nftables wiki - User contributions [en]

Supported features compared to xtables

2025-07-14T14:49:18Z

Fw: TCPOPTSTRIP is supported via nft_exthdr since 2022.

Last update: Mar/2022

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== RATEEST ====
* consider native interface
=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== targets: arp ===

TODO

== Supported extensions ==
(Links updated via [http://nwl.cc/~n0-1/update_nftables_wiki_xlate_links.sh script].)

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Matching routing information]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_addrtype.txlate Examples from iptables-translate testsuite]

==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_cgroup.txlate Examples from iptables-translate testsuite]
[Awaits support for cgroup2]

==== cluster ====
* nft_hash
* [https://git.netfilter.org/iptables/tree/extensions/libxt_cluster.txlate Examples from iptables-translate testsuite]

==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_headers#Matching_UDP.2FTCP_headers_in_the_same_rule|matching UDP/TCP headers in the same rule]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_comment.txlate Examples from iptables-translate testsuite]

==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connbytes.txlate Examples from iptables-translate testsuite]
==== connlabel ====
* nft_meta, since 3.16.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connlabel.txlate Examples from iptables-translate testsuite]
==== connlimit ====
* consider native interface. Refer to [[Meters]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connlimit.txlate Examples from iptables-translate testsuite]
==== connmark ====
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connmark.txlate Examples from iptables-translate testsuite]
==== conntrack ====
* nft_ct.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_conntrack.txlate Examples from iptables-translate testsuite]
==== cpu ====
* nft_meta, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_cpu.txlate Examples from iptables-translate testsuite]
==== dccp ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_dccp.txlate Examples from iptables-translate testsuite]
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_devgroup.txlate Examples from iptables-translate testsuite]
==== dscp ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_dscp.txlate Examples from iptables-translate testsuite]
==== ecn ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_ecn.txlate Examples from iptables-translate testsuite]
==== esp ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_esp.txlate Examples from iptables-translate testsuite]
==== hashlimit ====
* meter statement. Refer to [[Meters]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_hashlimit.txlate Examples from iptables-translate testsuite]
==== helper ====
* nft_ct.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_helper.txlate Examples from iptables-translate testsuite]
==== ipcomp ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_ipcomp.txlate Examples from iptables-translate testsuite]
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_iprange.txlate Examples from iptables-translate testsuite]
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_length.txlate Examples from iptables-translate testsuite]
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_limit.txlate Examples from iptables-translate testsuite]
==== mac ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_mac.txlate Examples from iptables-translate testsuite]
==== mark ====
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_mark.txlate Examples from iptables-translate testsuite]
==== multiport ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_multiport.txlate Examples from iptables-translate testsuite]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_owner.txlate Examples from iptables-translate testsuite]
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
* [https://git.netfilter.org/iptables/tree/extensions/libxt_pkttype.txlate Examples from iptables-translate testsuite]
==== policy ====
* nft_xfrm, since 5.0
* [https://git.netfilter.org/iptables/tree/extensions/libxt_policy.txlate Examples from iptables-translate testsuite]
==== recent ====
* consider native interface. Refer to [[Sets]].
==== sctp ====
* nft_payload
* nft_exthdr for --chunk-types
* [https://git.netfilter.org/iptables/tree/extensions/libxt_sctp.txlate Examples from iptables-translate testsuite]
==== socket ====
* consider native interface
* [https://git.netfilter.org/iptables/tree/extensions/libxt_socket.txlate Examples from iptables-translate testsuite]
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_statistic.txlate Examples from iptables-translate testsuite]
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libxt_tcp.txlate Examples from iptables-translate testsuite]
==== tcpmss ====
* nft_exthdr, since 4.14
* [https://git.netfilter.org/iptables/tree/extensions/libxt_tcpmss.txlate Examples from iptables-translate testsuite]

==== time ====
* nft_meta, since 5.4
* [https://git.netfilter.org/iptables/tree/extensions/libxt_time.txlate Examples from iptables-translate testsuite]

==== udp ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libxt_udp.txlate Examples from iptables-translate testsuite]

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_AUDIT.txlate Examples from iptables-translate testsuite]
==== CLASSIFY ====
* nft_meta, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_CLASSIFY.txlate Examples from iptables-translate testsuite]
==== CONNMARK ====
* nft_ct
* [https://git.netfilter.org/iptables/tree/extensions/libxt_CONNMARK.txlate Examples from iptables-translate testsuite]
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libxt_DSCP.txlate Examples from iptables-translate testsuite]
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_MARK.txlate Examples from iptables-translate testsuite]
==== NETMAP ====
* nft_nat, upcoming 5.8
==== NFLOG ====
* nft_log, since 3.17.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_NFLOG.txlate Examples from iptables-translate testsuite]
==== NFQUEUE ====
* nft_queue, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_NFQUEUE.txlate Examples from iptables-translate testsuite]
==== SECMARK ====
* nft_meta, since 4.20

==== SYNPROXY ====
* nft_synproxy, since 5.3
* [https://git.netfilter.org/iptables/tree/extensions/libxt_SYNPROXY.txlate Examples from iptables-translate testsuite]

==== TEE ====
* nft_dup, since 4.3.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TEE.txlate Examples from iptables-translate testsuite]
==== TPROXY ====
* nft_tproxy, since 4.19
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TPROXY.txlate Examples from iptables-translate testsuite]

==== TRACE ====
* nft_meta, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TRACE.txlate Examples from iptables-translate testsuite]

==== TCPMSS ====
* nft_exthdr, since 4.14
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TCPMSS.txlate Examples from iptables-translate testsuite]

==== TCPOPTSTRIP ====
* nft_exthdr, since 5.18

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
* [https://git.netfilter.org/iptables/tree/extensions/libipt_ah.txlate Examples from iptables-translate testsuite]
==== icmp ====
* nft_payload + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_icmp.txlate Examples from iptables-translate testsuite]
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_realm.txlate Examples from iptables-translate testsuite]
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libipt_ttl.txlate Examples from iptables-translate testsuite]

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_ah.txlate Examples from iptables-translate testsuite]
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_frag.txlate Examples from iptables-translate testsuite]
==== hbh ====
* nft_exthdr + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_hbh.txlate Examples from iptables-translate testsuite]
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_hl.txlate Examples from iptables-translate testsuite]
==== icmp6 ====
* nft_payload + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_icmp6.txlate Examples from iptables-translate testsuite]
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_mh.txlate Examples from iptables-translate testsuite]
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_rt.txlate Examples from iptables-translate testsuite]
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_DNAT.txlate Examples from iptables-translate testsuite]
==== LOG ====
* nft_log, since 3.17.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_LOG.txlate Examples from iptables-translate testsuite]
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_MASQUERADE.txlate Examples from iptables-translate testsuite]
==== REDIRECT ====
* nft_redirect, since 3.19.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_REDIRECT.txlate Examples from iptables-translate testsuite]

