nftables wiki - User contributions [en]

Meters

2017-03-02T21:21:38Z

Elise: Add examples of hashlimit translation to nft

== Flow tables ==

Since Linux Kernel 4.3 and nft v0.6 nftables supports flow tables.

Flow tables provides a native replacement for the ''hashlimit'' match in iptables, however, you can use any selector, one or many through [[concatenations]].

== Using flow tables ==

The following commands create a table named ''filter'', a chain named ''input'' which hooks incoming traffic and a rule that uses a flow table:

<source lang="bash">
% nft add table filter
% nft add chain filter input {type filter hook input priority 0\;}
% nft add rule filter input tcp dport 22 ct state new flow table ssh-ftable { ip saddr limit rate 10/second } accept
</source>

In this example we create a rule to match ''new'' ''ssh'' (port 22) connections, which uses a flow table named ''ssh-ftable'' to limit the traffic rate to 10 packets per second for each source IP address. The available time units on limits are: ''second'', ''minute'', ''hour'', ''day'' and ''week''.

You can also use [[concatenations]] to build selectors:

<source lang="bash">
% nft add rule filter input flow table cnt-ftable { iif . ip saddr . tcp dport timeout 60s counter }
</source>

This rule counts incoming packets based on the tuple ''(input interface index, IP source address, TCP destination port)'', the counters are dropped after 60 seconds without update.

== Listing flow tables ==

To list the content matched by the flow table use:

<source lang="bash">
% nft list flow table filter cnt-ftable
table ip filter {
flow table cnt-ftable {
type iface_index . ipv4_addr . inet_service
flags timeout
elements = { "wlan1" . 64.62.190.36 . 55000 expires 38s : counter packets 2 bytes 220, "wlan1" . 83.98.201.47 . 35460 expires 39s : counter packets 10 bytes 5988, "wlan1" . 172.217.7.142 . 43254 expires 46s : counter packets 1 bytes 98}
}
}
</source>

== Doing iptables hashlimit with nft ==

Flow tables replace iptables hashlimit in nft. You can use the tool '''iptables-translate''' to see how to translate hashlimit rules, currently available in the [https://git.netfilter.org/iptables/ iptables git tree] and expected in the next official release, current release is v1.6.1.

Almost all hashlimit options are available in nft, starting with --hashlimit-mode, it is replaced by the selector in a flow table. All modes are available except no mode, a flow table demands a selector, an iptables rule without hashlimit-mode isn't supported in nft. A simple rule translation is:

<source lang="bash">
$ iptables -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200/sec --hashlimit-mode srcip,dstport --hashlimit-name http1 -j DROP

$ nft add rule ip filter input tcp dport 80 flow table http1 { tcp dport . ip saddr limit rate over 200/second} counter drop
</source>

Notice that a flow table is named, like hashlimit, and using multiple hashlimit-modes is similar to using a concatenation of selectors. Also, --hashlimit-above is translated to ''limit rate over'', to simulate --hashlimit-upto just omit or replace ''over'' with ''until'' in the rule.

The options --hashlimit-burst and --hashlimit-htable-expire are translated to ''burst'' and ''timeout'' in a flow table:

<source lang="bash">
$ iptables -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP

$ nft add rule ip filter input tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes} counter drop
</source>

This rule shows how ''timeout'' and ''burst'' are used in a flow table, also notice that flow tables, similarly to hashlimit, accepts limiting rates by bytes frequency instead of packets.

Another hashlimit option is to limit the traffic rate on subnets, of IP source or destination addresses, using the options --hashlimit-srcmask and --hashlimit-dstmask. This feature is available in nft by attaching a subnet mask to a flow table selector, attach to ''ip saddr'' for source address and to ''ip daddr'' for destination adress:

<source lang="bash">
$ iptables -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-upto 200 --hashlimit-mode srcip --hashlimit-name http3 --hashlimit-srcmask 24 -j DROP

$ nft add rule ip filter input tcp dport 80 flow table http3 { ip saddr and 255.255.255.0 limit rate 200/second} counter drop
</source>

This rule will limit packets rate, grouping subnets determined by the first 24 bits of the IP source address, from the incoming packets on port 80.

The remaining options, --hashlimit-htable-max, --hashlimit-htable-size and --hashlimit-htable-gcinterval don't apply to flow tables.

Mangling packet headers

2017-02-20T17:43:51Z

Elise: /* Mangle packet header fields */

== Mangle packet header fields ==

Since nft v0.6 nftables supports stateless payload mangling.

To mangle packet header fields you should create a rule to match the packet, match the desired header field and set a new value to it:

<source lang="bash">
% nft add table mangle
% nft add chain mangle forward {type filter hook forward priority 0\;}
% nft add rule mangle forward tcp dport 8080 tcp dport set 80
</source>

The commands above create a table named ''mangle'', a chain named ''forward'', see [[Netfilter hooks]], and a rule to mangle the destination port of packets over TCP from 8080 to 80. Keep in mind the interactions with conntrack, flows with mangled traffic must be untracked.

For more information about packet headers to mangle check manpage nft(8), [[Matching packet header fields]] and [[Quick reference-nftables in 10 minutes]].

Mangling packet headers

2017-02-17T15:40:57Z

Elise: Create page mangle packet header fields

== Mangle packet header fields ==

Since nft v0.6 nftables supports stateless payload mangling.

