nftables wiki - User contributions [en]

List of updates since Linux kernel 3.13

2025-06-19T15:56:05Z

Danw: owner, persist flags

A listing of the development progress on the kernel side. See also [[List of updates in the nft command line tool]].

== 6.9 ==

* support for "persist" flag for tables

== 6.5 ==

* Allow using a map in a set lookup expression (discarding the value)

== 6.3 ==

* Support for 'nft destroy'

== 6.2 ==

* Support for inner header matching, such as "udp dport 6081 geneve ip saddr 10.141.11.2"

== 5.17 ==

* fwd command in egress hook

== 5.16 ==

* netdev egress hook
* meta iiftype, meta oiftype

== 5.12 ==

* support for "owner" flag for tables

== 5.11 ==

* multiple expression support for sets (e.g., so a set can have both a limit and a counter)

== 5.10 ==

* Support for ingress hook in inet family
* Support for comments on tables, chains, sets, maps, stateful objects, etc.

== 5.9 ==
* Trying to add a object when a "conflicting" object exists (e.g., base chain with same name but different hook, map element with same key but different value) now returns EEXIST; in older kernels it returned EBUSY.

== 5.7 ==

* Support for stateful expressions (e.g. counters) on set elements

== 5.6 ==

* Support for ranges (intervals) in [[concatenations]]

== 5.4 ==

* meta time / hour / day
* delete set elements from packet path

== 5.3 ==

* [[Bridge filtering#Stateful_filtering|conntrack support for the ''bridge'' family]]
* th expression for [[Matching packet headers#Matching_UDP.2FTCP_headers_in_the_same_rule|matching UDP/TCP headers in the same rule]]
* [[synproxy]] statement

== 5.2 ==

* Support for NAT in inet family

== 5.0 ==

* ipsec / xfrm expressions

== 4.20 ==

* [[secmark]] support

== 4.19 ==

* tproxy statement

== 4.18 ==

* nftables NAT is no longer incompatible with iptables NAT
* [[connlimits]] (but buggy until 4.19.10!)
* [[Meters#Doing_connlimit_with_nft|ct count]]
* log level audit

== 4.16 ==

* flowtable support

== 4.15 ==

* Fetch single elements of a set (i.e, nft get element)

== 4.14 ==

* PMTU calculation / MSS clamping ([[Mangling_packet_headers#Mangling TCP options|tcp option maxseg size set rt mtu]])

== 4.12 ==

* [[Setting_packet_connection_tracking_metainformation#ct_helper_set_-_Assign_conntrack_helper|ct helper set]]

== 4.10 ==

* notrack support
* [[stateful objects]]
* nexthop and fib, for [[matching routing information]]
* improved [[Mangling packet headers|packet mangling]] support

== 4.6 ==

* [[Ruleset debug/tracing]]

== 4.5 ==

* [[Meters]]

== 4.3 ==

* Enhancements for the limit expression, support for ratelimit bytes/time unit.
* Dup expression (equivalent to the ''TEE'' target in iptables) for IPv4 and IPv6.
* VLAN header matching support when NIC support offloads.

== 4.2 ==

* New 'netdev' family for filtering from ingress.
* Context to x_tables extensions to know if they run from nft_compat.

== 4.1 ==

Major updates in the generic set infrastructure:

* [[Concatenations]].
* Timeout per set elements.
* Comments per set elements.
* Dynamic set instantiation.

== 4.0 ==

* Mostly fixes.

== 3.19 ==

* redirect support.

== 3.18 ==

* masquerading support.
* meta cpu, devgroup matching.
* reject bridge support.
* destroy table and its content, ie. ''nft flush ruleset''.

== 3.17 ==

* log and nflog support for ip, ip6, arp and bridge families.

== 3.16 ==

* connlabel support.

== 3.15 ==

* Comments per rule support.
* IPv4 reject support.

== 3.14 ==

* set packet mark support.
* nfqueue support (only for ip and ip6 families).
* rule tracing support.
* IPv6 and inet reject support.

== 3.13 ==

* nf_tables merged mainstream.

List of updates in the nft command line tool

2025-04-30T13:13:48Z

Danw: add 1.1.2, 1.1.3

This page contains links to nftables release announcements. In addition to a summary of bug fixes and new features, each announcement typically includes examples of how to use new features.

See also [[List of updates since Linux kernel 3.13]], for the kernel side of nftables development.

{| class="wikitable"
|- style="vertical-align:bottom;"
! style="text-align:left;" | Date
! style="text-align:left;" | Release Announcement
! style="text-align:left;" | Matching Kernel
! style="text-align:left;" | Comments

|- style="vertical-align:top;"
| 2024-04-30
| [https://marc.info/?l=netfilter&m=174532191318056&w=2 nftables 1.1.3]
|
|

|- style="vertical-align:top;"
| 2025-04-14
| [https://marc.info/?l=netfilter&m=174465273426347&w=2 nftables 1.1.2]
|
|

|- style="vertical-align:top;"
| 2024-10-02
| [https://marc.info/?l=netfilter&m=172790974719428&w=2 nftables 1.1.1]
|
|

|- style="vertical-align:top;"
| 2024-07-16
| [https://marc.info/?l=netfilter&m=172116299430028&w=2 nftables 1.1.0]
|
|

|- style="vertical-align:top;"
| 2023-10-19
| [https://marc.info/?l=netfilter&m=169771597127268&w=2 nftables 1.0.9]
|
|

|- style="vertical-align:top;"
| 2023-07-14
| [https://marc.info/?l=netfilter&m=168933264008248&w=2 nftables 1.0.8]
|
|

|- style="vertical-align:top;"
| 2023-03-13
| [https://marc.info/?l=netfilter&m=167873533514569&w=2 nftables 1.0.7]
|
|

|- style="vertical-align:top;"
| 2022-12-11
| [https://marc.info/?l=netfilter&m=167166501709408&w=2 nftables 1.0.6]
|
|

|- style="vertical-align:top;"
| 2022-08-09
| [https://marc.info/?l=netfilter&m=166007475409847&w=2 nftables 1.0.5]
|
|

|- style="vertical-align:top;"
| 2022-06-07
| [https://marc.info/?l=netfilter&m=165461289522999&w=2 nftables 1.0.4]
| 5.18
|

|- style="vertical-align:top;"
| 2022-05-31
| [https://marc.info/?l=netfilter&m=165399194307396&w=2 nftables 1.0.3]
| 5.18
|

|- style="vertical-align:top;"
| 2022-02-21
| [https://marc.info/?l=netfilter&m=164546566103765&w=2 nftables 1.0.2]
| 5.17-rc
|

|- style="vertical-align:top;"
| 2021-11-18
| [https://marc.info/?l=netfilter&m=163724233607275&w=2 nftables 1.0.1]
| 5.16-rc1
|

|- style="vertical-align:top;"
| 2021-08-19
| [https://marc.info/?l=netfilter&m=162939459210790&w=2 nftables 1.0.0]
| 5.13
|

|- style="vertical-align:top;"
| 2021-05-25
| [https://marc.info/?l=netfilter&m=162197756905358&w=2 nftables 0.9.9]
| 5.13-rc1
|

|- style="vertical-align:top;"
| 2021-01-15
| [https://marc.info/?l=netfilter&m=161074809318720&w=2 nftables 0.9.8]
| 5.11-rc1
|

|- style="vertical-align:top;"
| 2020-10-27
| [https://marc.info/?l=netfilter&m=160379555303808&w=2 nftables 0.9.7]
| 5.10-rc1
|

|- style="vertical-align:top;"
| 2020-06-15
| [https://marc.info/?l=netfilter&m=159225380419197&w=2 nftables 0.9.6]
| 5.7
|

|- style="vertical-align:top;"
| 2020-06-06
| [https://marc.info/?l=netfilter&m=159144250132190&w=2 nftables 0.9.5]
| 5.7
| This release broke ''vmap'' support, this is fixed in 0.9.6.

