== Installing userspace libraries from snapshots ==

You can retrieve daily snapshots of this library from the [ftp://ftp.netfilter.org/pub/libnftnl/snapshot/ Netfilter FTP]. Then, to install it you have to:

<source lang="bash">
$ wget ftp://ftp.netfilter.org/pub/libnftnl/snapshot/libnftnl-20140217.tar.bz2
$ tar xvjf libnftnl-20140217.tar.bz2
$ ./configure
$ make
$ sudo make install
</source>

= Installing userspace nft command line utility =

This is the command line utility that provides a user interface to configure ''nftables''.

== Installing from git ==

Just type these commands:

<source lang="bash">
% git clone git://git.netfilter.org/nftables
% cd nftables
% sh autogen.sh
% ./configure
% make
% make install
</source>

You should check that ''nft'' is installed in your system by typing:

<source lang="bash">
% nft
nft: no command specified
</source>

That means ''nft'' has been correctly installed.

= Installing Linux kernel with nftables support =

Prerequisites: nftables is available in Linux kernels since version 3.13 but this is software under development, so we encourage you to run the latest stable kernel.

== Validating your installation ==

You can validate that your installation is working by checking if you can install the 'nf_tables' kernel module.

<source lang="bash">
% modprobe nf_tables
</source>

Then, you can check that's actually there via ''lsmod'':

<source lang="bash">
# lsmod | grep nf_tables
nf_tables 42349 0
</source>

dmesg should show the following message:

<source lang="bash">
% dmesg
...
[13939.468020] nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>
</source>

Make sure you also have loaded the family support, eg.

<source lang="bash">
% modprobe nf_tables_ipv4
</source>

The ''lsmod'' command should show something like:

<source lang="bash">
# lsmod | grep nf_tables
nf_tables_ipv4 12869 0
nf_tables 42349 1 nf_tables_ipv4
</source>

Other family modules are ''nf_tables_ipv6'', ''nf_tables_bridge'', ''nf_tables_arp'' and (since Linux kernel >= 3.14) ''nf_tables_inet''.

These modules provide the corresponding [[Configuring_tables|table]] and the filter [[Configuring_chains|chain]] support for the given family.

You could also check which modules are supported by your current kernel. How to to do this, depends on your distro:
* on debian, look in /boot/config-XXX-YYY, where XXX is your kernel package version, and YYY is your arch, e.g. /boot/config-4.2.0-1-amd64
* on Arch, look in /proc/config.gz. As this is compressed, use a command such as zcat or zgrep.

In the debian example below, CONFIG_NFT_REDIR_IPV4 and CONFIG_NFT_REDIR_IPV6 are not set, so you can't use [http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Redirect redirect] in the ruleset:

<source lang="bash">
% grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_RBTREE=m
CONFIG_NFT_HASH=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_NFT_REDIR_IPV4 is not set
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m
</source>

== Installing from git ==

This is slower as you will retrieve the Linux kernel git tree for nftables:

<source lang="bash">
$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables.git
</source>

After retrieving the git tree, you have to follow the same steps that described in the installation from sources.

But you will get the most recent changes for the ''nftables'' kernel code there.

When configuring the kernel, be sure to enable all the nftables modules (choose 'm' or 'y'). This is an example:

<source lang="bash">
$ make oldconfig

Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES) [M/y/?] m
Netfilter nf_tables support (NF_TABLES) [N/m] (NEW) m
Netfilter nf_tables payload module (NFT_PAYLOAD) [N/m] (NEW) m
Netfilter nf_tables IPv6 exthdr module (NFT_EXTHDR) [N/m] (NEW) m
Netfilter nf_tables meta module (NFT_META) [N/m] (NEW) m
Netfilter nf_tables conntrack module (NFT_CT) [N/m] (NEW) m
Netfilter nf_tables rbtree set module (NFT_RBTREE) [N/m] (NEW) m
Netfilter nf_tables hash set module (NFT_HASH) [N/m] (NEW) m
Netfilter nf_tables counter module (NFT_COUNTER) [N/m] (NEW) m
Netfilter nf_tables log module (NFT_LOG) [N/m] (NEW) m
Netfilter nf_tables limit module (NFT_LIMIT) [N/m] (NEW) m
Netfilter nf_tables nat module (NFT_NAT) [N/m] (NEW) m
Netfilter x_tables over nf_tables module (NFT_COMPAT) [N/m/?] (NEW) m