To mangle packet header fields you should create a rule to match the packet, match the desired header field and set a new value to it:

<source lang="bash">
% nft add table mangle
% nft add chain mangle forward {type filter hook forward priority 0\;}
% nft add rule mangle forward tcp dport 8080 tcp dport set 80
</source>

The commands above create a table named ''mangle'', a chain named ''forward'', see [[Netfilter hooks]], and a rule to mangle the destination port of packets over TCP from 8080 to 80. Keep in mind the interactions with conntrack, flows with mangled traffic must be untracked.

The rule below is another example, it matches packets heading to address ''192.168.1.3'' and modifies their ''Time to Live'' field:

<source lang="bash">
% nft add rule mangle forward ip daddr 192.168.1.3 ip ttl set 2
</source>

For more information about packet headers to mangle check manpage nft(8), [[Matching packet header fields]] and [[Quick reference-nftables in 10 minutes]].

Meters

2017-02-15T16:32:53Z

Elise: Add links to concatenations

Meters

2017-02-15T16:29:39Z

Elise: Create "Flow table" page with usage examples

Sets

2017-02-14T12:57:05Z

Elise: /* Named sets specifications */

''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the representation of [[dictionaries]] and [[maps]].

The set elements are internally represented using performance data structures such as hashtables and red-black trees.

= Anonymous sets =

Anonymous sets are those that are:

* Bound to a rule, if the rule is removed, that set is released too.
* They have no specific name, the kernel internally allocates an identifier.
* They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule.

The following example shows how to create a simple set.

<source lang="bash">
% nft add rule filter output tcp dport { 22, 23 } counter
</source>

This rule above catches all traffic going to TCP ports 22 and 23, in case of matching the counters are updated.

= Named sets =

You can create the named sets with the following command:

<source lang="bash">
% nft add set filter blackhole { type ipv4_addr\;}
</source>

Note that ''blackhole'' is the name of the set in this case. The ''type'' option indicates the data type that this set stores, which is an IPv4 address in the case. Current maximum name length is 16 characters.

<source lang="bash">
% nft add element filter blackhole { 192.168.3.4 }
% nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }
</source>

Then, you can use it from the rule:

<source lang="bash">
% nft add rule ip input ip saddr @blackhole drop
</source>

Named sets can be updated anytime, so you can add and delete element from them.

Eric Leblond in his [https://home.regit.org/2014/01/why-you-will-love-nftables/ Why you will love nftables] article shows a very simple example to compare iptables with nftables:

<source lang="bash">
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
</source>

Which can be expressed in ''nftables'' with a couple of rules that provide a set:

<source lang="bash">
% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
</source>

= Named sets specifications =

Sets specifications are:

* '''type''', is obrigatory and determines the data type of the set elements. Supported data types currently are:
** ''ipv4_addr'': IPv4 address
** ''ipv6_addr'': IPv6 address.
** ''ether_addr'': Ethernet address.
** ''inet_proto'': Inet protocol type.
** ''inet_service'': Internet service (read tcp port for example)
** ''mark'': Mark type.

* '''timeout''', it determines how long an element stays in the set. The time string respects the format: ''"v1dv2hv3mv4s"'':

<source lang="bash">
% nft add table filter
% nft add set filter ports {type inet_service \; timeout 3h45s \;}
</source>

These commands create a table named ''filter'' and add a set named ''ports'' to it, where elements are deleted after 3 hours and 45 seconds of being added.

* '''flags''', the available flags are:
** ''constant'' - set content may not change while bound
** ''interval'' - set contains intervals
** ''timeout'' - elements can be added with a timeout

Multiple flags should be separated by comma:

<source lang="bash">
% nft add set filter flags_set {type ipv4_addr\; flags constant, interval\;}
</source>

* '''gc-interval''', stands for garbage collection interval, can only be used if ''timeout'' or ''flags timeout'' are active. The interval follows the same format of ''timeouts'' time string ''"v1dv2hv3mv4s"''.

* '''elements''', initialize the set with some elements in it:

<source lang="bash">
% nft add set filter daddrs {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
</source>

This command creates a set name ''daddrs'' with elements ''192.168.1.1'', which stays in it for 10s, and ''192.168.1.2'', which stays for 30s.

* '''size''', limits the maximum number of elements of the set. To create a set with maximum 2 elements type:

<source lang="bash">
% nft add set filter saddrs {type ipv4_addr \; size 2 \;}
</source>

* '''policy''', determines set selection policy. Available values are:
** ''performance'' [default]
** ''memory''

= Listing named sets =

You can list the content of a named set via:

<source lang="bash">
% nft list set filter myset
</source>

Sets

2017-02-13T18:15:54Z

Elise: /* Named sets specifications */

''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the representation of [[dictionaries]] and [[maps]].

The set elements are internally represented using performance data structures such as hashtables and red-black trees.

= Anonymous sets =

Anonymous sets are those that are:

* Bound to a rule, if the rule is removed, that set is released too.
* They have no specific name, the kernel internally allocates an identifier.
* They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule.

The following example shows how to create a simple set.

<source lang="bash">
% nft add rule filter output tcp dport { 22, 23 } counter
</source>

This rule above catches all traffic going to TCP ports 22 and 23, in case of matching the counters are updated.

= Named sets =

You can create the named sets with the following command:

<source lang="bash">
% nft add set filter blackhole { type ipv4_addr\;}
</source>

Note that ''blackhole'' is the name of the set in this case. The ''type'' option indicates the data type that this set stores, which is an IPv4 address in the case. Current maximum name length is 16 characters.