|- style="vertical-align:top;"
| 2020-04-01
| [https://marc.info/?l=netfilter&m=158575148505527&w=2 nftables 0.9.4]
| 5.6
|

|- style="vertical-align:top;"
| 2019-12-02
| [https://marc.info/?l=netfilter&m=157532146917292&w=2 nftables 0.9.3]
| 5.5-rc
|

|- style="vertical-align:top;"
| 2019-08-19
| [https://marc.info/?l=netfilter&m=156621590113089&w=2 nftables 0.9.2]
| 5.3-rc1
|

|- style="vertical-align:top;"
| 2019-06-24
| [https://marc.info/?l=netfilter&m=156139496810281&w=2 nftables 0.9.1]
| 5.2
|

|- style="vertical-align:top;"
| 2019-06-08
| [https://marc.info/?l=netfilter&m=152849974510956&w=2 nftables 0.9.0]
| 4.18
|

|- style="vertical-align:top;"
| 2018-05-10
| [https://marc.info/?l=netfilter&m=152595594524056&w=2 nftables 0.8.5]
|
|

|- style="vertical-align:top;"
| 2018-05-01
| [https://marc.info/?l=netfilter&m=152521206028754&w=2 nftables 0.8.4]
|
|

|- style="vertical-align:top;"
| 2018-03-03
| [https://marc.info/?l=netfilter&m=152009279821556&w=2 nftables 0.8.3]
|
|

|- style="vertical-align:top;"
| 2018-02-02
| [https://marc.info/?l=netfilter&m=151759567102838&w=2 nftables 0.8.2]
|
|

|- style="vertical-align:top;"
| 2018-01-16
| [https://marc.info/?l=netfilter&m=151610774011377&w=2 nftables 0.8.1]
|
|

|- style="vertical-align:top;"
| 2017-10-12
| [https://marc.info/?l=netfilter&m=150785219810541&w=2 nftables 0.8]
| 4.14
|

|- style="vertical-align:top;"
| 2016-12-20
| [https://marc.info/?l=netfilter&m=148226682025890&w=2 nftables 0.7]
| 4.10-rc1
|

|- style="vertical-align:top;"
| 2016-06-02
| [https://marc.info/?l=netfilter&m=146488681521497&w=2 nftables 0.6]
| 4.7-rc1
|

|- style="vertical-align:top;"
| 2015-09-17
| [https://marc.info/?l=netfilter&m=144251853500774&w=2 nftables 0.5]
| 4.2
|

|- style="vertical-align:top;"
| 2014-12-16
| [https://marc.info/?l=netfilter&m=141869063212230&w=2 nftables 0.4]
| 3.18
|

|- style="vertical-align:top;"
| 2014-06-25
| [https://marc.info/?l=netfilter&m=140371155009356&w=2 nftables 0.3]
| 3.15
|

|- style="vertical-align:top;"
| 2014-04-14
| [https://marc.info/?l=netfilter&m=139747559724664&w=2 nftables 0.2]
| 3.14
|

|- style="vertical-align:top;"
| 2014-01-20
| [https://marc.info/?l=netfilter&m=139022350623824&w=2 nftables 0.099]
| 3.13
| The first release intended for users.

|- style="vertical-align:top;"
| 2009-03-18
| [https://marc.info/?l=netfilter-devel&m=123735060518576&w=2 nftables first alpha]
|
| First full public release, alpha quality not meant for users.
Release notes include design summary, with differences from iptables.

|}

Adoption

2025-03-24T12:24:57Z

Danw:

The Netfilter project and community is focused on replacing the iptables framework with nftables, adding new features and refreshing some workflows along the way.

Many upstream projects use iptables to handle filtering, NAT, mangling and other networking tasks. This page tracks '''nftables adoption''' in the wider community.

= Cases =

Known cases and examples we could heard of. '''TODO: extend with more current data'''.

All major Linux distributions contains the nftables framework ready to use. Check [[Nftables from distributions]].

== system / firewalling / management ==

=== Supporting nftables ===

The following projects are known to either directly support nftables or have authors actively working on nftables integration.

* https://www.fail2ban.org/ -- the fail2ban tool already includes native support for nftables.
* https://firewalld.org/ -- firewalld by RedHat is currently developing a native integration with nftables.
* https://suricata-ids.org/ -- suricata can work natively with nftables ([https://home.regit.org/2014/02/suricata-and-nftables/ link])
* https://keepalived.org/ -- keepalived works natively with nftables ([https://github.com/acassen/keepalived/issues/924])

=== Supporting iptables only ===

The following projects are known to only support iptables/iptables-nft, with no plans to support nftables in the future.

* http://ferm.foo-projects.org/ -- [https://github.com/MaxKellermann/ferm/issues/35#issuecomment-386091563 citation]
* https://shorewall.org/ -- [https://sourceforge.net/p/shorewall/mailman/message/35458915/ citation]

== virtualization / cloud / infrastructure ==

* https://github.com/relianoid/nftlb -- nftlb by [https://www.relianoid.com Relianoid ADC] is a nftables-based loadbalancer
* https://www.docker.com/ -- Some discussion happened in the Docker community regarding a native integration with nftables, which could ease some of their use cases ([https://github.com/moby/moby/issues/26824 link]) ([https://github.com/robbertkl/docker-ipv6nat/issues/17 link]) ([https://stephank.nl/p/2017-06-05-ipv6-on-production-docker.html running docker with IPv6 using nftables])
* https://kubernetes.io/ -- As of v1.33, kube-proxy has a fully-supported nftables mode ([https://kubernetes.io/blog/2025/02/28/nftables-kube-proxy/ blog post])
* http://openstack.org/ -- Openstack does not support nftables yet. Compat tools may be used to trick neutron and other components into using nftables transparently.
* https://libvirt.org/ -- there are reports of people running libvirt with nftables for bridge filtering for virtual machines
* https://saltstack.com/ -- SaltStack includes native support for nftables ([https://docs.saltstack.com/en/latest/ref/states/all/salt.states.nftables.html link]).
* https://coreos.com/ -- the CoreOS ecosystem includes native support for nftables ([https://github.com/coreos/coreos-overlay/pull/2662 link])

== others ==

* https://openwrt.org/ -- there are reports of people running nftables rather than iptables in openwrt systems
* https://www.cica.es/ -- this regional [https://en.wikipedia.org/wiki/National_research_and_education_network NREN] uses nftables in the datacenter for their perimetral firewalls ([http://workshop.netfilter.org/2017/wiki/index.php/Developer_days.html#nftables_at_CICA.2C_our_experience slides])
* [[Nftables from distributions]] -- all major Linux distribution already include nftables ready to use
* https://www.nano-editor.org/ -- The nano editor includes syntax highlighting for nftables in files with .nft name extension or nft shebang
* https://github.com/nfnty/vim-nftables -- the VIM editor includes syntax highlighting for nftables
* [https://github.com/ipr-cnrs Institut de Physique de Rennes] -- this french research entity seems to be using nftables with ansible ([https://github.com/ipr-cnrs/nftables link])
* VPN -- nftables can be combined with other software packages like OpenVPN to build great VPN solutions ([http://ral-arturo.org/2017/04/07/openvpn-debian-stretch.html link])
* [https://github.com/mdlayher/netlink netlink golang package] -- the Golang Netlink package got batching support to be able to work with nftables ([https://github.com/mdlayher/netlink/issues/81 link])
* [https://github.com/google/nftables nftables golang library] -- This nftables golang integration library was made by Google

= See also =

* [[Moving from iptables to nftables]]
* [[Moving from ipset to nftables]]
* [[List of updates since Linux kernel 3.13]]
* [[Supported features compared to xtables]]
* [[List of available translations via iptables-translate tool]]

Adoption

2025-03-24T12:24:18Z

Danw: update kubernetes status

The Netfilter project and community is focused on replacing the iptables framework with nftables, adding new features and refreshing some workflows along the way.

Many upstream projects use iptables to handle filtering, NAT, mangling and other networking tasks. This page tracks '''nftables adoption''' in the wider community.

= Cases =

Known cases and examples we could heard of. '''TODO: extend with more current data'''.

All major Linux distributions contains the nftables framework ready to use. Check [[Nftables from distributions]].

== system / firewalling / management ==

=== Supporting nftables ===

The following projects are known to either directly support nftables or have authors actively working on nftables integration.

* https://www.fail2ban.org/ -- the fail2ban tool already includes native support for nftables.
* https://firewalld.org/ -- firewalld by RedHat is currently developing a native integration with nftables.
* https://suricata-ids.org/ -- suricata can work natively with nftables ([https://home.regit.org/2014/02/suricata-and-nftables/ link])
* https://keepalived.org/ -- keepalived works natively with nftables ([https://github.com/acassen/keepalived/issues/924])

=== Supporting iptables only ===

The following projects are known to only support iptables/iptables-nft, with no plans to support nftables in the future.