IPv4 nf_tables support (NF_TABLES_IPV4) [N/m] (NEW) m
nf_tables IPv4 reject support (NFT_REJECT_IPV4) [N/m] (NEW) m
IPv4 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV4) [N/m] (NEW) m
IPv4 nf_tables nat chain support (NFT_CHAIN_NAT_IPV4) [N/m] (NEW) m

IPv6 nf_tables support (NF_TABLES_IPV6) [M/n] m
IPv6 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV6) [M/n] m
IPv6 nf_tables nat chain support (NFT_CHAIN_NAT_IPV6) [M/n] m

Ethernet Bridge nf_tables support (NF_TABLES_BRIDGE) [N/m/y] (NEW) m
</source>

Building and installing nftables from sources

2017-03-30T17:08:22Z

Arushi:

nftables requires several userspace libraries, the 'nft' userspace command line utility and the kernel modules.

If you are using a major linux distribution, you may consider using [[nftables from distributions]].

= Installing userspace libraries =

You have to install the following userspace libraries:

* [http://www.netfilter.org/projects/libmnl libmnl ], this library provides the interfaces to communicate kernel and userspace via Netlink. ''It is very likely that your distribution already provides a package for libmnl that you can use''. If you decide to use your distributor package, make sure you install the development package as well.

* [http://www.netfilter.org/projects/libnftnl libnftnl] (formerly known as libnftables), this library provides the low-level API to transform netlink messages to objects.

You also need ''libgmp'' and ''libreadline'', most distributions already provide packages for these two libraries, so make sure you install the development extensions of this packages to successfully compile ''nftables''.

If you plan to give a test to ''nftables'', we recommend you to use git snapshots for ''libnftnl'' and ''nft''.

== Installing userspace libraries from git ==

To install ''libnftnl'', to can type these magic spells:

<source lang="bash">
$ git clone git://git.netfilter.org/libnftnl
$ cd libnftnl
$ sh autogen.sh
$ ./configure
$ make
$ sudo make install
</source>
If you are working behind proxy than it might possible that you are not able to clone using git protocol so try to clone using "http/https:" instead "git:"
Reasons:- 1) The git protocol, by default, uses the port 9418. It might possible that your traffic is blocked on that port.
2) Also take help and can relate from the [http://stackoverflow.com/a/28494985 solution]

If you have any compilation problem, please report them to the [https://www.netfilter.org/mailinglists.html netfilter developer mailing list] providing as much detailed information as possible.

== Installing userspace libraries from snapshots ==

You can retrieve daily snapshots of this library from the [ftp://ftp.netfilter.org/pub/libnftnl/snapshot/ Netfilter FTP]. Then, to install it you have to:

<source lang="bash">
$ wget ftp://ftp.netfilter.org/pub/libnftnl/snapshot/libnftnl-20140217.tar.bz2
$ tar xvjf libnftnl-20140217.tar.bz2
$ ./configure
$ make
$ sudo make install
</source>

= Installing userspace nft command line utility =

This is the command line utility that provides a user interface to configure ''nftables''.

== Installing from git ==

Just type these commands:

<source lang="bash">
% git clone git://git.netfilter.org/nftables
% cd nftables
% sh autogen.sh
% ./configure
% make
% make install
</source>

You should check that ''nft'' is installed in your system by typing:

<source lang="bash">
% nft
nft: no command specified
</source>

That means ''nft'' has been correctly installed.

= Installing Linux kernel with nftables support =

Prerequisites: nftables is available in Linux kernels since version 3.13 but this is software under development, so we encourage you to run the latest stable kernel.

== Validating your installation ==

You can validate that your installation is working by checking if you can install the 'nf_tables' kernel module.