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_REJECT.txlate Examples from iptables-translate testsuite]
==== SNAT ====
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_SNAT.txlate Examples from iptables-translate testsuite]

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_DNAT.txlate Examples from iptables-translate testsuite]
==== LOG ====
* nft_log, since 3.17.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_LOG.txlate Examples from iptables-translate testsuite]
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_MASQUERADE.txlate Examples from iptables-translate testsuite]
==== REDIRECT ====
* nft_redirect, since 3.19.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_REDIRECT.txlate Examples from iptables-translate testsuite]

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_REJECT.txlate Examples from iptables-translate testsuite]
==== SNAT ====
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_SNAT.txlate Examples from iptables-translate testsuite]

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_ip.txlate Examples from iptables-translate testsuite]

==== ip6 ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_ip6.txlate Examples from iptables-translate testsuite]

==== limit ====
* nft_limit
* [https://git.netfilter.org/iptables/tree/extensions/libebt_limit.txlate Examples from iptables-translate testsuite]

==== mark ====
* nft_mark
* [https://git.netfilter.org/iptables/tree/extensions/libebt_mark_m.txlate Examples from iptables-translate testsuite]

==== pkttype ====
* nft_meta
* [https://git.netfilter.org/iptables/tree/extensions/libebt_pkttype.txlate Examples from iptables-translate testsuite]

==== stp ====
* nft_payload

==== vlan ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_vlan.txlate Examples from iptables-translate testsuite]

=== targets: bridge ===

==== dnat ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_dnat.txlate Examples from iptables-translate testsuite]

==== snat ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_snat.txlate Examples from iptables-translate testsuite]

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark
* [https://git.netfilter.org/iptables/tree/extensions/libebt_mark.txlate Examples from iptables-translate testsuite]

=== watchers: bridge ===

==== log ====
* nft_log
* [https://git.netfilter.org/iptables/tree/extensions/libebt_log.txlate Examples from iptables-translate testsuite]

==== nflog ====
* nft_log
* [https://git.netfilter.org/iptables/tree/extensions/libebt_nflog.txlate Examples from iptables-translate testsuite]

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2025-07-14T14:47:20Z

Fw: tcpoptstrip is supported since 2022, remove from unsupported list.

Last update: Mar/2022

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== RATEEST ====
* consider native interface
=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== targets: arp ===

TODO

== Supported extensions ==
(Links updated via [http://nwl.cc/~n0-1/update_nftables_wiki_xlate_links.sh script].)

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Matching routing information]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_addrtype.txlate Examples from iptables-translate testsuite]

==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_cgroup.txlate Examples from iptables-translate testsuite]
[Awaits support for cgroup2]

==== cluster ====
* nft_hash
* [https://git.netfilter.org/iptables/tree/extensions/libxt_cluster.txlate Examples from iptables-translate testsuite]

==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_headers#Matching_UDP.2FTCP_headers_in_the_same_rule|matching UDP/TCP headers in the same rule]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_comment.txlate Examples from iptables-translate testsuite]

==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connbytes.txlate Examples from iptables-translate testsuite]
==== connlabel ====
* nft_meta, since 3.16.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connlabel.txlate Examples from iptables-translate testsuite]
==== connlimit ====
* consider native interface. Refer to [[Meters]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connlimit.txlate Examples from iptables-translate testsuite]
==== connmark ====
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connmark.txlate Examples from iptables-translate testsuite]
==== conntrack ====
* nft_ct.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_conntrack.txlate Examples from iptables-translate testsuite]
==== cpu ====
* nft_meta, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_cpu.txlate Examples from iptables-translate testsuite]
==== dccp ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_dccp.txlate Examples from iptables-translate testsuite]
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_devgroup.txlate Examples from iptables-translate testsuite]
==== dscp ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_dscp.txlate Examples from iptables-translate testsuite]
==== ecn ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_ecn.txlate Examples from iptables-translate testsuite]
==== esp ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_esp.txlate Examples from iptables-translate testsuite]
==== hashlimit ====
* meter statement. Refer to [[Meters]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_hashlimit.txlate Examples from iptables-translate testsuite]
==== helper ====
* nft_ct.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_helper.txlate Examples from iptables-translate testsuite]
==== ipcomp ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_ipcomp.txlate Examples from iptables-translate testsuite]
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_iprange.txlate Examples from iptables-translate testsuite]
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_length.txlate Examples from iptables-translate testsuite]
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_limit.txlate Examples from iptables-translate testsuite]
==== mac ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_mac.txlate Examples from iptables-translate testsuite]
==== mark ====
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_mark.txlate Examples from iptables-translate testsuite]
==== multiport ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_multiport.txlate Examples from iptables-translate testsuite]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_owner.txlate Examples from iptables-translate testsuite]
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
* [https://git.netfilter.org/iptables/tree/extensions/libxt_pkttype.txlate Examples from iptables-translate testsuite]
==== policy ====
* nft_xfrm, since 5.0
* [https://git.netfilter.org/iptables/tree/extensions/libxt_policy.txlate Examples from iptables-translate testsuite]
==== recent ====
* consider native interface. Refer to [[Sets]].
==== sctp ====
* nft_payload
* nft_exthdr for --chunk-types
* [https://git.netfilter.org/iptables/tree/extensions/libxt_sctp.txlate Examples from iptables-translate testsuite]
==== socket ====
* consider native interface
* [https://git.netfilter.org/iptables/tree/extensions/libxt_socket.txlate Examples from iptables-translate testsuite]
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_statistic.txlate Examples from iptables-translate testsuite]
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libxt_tcp.txlate Examples from iptables-translate testsuite]
==== tcpmss ====
* nft_exthdr, since 4.14
* [https://git.netfilter.org/iptables/tree/extensions/libxt_tcpmss.txlate Examples from iptables-translate testsuite]

==== time ====
* nft_meta, since 5.4
* [https://git.netfilter.org/iptables/tree/extensions/libxt_time.txlate Examples from iptables-translate testsuite]

==== udp ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libxt_udp.txlate Examples from iptables-translate testsuite]

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_AUDIT.txlate Examples from iptables-translate testsuite]
==== CLASSIFY ====
* nft_meta, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_CLASSIFY.txlate Examples from iptables-translate testsuite]
==== CONNMARK ====
* nft_ct
* [https://git.netfilter.org/iptables/tree/extensions/libxt_CONNMARK.txlate Examples from iptables-translate testsuite]
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libxt_DSCP.txlate Examples from iptables-translate testsuite]
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_MARK.txlate Examples from iptables-translate testsuite]
==== NETMAP ====
* nft_nat, upcoming 5.8
==== NFLOG ====
* nft_log, since 3.17.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_NFLOG.txlate Examples from iptables-translate testsuite]
==== NFQUEUE ====
* nft_queue, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_NFQUEUE.txlate Examples from iptables-translate testsuite]
==== SECMARK ====
* nft_meta, since 4.20