* http://ferm.foo-projects.org/ -- [https://github.com/MaxKellermann/ferm/issues/35#issuecomment-386091563 citation]
* https://shorewall.org/ -- [https://sourceforge.net/p/shorewall/mailman/message/35458915/ citation]

== virtualization / cloud / infrastructure ==

* https://github.com/relianoid/nftlb -- nftlb by [https://www.relianoid.com Relianoid ADC] is a nftables-based loadbalancer
* https://www.docker.com/ -- Some discussion happened in the Docker community regarding a native integration with nftables, which could ease some of their use cases ([https://github.com/moby/moby/issues/26824 link]) ([https://github.com/robbertkl/docker-ipv6nat/issues/17 link]) ([https://stephank.nl/p/2017-06-05-ipv6-on-production-docker.html running docker with IPv6 using nftables])
* https://kubernetes.io/ -- As of v1.33, kube-proxy has a fully-supported nftables mode ([https://kubernetes.io/blog/2025/02/28/nftables-kube-proxy/])
* http://openstack.org/ -- Openstack does not support nftables yet. Compat tools may be used to trick neutron and other components into using nftables transparently.
* https://libvirt.org/ -- there are reports of people running libvirt with nftables for bridge filtering for virtual machines
* https://saltstack.com/ -- SaltStack includes native support for nftables ([https://docs.saltstack.com/en/latest/ref/states/all/salt.states.nftables.html link]).
* https://coreos.com/ -- the CoreOS ecosystem includes native support for nftables ([https://github.com/coreos/coreos-overlay/pull/2662 link])

== others ==

* https://openwrt.org/ -- there are reports of people running nftables rather than iptables in openwrt systems
* https://www.cica.es/ -- this regional [https://en.wikipedia.org/wiki/National_research_and_education_network NREN] uses nftables in the datacenter for their perimetral firewalls ([http://workshop.netfilter.org/2017/wiki/index.php/Developer_days.html#nftables_at_CICA.2C_our_experience slides])
* [[Nftables from distributions]] -- all major Linux distribution already include nftables ready to use
* https://www.nano-editor.org/ -- The nano editor includes syntax highlighting for nftables in files with .nft name extension or nft shebang
* https://github.com/nfnty/vim-nftables -- the VIM editor includes syntax highlighting for nftables
* [https://github.com/ipr-cnrs Institut de Physique de Rennes] -- this french research entity seems to be using nftables with ansible ([https://github.com/ipr-cnrs/nftables link])
* VPN -- nftables can be combined with other software packages like OpenVPN to build great VPN solutions ([http://ral-arturo.org/2017/04/07/openvpn-debian-stretch.html link])
* [https://github.com/mdlayher/netlink netlink golang package] -- the Golang Netlink package got batching support to be able to work with nftables ([https://github.com/mdlayher/netlink/issues/81 link])
* [https://github.com/google/nftables nftables golang library] -- This nftables golang integration library was made by Google

= See also =

* [[Moving from iptables to nftables]]
* [[Moving from ipset to nftables]]
* [[List of updates since Linux kernel 3.13]]
* [[Supported features compared to xtables]]
* [[List of available translations via iptables-translate tool]]

List of updates in the nft command line tool

2024-12-14T22:41:24Z

Danw: add 1.1.0, 1.1.1

This page contains links to nftables release announcements. In addition to a summary of bug fixes and new features, each announcement typically includes examples of how to use new features.

See also [[List of updates since Linux kernel 3.13]], for the kernel side of nftables development.

{| class="wikitable"
|- style="vertical-align:bottom;"
! style="text-align:left;" | Date
! style="text-align:left;" | Release Announcement
! style="text-align:left;" | Matching Kernel
! style="text-align:left;" | Comments

|- style="vertical-align:top;"
| 2024-10-02
| [https://marc.info/?l=netfilter&m=172790974719428&w=2 nftables 1.1.1]
|
|

|- style="vertical-align:top;"
| 2024-07-16
| [https://marc.info/?l=netfilter&m=172116299430028&w=2 nftables 1.1.0]
|
|

|- style="vertical-align:top;"
| 2023-10-19
| [https://marc.info/?l=netfilter&m=169771597127268&w=2 nftables 1.0.9]
|
|

|- style="vertical-align:top;"
| 2023-07-14
| [https://marc.info/?l=netfilter&m=168933264008248&w=2 nftables 1.0.8]
|
|

|- style="vertical-align:top;"
| 2023-03-13
| [https://marc.info/?l=netfilter&m=167873533514569&w=2 nftables 1.0.7]
|
|

|- style="vertical-align:top;"
| 2022-12-11
| [https://marc.info/?l=netfilter&m=167166501709408&w=2 nftables 1.0.6]
|
|

|- style="vertical-align:top;"
| 2022-08-09
| [https://marc.info/?l=netfilter&m=166007475409847&w=2 nftables 1.0.5]
|
|

|- style="vertical-align:top;"
| 2022-06-07
| [https://marc.info/?l=netfilter&m=165461289522999&w=2 nftables 1.0.4]
| 5.18
|

|- style="vertical-align:top;"
| 2022-05-31
| [https://marc.info/?l=netfilter&m=165399194307396&w=2 nftables 1.0.3]
| 5.18
|

|- style="vertical-align:top;"
| 2022-02-21
| [https://marc.info/?l=netfilter&m=164546566103765&w=2 nftables 1.0.2]
| 5.17-rc
|

|- style="vertical-align:top;"
| 2021-11-18
| [https://marc.info/?l=netfilter&m=163724233607275&w=2 nftables 1.0.1]
| 5.16-rc1
|

|- style="vertical-align:top;"
| 2021-08-19
| [https://marc.info/?l=netfilter&m=162939459210790&w=2 nftables 1.0.0]
| 5.13
|

|- style="vertical-align:top;"
| 2021-05-25
| [https://marc.info/?l=netfilter&m=162197756905358&w=2 nftables 0.9.9]
| 5.13-rc1
|

|- style="vertical-align:top;"
| 2021-01-15
| [https://marc.info/?l=netfilter&m=161074809318720&w=2 nftables 0.9.8]
| 5.11-rc1
|

|- style="vertical-align:top;"
| 2020-10-27
| [https://marc.info/?l=netfilter&m=160379555303808&w=2 nftables 0.9.7]
| 5.10-rc1
|

|- style="vertical-align:top;"
| 2020-06-15
| [https://marc.info/?l=netfilter&m=159225380419197&w=2 nftables 0.9.6]
| 5.7
|

|- style="vertical-align:top;"
| 2020-06-06
| [https://marc.info/?l=netfilter&m=159144250132190&w=2 nftables 0.9.5]
| 5.7
| This release broke ''vmap'' support, this is fixed in 0.9.6.

|- style="vertical-align:top;"
| 2020-04-01
| [https://marc.info/?l=netfilter&m=158575148505527&w=2 nftables 0.9.4]
| 5.6
|

|- style="vertical-align:top;"
| 2019-12-02
| [https://marc.info/?l=netfilter&m=157532146917292&w=2 nftables 0.9.3]
| 5.5-rc
|

|- style="vertical-align:top;"
| 2019-08-19
| [https://marc.info/?l=netfilter&m=156621590113089&w=2 nftables 0.9.2]
| 5.3-rc1
|

|- style="vertical-align:top;"
| 2019-06-24
| [https://marc.info/?l=netfilter&m=156139496810281&w=2 nftables 0.9.1]
| 5.2
|

|- style="vertical-align:top;"
| 2019-06-08
| [https://marc.info/?l=netfilter&m=152849974510956&w=2 nftables 0.9.0]
| 4.18
|

|- style="vertical-align:top;"
| 2018-05-10
| [https://marc.info/?l=netfilter&m=152595594524056&w=2 nftables 0.8.5]
|
|

|- style="vertical-align:top;"
| 2018-05-01
| [https://marc.info/?l=netfilter&m=152521206028754&w=2 nftables 0.8.4]
|
|

|- style="vertical-align:top;"
| 2018-03-03
| [https://marc.info/?l=netfilter&m=152009279821556&w=2 nftables 0.8.3]
|
|

|- style="vertical-align:top;"
| 2018-02-02
| [https://marc.info/?l=netfilter&m=151759567102838&w=2 nftables 0.8.2]
|
|

|- style="vertical-align:top;"
| 2018-01-16
| [https://marc.info/?l=netfilter&m=151610774011377&w=2 nftables 0.8.1]
|
|

|- style="vertical-align:top;"
| 2017-10-12
| [https://marc.info/?l=netfilter&m=150785219810541&w=2 nftables 0.8]
| 4.14
|

|- style="vertical-align:top;"
| 2016-12-20
| [https://marc.info/?l=netfilter&m=148226682025890&w=2 nftables 0.7]
| 4.10-rc1
|

|- style="vertical-align:top;"
| 2016-06-02
| [https://marc.info/?l=netfilter&m=146488681521497&w=2 nftables 0.6]
| 4.7-rc1
|

|- style="vertical-align:top;"
| 2015-09-17
| [https://marc.info/?l=netfilter&m=144251853500774&w=2 nftables 0.5]
| 4.2
|

|- style="vertical-align:top;"
| 2014-12-16
| [https://marc.info/?l=netfilter&m=141869063212230&w=2 nftables 0.4]
| 3.18
|

|- style="vertical-align:top;"
| 2014-06-25
| [https://marc.info/?l=netfilter&m=140371155009356&w=2 nftables 0.3]
| 3.15
|

|- style="vertical-align:top;"
| 2014-04-14
| [https://marc.info/?l=netfilter&m=139747559724664&w=2 nftables 0.2]
| 3.14
|

|- style="vertical-align:top;"
| 2014-01-20
| [https://marc.info/?l=netfilter&m=139022350623824&w=2 nftables 0.099]
| 3.13
| The first release intended for users.

|- style="vertical-align:top;"
| 2009-03-18
| [https://marc.info/?l=netfilter-devel&m=123735060518576&w=2 nftables first alpha]
|
| First full public release, alpha quality not meant for users.
Release notes include design summary, with differences from iptables.

|}

Flowtables

2024-10-28T16:58:38Z

Danw:

Flowtables allow you to accelerate packet forwarding in software (and in hardware if your NIC supports it) by using a conntrack-based network stack bypass.