<source lang="bash">
% modprobe nf_tables
</source>

Then, you can check that's actually there via ''lsmod'':

<source lang="bash">
# lsmod | grep nf_tables
nf_tables 42349 0
</source>

dmesg should show the following message:

<source lang="bash">
% dmesg
...
[13939.468020] nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>
</source>

Make sure you also have loaded the family support, eg.

<source lang="bash">
% modprobe nf_tables_ipv4
</source>

The ''lsmod'' command should show something like:

<source lang="bash">
# lsmod | grep nf_tables
nf_tables_ipv4 12869 0
nf_tables 42349 1 nf_tables_ipv4
</source>

Other family modules are ''nf_tables_ipv6'', ''nf_tables_bridge'', ''nf_tables_arp'' and (since Linux kernel >= 3.14) ''nf_tables_inet''.

These modules provide the corresponding [[Configuring_tables|table]] and the filter [[Configuring_chains|chain]] support for the given family.

You could also check which modules are supported by your current kernel. How to to do this, depends on your distro:
* on debian, look in /boot/config-XXX-YYY, where XXX is your kernel package version, and YYY is your arch, e.g. /boot/config-4.2.0-1-amd64
* on Arch, look in /proc/config.gz. As this is compressed, use a command such as zcat or zgrep.

In the debian example below, CONFIG_NFT_REDIR_IPV4 and CONFIG_NFT_REDIR_IPV6 are not set, so you can't use [http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Redirect redirect] in the ruleset:

<source lang="bash">
% grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_RBTREE=m
CONFIG_NFT_HASH=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_NFT_REDIR_IPV4 is not set
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m
</source>

== Installing from git ==

This is slower as you will retrieve the Linux kernel git tree for nftables:

<source lang="bash">
$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables.git
</source>

After retrieving the git tree, you have to follow the same steps that described in the installation from sources.

But you will get the most recent changes for the ''nftables'' kernel code there.

When configuring the kernel, be sure to enable all the nftables modules (choose 'm' or 'y'). This is an example:

<source lang="bash">
$ make oldconfig

Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES) [M/y/?] m
Netfilter nf_tables support (NF_TABLES) [N/m] (NEW) m
Netfilter nf_tables payload module (NFT_PAYLOAD) [N/m] (NEW) m
Netfilter nf_tables IPv6 exthdr module (NFT_EXTHDR) [N/m] (NEW) m
Netfilter nf_tables meta module (NFT_META) [N/m] (NEW) m
Netfilter nf_tables conntrack module (NFT_CT) [N/m] (NEW) m
Netfilter nf_tables rbtree set module (NFT_RBTREE) [N/m] (NEW) m
Netfilter nf_tables hash set module (NFT_HASH) [N/m] (NEW) m
Netfilter nf_tables counter module (NFT_COUNTER) [N/m] (NEW) m
Netfilter nf_tables log module (NFT_LOG) [N/m] (NEW) m
Netfilter nf_tables limit module (NFT_LIMIT) [N/m] (NEW) m
Netfilter nf_tables nat module (NFT_NAT) [N/m] (NEW) m
Netfilter x_tables over nf_tables module (NFT_COMPAT) [N/m/?] (NEW) m

IPv4 nf_tables support (NF_TABLES_IPV4) [N/m] (NEW) m
nf_tables IPv4 reject support (NFT_REJECT_IPV4) [N/m] (NEW) m
IPv4 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV4) [N/m] (NEW) m
IPv4 nf_tables nat chain support (NFT_CHAIN_NAT_IPV4) [N/m] (NEW) m

IPv6 nf_tables support (NF_TABLES_IPV6) [M/n] m
IPv6 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV6) [M/n] m
IPv6 nf_tables nat chain support (NFT_CHAIN_NAT_IPV6) [M/n] m

Ethernet Bridge nf_tables support (NF_TABLES_BRIDGE) [N/m/y] (NEW) m
</source>

Building and installing nftables from sources

2017-03-30T17:08:01Z

Arushi:

nftables requires several userspace libraries, the 'nft' userspace command line utility and the kernel modules.