==== SYNPROXY ====
* nft_synproxy, since 5.3
* [https://git.netfilter.org/iptables/tree/extensions/libxt_SYNPROXY.txlate Examples from iptables-translate testsuite]

==== TEE ====
* nft_dup, since 4.3.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TEE.txlate Examples from iptables-translate testsuite]
==== TPROXY ====
* nft_tproxy, since 4.19
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TPROXY.txlate Examples from iptables-translate testsuite]

==== TRACE ====
* nft_meta, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TRACE.txlate Examples from iptables-translate testsuite]

==== TCPMSS ====
* nft_exthdr, since 4.14
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TCPMSS.txlate Examples from iptables-translate testsuite]

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
* [https://git.netfilter.org/iptables/tree/extensions/libipt_ah.txlate Examples from iptables-translate testsuite]
==== icmp ====
* nft_payload + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_icmp.txlate Examples from iptables-translate testsuite]
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_realm.txlate Examples from iptables-translate testsuite]
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libipt_ttl.txlate Examples from iptables-translate testsuite]

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_ah.txlate Examples from iptables-translate testsuite]
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_frag.txlate Examples from iptables-translate testsuite]
==== hbh ====
* nft_exthdr + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_hbh.txlate Examples from iptables-translate testsuite]
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_hl.txlate Examples from iptables-translate testsuite]
==== icmp6 ====
* nft_payload + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_icmp6.txlate Examples from iptables-translate testsuite]
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_mh.txlate Examples from iptables-translate testsuite]
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_rt.txlate Examples from iptables-translate testsuite]
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_DNAT.txlate Examples from iptables-translate testsuite]
==== LOG ====
* nft_log, since 3.17.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_LOG.txlate Examples from iptables-translate testsuite]
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_MASQUERADE.txlate Examples from iptables-translate testsuite]
==== REDIRECT ====
* nft_redirect, since 3.19.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_REDIRECT.txlate Examples from iptables-translate testsuite]

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_REJECT.txlate Examples from iptables-translate testsuite]
==== SNAT ====
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_SNAT.txlate Examples from iptables-translate testsuite]

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_DNAT.txlate Examples from iptables-translate testsuite]
==== LOG ====
* nft_log, since 3.17.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_LOG.txlate Examples from iptables-translate testsuite]
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_MASQUERADE.txlate Examples from iptables-translate testsuite]
==== REDIRECT ====
* nft_redirect, since 3.19.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_REDIRECT.txlate Examples from iptables-translate testsuite]

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_REJECT.txlate Examples from iptables-translate testsuite]
==== SNAT ====
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_SNAT.txlate Examples from iptables-translate testsuite]

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_ip.txlate Examples from iptables-translate testsuite]

==== ip6 ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_ip6.txlate Examples from iptables-translate testsuite]

==== limit ====
* nft_limit
* [https://git.netfilter.org/iptables/tree/extensions/libebt_limit.txlate Examples from iptables-translate testsuite]

==== mark ====
* nft_mark
* [https://git.netfilter.org/iptables/tree/extensions/libebt_mark_m.txlate Examples from iptables-translate testsuite]

==== pkttype ====
* nft_meta
* [https://git.netfilter.org/iptables/tree/extensions/libebt_pkttype.txlate Examples from iptables-translate testsuite]

==== stp ====
* nft_payload

==== vlan ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_vlan.txlate Examples from iptables-translate testsuite]

=== targets: bridge ===

==== dnat ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_dnat.txlate Examples from iptables-translate testsuite]

==== snat ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_snat.txlate Examples from iptables-translate testsuite]

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark
* [https://git.netfilter.org/iptables/tree/extensions/libebt_mark.txlate Examples from iptables-translate testsuite]

=== watchers: bridge ===

==== log ====
* nft_log
* [https://git.netfilter.org/iptables/tree/extensions/libebt_log.txlate Examples from iptables-translate testsuite]

==== nflog ====
* nft_log
* [https://git.netfilter.org/iptables/tree/extensions/libebt_nflog.txlate Examples from iptables-translate testsuite]

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Nftables families

2024-05-29T11:41:34Z

Fw: inet ingress was added in d3519cb89f6d (v5.10-rc1)

[https://netfilter.org/ Netfilter] enables filtering at multiple [https://en.wikipedia.org/wiki/Internet_protocol_suite networking levels]. With iptables there is a separate tool for each level: ''iptables'', ''ip6tables'', ''arptables'', ''ebtables''. With nftables the multiple networking levels are abstracted into '''families''', all of which are served by the single tool ''nft''.

Please note that what traffic/packets you see and at which point in the network stack depends on the [[Netfilter_hooks|'''hook''']] you are using.

Following are descriptions of current nftables families. Additional families may be added in the future.

== ip ==

Tables of this family see [https://en.wikipedia.org/wiki/IPv4 IPv4] traffic/packets.
The ''iptables'' tool is the legacy x_tables equivalent.

== ip6 ==

Tables of this family see [https://en.wikipedia.org/wiki/IPv6 IPv6] traffic/packets.
The ''ip6tables'' tool is the legacy x_tables equivalent.

== inet ==

Tables of this family see both IPv4 and IPv6 traffic/packets, simplifying dual stack support.

Within a table of ''inet'' family, both IPv4 and IPv6 packets traverse the same rules. Rules for IPv4 packets don't affect IPv6 packets and vice-versa. Rules for both layer 3 protocols affect both. Use [[Matching_packet_headers#Matching_transport_protocol|meta l4proto]] to match on the layer 4 protocol regardless the packet is either IPv4 or IPv6.

Examples:
<source>
# This rule affects only IPv4 packets:
add rule inet filter input ip saddr 1.1.1.1 counter accept

# This rule affects only IPv6 packets:
add rule inet filter input ip6 daddr fe00::2 counter accept

# These rules affect both IPv4 and IPv6 packets:
add rule inet filter input ct state established,related counter accept
add rule inet filter input udp dport 53 accept
</source>

New in nftables 0.9.7 and Linux kernel 5.10 is the inet family [[Netfilter_hooks|''ingress'']] hook, which filters at the same location as the netdev ''ingress'' hook.

== arp ==

Tables of this family see [https://en.wikipedia.org/wiki/Address_Resolution_Protocol ARP]-level (i.e, L2) traffic, before any L3 handling is done by the kernel. The ''arptables'' tool is the legacy x_tables equivalent.