<source lang="bash">
% nft add element filter blackhole { 192.168.3.4 }
% nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }
</source>

Then, you can use it from the rule:

<source lang="bash">
% nft add rule ip input ip saddr @blackhole drop
</source>

Named sets can be updated anytime, so you can add and delete element from them.

Eric Leblond in his [https://home.regit.org/2014/01/why-you-will-love-nftables/ Why you will love nftables] article shows a very simple example to compare iptables with nftables:

<source lang="bash">
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
</source>

Which can be expressed in ''nftables'' with a couple of rules that provide a set:

<source lang="bash">
% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
</source>

= Named sets specifications =

Sets specifications are:

* '''type''', is obrigatory and determines the data type of the set elements. Supported data types currently are:
** ''ipv4_addr'': IPv4 address
** ''ipv6_addr'': IPv6 address.
** ''ether_addr'': Ethernet address.
** ''inet_proto'': Inet protocol type.
** ''inet_service'': Internet service (read tcp port for example)
** ''mark'': Mark type.

* '''timeout''', it determines how long an element stays in the set. The time string respects the format: ''"v1dv2hv3mv4s"'':

<source lang="bash">
% nft add table filter
% nft add set filter ports {type inet_service \; timeout 3h45s \;}
</source>

These commands create a table named ''filter'' and add a set named ''ports'' to it, where elements are deleted after 3 hours and 45 seconds of being added.

* '''flags''', the available flags are:
** ''constant'' - set content may not change while bound
** ''interval'' - set contains intervals
** ''timeout'' - elements can be added with a timeout

Multiple flags should be separated by comma:

<source lang="bash">
% nft add set filter flags_set {type ipv4_addr\; flags constant, interval\;}
</source>

* '''gc-interval''', stands for garbage collection interval, can only be used if ''timeout'' or ''flags timeout'' are active. The interval follows the same format of ''timeouts'' time string ''"v1dv2hv3mv4s"''.

* '''elements''', initialize the set with some elements in it:

<source lang="bash">
% nft add set filter daddrs {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
</source>

This command creates a set name ''daddrs'' with elements ''1.1.1.1'', which stays in it for 10s, and ''2.2.2.2'', which stays for 30s.

* '''size''', limits the maximum number of elements of the set. To create a set with maximum 2 elements type:

<source lang="bash">
% nft add set filter saddrs {type ipv4_addr \; size 2 \;}
</source>

* '''policy''', determines set selection policy. Available values are:
** ''performance'' [default]
** ''memory''

= Listing named sets =

You can list the content of a named set via:

<source lang="bash">
% nft list set filter myset
</source>

Sets

2017-02-13T16:32:12Z

Elise: /* Named sets specifications */

''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the representation of [[dictionaries]] and [[maps]].

The set elements are internally represented using performance data structures such as hashtables and red-black trees.

= Anonymous sets =

Anonymous sets are those that are:

* Bound to a rule, if the rule is removed, that set is released too.
* They have no specific name, the kernel internally allocates an identifier.
* They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule.

The following example shows how to create a simple set.

<source lang="bash">
% nft add rule filter output tcp dport { 22, 23 } counter
</source>

This rule above catches all traffic going to TCP ports 22 and 23, in case of matching the counters are updated.

= Named sets =

You can create the named sets with the following command:

<source lang="bash">
% nft add set filter blackhole { type ipv4_addr\;}
</source>

Note that ''blackhole'' is the name of the set in this case. The ''type'' option indicates the data type that this set stores, which is an IPv4 address in the case. Current maximum name length is 16 characters.

<source lang="bash">
% nft add element filter blackhole { 192.168.3.4 }
% nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }
</source>

Then, you can use it from the rule:

<source lang="bash">
% nft add rule ip input ip saddr @blackhole drop
</source>

Named sets can be updated anytime, so you can add and delete element from them.

Eric Leblond in his [https://home.regit.org/2014/01/why-you-will-love-nftables/ Why you will love nftables] article shows a very simple example to compare iptables with nftables:

<source lang="bash">
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
</source>

Which can be expressed in ''nftables'' with a couple of rules that provide a set:

<source lang="bash">
% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
</source>

= Named sets specifications =

Sets specifications are:

* '''type''', is obrigatory and determines the data type of the set elements. Supported data types currently are:
** ''ipv4_addr'': IPv4 address
** ''ipv6_addr'': IPv6 address.
** ''ether_addr'': Ethernet address.
** ''inet_proto'': Inet protocol type.
** ''inet_service'': Internet service (read tcp port for example)
** ''mark'': Mark type.

* '''timeout''', it determines how long an element stays in the set. The time string respects the format: ''"v1dv2hv3mv4s"'':

<source lang="bash">
% nft add table filter
% nft add set filter ports {type inet_service \; timeout 3h45s \;}
</source>

These commands create a table named ''filter'' and add a set named ''ports'' to it, where elements are deleted after 3 hours and 45 seconds of being added.

* '''flags''', only one flag can be set at a time, the available flags are:
** ''constant'' - set content may not change while bound
** ''interval'' - set contains intervals
** ''timeout'' - elements can be added with a timeout

* '''gc-interval''', stands for garbage collection interval, can only be used if ''timeout'' or ''flags timeout'' are active. The interval follows the same format of ''timeouts'' time string ''"v1dv2hv3mv4s"''.

* '''elements''', initialize the set with some elements in it:

<source lang="bash">
% nft add set filter daddrs {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
</source>

This command creates a set name ''daddrs'' with elements ''1.1.1.1'', which stays in it for 10s, and ''2.2.2.2'', which stays for 30s.