If you are using a major linux distribution, you may consider using [[nftables from distributions]].

= Installing userspace libraries =

You have to install the following userspace libraries:

* [http://www.netfilter.org/projects/libmnl libmnl ], this library provides the interfaces to communicate kernel and userspace via Netlink. ''It is very likely that your distribution already provides a package for libmnl that you can use''. If you decide to use your distributor package, make sure you install the development package as well.

* [http://www.netfilter.org/projects/libnftnl libnftnl] (formerly known as libnftables), this library provides the low-level API to transform netlink messages to objects.

You also need ''libgmp'' and ''libreadline'', most distributions already provide packages for these two libraries, so make sure you install the development extensions of this packages to successfully compile ''nftables''.

If you plan to give a test to ''nftables'', we recommend you to use git snapshots for ''libnftnl'' and ''nft''.

== Installing userspace libraries from git ==

To install ''libnftnl'', to can type these magic spells:

<source lang="bash">
$ git clone git://git.netfilter.org/libnftnl
$ cd libnftnl
$ sh autogen.sh
$ ./configure
$ make
$ sudo make install
</source>
If you are working behind proxy than it might possible that you are not able to clone using git protocol so try to clone using "http/https:" instead "git:"

Reasons:- 1) The git protocol, by default, uses the port 9418. It might possible that your traffic is blocked on that port.

2) Also take help and can relate from the [http://stackoverflow.com/a/28494985 solution]

If you have any compilation problem, please report them to the [https://www.netfilter.org/mailinglists.html netfilter developer mailing list] providing as much detailed information as possible.

== Installing userspace libraries from snapshots ==

You can retrieve daily snapshots of this library from the [ftp://ftp.netfilter.org/pub/libnftnl/snapshot/ Netfilter FTP]. Then, to install it you have to:

<source lang="bash">
$ wget ftp://ftp.netfilter.org/pub/libnftnl/snapshot/libnftnl-20140217.tar.bz2
$ tar xvjf libnftnl-20140217.tar.bz2
$ ./configure
$ make
$ sudo make install
</source>

= Installing userspace nft command line utility =

This is the command line utility that provides a user interface to configure ''nftables''.

== Installing from git ==

Just type these commands:

<source lang="bash">
% git clone git://git.netfilter.org/nftables
% cd nftables
% sh autogen.sh
% ./configure
% make
% make install
</source>

You should check that ''nft'' is installed in your system by typing:

<source lang="bash">
% nft
nft: no command specified
</source>

That means ''nft'' has been correctly installed.

= Installing Linux kernel with nftables support =

Prerequisites: nftables is available in Linux kernels since version 3.13 but this is software under development, so we encourage you to run the latest stable kernel.

== Validating your installation ==

You can validate that your installation is working by checking if you can install the 'nf_tables' kernel module.

<source lang="bash">
% modprobe nf_tables
</source>

Then, you can check that's actually there via ''lsmod'':

<source lang="bash">
# lsmod | grep nf_tables
nf_tables 42349 0
</source>

dmesg should show the following message:

<source lang="bash">
% dmesg
...
[13939.468020] nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>
</source>

Make sure you also have loaded the family support, eg.

<source lang="bash">
% modprobe nf_tables_ipv4
</source>

The ''lsmod'' command should show something like:

<source lang="bash">
# lsmod | grep nf_tables
nf_tables_ipv4 12869 0
nf_tables 42349 1 nf_tables_ipv4
</source>

Other family modules are ''nf_tables_ipv6'', ''nf_tables_bridge'', ''nf_tables_arp'' and (since Linux kernel >= 3.14) ''nf_tables_inet''.

These modules provide the corresponding [[Configuring_tables|table]] and the filter [[Configuring_chains|chain]] support for the given family.

You could also check which modules are supported by your current kernel. How to to do this, depends on your distro:
* on debian, look in /boot/config-XXX-YYY, where XXX is your kernel package version, and YYY is your arch, e.g. /boot/config-4.2.0-1-amd64
* on Arch, look in /proc/config.gz. As this is compressed, use a command such as zcat or zgrep.