== bridge ==

Tables of this family see traffic/packets traversing [https://wiki.linuxfoundation.org/networking/bridge bridges] (i.e. switching). No assumptions are made about L3 protocols.

The ''ebtables'' tool is the legacy x_tables equivalent. Some old x_tables modules such as ''physdev'' will also eventually be served from the nftables ''bridge'' family.

Note that there is no nf_conntrack integration for the nftables ''bridge'' family.

== netdev ==

The ''netdev'' family is different from the others in that it is used to create base chains attached to a '''single network interface'''. Such base chains see '''all''' network traffic on the specified interface, with no assumptions about L2 or L3 protocols. Therefore you can filter ARP traffic from here. There is no legacy x_tables equivalent to the ''netdev'' family.

The principal (only?) use for this family is for base chains using the [[Netfilter_hooks|''ingress'' hook]], new in Linux kernel 4.2. Such ''ingress'' chains see network packets just after the NIC driver passes them up to the networking stack. This very early location in the packet path is ideal for dropping packets associated with [https://en.wikipedia.org/wiki/Denial-of-service_attack#Distributed_attack DDoS] attacks. Dropping packets from an ''ingress'' chain is twice as efficient as doing so from a ''prerouting'' chain. (Do note that in an ''ingress'' chain, fragmented datagrams have not yet been reassembled. So, for example, matching ip saddr and daddr works for all ip packets, but matching L4 headers like udp dport works only for unfragmented packets, or the first fragment.)

The ''ingress'' hook provides an alternative to ''tc'' ingress filtering. You still need ''tc'' for traffic shaping/queue management.

You can also use the ''ingress'' hook for [[load balancing]], including Direct Server Return (DSR), [https://netdevconf.org/1.2/slides/oct6/08_nftables_Load_Balancing_with_nftables_II_Slides.pdf that has been reported to be 10x faster].

Updating sets from the packet path

2023-02-27T08:28:56Z

Fw:

Since nftables v0.7 you can update sets from the packet path, i.e., update the content of a set based on the packets the firewall is receiving.

This usually used in combination with [[Element timeouts]], and one of the main use cases in to create dynamic black lists or ban lists.

There are two main operations: '''add''' and '''update''', which differs in how they modify any previous element timeout. The '''update''' command refreshes the element timeout for each packet seen, while '''add''' does not.

An example using the '''update''' operation, with timeouts, follows:

<source>
% nft add table filter
% nft add chain filter input { type filter hook input priority 0\; }
% nft add set filter myset { type inet_service\; flags timeout,dynamic\; }
% nft add rule filter input set update tcp dport timeout 60s @myset
% nft list ruleset
table ip filter {
set myset {
type inet_service
flags timeout
elements = { http expires 9s}
}

chain input {
type filter hook input priority 0; policy accept;
update @myset { tcp dport timeout 1m }
}
}
</source>

This example uses the '''add''' operation in a set without timeouts:

<source>
% nft add table filter
% nft add chain filter input { type filter hook input priority 0\; }
% nft add set filter myset { type ipv4_addr\; }
% nft add rule filter input set add ip saddr @myset
% nft list ruleset
table ip filter {
set myset {
type ipv4_addr
elements = { 1.1.1.1 }
}

chain input {
type filter hook input priority 0; policy accept;
add @myset { ip saddr }
}
}
</source>

List of updates since Linux kernel 3.13

2023-01-18T16:11:00Z

Fw: inner header matching

A listing of the development progress.

== 6.2 ==

* Support for inner header matching, such as "udp dport 6081 geneve ip saddr 10.141.11.2"

== 5.6 ==

* Support for ranges (intervals) in concatenations

== 4.16 ==

* flowtable support

== 4.15 ==

* Fetch single elements of a set (i.e, nft get element)

== 4.10 ==

* notrack support

== 4.3 ==

* Enhancements for the limit expression, support for ratelimit bytes/time unit.
* Dup expression (equivalent to the ''TEE'' target in iptables) for IPv4 and IPv6.
* VLAN header matching support when NIC support offloads.

== 4.2 ==

* New 'netdev' family for filtering from ingress.
* Context to x_tables extensions to know if they run from nft_compat.

== 4.1 ==

Major updates in the generic set infrastructure:

* Concatenations.
* Timeout per set elements.
* Comments per set elements.
* Dynamic set instantiation.

== 4.0 ==

* Mostly fixes.

== 3.19 ==

* redirect support.

== 3.18 ==

* masquerading support.
* meta cpu, devgroup matching.
* reject bridge support.
* destroy table and its content, ie. ''nft flush ruleset''.

== 3.17 ==

* log and nflog support for ip, ip6, arp and bridge families.

== 3.16 ==

* connlabel support.

== 3.15 ==

* Comments per rule support.
* IPv4 reject support.

== 3.14 ==

* set packet mark support.
* nfqueue support (only for ip and ip6 families).
* rule tracing support.
* IPv6 and inet reject support.

== 3.13 ==

* nf_tables merged mainstream.

Quick reference-nftables in 10 minutes

2021-10-01T13:43:38Z

Fw: /* Chains */

Find below some basic concepts to know before using nftables.

'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.

'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].

'''rule''' refers to an action to be configured within a ''chain''.

= nft command line =

''nft'' is the command line tool in order to interact with nftables at userspace.

== Tables ==

'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''.

<source lang="bash">
% nft list tables [<family>]
% nft list table [<family>] <name> [-n] [-a]
% nft (add | delete | flush) table [<family>] <name>
</source>

The argument ''-n'' shows the addresses and other information that uses names in numeric format. The ''-a'' argument is used to display the ''handle''.

== Chains ==

'''type''' refers to the kind of chain to be created. Possible types are:

* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.

'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].

* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.
* The hooks for ''arp'' family are: '' input'', ''output''.
* The ''bridge'' family handles ethernet packets traversing bridge devices.
* The hook for ''netdev'' is: ''ingress''.

'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.

'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that
have not been accepted by the ruleset.

<source lang="bash">
% nft (add | create) chain [<family>] <table> <name> [ { type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] } ]
% nft (delete | list | flush) chain [<family>] <table> <name>
% nft rename chain [<family>] <table> <name> <newname>
</source>

== Rules ==

'''handle''' is an internal number that identifies a certain ''rule''.

'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.

<source lang="bash">
% nft add rule [<family>] <table> <chain> <matches> <statements>
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements>
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements>
% nft delete rule [<family>] <table> <chain> [handle <handle>]
</source>

=== Matches ===

'''matches''' are clues used to access to certain packet information and create filters according to them.