Entries are represented through a tuple that is composed of the input interface, source and destination address, source and destination port; and layer 3/4
protocols. Each entry also caches the destination interface and the gateway address (to update the destination link-layer address) to forward packets.

The TTL and hoplimit fields are also decremented. Hence, flowtables provides an alternative path that allow packets to bypass the classic forwarding path.

<pre>
userspace process
^ |
| |
_____|____ ____\/___
/ \ / \
| input | | output |
\__________/ \_________/
^ |
| |
_________ __________ --------- _____\/_____
/ \ / \ |Routing | / \
--> ingress ---> prerouting ---> |decision| | postrouting|--> neigh_xmit
\_________/ \__________/ ---------- \____________/ ^
| ^ | ^ |
flowtable | ____\/___ | |
| | / \ | |
__\/___ | | forward |------------ |
|-----| | \_________/ |
|-----| | 'flow offload' rule |
|-----| | adds entry to |
|_____| | flowtable |
| | |
/ \ | |
/hit\_no_| |
\ ? / |
\ / |
|__yes_________________fastpath bypass ____________________________|

Fig.1 Netfilter hooks and flowtable interactions
</pre>

Flowtables reside in the ingress hook that is located before the prerouting hook. You can select which flows you want to offload through the flow expression from the forward chain. Flowtables are identified by their address [[Nftables_families|family]] and their name. The address family must be one of ip, ip6, or inet. When no address family is specified, ip is used by default.

Flows are offloaded after the state is created. That means that usually the first reply packet will create the flowtable entry.
A firewall rule to accept the initial traffic is required.
The flow expression on the forward chain must match the return traffic of the initial connection.
Be aware that the return route is deducted from the packet, that creates the flowtable entry.
This also means if you are using special ip rules, you need to make sure that they match the reply packet traffic as well as the original traffic.

The *priority* can be a signed integer or *filter* which stands for 0. Addition and subtraction can be used to set relative priority, e.g. filter + 5 equals to 5.

The *devices* are specified as [[Data_types|iifname]](s) of the input interface(s) of the traffic that should be offloaded. Devices are required for both traffic directions.

An Example to offload HTTP traffic for a router:

<pre>
define DEV_PRIVATE=eth0
define DEV_INTERNET=eth1

table inet x {

flowtable f {
hook ingress priority 0
devices = { $DEV_PRIVATE, $DEV_INTERNET }
}

chain forward {
type filter hook forward priority 0; policy drop;

# offload established HTTP connections
tcp dport { 80, 443 } ct state established flow offload @f counter packets 0 bytes 0

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet or to other
# internal nets are allowed
iifname $DEV_PRIVATE counter accept
}
}
</pre>

Note that:

# The rule that uses the ''flow offload'' statement determines what flows are added to the flowtable. This ruleset above adds entries to the flowtable for established HTTP connections.
# The devices you specify in the flowtable declaration determine where the flowtable hooks in the pipeline for lookups, in the example above, it registers a hook for devices eth0 and eth1 in the ingress hook at priority 0.

== See also ==

* [https://www.kernel.org/doc/html/latest/networking/nf_flowtable.html Linux kernel documentation on Netfilter flowtable]
* [https://netdevconf.info/0x13/session.html?workshop-netfilter-mini Netfilter Mini-Workshop, Netdev 0x13, 2019-03]
* [https://lwn.net/Articles/804384/ Mellanox flowtable hardware offload]
* [https://www.programmersought.com/article/11833283913/ Some Mellanox flowtable hardware offload performance measurements by Wen Xu of UCloud]
* [https://linuxplumbersconf.org/event/4/contributions/463/ Netfilter hardware offloads, Pablo Neira Ayuso, Linux Plumbers Conference, 2019-09]

List of updates since Linux kernel 3.13

2024-05-01T12:16:39Z

Danw: a few more updates

A listing of the development progress on the kernel side. See also [[List of updates in the nft command line tool]].

== 6.5 ==

* Allow using a map in a set lookup expression (discarding the value)

== 6.3 ==

* Support for 'nft destroy'

== 6.2 ==

* Support for inner header matching, such as "udp dport 6081 geneve ip saddr 10.141.11.2"

== 5.17 ==

* fwd command in egress hook

== 5.16 ==

* netdev egress hook
* meta iiftype, meta oiftype

== 5.11 ==

* multiple expression support for sets (e.g., so a set can have both a limit and a counter)

== 5.10 ==

* Support for ingress hook in inet family
* Support for comments on tables, chains, sets, maps, stateful objects, etc.

== 5.9 ==
* Trying to add a object when a "conflicting" object exists (e.g., base chain with same name but different hook, map element with same key but different value) now returns EEXIST; in older kernels it returned EBUSY.

== 5.7 ==

* Support for stateful expressions (e.g. counters) on set elements

== 5.6 ==

* Support for ranges (intervals) in [[concatenations]]

== 5.4 ==

* meta time / hour / day
* delete set elements from packet path

== 5.3 ==

* [[Bridge filtering#Stateful_filtering|conntrack support for the ''bridge'' family]]
* th expression for [[Matching packet headers#Matching_UDP.2FTCP_headers_in_the_same_rule|matching UDP/TCP headers in the same rule]]
* [[synproxy]] statement

== 5.2 ==

* Support for NAT in inet family

== 5.0 ==

* ipsec / xfrm expressions

== 4.20 ==

* [[secmark]] support

== 4.19 ==

* tproxy statement

== 4.18 ==

* nftables NAT is no longer incompatible with iptables NAT
* [[connlimits]] (but buggy until 4.19.10!)
* [[Meters#Doing_connlimit_with_nft|ct count]]
* log level audit

== 4.16 ==

* flowtable support

== 4.15 ==

* Fetch single elements of a set (i.e, nft get element)

== 4.14 ==

* PMTU calculation / MSS clamping ([[Mangling_packet_headers#Mangling TCP options|tcp option maxseg size set rt mtu]])

== 4.12 ==

* [[Setting_packet_connection_tracking_metainformation#ct_helper_set_-_Assign_conntrack_helper|ct helper set]]

== 4.10 ==

* notrack support
* [[stateful objects]]
* nexthop and fib, for [[matching routing information]]
* improved [[Mangling packet headers|packet mangling]] support

== 4.6 ==

* [[Ruleset debug/tracing]]

== 4.5 ==

* [[Meters]]

== 4.3 ==

* Enhancements for the limit expression, support for ratelimit bytes/time unit.
* Dup expression (equivalent to the ''TEE'' target in iptables) for IPv4 and IPv6.
* VLAN header matching support when NIC support offloads.

== 4.2 ==

* New 'netdev' family for filtering from ingress.
* Context to x_tables extensions to know if they run from nft_compat.

== 4.1 ==

Major updates in the generic set infrastructure:

* [[Concatenations]].
* Timeout per set elements.
* Comments per set elements.
* Dynamic set instantiation.

== 4.0 ==

* Mostly fixes.

== 3.19 ==

* redirect support.

== 3.18 ==

* masquerading support.
* meta cpu, devgroup matching.
* reject bridge support.
* destroy table and its content, ie. ''nft flush ruleset''.

== 3.17 ==

* log and nflog support for ip, ip6, arp and bridge families.

== 3.16 ==

* connlabel support.

== 3.15 ==

* Comments per rule support.
* IPv4 reject support.

== 3.14 ==

* set packet mark support.
* nfqueue support (only for ip and ip6 families).
* rule tracing support.
* IPv6 and inet reject support.

== 3.13 ==

* nf_tables merged mainstream.

List of updates in the nft command line tool

2024-01-05T14:34:46Z

Danw: add recent releases, add "matching kernel" versions (where noted in release announcement)

This page contains links to nftables release announcements. In addition to a summary of bug fixes and new features, each announcement typically includes examples of how to use new features.

See also [[List of updates since Linux kernel 3.13]], for the kernel side of nftables development.