* '''size''', limits the maximum number of elements of the set. To create a set with maximum 2 elements type:

<source lang="bash">
% nft add set filter saddrs {type ipv4_addr \; size 2 \;}
</source>

* '''policy''', determines set selection policy. Available values are:
** ''performance'' [default]
** ''memory''

= Listing named sets =

You can list the content of a named set via:

<source lang="bash">
% nft list set filter myset
</source>

Main Page

2017-02-13T16:05:28Z

Elise: /* Examples */

Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.

This documentation was initially started by Eric Leblond, known as the [https://home.regit.org/netfilter-en/nftables-quick-howto/ nftables quick HOWTO], and it has been extended and enhanced by Pablo Neira Ayuso.

If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>.

Note that this documentation is still under development, so '''consider this work in progress'''.

= Introduction =

* [[What is nftables?]]
* [[Why nftables?]]
* [[Main differences with iptables]]
* [[Netfilter hooks]] and integration with existing Netfilter components.

= Getting started =

* [[Building and installing nftables from sources]]
* Using [[nftables from distributions]]
* [[Troubleshooting|Troubleshooting and FAQ]]
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]

= Basic operation =

* [[Configuring tables]]
* [[Configuring chains]]
* [[Simple rule management]]
* [[Atomic rule replacement]]
* [[Error reporting from the command line]]
* [[Building rules through expressions]]
* [[Operations at ruleset level]]
* [[Monitoring ruleset updates]]
* [[Scripting]]
* [[Ruleset debug/tracing]]
* [[Moving from iptables to nftables]]

= Supported selectors for packet matching =

* [[Matching packet header fields]]
* [[Matching packet metainformation]]
* [[Matching connection tracking stateful metainformation]]
* [[Rate limiting matchings]]
* [[Routing information]]

= Possible actions on packets =

* [[Accepting and dropping packets]]
* [[Jumping to chain]]
* [[Rejecting traffic]]
* [[Logging traffic]]
* [[Performing Network Address Translation (NAT)]]
* [[Setting packet metainformation]]
* [[Queueing to userspace]]
* [[Duplicating packets]]
* [[Mangle packet header fields]]
* [[Counters]]
* [[Load balancing]]

Note that, unlike ''iptables'', you can perform several actions in one single rule.

= Advanced data structures for performance packet classification =

You will have to redesign your rule-set to benefit from these new nice features:

* [[Sets]]
* [[Dictionaries]]
* [[Intervals]]
* [[Maps]]
* [[Concatenations]]
* [[Flow tables]]
* [[Updating sets from the packet path]]
* [[Element timeouts]]
* [[Math operations]]
* [[Stateful objects]]

If you are already using [[ipset]] in your ''iptables'' rule-set, that transition may be a bit more simple to you.

= Examples =

* [[Simple ruleset for a workstation]]
* [[Bridge filtering]]
* [[Multiple NATs using nftables maps]]
* [[Classic perimetral firewall example]]

= Development progress =

* [[List of updates since Linux kernel 3.13]]
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]
* [[List of available translations via iptables-translate tool]]

= Videos =

* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.

= Thanks =

To the NLnet foundation for initial sponsorship of this HOWTO:

[https://nlnet.nl https://nlnet.nl/image/logo.gif]

Main Page

2017-02-13T16:04:45Z

Elise: /* Advanced data structures for performance packet classification */

Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.

This documentation was initially started by Eric Leblond, known as the [https://home.regit.org/netfilter-en/nftables-quick-howto/ nftables quick HOWTO], and it has been extended and enhanced by Pablo Neira Ayuso.

If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>.

Note that this documentation is still under development, so '''consider this work in progress'''.

= Introduction =

* [[What is nftables?]]
* [[Why nftables?]]
* [[Main differences with iptables]]
* [[Netfilter hooks]] and integration with existing Netfilter components.

= Getting started =

* [[Building and installing nftables from sources]]
* Using [[nftables from distributions]]
* [[Troubleshooting|Troubleshooting and FAQ]]
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]

= Basic operation =

* [[Configuring tables]]
* [[Configuring chains]]
* [[Simple rule management]]
* [[Atomic rule replacement]]
* [[Error reporting from the command line]]
* [[Building rules through expressions]]
* [[Operations at ruleset level]]
* [[Monitoring ruleset updates]]
* [[Scripting]]
* [[Ruleset debug/tracing]]
* [[Moving from iptables to nftables]]

= Supported selectors for packet matching =

* [[Matching packet header fields]]
* [[Matching packet metainformation]]
* [[Matching connection tracking stateful metainformation]]
* [[Rate limiting matchings]]
* [[Routing information]]

= Possible actions on packets =

* [[Accepting and dropping packets]]
* [[Jumping to chain]]
* [[Rejecting traffic]]
* [[Logging traffic]]
* [[Performing Network Address Translation (NAT)]]
* [[Setting packet metainformation]]
* [[Queueing to userspace]]
* [[Duplicating packets]]
* [[Mangle packet header fields]]
* [[Counters]]
* [[Load balancing]]

Note that, unlike ''iptables'', you can perform several actions in one single rule.

= Advanced data structures for performance packet classification =

You will have to redesign your rule-set to benefit from these new nice features:

* [[Sets]]
* [[Dictionaries]]
* [[Intervals]]
* [[Maps]]
* [[Concatenations]]
* [[Flow tables]]
* [[Updating sets from the packet path]]
* [[Element timeouts]]
* [[Math operations]]
* [[Stateful objects]]

If you are already using [[ipset]] in your ''iptables'' rule-set, that transition may be a bit more simple to you.