==== Ip ====

{| class="wikitable"
!colspan="6"|ip match
|-
| | ''dscp <value>''
|
|<source lang="bash">
ip dscp cs1
ip dscp != cs1
ip dscp 0x38
ip dscp != 0x20
ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21,
af22, af23, af31, af32, af33, af41, af42, af43, ef}
</source>
|-
| ''length <length>''
| Total packet length
|<source lang="bash">
ip length 232
ip length != 233
ip length 333-435
ip length != 333-453
ip length { 333, 553, 673, 838}
</source>
|-
| ''id <id>''
| IP ID
|<source lang="bash">
ip id 22
ip id != 233
ip id 33-45
ip id != 33-45
ip id { 33, 55, 67, 88 }
</source>
|-
| ''frag-off <value>''
| Fragmentation offset
|<source lang="bash">
ip frag-off 222
ip frag-off != 233
ip frag-off 33-45
ip frag-off != 33-45
ip frag-off { 33, 55, 67, 88 }
</source>
|-
| ''ttl <ttl>''
| Time to live
|<source lang="bash">
ip ttl 0
ip ttl 233
ip ttl 33-55
ip ttl != 45-50
ip ttl { 43, 53, 45 }
ip ttl { 33-55 }
</source>
|-
| ''protocol <protocol>''
| Upper layer protocol
|<source lang="bash">
ip protocol tcp
ip protocol 6
ip protocol != tcp
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }
</source>
|-
| ''checksum <checksum>''
| IP header checksum
|<source lang="bash">
ip checksum 13172
ip checksum 22
ip checksum != 233
ip checksum 33-45
ip checksum != 33-45
ip checksum { 33, 55, 67, 88 }
ip checksum { 33-55 }
</source>
|-
| ''saddr <ip source address>''
| Source address
|<source lang="bash">
ip saddr 192.168.2.0/24
ip saddr != 192.168.2.0/24
ip saddr 192.168.3.1 ip daddr 192.168.3.100
ip saddr != 1.1.1.1
ip saddr 1.1.1.1
ip saddr & 0xff == 1
ip saddr & 0.0.0.255 < 0.0.0.127
</source>
|-
| ''daddr <ip destination address>''
| Destination address
|<source lang="bash">
ip daddr 192.168.0.1
ip daddr != 192.168.0.1
ip daddr 192.168.0.1-192.168.0.250
ip daddr 10.0.0.0-10.255.255.255
ip daddr 172.16.0.0-172.31.255.255
ip daddr 192.168.3.1-192.168.4.250
ip daddr != 192.168.0.1-192.168.0.250
ip daddr { 192.168.0.1-192.168.0.250 }
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }
</source>
|-
| ''version <version>''
| Ip Header version
|<source lang="bash">
ip version 4
</source>
|-
| ''hdrlength <header length>''
| IP header length
|<source lang="bash">
ip hdrlength 0
ip hdrlength 15
</source>
|}

==== Ip6 ====

{| class="wikitable"
!colspan="6"|ip6 match
|-
| ''dscp <value>''
|
|<source lang="bash">
ip6 dscp cs1
ip6 dscp != cs1
ip6 dscp 0x38
ip6 dscp != 0x20
ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
</source>
|-
| ''flowlabel <label>''
| Flow label
|<source lang="bash">
ip6 flowlabel 22
ip6 flowlabel != 233
ip6 flowlabel { 33, 55, 67, 88 }
ip6 flowlabel { 33-55 }
</source>
|-
| ''length <length>''
| Payload length
|<source lang="bash">
ip6 length 232
ip6 length != 233
ip6 length 333-435
ip6 length != 333-453
ip6 length { 333, 553, 673, 838}
</source>
|-
| ''nexthdr <header>''
| Next header type (Upper layer protocol number)
|<source lang="bash">
ip6 nexthdr {esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6}
ip6 nexthdr esp
ip6 nexthdr != esp
ip6 nexthdr { 33-44 }
ip6 nexthdr 33-44
ip6 nexthdr != 33-44
</source>
|-
| ''hoplimit <hoplimit>''
| Hop limit
|<source lang="bash">
ip6 hoplimit 1
ip6 hoplimit != 233
ip6 hoplimit 33-45
ip6 hoplimit != 33-45
ip6 hoplimit {33, 55, 67, 88}
ip6 hoplimit {33-55}
</source>
|-
| ''saddr <ip source address>''
| Source Address
|<source lang="bash">
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234
ip6 saddr ::/64
ip6 saddr ::1 ip6 daddr ::2
</source>
|-
| ''daddr <ip destination address>''
| Destination Address
|<source lang="bash">
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234
</source>
|-
| ''version <version>''
| IP header version
|<source lang="bash">
ip6 version 6
</source>
|}

==== Tcp ====

{| class="wikitable"
!colspan="6"|tcp match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
tcp dport 22
tcp dport != 33-45
tcp dport { 33-55 }
tcp dport {telnet, http, https }
tcp dport vmap { 22 : accept, 23 : drop }
tcp dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
tcp sport 22
tcp sport != 33-45
tcp sport { 33, 55, 67, 88}
tcp sport { 33-55}
tcp sport vmap { 25:accept, 28:drop }
tcp sport 1024 tcp dport 22
</source>
|-
| ''sequence <value>''
| Sequence number
|<source lang="bash">
tcp sequence 22
tcp sequence != 33-45
</source>
|-
| ''ackseq <value>''
| Acknowledgement number
|<source lang="bash">
tcp ackseq 22
tcp ackseq != 33-45
tcp ackseq { 33, 55, 67, 88 }
tcp ackseq { 33-55 }
</source>
|-
| ''flags <flags>''
| TCP flags
|<source lang="bash">
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr}
tcp flags cwr
tcp flags != cwr
</source>
|-
| ''window <value>''
| Window
|<source lang="bash">
tcp window 22
tcp window != 33-45
tcp window { 33, 55, 67, 88 }
tcp window { 33-55 }
</source>
|-
| ''checksum <checksum>''
| IP header checksum
|<source lang="bash">
tcp checksum 22
tcp checksum != 33-45
tcp checksum { 33, 55, 67, 88 }
tcp checksum { 33-55 }
</source>
|-
| ''urgptr <pointer>''
| Urgent pointer
|<source lang="bash">
tcp urgptr 22
tcp urgptr != 33-45
tcp urgptr { 33, 55, 67, 88 }
</source>
|-
| ''doff <offset>''
| Data offset
|<source lang="bash">
tcp doff 8
</source>
|}