In the debian example below, CONFIG_NFT_REDIR_IPV4 and CONFIG_NFT_REDIR_IPV6 are not set, so you can't use [http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Redirect redirect] in the ruleset:

<source lang="bash">
% grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_RBTREE=m
CONFIG_NFT_HASH=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_NFT_REDIR_IPV4 is not set
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m
</source>

== Installing from git ==

This is slower as you will retrieve the Linux kernel git tree for nftables:

<source lang="bash">
$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables.git
</source>

After retrieving the git tree, you have to follow the same steps that described in the installation from sources.

But you will get the most recent changes for the ''nftables'' kernel code there.

When configuring the kernel, be sure to enable all the nftables modules (choose 'm' or 'y'). This is an example:

<source lang="bash">
$ make oldconfig

Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES) [M/y/?] m
Netfilter nf_tables support (NF_TABLES) [N/m] (NEW) m
Netfilter nf_tables payload module (NFT_PAYLOAD) [N/m] (NEW) m
Netfilter nf_tables IPv6 exthdr module (NFT_EXTHDR) [N/m] (NEW) m
Netfilter nf_tables meta module (NFT_META) [N/m] (NEW) m
Netfilter nf_tables conntrack module (NFT_CT) [N/m] (NEW) m
Netfilter nf_tables rbtree set module (NFT_RBTREE) [N/m] (NEW) m
Netfilter nf_tables hash set module (NFT_HASH) [N/m] (NEW) m
Netfilter nf_tables counter module (NFT_COUNTER) [N/m] (NEW) m
Netfilter nf_tables log module (NFT_LOG) [N/m] (NEW) m
Netfilter nf_tables limit module (NFT_LIMIT) [N/m] (NEW) m
Netfilter nf_tables nat module (NFT_NAT) [N/m] (NEW) m
Netfilter x_tables over nf_tables module (NFT_COMPAT) [N/m/?] (NEW) m

IPv4 nf_tables support (NF_TABLES_IPV4) [N/m] (NEW) m
nf_tables IPv4 reject support (NFT_REJECT_IPV4) [N/m] (NEW) m
IPv4 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV4) [N/m] (NEW) m
IPv4 nf_tables nat chain support (NFT_CHAIN_NAT_IPV4) [N/m] (NEW) m

IPv6 nf_tables support (NF_TABLES_IPV6) [M/n] m
IPv6 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV6) [M/n] m
IPv6 nf_tables nat chain support (NFT_CHAIN_NAT_IPV6) [M/n] m

Ethernet Bridge nf_tables support (NF_TABLES_BRIDGE) [N/m/y] (NEW) m
</source>

Building and installing nftables from sources

2017-03-30T17:06:05Z

Arushi:

nftables requires several userspace libraries, the 'nft' userspace command line utility and the kernel modules.

If you are using a major linux distribution, you may consider using [[nftables from distributions]].

= Installing userspace libraries =

You have to install the following userspace libraries:

* [http://www.netfilter.org/projects/libmnl libmnl ], this library provides the interfaces to communicate kernel and userspace via Netlink. ''It is very likely that your distribution already provides a package for libmnl that you can use''. If you decide to use your distributor package, make sure you install the development package as well.

* [http://www.netfilter.org/projects/libnftnl libnftnl] (formerly known as libnftables), this library provides the low-level API to transform netlink messages to objects.

You also need ''libgmp'' and ''libreadline'', most distributions already provide packages for these two libraries, so make sure you install the development extensions of this packages to successfully compile ''nftables''.

If you plan to give a test to ''nftables'', we recommend you to use git snapshots for ''libnftnl'' and ''nft''.

== Installing userspace libraries from git ==

To install ''libnftnl'', to can type these magic spells:

<source lang="bash">
$ git clone git://git.netfilter.org/libnftnl
$ cd libnftnl
$ sh autogen.sh
$ ./configure
$ make
$ sudo make install
</source>
If you are working behind proxy than it might possible that you are not able to clone using git protocol so try to clone using "http/https:" instead "git:"
Reasons:- 1) The git protocol, by default, uses the port 9418. It might possible that your traffic is blocked on that port.
2) Also take help and can relate from the [http://stackoverflow.com/a/28494985 solution]

If you have any compilation problem, please report them to the [https://www.netfilter.org/mailinglists.html netfilter developer mailing list] providing as much detailed information as possible.