= Examples =

* [[Simple ruleset for a workstation]]
* [[Bridge filtering]]
* [[Multiple NATs using nftables maps]]
* [[Classic perimetral firewall example]]
* [[Stateful objects usage]]

= Development progress =

* [[List of updates since Linux kernel 3.13]]
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]
* [[List of available translations via iptables-translate tool]]

= Videos =

* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.

= Thanks =

To the NLnet foundation for initial sponsorship of this HOWTO:

[https://nlnet.nl https://nlnet.nl/image/logo.gif]

Stateful objects usage

2017-02-13T16:03:17Z

Elise: Elise moved page Stateful objects usage to Stateful objects: This tittle better fit the naming convention

#REDIRECT [[Stateful objects]]

Stateful objects

2017-02-13T16:03:16Z

Elise: Elise moved page Stateful objects usage to Stateful objects: This tittle better fit the naming convention

Since Linux Kernel 4.10 and nft v0.8 nftables supports stateful objects.

Stateful objects group stateful information of rules, the supported types are: counters and quotas. Stateful objects are attached to tables and have a unique name, defined by the user.

= Creating stateful objects =

You can create a counter with the command:

<source lang="bash">
% nft add table filter
% nft add counter filter https-traffic
</source>

These rules create a table named ''filter'', then a counter named ''https-traffic'' and attaches it to ''filter''.

Creating a quota is similar:

<source lang="bash">
% nft add quota filter https-quota 25 mbytes
</source>

A quota named ''https-quota'' is attached to the table ''filter'', notice that you must specify the quota's size on creation.

= Referencing stateful objects in rules =

Stateful objects are referenced in rules by their names, the simplest way is:

<source lang="bash">
% nft add chain filter output { type filter hook output priority 0 \; }
% nft add rule filter output tcp dport https counter name https-traffic
</source>

These rules create a chain named ''output'' in the table ''filter'', then a rule to counter the ''https'' packets generated by your machine and display them in the counter ''https-traffic''.

They can also be used with maps:

<source lang="bash">
% nft add rule filter output counter name tcp dport map { \
https : "https-traffic", \
80 : "http-traffic", \
25 : "foo-counter", \
50 : "foo-counter", \
107 : "foo-counter" \
}
</source>

Similarly, dynamic maps can be used:

<source lang="bash">
% nft add map filter ports { type inet_service : quota \; }
% nft add rule filter output quota name tcp dport map @ports
% nft add quota filter http-quota over 25 mbytes
% nft add quota filter ssh-quota 10 kbytes
% nft add element filter ports { 80 : "http-quota" }
% nft add element filter ports { 22 : "ssh-quota" }
</source>

= Listing stateful objects =

You can list the stateful information of objects individually via:

<source lang="bash">
% nft list counter filter https-traffic
</source>

Also, it's possible to list all stateful objects of the same type:

<source lang="bash">
% nft list quotas
</source>

And list all stateful objects of a type in a table:

<source lang="bash">
% nft list counters table filter
</source>

= Reseting stateful objects =

Reseting an object will atomically dump and reset its content:

<source lang="bash">
% nft reset quota filter https-quota
table ip filter {
quota https-quota {
25 mbytes used 217 kbytes
}
}

% nft list quota filter https-quota
table ip filter {
quota https-quota {
25 mbytes
}
}
</source>

Other usages are similar to the command list, e.g.

<source lang="bash">
% nft reset counters
% nft reset quotas table filter
</source>

Stateful objects

2017-02-11T12:38:01Z

Elise:

Stateful objects

2017-02-11T12:31:47Z

Elise: /* Reseting stateful objects */

Stateful objects group stateful information of rules, the supported types are: counters and quotas. Stateful objects are attached to tables and have a unique name, defined by the user.

= Creating stateful objects =

You can create a counter with the command:

<source lang="bash">
% nft add table filter
% nft add counter filter https-traffic
</source>

These rules create a table named ''filter'', then a counter named ''https-traffic'' and attaches it to ''filter''.

Creating a quota is similar:

<source lang="bash">
% nft add quota filter https-quota 25 mbytes
</source>

A quota named ''https-quota'' is attached to the table ''filter'', notice that you must specify the quota's size on creation.

= Referencing stateful objects in rules =

Stateful objects are referenced in rules by their names, the simplest way is:

<source lang="bash">
% nft add chain filter output { type filter hook output priority 0 \; }
% nft add rule filter output tcp dport https counter name https-traffic
</source>

These rules create a chain named ''output'' in the table ''filter'', then a rule to counter the ''https'' packets generated by your machine and display them in the counter ''https-traffic''.

They can also be used with maps:

<source lang="bash">
% nft add rule filter output counter name tcp dport map { \
https : "https-traffic", \
80 : "http-traffic", \
25 : "foo-counter", \
50 : "foo-counter", \
107 : "foo-counter" \
}
</source>

Similarly, dynamic maps can be used:

<source lang="bash">
% nft add map filter ports { type inet_service : quota \; }
% nft add rule filter output quota name tcp dport map @ports
% nft add quota filter http-quota over 25 mbytes
% nft add quota filter ssh-quota 10 kbytes
% nft add element filter ports { 80 : "http-quota" }
% nft add element filter ports { 22 : "ssh-quota" }
</source>

= Listing stateful objects =

You can list the stateful information of objects individually via:

<source lang="bash">
% nft list counter filter https-traffic
</source>

Also, it's possible to list all stateful objects of the same type:

<source lang="bash">
% nft list quotas
</source>

And list all stateful objects of a type in a table:

<source lang="bash">
% nft list counters table filter
</source>

= Reseting stateful objects =

Reseting an object will list its content and set it to 0:

<source lang="bash">
% nft reset quota filter https-quota
table ip filter {
quota https-quota {
25 mbytes used 217 kbytes
}
}

% nft list quota filter https-quota
table ip filter {
quota https-quota {
25 mbytes
}
}
</source>

Other usages are similar to the command list, e.g.