==== Udp ====

{| class="wikitable"
!colspan="6"|udp match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
udp dport 22
udp dport != 33-45
udp dport { 33-55 }
udp dport {telnet, http, https }
udp dport vmap { 22 : accept, 23 : drop }
udp dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
udp sport 22
udp sport != 33-45
udp sport { 33, 55, 67, 88}
udp sport { 33-55}
udp sport vmap { 25:accept, 28:drop }
udp sport 1024 tcp dport 22
</source>
|-
| ''length <length>''
| Total packet length
|<source lang="bash">
udp length 6666
udp length != 50-65
udp length { 50, 65 }
udp length { 35-50 }
</source>
|-
| ''checksum <checksum>''
| UDP checksum
|<source lang="bash">
udp checksum 22
udp checksum != 33-45
udp checksum { 33, 55, 67, 88 }
udp checksum { 33-55 }
</source>
|}

==== Udplite ====

{| class="wikitable"
!colspan="6"|udplite match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
udplite dport 22
udplite dport != 33-45
udplite dport { 33-55 }
udplite dport {telnet, http, https }
udplite dport vmap { 22 : accept, 23 : drop }
udplite dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
udplite sport 22
udplite sport != 33-45
udplite sport { 33, 55, 67, 88}
udplite sport { 33-55}
udplite sport vmap { 25:accept, 28:drop }
udplite sport 1024 tcp dport 22
</source>
|-
| ''checksum <checksum>''
| Checksum
|<source lang="bash">
udplite checksum 22
udplite checksum != 33-45
udplite checksum { 33, 55, 67, 88 }
udplite checksum { 33-55 }
</source>
|}

==== Sctp ====

{| class="wikitable"
!colspan="6"|sctp match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
sctp dport 22
sctp dport != 33-45
sctp dport { 33-55 }
sctp dport {telnet, http, https }
sctp dport vmap { 22 : accept, 23 : drop }
sctp dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
sctp sport 22
sctp sport != 33-45
sctp sport { 33, 55, 67, 88}
sctp sport { 33-55}
sctp sport vmap { 25:accept, 28:drop }
sctp sport 1024 tcp dport 22
</source>
|-
| ''checksum <checksum>''
| Checksum
|<source lang="bash">
sctp checksum 22
sctp checksum != 33-45
sctp checksum { 33, 55, 67, 88 }
sctp checksum { 33-55 }
</source>
|-
| ''vtag <tag>''
| Verification tag
|<source lang="bash">
sctp vtag 22
sctp vtag != 33-45
sctp vtag { 33, 55, 67, 88 }
sctp vtag { 33-55 }
</source>
|-
| ''chunk <type>''
| Existence of a chunk with given type in packet
|<source lang="bash">
sctp chunk init exists
sctp chunk error missing
</source>
|-
| ''chunk <type> <field>''
| A chunk's field value (implies chunk existence)
|<sourcex lang="bash">
sctp chunk init flags 0x1
sctp chunk data tsn 0x23
</source>
|}

==== Dccp ====

{| class="wikitable"
!colspan="6"|dccp match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
dccp dport 22
dccp dport != 33-45
dccp dport { 33-55 }
dccp dport {telnet, http, https }
dccp dport vmap { 22 : accept, 23 : drop }
dccp dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
dccp sport 22
dccp sport != 33-45
dccp sport { 33, 55, 67, 88}
dccp sport { 33-55}
dccp sport vmap { 25:accept, 28:drop }
dccp sport 1024 tcp dport 22
</source>
|-
| ''type <type>''
| Type of packet
|<source lang="bash">
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
dccp type request
dccp type != request
</source>
|}

==== Ah ====

{| class="wikitable"
!colspan="6"|ah match
|-
| ''hdrlength <length>''
| AH header length
|<source lang="bash">
ah hdrlength 11-23
ah hdrlength != 11-23
ah hdrlength {11, 23, 44 }
</source>
|-
| ''reserved <value>''
|
|<source lang="bash">
ah reserved 22
ah reserved != 33-45
ah reserved {23, 100 }
ah reserved { 33-55 }
</source>
|-
| ''spi <value>''
|
|<source lang="bash">
ah spi 111
ah spi != 111-222
ah spi {111, 122 }
</source>
|-
| ''sequence <sequence>''
| Sequence Number
|<source lang="bash">
ah sequence 123
ah sequence {23, 25, 33}
ah sequence != 23-33
</source>
|}

==== Esp ====

{| class="wikitable"
!colspan="6"|esp match
|-
| ''spi <value>''
|
|<source lang="bash">
esp spi 111
esp spi != 111-222
esp spi {111, 122 }
</source>
|-
| ''sequence <sequence>''
| Sequence Number
|<source lang="bash">
esp sequence 123
esp sequence {23, 25, 33}
esp sequence != 23-33
</source>
|}

==== Comp ====

{| class="wikitable"
!colspan="6"|comp match
|-
| ''nexthdr <protocol>''
| Next header protocol (Upper layer protocol)
|<source lang="bash">
comp nexthdr != esp
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}
</source>
|-
| ''flags <flags>''
| Flags
|<source lang="bash">
comp flags 0x0
comp flags != 0x33-0x45
comp flags {0x33, 0x55, 0x67, 0x88}
</source>
|-
| ''cpi <value>''
| Compression Parameter Index
|<source lang="bash">
comp cpi 22
comp cpi != 33-45
comp cpi {33, 55, 67, 88}
</source>
|}

==== Icmp ====

{| class="wikitable"
!colspan="6"|icmp match
|-
| ''type <type>''
| ICMP packet type
|<source lang="bash">
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}
</source>
|-
| ''code <code>''
| ICMP packet code
|<source lang="bash">
icmp code 111
icmp code != 33-55
icmp code { 2, 4, 54, 33, 56}
</source>
|-
| ''checksum <value>''
| ICMP packet checksum
|<source lang="bash">
icmp checksum 12343
icmp checksum != 11-343
icmp checksum { 1111, 222, 343 }
</source>
|-
| ''id <value>''
| ICMP packet id
|<source lang="bash">
icmp id 12343
icmp id != 11-343
icmp id { 1111, 222, 343 }
</source>
|-
| ''sequence <value>''
| ICMP packet sequence
|<source lang="bash">
icmp sequence 12343
icmp sequence != 11-343
icmp sequence { 1111, 222, 343 }
</source>
|-
| ''mtu <value>''
| ICMP packet mtu
|<source lang="bash">
icmp mtu 12343
icmp mtu != 11-343
icmp mtu { 1111, 222, 343 }
</source>
|-
| ''gateway <value>''
| ICMP packet gateway
|<source lang="bash">
icmp gateway 12343
icmp gateway != 11-343
icmp gateway { 1111, 222, 343 }
</source>
|}