== Installing userspace libraries from snapshots ==

You can retrieve daily snapshots of this library from the [ftp://ftp.netfilter.org/pub/libnftnl/snapshot/ Netfilter FTP]. Then, to install it you have to:

<source lang="bash">
$ wget ftp://ftp.netfilter.org/pub/libnftnl/snapshot/libnftnl-20140217.tar.bz2
$ tar xvjf libnftnl-20140217.tar.bz2
$ ./configure
$ make
$ sudo make install
</source>

= Installing userspace nft command line utility =

This is the command line utility that provides a user interface to configure ''nftables''.

== Installing from git ==

Just type these commands:

<source lang="bash">
% git clone git://git.netfilter.org/nftables
% cd nftables
% sh autogen.sh
% ./configure
% make
% make install
</source>

You should check that ''nft'' is installed in your system by typing:

<source lang="bash">
% nft
nft: no command specified
</source>

That means ''nft'' has been correctly installed.

= Installing Linux kernel with nftables support =

Prerequisites: nftables is available in Linux kernels since version 3.13 but this is software under development, so we encourage you to run the latest stable kernel.

== Validating your installation ==

You can validate that your installation is working by checking if you can install the 'nf_tables' kernel module.

<source lang="bash">
% modprobe nf_tables
</source>

Then, you can check that's actually there via ''lsmod'':

<source lang="bash">
# lsmod | grep nf_tables
nf_tables 42349 0
</source>

dmesg should show the following message:

<source lang="bash">
% dmesg
...
[13939.468020] nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>
</source>

Make sure you also have loaded the family support, eg.

<source lang="bash">
% modprobe nf_tables_ipv4
</source>

The ''lsmod'' command should show something like:

<source lang="bash">
# lsmod | grep nf_tables
nf_tables_ipv4 12869 0
nf_tables 42349 1 nf_tables_ipv4
</source>

Other family modules are ''nf_tables_ipv6'', ''nf_tables_bridge'', ''nf_tables_arp'' and (since Linux kernel >= 3.14) ''nf_tables_inet''.

These modules provide the corresponding [[Configuring_tables|table]] and the filter [[Configuring_chains|chain]] support for the given family.

You could also check which modules are supported by your current kernel. How to to do this, depends on your distro:
* on debian, look in /boot/config-XXX-YYY, where XXX is your kernel package version, and YYY is your arch, e.g. /boot/config-4.2.0-1-amd64
* on Arch, look in /proc/config.gz. As this is compressed, use a command such as zcat or zgrep.

In the debian example below, CONFIG_NFT_REDIR_IPV4 and CONFIG_NFT_REDIR_IPV6 are not set, so you can't use [http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Redirect redirect] in the ruleset:

<source lang="bash">
% grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_RBTREE=m
CONFIG_NFT_HASH=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_NFT_REDIR_IPV4 is not set
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m
</source>

== Installing from git ==

This is slower as you will retrieve the Linux kernel git tree for nftables:

<source lang="bash">
$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables.git
</source>

After retrieving the git tree, you have to follow the same steps that described in the installation from sources.

But you will get the most recent changes for the ''nftables'' kernel code there.