<source lang="bash">
% nft reset counters
% nft reset quotas table filter
</source>

Sets

2017-02-09T17:18:31Z

Elise: /* Named sets specifications */

''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the representation of [[dictionaries]] and [[maps]].

The set elements are internally represented using performance data structures such as hashtables and red-black trees.

= Anonymous sets =

Anonymous sets are those that are:

* Bound to a rule, if the rule is removed, that set is released too.
* They have no specific name, the kernel internally allocates an identifier.
* They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule.

The following example shows how to create a simple set.

<source lang="bash">
% nft add rule filter output tcp dport { 22, 23 } counter
</source>

This rule above catches all traffic going to TCP ports 22 and 23, in case of matching the counters are updated.

= Named sets =

You can create the named sets with the following command:

<source lang="bash">
% nft add set filter blackhole { type ipv4_addr\;}
</source>

Note that ''blackhole'' is the name of the set in this case. The ''type'' option indicates the data type that this set stores, which is an IPv4 address in the case. Current maximum name length is 16 characters.

<source lang="bash">
% nft add element filter blackhole { 192.168.3.4 }
% nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }
</source>

Then, you can use it from the rule:

<source lang="bash">
% nft add rule ip input ip saddr @blackhole drop
</source>

Named sets can be updated anytime, so you can add and delete element from them.

Eric Leblond in his [https://home.regit.org/2014/01/why-you-will-love-nftables/ Why you will love nftables] article shows a very simple example to compare iptables with nftables:

<source lang="bash">
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
</source>

Which can be expressed in ''nftables'' with a couple of rules that provide a set:

<source lang="bash">
% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
</source>

= Named sets specifications =

Sets specifications are:

* '''type''', is obrigatory and determines the data type of the set elements. Supported data types currently are:
** ''ipv4_addr'': IPv4 address
** ''ipv6_addr'': IPv6 address.
** ''ether_addr'': Ethernet address.
** ''inet_proto'': Inet protocol type.
** ''inet_service'': Internet service (read tcp port for example)
** ''mark'': Mark type.

* '''timeout''', it determines how long an element stays in the set. The time string respects the format: ''"v1dv2hv3mv4s"'':

<source lang="bash">
% nft add table filter
% nft add set filter ports {type inet_service \; timeout 3h45s \;}
</source>

These commands create a table named ''filter'' and add a set to it, where elements are deleted after 3 hours and 45 seconds of being added.

* '''flags''', only one flag can be set at a time, the available flags are:
** ''constant'' - set content may not change while bound
** ''interval'' - set contains intervals
** ''timeout'' - elements can be added with a timeout

* '''gc-interval''', stands for garbage collection interval, can only be used if ''timeout'' or ''flags timeout'' are active. The interval follows the same format of ''timeouts'' time string ''"v1dv2hv3mv4s"''.

* '''elements''', initialize the set with some elements in it:

<source lang="bash">
% nft add set filter daddrs {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
</source>

This command creates a set name ''daddrs'' with elements ''1.1.1.1'', which stays in it for 10s, and ''2.2.2.2'', which stays for 30s.

* '''size''', limits the maximum number of elements of the set. To create a set with maximum 2 elements type:

<source lang="bash">
% nft add set filter saddrs {type ipv4_addr \; size 2 \;}
</source>

* '''policy''', determines set selection policy. Available values are:
** ''memory''
** ''performance''

= Listing named sets =

You can list the content of a named set via:

<source lang="bash">
% nft list set filter myset
</source>

Sets

2017-02-09T16:53:09Z

Elise: /* Named sets */

''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the representation of [[dictionaries]] and [[maps]].

The set elements are internally represented using performance data structures such as hashtables and red-black trees.

= Anonymous sets =

Anonymous sets are those that are:

* Bound to a rule, if the rule is removed, that set is released too.
* They have no specific name, the kernel internally allocates an identifier.
* They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule.

The following example shows how to create a simple set.

<source lang="bash">
% nft add rule filter output tcp dport { 22, 23 } counter
</source>

This rule above catches all traffic going to TCP ports 22 and 23, in case of matching the counters are updated.

= Named sets =

You can create the named sets with the following command:

<source lang="bash">
% nft add set filter blackhole { type ipv4_addr\;}
</source>

Note that ''blackhole'' is the name of the set in this case. The ''type'' option indicates the data type that this set stores, which is an IPv4 address in the case. Current maximum name length is 16 characters.

<source lang="bash">
% nft add element filter blackhole { 192.168.3.4 }
% nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }
</source>

Then, you can use it from the rule:

<source lang="bash">
% nft add rule ip input ip saddr @blackhole drop
</source>

Named sets can be updated anytime, so you can add and delete element from them.

Eric Leblond in his [https://home.regit.org/2014/01/why-you-will-love-nftables/ Why you will love nftables] article shows a very simple example to compare iptables with nftables:

<source lang="bash">
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
</source>

Which can be expressed in ''nftables'' with a couple of rules that provide a set:

<source lang="bash">
% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
</source>

= Named sets specifications =

Sets specifications are:

* '''type''', is obrigatory and determines the data type of the set elements. Supported data types currently are:
** ''ipv4_addr'': IPv4 address
** ''ipv6_addr'': IPv6 address.
** ''ether_addr'': Ethernet address.
** ''inet_proto'': Inet protocol type.
** ''inet_service'': Internet service (read tcp port for example)
** ''mark'': Mark type.