==== Icmpv6 ====

{| class="wikitable"
!colspan="6"|icmpv6 match
|-
| ''type <type>''
| ICMPv6 packet type
|<source lang="bash">
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering}
</source>
|-
| ''code <code>''
| ICMPv6 packet code
|<source lang="bash">
icmpv6 code 4
icmpv6 code 3-66
icmpv6 code {5, 6, 7}
</source>
|-
| ''checksum <value>''
| ICMPv6 packet checksum
|<source lang="bash">
icmpv6 checksum 12343
icmpv6 checksum != 11-343
icmpv6 checksum { 1111, 222, 343 }
</source>
|-
| ''id <value>''
| ICMPv6 packet id
|<source lang="bash">
icmpv6 id 12343
icmpv6 id != 11-343
icmpv6 id { 1111, 222, 343 }
</source>
|-
| ''sequence <value>''
| ICMPv6 packet sequence
|<source lang="bash">
icmpv6 sequence 12343
icmpv6 sequence != 11-343
icmpv6 sequence { 1111, 222, 343 }
</source>
|-
| ''mtu <value>''
| ICMPv6 packet mtu
|<source lang="bash">
icmpv6 mtu 12343
icmpv6 mtu != 11-343
icmpv6 mtu { 1111, 222, 343 }
</source>
|-
| ''max-delay <value>''
| ICMPv6 packet max delay
|<source lang="bash">
icmpv6 max-delay 33-45
icmpv6 max-delay != 33-45
icmpv6 max-delay {33, 55, 67, 88}
</source>
|}

==== Ether ====

{| class="wikitable"
!colspan="6"|ether match
|-
| ''saddr <mac address>''
| Source mac address
|<source lang="bash">
ether saddr 00:0f:54:0c:11:04
</source>
|-
| ''type <type>''
|
|<source lang="bash">
ether type vlan
</source>
|}

==== Dst ====

{| class="wikitable"
!colspan="6"|dst match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
dst nexthdr 22
dst nexthdr != 33-45
</source>
|-
| ''hdrlength <length>''
| Header Length
|<source lang="bash">
dst hdrlength 22
dst hdrlength != 33-45
dst hdrlength { 33, 55, 67, 88 }
</source>
|}

==== Frag ====

{| class="wikitable"
!colspan="6"|frag match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}
frag nexthdr 6
frag nexthdr != 50-51
</source>
|-
| ''reserved <value>''
|
|<source lang="bash">
frag reserved 22
frag reserved != 33-45
frag reserved { 33, 55, 67, 88}
</source>
|-
| ''frag-off <value>''
|
|<source lang="bash">
frag frag-off 22
frag frag-off != 33-45
frag frag-off { 33, 55, 67, 88}
</source>
|-
| ''more-fragments <value>''
|
|<source lang="bash">
frag more-fragments 0
frag more-fragments 0
</source>
|-
| ''id <value>''
|
|<source lang="bash">
frag id 1
frag id 33-45
</source>
|}

==== Hbh ====

{| class="wikitable"
!colspan="6"|hbh match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}
hbh nexthdr 22
hbh nexthdr != 33-45
</source>
|-
| ''hdrlength <length>''
| Header Length
|<source lang="bash">
hbh hdrlength 22
hbh hdrlength != 33-45
hbh hdrlength { 33, 55, 67, 88 }
</source>
|}

==== Mh ====

{| class="wikitable"
!colspan="6"|mh match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
mh nexthdr 22
mh nexthdr != 33-45
</source>
|-
| ''hdrlength <length>''
| Header Length
|<source lang="bash">
mh hdrlength 22
mh hdrlength != 33-45
mh hdrlength { 33, 55, 67, 88 }
</source>
|-
| ''type <type>''
|
|<source lang="bash">
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
mh type home-agent-switch-message
mh type != home-agent-switch-message
</source>
|-
| ''reserved <value>''
|
|<source lang="bash">
mh reserved 22
mh reserved != 33-45
mh reserved { 33, 55, 67, 88}
</source>
|-
| ''checksum <value>''
|
|<source lang="bash">
mh checksum 22
mh checksum != 33-45
mh checksum { 33, 55, 67, 88}
</source>
|}

==== Rt ====

{| class="wikitable"
!colspan="6"|rt match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
rt nexthdr 22
rt nexthdr != 33-45
</source>
|-
| ''hdrlength <length>''
| Header Length
|<source lang="bash">
rt hdrlength 22
rt hdrlength != 33-45
rt hdrlength { 33, 55, 67, 88 }
</source>
|-
| ''type <type>''
|
|<source lang="bash">
rt type 22
rt type != 33-45
rt type { 33, 55, 67, 88 }
</source>
|-
| ''seg-left <value>''
|
|<source lang="bash">
rt seg-left 22
rt seg-left != 33-45
rt seg-left { 33, 55, 67, 88}
</source>
|}

==== Vlan ====

{| class="wikitable"
!colspan="6"|vlan match
|-
| ''id <value>''
| Vlan tag ID
|<source lang="bash">
vlan id 4094
vlan id 0
</source>
|-
| ''cfi <value>''
|
|<source lang="bash">
vlan cfi 0
vlan cfi 1
</source>
|-
| ''pcp <value>''
|
|<source lang="bash">
vlan pcp 7
vlan pcp 3
</source>
|}

==== Arp ====

{| class="wikitable"
!colspan="6"|arp match
|-
| ''ptype <value>''
| Payload type
|<source lang="bash">
arp ptype 0x0800
</source>
|-
| ''htype <value>''
| Header type
|<source lang="bash">
arp htype 1
arp htype != 33-45
arp htype { 33, 55, 67, 88}
</source>
|-
| ''hlen <length>''
| Header Length
|<source lang="bash">
arp hlen 1
arp hlen != 33-45
arp hlen { 33, 55, 67, 88}
</source>
|-
| ''plen <length>''
| Payload length
|<source lang="bash">
arp plen 1
arp plen != 33-45
arp plen { 33, 55, 67, 88}
</source>
|-
| ''operation <value>''
|
|<source lang="bash">
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
</source>
|}