{| class="wikitable"
|- style="vertical-align:bottom;"
! style="text-align:left;" | Date
! style="text-align:left;" | Release Announcement
! style="text-align:left;" | Matching Kernel
! style="text-align:left;" | Comments

|- style="vertical-align:top;"
| 2023-10-19
| [https://marc.info/?l=netfilter&m=169771597127268&w=2 nftables 1.0.9]
|
|

|- style="vertical-align:top;"
| 2023-07-14
| [https://marc.info/?l=netfilter&m=168933264008248&w=2 nftables 1.0.8]
|
|

|- style="vertical-align:top;"
| 2023-03-13
| [https://marc.info/?l=netfilter&m=167873533514569&w=2 nftables 1.0.7]
|
|

|- style="vertical-align:top;"
| 2022-12-11
| [https://marc.info/?l=netfilter&m=167166501709408&w=2 nftables 1.0.6]
|
|

|- style="vertical-align:top;"
| 2022-08-09
| [https://marc.info/?l=netfilter&m=166007475409847&w=2 nftables 1.0.5]
|
|

|- style="vertical-align:top;"
| 2022-06-07
| [https://marc.info/?l=netfilter&m=165461289522999&w=2 nftables 1.0.4]
| 5.18
|

|- style="vertical-align:top;"
| 2022-05-31
| [https://marc.info/?l=netfilter&m=165399194307396&w=2 nftables 1.0.3]
| 5.18
|

|- style="vertical-align:top;"
| 2022-02-21
| [https://marc.info/?l=netfilter&m=164546566103765&w=2 nftables 1.0.2]
| 5.17-rc
|

|- style="vertical-align:top;"
| 2021-11-18
| [https://marc.info/?l=netfilter&m=163724233607275&w=2 nftables 1.0.1]
| 5.16-rc1
|

|- style="vertical-align:top;"
| 2021-08-19
| [https://marc.info/?l=netfilter&m=162939459210790&w=2 nftables 1.0.0]
| 5.13
|

|- style="vertical-align:top;"
| 2021-05-25
| [https://marc.info/?l=netfilter&m=162197756905358&w=2 nftables 0.9.9]
| 5.13-rc1
|

|- style="vertical-align:top;"
| 2021-01-15
| [https://marc.info/?l=netfilter&m=161074809318720&w=2 nftables 0.9.8]
| 5.11-rc1
|

|- style="vertical-align:top;"
| 2020-10-27
| [https://marc.info/?l=netfilter&m=160379555303808&w=2 nftables 0.9.7]
| 5.10-rc1
|

|- style="vertical-align:top;"
| 2020-06-15
| [https://marc.info/?l=netfilter&m=159225380419197&w=2 nftables 0.9.6]
| 5.7
|

|- style="vertical-align:top;"
| 2020-06-06
| [https://marc.info/?l=netfilter&m=159144250132190&w=2 nftables 0.9.5]
| 5.7
| This release broke ''vmap'' support, this is fixed in 0.9.6.

|- style="vertical-align:top;"
| 2020-04-01
| [https://marc.info/?l=netfilter&m=158575148505527&w=2 nftables 0.9.4]
| 5.6
|

|- style="vertical-align:top;"
| 2019-12-02
| [https://marc.info/?l=netfilter&m=157532146917292&w=2 nftables 0.9.3]
| 5.5-rc
|

|- style="vertical-align:top;"
| 2019-08-19
| [https://marc.info/?l=netfilter&m=156621590113089&w=2 nftables 0.9.2]
| 5.3-rc1
|

|- style="vertical-align:top;"
| 2019-06-24
| [https://marc.info/?l=netfilter&m=156139496810281&w=2 nftables 0.9.1]
| 5.2
|

|- style="vertical-align:top;"
| 2019-06-08
| [https://marc.info/?l=netfilter&m=152849974510956&w=2 nftables 0.9.0]
| 4.18
|

|- style="vertical-align:top;"
| 2018-05-10
| [https://marc.info/?l=netfilter&m=152595594524056&w=2 nftables 0.8.5]
|
|

|- style="vertical-align:top;"
| 2018-05-01
| [https://marc.info/?l=netfilter&m=152521206028754&w=2 nftables 0.8.4]
|
|

|- style="vertical-align:top;"
| 2018-03-03
| [https://marc.info/?l=netfilter&m=152009279821556&w=2 nftables 0.8.3]
|
|

|- style="vertical-align:top;"
| 2018-02-02
| [https://marc.info/?l=netfilter&m=151759567102838&w=2 nftables 0.8.2]
|
|

|- style="vertical-align:top;"
| 2018-01-16
| [https://marc.info/?l=netfilter&m=151610774011377&w=2 nftables 0.8.1]
|
|

|- style="vertical-align:top;"
| 2017-10-12
| [https://marc.info/?l=netfilter&m=150785219810541&w=2 nftables 0.8]
| 4.14
|

|- style="vertical-align:top;"
| 2016-12-20
| [https://marc.info/?l=netfilter&m=148226682025890&w=2 nftables 0.7]
| 4.10-rc1
|

|- style="vertical-align:top;"
| 2016-06-02
| [https://marc.info/?l=netfilter&m=146488681521497&w=2 nftables 0.6]
| 4.7-rc1
|

|- style="vertical-align:top;"
| 2015-09-17
| [https://marc.info/?l=netfilter&m=144251853500774&w=2 nftables 0.5]
| 4.2
|

|- style="vertical-align:top;"
| 2014-12-16
| [https://marc.info/?l=netfilter&m=141869063212230&w=2 nftables 0.4]
| 3.18
|

|- style="vertical-align:top;"
| 2014-06-25
| [https://marc.info/?l=netfilter&m=140371155009356&w=2 nftables 0.3]
| 3.15
|

|- style="vertical-align:top;"
| 2014-04-14
| [https://marc.info/?l=netfilter&m=139747559724664&w=2 nftables 0.2]
| 3.14
|

|- style="vertical-align:top;"
| 2014-01-20
| [https://marc.info/?l=netfilter&m=139022350623824&w=2 nftables 0.099]
| 3.13
| The first release intended for users.

|- style="vertical-align:top;"
| 2009-03-18
| [https://marc.info/?l=netfilter-devel&m=123735060518576&w=2 nftables first alpha]
|
| First full public release, alpha quality not meant for users.
Release notes include design summary, with differences from iptables.

|}

List of updates in the nft command line tool

2024-01-05T14:18:41Z

Danw: cross-link to kernel updates page

This page contains links to nftables release announcements. In addition to a summary of bug fixes and new features, each announcement typically includes examples of how to use new features.

See also [[List of updates since Linux kernel 3.13]], for the kernel side of nftables development.

{| class="wikitable"
|- style="vertical-align:bottom;"
! style="text-align:left;" | Date
! style="text-align:left;" | Release Announcement
! style="text-align:left;" | Comments

|- style="vertical-align:top;"
| 2022-02-21
| [https://marc.info/?l=netfilter&m=164546566103765&w=2 nftables 1.0.2]
|

|- style="vertical-align:top;"
| 2021-11-18
| [https://marc.info/?l=netfilter&m=163724233607275&w=2 nftables 1.0.1]
|

|- style="vertical-align:top;"
| 2021-08-19
| [https://marc.info/?l=netfilter&m=162939459210790&w=2 nftables 1.0.0]
|

|- style="vertical-align:top;"
| 2021-05-25
| [https://marc.info/?l=netfilter&m=162197756905358&w=2 nftables 0.9.9]
|

|- style="vertical-align:top;"
| 2021-01-15
| [https://marc.info/?l=netfilter&m=161074809318720&w=2 nftables 0.9.8]
|

|- style="vertical-align:top;"
| 2020-10-27
| [https://marc.info/?l=netfilter&m=160379555303808&w=2 nftables 0.9.7]
|

|- style="vertical-align:top;"
| 2020-06-15
| [https://marc.info/?l=netfilter&m=159225380419197&w=2 nftables 0.9.6]
|

|- style="vertical-align:top;"
| 2020-06-06
| [https://marc.info/?l=netfilter&m=159144250132190&w=2 nftables 0.9.5]
| This release broke ''vmap'' support, this is fixed in 0.9.6.

|- style="vertical-align:top;"
| 2020-04-01
| [https://marc.info/?l=netfilter&m=158575148505527&w=2 nftables 0.9.4]
|

|- style="vertical-align:top;"
| 2019-12-02
| [https://marc.info/?l=netfilter&m=157532146917292&w=2 nftables 0.9.3]
|

|- style="vertical-align:top;"
| 2019-08-19
| [https://marc.info/?l=netfilter&m=156621590113089&w=2 nftables 0.9.2]
|

|- style="vertical-align:top;"
| 2019-06-24
| [https://marc.info/?l=netfilter&m=156139496810281&w=2 nftables 0.9.1]
|

|- style="vertical-align:top;"
| 2019-06-08
| [https://marc.info/?l=netfilter&m=152849974510956&w=2 nftables 0.9.0]
|

|- style="vertical-align:top;"
| 2018-05-10
| [https://marc.info/?l=netfilter&m=152595594524056&w=2 nftables 0.8.5]
|

|- style="vertical-align:top;"
| 2018-05-01
| [https://marc.info/?l=netfilter&m=152521206028754&w=2 nftables 0.8.4]
|

|- style="vertical-align:top;"
| 2018-03-03
| [https://marc.info/?l=netfilter&m=152009279821556&w=2 nftables 0.8.3]
|

|- style="vertical-align:top;"
| 2018-02-02
| [https://marc.info/?l=netfilter&m=151759567102838&w=2 nftables 0.8.2]
|