When configuring the kernel, be sure to enable all the nftables modules (choose 'm' or 'y'). This is an example:

<source lang="bash">
$ make oldconfig

Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES) [M/y/?] m
Netfilter nf_tables support (NF_TABLES) [N/m] (NEW) m
Netfilter nf_tables payload module (NFT_PAYLOAD) [N/m] (NEW) m
Netfilter nf_tables IPv6 exthdr module (NFT_EXTHDR) [N/m] (NEW) m
Netfilter nf_tables meta module (NFT_META) [N/m] (NEW) m
Netfilter nf_tables conntrack module (NFT_CT) [N/m] (NEW) m
Netfilter nf_tables rbtree set module (NFT_RBTREE) [N/m] (NEW) m
Netfilter nf_tables hash set module (NFT_HASH) [N/m] (NEW) m
Netfilter nf_tables counter module (NFT_COUNTER) [N/m] (NEW) m
Netfilter nf_tables log module (NFT_LOG) [N/m] (NEW) m
Netfilter nf_tables limit module (NFT_LIMIT) [N/m] (NEW) m
Netfilter nf_tables nat module (NFT_NAT) [N/m] (NEW) m
Netfilter x_tables over nf_tables module (NFT_COMPAT) [N/m/?] (NEW) m

IPv4 nf_tables support (NF_TABLES_IPV4) [N/m] (NEW) m
nf_tables IPv4 reject support (NFT_REJECT_IPV4) [N/m] (NEW) m
IPv4 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV4) [N/m] (NEW) m
IPv4 nf_tables nat chain support (NFT_CHAIN_NAT_IPV4) [N/m] (NEW) m

IPv6 nf_tables support (NF_TABLES_IPV6) [M/n] m
IPv6 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV6) [M/n] m
IPv6 nf_tables nat chain support (NFT_CHAIN_NAT_IPV6) [M/n] m

Ethernet Bridge nf_tables support (NF_TABLES_BRIDGE) [N/m/y] (NEW) m
</source>

Building and installing nftables from sources

2017-03-29T22:03:13Z

Arushi:

nftables requires several userspace libraries, the 'nft' userspace command line utility and the kernel modules.

If you are using a major linux distribution, you may consider using [[nftables from distributions]].

= Installing userspace libraries =

You have to install the following userspace libraries:

* [http://www.netfilter.org/projects/libmnl libmnl ], this library provides the interfaces to communicate kernel and userspace via Netlink. ''It is very likely that your distribution already provides a package for libmnl that you can use''. If you decide to use your distributor package, make sure you install the development package as well.

* [http://www.netfilter.org/projects/libnftnl libnftnl] (formerly known as libnftables), this library provides the low-level API to transform netlink messages to objects.

You also need ''libgmp'' and ''libreadline'', most distributions already provide packages for these two libraries, so make sure you install the development extensions of this packages to successfully compile ''nftables''.

If you plan to give a test to ''nftables'', we recommend you to use git snapshots for ''libnftnl'' and ''nft''.

== Installing userspace libraries from git ==

To install ''libnftnl'', to can type these magic spells:

<source lang="bash">
$ git clone git://git.netfilter.org/libnftnl
$ cd libnftnl
$ sh autogen.sh
$ ./configure
$ make
$ sudo make install
</source>

If you are working behind proxy than it might possible that you are not able to clone using git protocol so try to clone using "http/https:" instead "git:"

If you have any compilation problem, please report them to the [https://www.netfilter.org/mailinglists.html netfilter developer mailing list] providing as much detailed information as possible.

== Installing userspace libraries from snapshots ==

You can retrieve daily snapshots of this library from the [ftp://ftp.netfilter.org/pub/libnftnl/snapshot/ Netfilter FTP]. Then, to install it you have to:

<source lang="bash">
$ wget ftp://ftp.netfilter.org/pub/libnftnl/snapshot/libnftnl-20140217.tar.bz2
$ tar xvjf libnftnl-20140217.tar.bz2
$ ./configure
$ make
$ sudo make install
</source>

= Installing userspace nft command line utility =

This is the command line utility that provides a user interface to configure ''nftables''.

== Installing from git ==

Just type these commands:

<source lang="bash">
% git clone git://git.netfilter.org/nftables
% cd nftables
% sh autogen.sh
% ./configure
% make
% make install
</source>

You should check that ''nft'' is installed in your system by typing:

<source lang="bash">
% nft
nft: no command specified
</source>

That means ''nft'' has been correctly installed.

= Installing Linux kernel with nftables support =

Prerequisites: nftables is available in Linux kernels since version 3.13 but this is software under development, so we encourage you to run the latest stable kernel.