* '''timeout''', it determines how long an element stays in the set. The time string respects the format: ''"v1dv2hv3mv4s"'':

<source lang="bash">
% nft add table filter
% nft add set filter ports {type inet_service \; timeout 3h45s \;}
</source>

These commands create a table named ''filter'' and add a set to it, where elements are deleted after 3 hours and 45 seconds of being added.

* '''flags''', only one flag can be set at a time, the available flags are:
** ''constant'' - set content may not change while bound
** ''interval'' - set contains intervals
** ''timeout'' - elements can be added with a timeout

* '''gc-interval''', stands for garbage collection interval, can only be used if ''timeout'' or ''flags timeout'' are active. The interval follows the same format of ''timeouts'' time string ''"v1dv2hv3mv4s"''.

* '''elements''', initialize the set with some elements in it:

<source lang="bash">
% nft add set filter daddrs {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
</source>

This command creates a set name ''daddrs'' with elements ''1.1.1.1'', which stays in it for 10s, and ''2.2.2.2'', which stays for 30s.

* '''size''', limits the maximum number of elements of the set. To create a set with maximum 2 elements type:

<source lang="bash">
% nft add set filter saddrs {type ipv4_addr \; size 2 \;}
</source>

* '''policy''', determines set selection policy. Available values are:
** ''memory''
** ''performance''

= Listing named sets =

You can list the content of a named set via:

<source lang="bash">
% nft list set filter myset
</source>

Sets

2017-02-09T16:52:18Z

Elise: /* Named sets specifications */

''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the representation of [[dictionaries]] and [[maps]].

The set elements are internally represented using performance data structures such as hashtables and red-black trees.

= Anonymous sets =

Anonymous sets are those that are:

* Bound to a rule, if the rule is removed, that set is released too.
* They have no specific name, the kernel internally allocates an identifier.
* They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule.

The following example shows how to create a simple set.

<source lang="bash">
% nft add rule filter output tcp dport { 22, 23 } counter
</source>

This rule above catches all traffic going to TCP ports 22 and 23, in case of matching the counters are updated.

= Named sets =

You can create the named sets with the following command:

<source lang="bash">
% nft add set filter blackhole { type ipv4_addr\;}
</source>

Note that ''blackhole'' is the name of the set in this case. The ''type'' option indicates the data type that this set stores, which is an IPv4 address in the case. Current maximum name length is 16 characters.

<source lang="bash">
% nft add element filter blackhole { 192.168.3.4 }
% nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }
</source>

Then, you can use it from the rule:

<source lang="bash">
% nft add rule ip input ip saddr @blackhole drop
</source>

The supported data types currently are:

* ''ipv4_addr'': IPv4 address
* ''ipv6_addr'': IPv6 address.
* ''ether_addr'': Ethernet address.
* ''inet_proto'': Inet protocol type.
* ''inet_service'': Internet service (read tcp port for example)
* ''mark'': Mark type.

Named sets can be updated anytime, so you can add and delete element from them.

Eric Leblond in his [https://home.regit.org/2014/01/why-you-will-love-nftables/ Why you will love nftables] article shows a very simple example to compare iptables with nftables:

<source lang="bash">
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
</source>

Which can be expressed in ''nftables'' with a couple of rules that provide a set:

<source lang="bash">
% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
</source>

= Named sets specifications =

Sets specifications are:

* '''type''', is obrigatory and determines the data type of the set elements. Supported data types currently are:
** ''ipv4_addr'': IPv4 address
** ''ipv6_addr'': IPv6 address.
** ''ether_addr'': Ethernet address.
** ''inet_proto'': Inet protocol type.
** ''inet_service'': Internet service (read tcp port for example)
** ''mark'': Mark type.

* '''timeout''', it determines how long an element stays in the set. The time string respects the format: ''"v1dv2hv3mv4s"'':

<source lang="bash">
% nft add table filter
% nft add set filter ports {type inet_service \; timeout 3h45s \;}
</source>

These commands create a table named ''filter'' and add a set to it, where elements are deleted after 3 hours and 45 seconds of being added.

* '''flags''', only one flag can be set at a time, the available flags are:
** ''constant'' - set content may not change while bound
** ''interval'' - set contains intervals
** ''timeout'' - elements can be added with a timeout

* '''gc-interval''', stands for garbage collection interval, can only be used if ''timeout'' or ''flags timeout'' are active. The interval follows the same format of ''timeouts'' time string ''"v1dv2hv3mv4s"''.

* '''elements''', initialize the set with some elements in it:

<source lang="bash">
% nft add set filter daddrs {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
</source>

This command creates a set name ''daddrs'' with elements ''1.1.1.1'', which stays in it for 10s, and ''2.2.2.2'', which stays for 30s.

* '''size''', limits the maximum number of elements of the set. To create a set with maximum 2 elements type:

<source lang="bash">
% nft add set filter saddrs {type ipv4_addr \; size 2 \;}
</source>

* '''policy''', determines set selection policy. Available values are:
** ''memory''
** ''performance''

= Listing named sets =

You can list the content of a named set via:

<source lang="bash">
% nft list set filter myset
</source>

Sets

2017-02-09T16:27:58Z

Elise:

Stateful objects

2017-02-08T15:19:24Z

Elise:

Stateful objects group stateful information of rules, the supported types are: counters and quotas. Stateful objects are attached to tables and have a unique name, defined by the user.