|- style="vertical-align:top;"
| 2018-01-16
| [https://marc.info/?l=netfilter&m=151610774011377&w=2 nftables 0.8.1]
|

|- style="vertical-align:top;"
| 2017-10-12
| [https://marc.info/?l=netfilter&m=150785219810541&w=2 nftables 0.8]
|

|- style="vertical-align:top;"
| 2016-12-20
| [https://marc.info/?l=netfilter&m=148226682025890&w=2 nftables 0.7]
|

|- style="vertical-align:top;"
| 2016-06-02
| [https://marc.info/?l=netfilter&m=146488681521497&w=2 nftables 0.6]
|

|- style="vertical-align:top;"
| 2015-09-17
| [https://marc.info/?l=netfilter&m=144251853500774&w=2 nftables 0.5]
|

|- style="vertical-align:top;"
| 2014-12-16
| [https://marc.info/?l=netfilter&m=141869063212230&w=2 nftables 0.4]
|

|- style="vertical-align:top;"
| 2014-06-25
| [https://marc.info/?l=netfilter&m=140371155009356&w=2 nftables 0.3]
|

|- style="vertical-align:top;"
| 2014-04-14
| [https://marc.info/?l=netfilter&m=139747559724664&w=2 nftables 0.2]
|

|- style="vertical-align:top;"
| 2014-01-20
| [https://marc.info/?l=netfilter&m=139022350623824&w=2 nftables 0.099]
| The first released intended for users.

|- style="vertical-align:top;"
| 2009-03-18
| [https://marc.info/?l=netfilter-devel&m=123735060518576&w=2 nftables first alpha]
| First full public release, alpha quality not meant for users.
Release notes include design summary, with differences from iptables.

|}

List of updates since Linux kernel 3.13

2024-01-05T14:17:49Z

Danw: cross-link to cli updates page

A listing of the development progress on the kernel side. See also [[List of updates in the nft command line tool]].

== 6.3 ==

* Support for 'nft destroy'

== 6.2 ==

* Support for inner header matching, such as "udp dport 6081 geneve ip saddr 10.141.11.2"

== 5.17 ==

* fwd command in egress hook

== 5.16 ==

* netdev egress hook

== 5.11 ==

* multiple expression support for sets (e.g., so a set can have both a limit and a counter)

== 5.10 ==

* Support for ingress hook in inet family
* Support for comments on tables, chains, sets, maps, stateful objects, etc.

== 5.7 ==

* Support for stateful expressions (e.g. counters) on set elements

== 5.6 ==

* Support for ranges (intervals) in [[concatenations]]

== 5.4 ==

* meta time / hour / day

== 5.3 ==

* [[Bridge filtering#Stateful_filtering|conntrack support for the ''bridge'' family]]
* th expression for [[Matching packet headers#Matching_UDP.2FTCP_headers_in_the_same_rule|matching UDP/TCP headers in the same rule]]
* [[synproxy]] statement

== 5.2 ==

* Support for NAT in inet family

== 5.0 ==

* ipsec / xfrm expressions

== 4.20 ==

* [[secmark]] support

== 4.19 ==

* tproxy statement

== 4.18 ==

* nftables NAT is no longer incompatible with iptables NAT
* [[connlimits]] (but buggy until 4.19.10!)
* [[Meters#Doing_connlimit_with_nft|ct count]]
* log level audit

== 4.16 ==

* flowtable support

== 4.15 ==

* Fetch single elements of a set (i.e, nft get element)

== 4.14 ==

* PMTU calculation / MSS clamping ([[Mangling_packet_headers#Mangling TCP options|tcp option maxseg size set rt mtu]])

== 4.12 ==

* [[Setting_packet_connection_tracking_metainformation#ct_helper_set_-_Assign_conntrack_helper|ct helper set]]

== 4.10 ==

* notrack support
* [[stateful objects]]
* nexthop and fib, for [[matching routing information]]
* improved [[Mangling packet headers|packet mangling]] support

== 4.6 ==

* [[Ruleset debug/tracing]]

== 4.5 ==

* [[Meters]]

== 4.3 ==

* Enhancements for the limit expression, support for ratelimit bytes/time unit.
* Dup expression (equivalent to the ''TEE'' target in iptables) for IPv4 and IPv6.
* VLAN header matching support when NIC support offloads.

== 4.2 ==

* New 'netdev' family for filtering from ingress.
* Context to x_tables extensions to know if they run from nft_compat.

== 4.1 ==

Major updates in the generic set infrastructure:

* [[Concatenations]].
* Timeout per set elements.
* Comments per set elements.
* Dynamic set instantiation.

== 4.0 ==

* Mostly fixes.

== 3.19 ==

* redirect support.

== 3.18 ==

* masquerading support.
* meta cpu, devgroup matching.
* reject bridge support.
* destroy table and its content, ie. ''nft flush ruleset''.

== 3.17 ==

* log and nflog support for ip, ip6, arp and bridge families.

== 3.16 ==

* connlabel support.

== 3.15 ==

* Comments per rule support.
* IPv4 reject support.

== 3.14 ==

* set packet mark support.
* nfqueue support (only for ip and ip6 families).
* rule tracing support.
* IPv6 and inet reject support.

== 3.13 ==

* nf_tables merged mainstream.

List of updates since Linux kernel 3.13

2023-12-22T16:23:00Z

Danw: a few more

A listing of the development progress.

== 6.3 ==

* Support for 'nft destroy'

== 6.2 ==

* Support for inner header matching, such as "udp dport 6081 geneve ip saddr 10.141.11.2"

== 5.17 ==

* fwd command in egress hook

== 5.16 ==

* netdev egress hook

== 5.11 ==

* multiple expression support for sets (e.g., so a set can have both a limit and a counter)

== 5.10 ==

* Support for ingress hook in inet family
* Support for comments on tables, chains, sets, maps, stateful objects, etc.

== 5.7 ==

* Support for stateful expressions (e.g. counters) on set elements

== 5.6 ==

* Support for ranges (intervals) in [[concatenations]]

== 5.4 ==

* meta time / hour / day

== 5.3 ==

* [[Bridge filtering#Stateful_filtering|conntrack support for the ''bridge'' family]]
* th expression for [[Matching packet headers#Matching_UDP.2FTCP_headers_in_the_same_rule|matching UDP/TCP headers in the same rule]]
* [[synproxy]] statement

== 5.2 ==

* Support for NAT in inet family

== 5.0 ==

* ipsec / xfrm expressions

== 4.20 ==

* [[secmark]] support

== 4.19 ==

* tproxy statement

== 4.18 ==

* nftables NAT is no longer incompatible with iptables NAT
* [[connlimits]] (but buggy until 4.19.10!)
* [[Meters#Doing_connlimit_with_nft|ct count]]
* log level audit

== 4.16 ==

* flowtable support

== 4.15 ==

* Fetch single elements of a set (i.e, nft get element)

== 4.14 ==

* PMTU calculation / MSS clamping ([[Mangling_packet_headers#Mangling TCP options|tcp option maxseg size set rt mtu]])

== 4.12 ==

* [[Setting_packet_connection_tracking_metainformation#ct_helper_set_-_Assign_conntrack_helper|ct helper set]]

== 4.10 ==

* notrack support
* [[stateful objects]]
* nexthop and fib, for [[matching routing information]]
* improved [[Mangling packet headers|packet mangling]] support

== 4.6 ==

* [[Ruleset debug/tracing]]

== 4.5 ==

* [[Meters]]

== 4.3 ==

* Enhancements for the limit expression, support for ratelimit bytes/time unit.
* Dup expression (equivalent to the ''TEE'' target in iptables) for IPv4 and IPv6.
* VLAN header matching support when NIC support offloads.

== 4.2 ==

* New 'netdev' family for filtering from ingress.
* Context to x_tables extensions to know if they run from nft_compat.

== 4.1 ==

Major updates in the generic set infrastructure:

* [[Concatenations]].
* Timeout per set elements.
* Comments per set elements.
* Dynamic set instantiation.

== 4.0 ==

* Mostly fixes.

== 3.19 ==

* redirect support.

== 3.18 ==

* masquerading support.
* meta cpu, devgroup matching.
* reject bridge support.
* destroy table and its content, ie. ''nft flush ruleset''.

== 3.17 ==

* log and nflog support for ip, ip6, arp and bridge families.

== 3.16 ==

* connlabel support.

== 3.15 ==

* Comments per rule support.
* IPv4 reject support.

== 3.14 ==

* set packet mark support.
* nfqueue support (only for ip and ip6 families).
* rule tracing support.
* IPv6 and inet reject support.

== 3.13 ==

* nf_tables merged mainstream.

List of updates since Linux kernel 3.13

2023-12-22T15:00:20Z

Danw: fix netdev egress version (it was reverted from 5.7 before release)

A listing of the development progress.