== Validating your installation ==

You can validate that your installation is working by checking if you can install the 'nf_tables' kernel module.

<source lang="bash">
% modprobe nf_tables
</source>

Then, you can check that's actually there via ''lsmod'':

<source lang="bash">
# lsmod | grep nf_tables
nf_tables 42349 0
</source>

dmesg should show the following message:

<source lang="bash">
% dmesg
...
[13939.468020] nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>
</source>

Make sure you also have loaded the family support, eg.

<source lang="bash">
% modprobe nf_tables_ipv4
</source>

The ''lsmod'' command should show something like:

<source lang="bash">
# lsmod | grep nf_tables
nf_tables_ipv4 12869 0
nf_tables 42349 1 nf_tables_ipv4
</source>

Other family modules are ''nf_tables_ipv6'', ''nf_tables_bridge'', ''nf_tables_arp'' and (since Linux kernel >= 3.14) ''nf_tables_inet''.

These modules provide the corresponding [[Configuring_tables|table]] and the filter [[Configuring_chains|chain]] support for the given family.

You could also check which modules are supported by your current kernel. How to to do this, depends on your distro:
* on debian, look in /boot/config-XXX-YYY, where XXX is your kernel package version, and YYY is your arch, e.g. /boot/config-4.2.0-1-amd64
* on Arch, look in /proc/config.gz. As this is compressed, use a command such as zcat or zgrep.

In the debian example below, CONFIG_NFT_REDIR_IPV4 and CONFIG_NFT_REDIR_IPV6 are not set, so you can't use [http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Redirect redirect] in the ruleset:

<source lang="bash">
% grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_RBTREE=m
CONFIG_NFT_HASH=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_NFT_REDIR_IPV4 is not set
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m
</source>

== Installing from git ==

This is slower as you will retrieve the Linux kernel git tree for nftables:

<source lang="bash">
$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables.git
</source>

After retrieving the git tree, you have to follow the same steps that described in the installation from sources.

But you will get the most recent changes for the ''nftables'' kernel code there.

When configuring the kernel, be sure to enable all the nftables modules (choose 'm' or 'y'). This is an example:

<source lang="bash">
$ make oldconfig

Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES) [M/y/?] m
Netfilter nf_tables support (NF_TABLES) [N/m] (NEW) m
Netfilter nf_tables payload module (NFT_PAYLOAD) [N/m] (NEW) m
Netfilter nf_tables IPv6 exthdr module (NFT_EXTHDR) [N/m] (NEW) m
Netfilter nf_tables meta module (NFT_META) [N/m] (NEW) m
Netfilter nf_tables conntrack module (NFT_CT) [N/m] (NEW) m
Netfilter nf_tables rbtree set module (NFT_RBTREE) [N/m] (NEW) m
Netfilter nf_tables hash set module (NFT_HASH) [N/m] (NEW) m
Netfilter nf_tables counter module (NFT_COUNTER) [N/m] (NEW) m
Netfilter nf_tables log module (NFT_LOG) [N/m] (NEW) m
Netfilter nf_tables limit module (NFT_LIMIT) [N/m] (NEW) m
Netfilter nf_tables nat module (NFT_NAT) [N/m] (NEW) m
Netfilter x_tables over nf_tables module (NFT_COMPAT) [N/m/?] (NEW) m

IPv4 nf_tables support (NF_TABLES_IPV4) [N/m] (NEW) m
nf_tables IPv4 reject support (NFT_REJECT_IPV4) [N/m] (NEW) m
IPv4 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV4) [N/m] (NEW) m
IPv4 nf_tables nat chain support (NFT_CHAIN_NAT_IPV4) [N/m] (NEW) m

IPv6 nf_tables support (NF_TABLES_IPV6) [M/n] m
IPv6 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV6) [M/n] m
IPv6 nf_tables nat chain support (NFT_CHAIN_NAT_IPV6) [M/n] m

Ethernet Bridge nf_tables support (NF_TABLES_BRIDGE) [N/m/y] (NEW) m
</source>