= Creating stateful objects =

You can create a counter with the command:

<source lang="bash">
% nft add table filter
% nft add counter filter https-traffic
</source>

These rules create a table named ''filter'', then a counter named ''https-traffic'' and attaches it to ''filter''.

Creating a quota is similar:

<source lang="bash">
% nft add quota filter https-quota 25 mbytes
</source>

A quota named ''https-quota'' is attached to the table ''filter'', notice that you must specify the quota's size on creation.

= Referencing stateful objects in rules =

Stateful objects are referenced in rules by their names, the simplest way is:

<source lang="bash">
% nft add chain filter output { type filter hook output priority 0 \; }
% nft add rule filter output tcp dport https counter name https-traffic
</source>

These rules create a chain named ''output'' in the table ''filter'', then a rule to counter the ''https'' packets generated by your machine and display them in the counter ''https-traffic''.

They can also be used with maps:

<source lang="bash">
% nft add rule filter output counter name tcp dport map { \
https : "https-traffic", \
80 : "http-traffic", \
25 : "foo-counter", \
50 : "foo-counter", \
107 : "foo-counter" \
}
</source>

Similarly, dynamic maps can be used:

<source lang="bash">
% nft add map filter ports { type inet_service : quota \; }
% nft add rule filter output quota name tcp dport map @ports
% nft add quota filter http-quota over 25 mbytes
% nft add quota filter ssh-quota 10 kbytes
% nft add element filter ports { 80 : "http-quota" }
% nft add element filter ports { 22 : "ssh-quota" }
</source>

= Listing stateful objects =

You can list the stateful information of objects individually via:

<source lang="bash">
% nft list counter filter https-traffic
</source>

Also, it's possible to list all stateful objects of the same type:

<source lang="bash">
% nft list quotas
</source>

And list all stateful objects of a type in a table:

<source lang="bash">
% nft list counters table filter
</source>

= Reseting stateful objects =

Reseting an object will list its content and set it to 0. The usage is similar to listing objects:

<source lang="bash">
% nft reset quota filter http-quota
% nft reset counters
% nft reset quotas table filter
</source>

Stateful objects

2017-02-08T13:55:47Z

Elise: Created page with "Since v0.7 nftables support stateful objects, which group stateful information of rules, the supported types are: counters and quotas. Stateful objects are attached to tables..."

Since v0.7 nftables support stateful objects, which group stateful information of rules, the supported types are: counters and quotas. Stateful objects are attached to tables and have a unique name, defined by the user.

Main Page

2017-02-08T13:53:52Z

Elise: /* Examples */

Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.

This documentation was initially started by Eric Leblond, known as the [https://home.regit.org/netfilter-en/nftables-quick-howto/ nftables quick HOWTO], and it has been extended and enhanced by Pablo Neira Ayuso.

If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>.

Note that this documentation is still under development, so '''consider this work in progress'''.

= Introduction =

* [[What is nftables?]]
* [[Why nftables?]]
* [[Main differences with iptables]]
* [[Netfilter hooks]] and integration with existing Netfilter components.

= Getting started =

* [[Building and installing nftables from sources]]
* Using [[nftables from distributions]]
* [[Troubleshooting|Troubleshooting and FAQ]]
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]

= Basic operation =

* [[Configuring tables]]
* [[Configuring chains]]
* [[Simple rule management]]
* [[Atomic rule replacement]]
* [[Error reporting from the command line]]
* [[Building rules through expressions]]
* [[Operations at ruleset level]]
* [[Monitoring ruleset updates]]
* [[Scripting]]
* [[Ruleset debug/tracing]]
* [[Moving from iptables to nftables]]

= Supported selectors for packet matching =

* [[Matching packet header fields]]
* [[Matching packet metainformation]]
* [[Matching connection tracking stateful metainformation]]
* [[Rate limiting matchings]]
* [[Routing information]]

= Possible actions on packets =

* [[Accepting and dropping packets]]
* [[Jumping to chain]]
* [[Rejecting traffic]]
* [[Logging traffic]]
* [[Performing Network Address Translation (NAT)]]
* [[Setting packet metainformation]]
* [[Queueing to userspace]]
* [[Duplicating packets]]
* [[Mangle packet header fields]]
* [[Counters]]
* [[Load balancing]]

Note that, unlike ''iptables'', you can perform several actions in one single rule.

= Advanced data structures for performance packet classification =

You will have to redesign your rule-set to benefit from these new nice features:

* [[Sets]]
* [[Dictionaries]]
* [[Intervals]]
* [[Maps]]
* [[Concatenations]]
* [[Flow tables]]
* [[Updating sets from the packet path]]
* [[Element timeouts]]
* [[Math operations]]

If you are already using [[ipset]] in your ''iptables'' rule-set, that transition may be a bit more simple to you.

= Examples =

* [[Simple ruleset for a workstation]]
* [[Bridge filtering]]
* [[Multiple NATs using nftables maps]]
* [[Classic perimetral firewall example]]
* [[Stateful objects usage]]

= Development progress =

* [[List of updates since Linux kernel 3.13]]
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]
* [[List of available translations via iptables-translate tool]]

= Videos =

* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.

= Thanks =

To the NLnet foundation for initial sponsorship of this HOWTO:

[https://nlnet.nl https://nlnet.nl/image/logo.gif]