== 6.2 ==

* Support for inner header matching, such as "udp dport 6081 geneve ip saddr 10.141.11.2"

== 5.16 ==

* netdev egress hook

== 5.10 ==

* Support for ingress hook in inet family
* Support for comments on tables, chains, sets, maps, etc.

== 5.6 ==

* Support for ranges (intervals) in [[concatenations]]

== 5.4 ==

* meta time / hour / day

== 5.3 ==

* [[Bridge filtering#Stateful_filtering|conntrack support for the ''bridge'' family]]
* th expression for [[Matching packet headers#Matching_UDP.2FTCP_headers_in_the_same_rule|matching UDP/TCP headers in the same rule]]
* [[synproxy]] statement

== 5.2 ==

* Support for NAT in inet family

== 5.0 ==

* ipsec / xfrm expressions

== 4.20 ==

* [[secmark]] support

== 4.19 ==

* tproxy statement

== 4.18 ==

* nftables NAT is no longer incompatible with iptables NAT
* [[connlimits]] (but buggy until 4.19.10!)
* [[Meters#Doing_connlimit_with_nft|ct count]]
* log level audit

== 4.16 ==

* flowtable support

== 4.15 ==

* Fetch single elements of a set (i.e, nft get element)

== 4.14 ==

* PMTU calculation / MSS clamping ([[Mangling_packet_headers#Mangling TCP options|tcp option maxseg size set rt mtu]])

== 4.12 ==

* [[Setting_packet_connection_tracking_metainformation#ct_helper_set_-_Assign_conntrack_helper|ct helper set]]

== 4.10 ==

* notrack support
* [[stateful objects]]
* nexthop and fib, for [[matching routing information]]
* improved [[Mangling packet headers|packet mangling]] support

== 4.6 ==

* [[Ruleset debug/tracing]]

== 4.5 ==

* [[Meters]]

== 4.3 ==

* Enhancements for the limit expression, support for ratelimit bytes/time unit.
* Dup expression (equivalent to the ''TEE'' target in iptables) for IPv4 and IPv6.
* VLAN header matching support when NIC support offloads.

== 4.2 ==

* New 'netdev' family for filtering from ingress.
* Context to x_tables extensions to know if they run from nft_compat.

== 4.1 ==

Major updates in the generic set infrastructure:

* [[Concatenations]].
* Timeout per set elements.
* Comments per set elements.
* Dynamic set instantiation.

== 4.0 ==

* Mostly fixes.

== 3.19 ==

* redirect support.

== 3.18 ==

* masquerading support.
* meta cpu, devgroup matching.
* reject bridge support.
* destroy table and its content, ie. ''nft flush ruleset''.

== 3.17 ==

* log and nflog support for ip, ip6, arp and bridge families.

== 3.16 ==

* connlabel support.

== 3.15 ==

* Comments per rule support.
* IPv4 reject support.

== 3.14 ==

* set packet mark support.
* nfqueue support (only for ip and ip6 families).
* rule tracing support.
* IPv6 and inet reject support.

== 3.13 ==

* nf_tables merged mainstream.

Netfilter hooks

2023-12-22T14:59:28Z

Danw: fix netdev egress version (it was reverted from 5.7 before release)

''nftables'' uses mostly the same Netfilter infrastructure as legacy ''iptables''. The hook infrastructure, [http://people.netfilter.org/pablo/docs/login.pdf Connection Tracking System], NAT engine, logging infrastructure, and userspace queueing remain the same. Only the packet classification framework is new.

__TOC__

== Netfilter hooks into Linux networking packet flows ==

The following schematic shows packet flows through Linux networking:

https://people.netfilter.org/pablo/nf-hooks.png

Traffic flowing to the local machine in the input path sees the prerouting and input hooks. Then, the traffic that is generated by local processes follows the output and postrouting path.

If you configure your Linux box to behave as a router, do not forget to enable forwarding via:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then packets that are not addressed to your local system will be seen from the forward hook. Such forwarded packets follow the path: prerouting, forward and postrouting.

In a major change from iptables, which predefines chains at '''every''' hook (i.e. ''INPUT'' chain in ''filter'' table), nftables predefines '''no''' chains at all. You must must explicitly create a [[Configuring_chains#Base_chain_hooks | base chain]] at each hook at which you want to filter traffic.

=== Ingress hook ===

The ingress hook was added in Linux kernel 4.2. Unlike the other netfilter hooks, the ingress hook is attached to a particular network interface.

You can use ''nftables'' with the ingress hook to enforce very early filtering policies that take effect even before prerouting. Do note that at this very early stage, fragmented datagrams have not yet been reassembled. So, for example, matching ip saddr and daddr works for all ip packets, but matching L4 headers like udp dport works only for unfragmented packets, or the first fragment.

The ingress hook provides an alternative to ''tc'' ingress filtering. You still need ''tc'' for traffic shaping/queue management.

== Hooks by family and chain type ==

The following table lists available hooks by [[Nftables_families|family]] and [[Configuring_chains#Base_chain_types|chain type]]. Minimum nftables and Linux kernel versions are shown for recently-added hooks.

{| class="wikitable"
|- style="vertical-align:bottom;"
! style="text-align:left;" rowspan="2" | Chain type
! colspan="7" | Hooks

|-
! ingress
! prerouting
! forward
! input
! output
! postrouting
! egress

|- style="vertical-align:bottom;"
! colspan="8" | inet family

|- style="vertical-align:top;"
| filter
| {{yes|1=[https://marc.info/?l=netfilter&m=160379555303808&w=2 0.9.7] / [https://kernelnewbies.org/Linux_5.10 5.10]}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}

|- style="vertical-align:top;"
| nat
| {{no}}
| {{yes}}
| {{no}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}

|- style="vertical-align:top;"
| route
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{yes}}
| {{no}}
| {{no}}

|- style="vertical-align:bottom;"
! colspan="8" | ip6 family

|- style="vertical-align:top;"
| filter
| {{no}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}

|- style="vertical-align:top;"
| nat
| {{no}}
| {{yes}}
| {{no}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}

|- style="vertical-align:top;"
| route
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{yes}}
| {{no}}
| {{no}}

|- style="vertical-align:bottom;"
! colspan="8" | ip family

|- style="vertical-align:top;"
| filter
| {{no}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}

|- style="vertical-align:top;"
| nat
| {{no}}
| {{yes}}
| {{no}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}

|- style="vertical-align:top;"
| route
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{yes}}
| {{no}}
| {{no}}

|- style="vertical-align:bottom;"
! colspan="8" | arp family

|- style="vertical-align:top;"
| filter
| {{no}}
| {{no}}
| {{no}}
| {{yes}}
| {{yes}}
| {{no}}
| {{no}}

|- style="vertical-align:top;"
| nat
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}

|- style="vertical-align:top;"
| route
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}

|- style="vertical-align:bottom;"
! colspan="8" | bridge family

|- style="vertical-align:top;"
| filter
| {{no}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}

|- style="vertical-align:top;"
| nat
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}

|- style="vertical-align:top;"
| route
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}

|- style="vertical-align:bottom;"
! colspan="8" | netdev family

|- style="vertical-align:top;"
| filter
| {{yes|1=[https://marc.info/?l=netfilter&m=146488681521497&w=2 0.6] / [https://kernelnewbies.org/Linux_4.2 4.2]}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{yes|1=[https://marc.info/?l=netfilter&m=163724233607275&w=2 1.0.1] / [https://kernelnewbies.org/Linux_5.16 5.16]}}

|- style="vertical-align:top;"
| nat
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}

|- style="vertical-align:top;"
| route
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}

|}

== Priority within hook ==

Within a given hook, Netfilter performs operations in order of increasing numerical priority. Each nftables [[Configuring_chains#Base_chain_hooks | base chain]] and [[Flowtables|flowtable]] is assigned a priority that defines its ordering among other base chains and flowtables and Netfilter internal operations at the same hook. For example, a chain on the ''prerouting'' hook with priority ''-300'' will be placed before connection tracking operations.

The following table shows Netfilter priority values, check the nft manpage for reference.

{| class="wikitable"
|- style="vertical-align:bottom;"
! style="text-align:left;" | nftables [[Nftables_families|Families]]
! style="text-align:left;" | Typical hooks
! style="text-align:left;" | ''nft'' Keyword
! style="text-align:right;" | Value
! style="text-align:left;" | Netfilter Internal Priority
! style="text-align:left;" | Description

|- style="vertical-align:top;"
|
| prerouting
|
| style="text-align:right;" | -450
| NF_IP_PRI_RAW_BEFORE_DEFRAG
|

|- style="vertical-align:top;"
| inet, ip, ip6
| prerouting
|
| style="text-align:right;" | -400
| NF_IP_PRI_CONNTRACK_DEFRAG
| Packet defragmentation / datagram reassembly

|- style="vertical-align:top;"
| inet, ip, ip6
| all
| '''raw'''
| style="text-align:right;" | -300
| NF_IP_PRI_RAW
| Traditional priority of the raw table placed before connection tracking operation

|- style="vertical-align:top;"
|
|
|
| style="text-align:right;" | -225
| NF_IP_PRI_SELINUX_FIRST
| SELinux operations

|- style="vertical-align:top;"
| inet, ip, ip6
| prerouting, output
|
| style="text-align:right;" | -200
| NF_IP_PRI_CONNTRACK
| [[Connection_Tracking_System | Connection tracking]] processes run early in prerouting and output hooks to associate packets with tracked connections.

|- style="vertical-align:top;"
| inet, ip, ip6
| all
| '''mangle'''
| style="text-align:right;" | -150
| NF_IP_PRI_MANGLE
| Mangle operation

|- style="vertical-align:top;"
| inet, ip, ip6
| prerouting
| '''dstnat'''
| style="text-align:right;" | -100
| NF_IP_PRI_NAT_DST
| Destination NAT

|- style="vertical-align:top;"
| inet, ip, ip6, arp, netdev
| all
| '''filter'''
| style="text-align:right;" | 0
| NF_IP_PRI_FILTER
| Filtering operation, the filter table

|- style="vertical-align:top;"
| inet, ip, ip6
| all
| '''security'''
| style="text-align:right;" | 50
| NF_IP_PRI_SECURITY
| Place of security table, where secmark can be set for example

|- style="vertical-align:top;"
| inet, ip, ip6
| postrouting
| '''srcnat'''
| style="text-align:right;" | 100
| NF_IP_PRI_NAT_SRC
| Source NAT

|- style="vertical-align:top;"
|
| postrouting
|
| style="text-align:right;" | 225
| NF_IP_PRI_SELINUX_LAST
| SELinux at packet exit

|- style="vertical-align:top;"
| inet, ip, ip6
| postrouting
|
| style="text-align:right;" | 300
| NF_IP_PRI_CONNTRACK_HELPER
| Connection tracking helpers, which identify expected and related packets.

|- style="vertical-align:top;"
| inet, ip, ip6
| input, postrouting
|
| style="text-align:right;" | INT_MAX
| NF_IP_PRI_CONNTRACK_CONFIRM
| Connection tracking adds new tracked connections at final step in input & postrouting hooks.

|- style="vertical-align:top;"
| colspan="6" |  

|- style="vertical-align:top;"
| bridge
| prerouting
| '''dstnat'''
| style="text-align:right;" | -300
| NF_BR_PRI_NAT_DST_BRIDGED
|

|- style="vertical-align:top;"
| bridge
| all
| '''filter'''
| style="text-align:right;" | -200
| NF_BR_PRI_FILTER_BRIDGED
|

|- style="vertical-align:top;"
| bridge
|
|
| style="text-align:right;" | 0
| NF_BR_PRI_BRNF
|

|- style="vertical-align:top;"
| bridge
| output
| '''out'''
| style="text-align:right;" | 100
| NF_BR_PRI_NAT_DST_OTHER
|

|- style="vertical-align:top;"
| bridge
|
|
| style="text-align:right;" | 200
| NF_BR_PRI_FILTER_OTHER
|

|- style="vertical-align:top;"
| bridge
| postrouting
| '''srcnat'''
| style="text-align:right;" | 300
| NF_BR_PRI_NAT_SRC
|

|}

Starting with nftables 0.9.6 you may set priority using keywords instead of numbers. (Note that the same keyword maps to different numerical priorities in the bridge family vs. the other families.) You can also specify priority as an integral offset from a keyword, i.e. ''mangle - 5'' is equivalent to numerical priority -155.

It's possible to specify keyword priorities even in family/hook combinations where they don't make logical sense. Recall that the relative numerical ordering of priorities within a given hook is all that matters as far as Netfilter is concerned. Keep in mind that this relative ordering includes packet defragmentation, connection tracking and other Netfilter operations as well as your nftables base chains and flowtables.

NOTE: nat type chains must use priority > -200, which is used by conntrack hooks.

List of updates since Linux kernel 3.13

2023-12-22T13:21:52Z

Danw: add more features mentioned on other wiki pages

A listing of the development progress.

== 6.2 ==

* Support for inner header matching, such as "udp dport 6081 geneve ip saddr 10.141.11.2"

== 5.10 ==

* Support for ingress hook in inet family
* Support for comments on tables, chains, sets, maps, etc.

== 5.7 ==

* netdev egress hook

== 5.6 ==

* Support for ranges (intervals) in [[concatenations]]

== 5.4 ==

* meta time / hour / day

== 5.3 ==

* [[Bridge filtering#Stateful_filtering|conntrack support for the ''bridge'' family]]
* th expression for [[Matching packet headers#Matching_UDP.2FTCP_headers_in_the_same_rule|matching UDP/TCP headers in the same rule]]
* [[synproxy]] statement

== 5.2 ==

* Support for NAT in inet family

== 5.0 ==

* ipsec / xfrm expressions

== 4.20 ==

* [[secmark]] support

== 4.19 ==

* tproxy statement

== 4.18 ==

* nftables NAT is no longer incompatible with iptables NAT
* [[connlimits]] (but buggy until 4.19.10!)
* [[Meters#Doing_connlimit_with_nft|ct count]]
* log level audit

== 4.16 ==

* flowtable support

== 4.15 ==

* Fetch single elements of a set (i.e, nft get element)

== 4.14 ==

* PMTU calculation / MSS clamping ([[Mangling_packet_headers#Mangling TCP options|tcp option maxseg size set rt mtu]])

== 4.12 ==

* [[Setting_packet_connection_tracking_metainformation#ct_helper_set_-_Assign_conntrack_helper|ct helper set]]

== 4.10 ==

* notrack support
* [[stateful objects]]
* nexthop and fib, for [[matching routing information]]
* improved [[Mangling packet headers|packet mangling]] support

== 4.6 ==

* [[Ruleset debug/tracing]]

== 4.5 ==

* [[Meters]]

== 4.3 ==

* Enhancements for the limit expression, support for ratelimit bytes/time unit.
* Dup expression (equivalent to the ''TEE'' target in iptables) for IPv4 and IPv6.
* VLAN header matching support when NIC support offloads.

== 4.2 ==

* New 'netdev' family for filtering from ingress.
* Context to x_tables extensions to know if they run from nft_compat.

== 4.1 ==

Major updates in the generic set infrastructure:

* [[Concatenations]].
* Timeout per set elements.
* Comments per set elements.
* Dynamic set instantiation.

== 4.0 ==

* Mostly fixes.

== 3.19 ==

* redirect support.

== 3.18 ==

* masquerading support.
* meta cpu, devgroup matching.
* reject bridge support.
* destroy table and its content, ie. ''nft flush ruleset''.

== 3.17 ==

* log and nflog support for ip, ip6, arp and bridge families.

== 3.16 ==

* connlabel support.

== 3.15 ==

* Comments per rule support.
* IPv4 reject support.

== 3.14 ==

* set packet mark support.
* nfqueue support (only for ip and ip6 families).
* rule tracing support.
* IPv6 and inet reject support.

== 3.13 ==

* nf_tables merged mainstream.

List of updates since Linux kernel 3.13

2023-12-22T12:08:00Z

Danw: add some features from the man page

A listing of the development progress.

== 6.2 ==

* Support for inner header matching, such as "udp dport 6081 geneve ip saddr 10.141.11.2"

== 5.10 ==

* Support for ingress hook in inet family

== 5.6 ==

* Support for ranges (intervals) in concatenations

== 5.2 ==

* Support for NAT in inet family

== 4.16 ==

* flowtable support

== 4.15 ==

* Fetch single elements of a set (i.e, nft get element)

== 4.10 ==

* notrack support

== 4.3 ==

* Enhancements for the limit expression, support for ratelimit bytes/time unit.
* Dup expression (equivalent to the ''TEE'' target in iptables) for IPv4 and IPv6.
* VLAN header matching support when NIC support offloads.

== 4.2 ==

* New 'netdev' family for filtering from ingress.
* Context to x_tables extensions to know if they run from nft_compat.

== 4.1 ==

Major updates in the generic set infrastructure:

* Concatenations.
* Timeout per set elements.
* Comments per set elements.
* Dynamic set instantiation.

== 4.0 ==

* Mostly fixes.

== 3.19 ==

* redirect support.

== 3.18 ==

* masquerading support.
* meta cpu, devgroup matching.
* reject bridge support.
* destroy table and its content, ie. ''nft flush ruleset''.

== 3.17 ==

* log and nflog support for ip, ip6, arp and bridge families.

== 3.16 ==

* connlabel support.

== 3.15 ==

* Comments per rule support.
* IPv4 reject support.

== 3.14 ==

* set packet mark support.
* nfqueue support (only for ip and ip6 families).
* rule tracing support.
* IPv6 and inet reject support.

== 3.13 ==

* nf_tables merged mainstream.