==== Ct ====

{| class="wikitable"
!colspan="6"|ct match
|-
| ''state <state>''
| State of the connection
|<source lang="bash">
ct state { new, established, related, untracked }
ct state != related
ct state established
ct state 8
</source>
|-
| ''direction <value>''
| Direction of the packet relative to the connection
|<source lang="bash">
ct direction original
ct direction != original
ct direction {reply, original}
</source>
|-
| ''status <status>''
| Status of the connection
|<source lang="bash">
ct status expected
(ct status & expected) != expected
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}
</source>
|-
| ''mark [set] ''
| Mark of the connection
|<source lang="bash">
ct mark 0
ct mark or 0x23 == 0x11
ct mark or 0x3 != 0x1
ct mark and 0x23 == 0x11
ct mark and 0x3 != 0x1
ct mark xor 0x23 == 0x11
ct mark xor 0x3 != 0x1
ct mark 0x00000032
ct mark != 0x00000032
ct mark 0x00000032-0x00000045
ct mark != 0x00000032-0x00000045
ct mark {0x32, 0x2222, 0x42de3}
ct mark {0x32-0x2222, 0x4444-0x42de3}
ct mark set 0x11 xor 0x1331
ct mark set 0x11333 and 0x11
ct mark set 0x12 or 0x11
ct mark set 0x11
ct mark set mark
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }
</source>
|-
| ''expiration <time>''
| Connection expiration time
|<source lang="bash">
ct expiration 30
ct expiration 30s
ct expiration != 233
ct expiration != 3m53s
ct expiration 33-45
ct expiration 33s-45s
ct expiration != 33-45
ct expiration != 33s-45s
ct expiration {33, 55, 67, 88}
ct expiration { 1m7s, 33s, 55s, 1m28s}
</source>
|-
| ''helper "<helper>"''
| Helper associated with the connection
|<source lang="bash">
ct helper "ftp"
</source>
|-
| | ''[original | reply] bytes <value>''
|
|<source lang="bash">
ct original bytes > 100000
ct bytes > 100000
</source>
|-
| | ''[original | reply] packets <value>''
|
|<source lang="bash">
ct reply packets < 100
</source>
|-
| | ''[original | reply] ip saddr <ip source address>''
|
|<source lang="bash">
ct original ip saddr 192.168.0.1
ct reply ip saddr 192.168.0.1
ct original ip saddr 192.168.1.0/24
ct reply ip saddr 192.168.1.0/24
</source>
|-
| | ''[original | reply] ip daddr <ip destination address>''
|
|<source lang="bash">
ct original ip daddr 192.168.0.1
ct reply ip daddr 192.168.0.1
ct original ip daddr 192.168.1.0/24
ct reply ip daddr 192.168.1.0/24
</source>
|-
| | ''[original | reply] l3proto <protocol>''
|
|<source lang="bash">
ct original l3proto ipv4
</source>
|-
| | ''[original | reply] protocol <protocol>''
|
|<source lang="bash">
ct original protocol 6
</source>
|-
| | ''[original | reply] proto-dst <port>''
|
|<source lang="bash">
ct original proto-dst 22
</source>
|-
| | ''[original | reply] proto-src <port>''
|
|<source lang="bash">
ct reply proto-src 53
</source>
|-
| | ''count [over] <number of connections>''
|
|<source lang="bash">
ct count over 2

tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]
</source>
|}

==== Meta ====

[[Matching packet metainformation|''meta'']] matches packet by metainformation.

{| class="wikitable"
!colspan="6"|meta match
|-
| ''iifname <input interface name>''
| Input interface name
|<source lang="bash">
meta iifname "eth0"
meta iifname != "eth0"
meta iifname {"eth0", "lo"}
meta iifname "eth*"
</source>
|-
| ''oifname <output interface name>''
| Output interface name
|<source lang="bash">
meta oifname "eth0"
meta oifname != "eth0"
meta oifname {"eth0", "lo"}
meta oifname "eth*"
</source>
|-
| ''iif <input interface index>''
| Input interface index
|<source lang="bash">
meta iif eth0
meta iif != eth0
</source>
|-
| ''oif <output interface index>''
| Output interface index
|<source lang="bash">
meta oif lo
meta oif != lo
meta oif {eth0, lo}
</source>
|-
| ''iiftype <input interface type>''
| Input interface type
|<source lang="bash">
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
meta iiftype != ether
meta iiftype ether
</source>
|-
| ''oiftype <output interface type>''
| Output interface hardware type
|<source lang="bash">
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
meta oiftype != ether
meta oiftype ether
</source>
|-
| ''length <length>''
| Length of the packet in bytes
|<source lang="bash">
meta length 1000
meta length != 1000
meta length > 1000
meta length 33-45
meta length != 33-45
meta length { 33, 55, 67, 88 }
meta length { 33-55, 67-88 }
</source>
|-
| ''protocol <protocol>''
| ethertype protocol
|<source lang="bash">
meta protocol ip
meta protocol != ip
meta protocol { ip, arp, ip6, vlan }
</source>
|-
| ''nfproto <protocol>''
|
|<source lang="bash">
meta nfproto ipv4
meta nfproto != ipv6
meta nfproto { ipv4, ipv6 }
</source>
|-
| ''l4proto <protocol>''
|
|<source lang="bash">
meta l4proto 22
meta l4proto != 233
meta l4proto 33-45
meta l4proto { 33, 55, 67, 88 }
meta l4proto { 33-55 }
</source>
|-
| ''mark [set] ''
| Packet mark
|<source lang="bash">
meta mark 0x4
meta mark 0x00000032
meta mark and 0x03 == 0x01
meta mark and 0x03 != 0x01
meta mark != 0x10
meta mark or 0x03 == 0x01
meta mark or 0x03 != 0x01
meta mark xor 0x03 == 0x01
meta mark xor 0x03 != 0x01
meta mark set 0xffffffc8 xor 0x16
meta mark set 0x16 and 0x16
meta mark set 0xffffffe9 or 0x16
meta mark set 0xffffffde and 0x16
meta mark set 0x32 or 0xfffff
meta mark set 0xfffe xor 0x16
</source>
|-
| ''priority [set] <priority>''
| tc class id
|<source lang="bash">
meta priority none
meta priority 0x1:0x1
meta priority 0x1:0xffff
meta priority 0xffff:0xffff
meta priority set 0x1:0x1
meta priority set 0x1:0xffff
meta priority set 0xffff:0xffff
</source>
|-
| ''skuid <user id>''
| UID associated with originating socket
|<source lang="bash">
meta skuid {bin, root, daemon}
meta skuid root
meta skuid != root
meta skuid lt 3000
meta skuid gt 3000
meta skuid eq 3000
meta skuid 3001-3005
meta skuid != 2001-2005
meta skuid { 2001-2005 }
</source>
|-
| ''skgid <group id>''
| GID associated with originating socket
|<source lang="bash">
meta skgid {bin, root, daemon}
meta skgid root
meta skgid != root
meta skgid lt 3000
meta skgid gt 3000
meta skgid eq 3000
meta skgid 3001-3005
meta skgid != 2001-2005
meta skgid { 2001-2005 }
</source>
|-
| ''rtclassid <class>''
| Routing realm
|<source lang="bash">
meta rtclassid cosmos
</source>
|-
| ''pkttype <type>''
| Packet type
|<source lang="bash">
meta pkttype broadcast
meta pkttype != broadcast
meta pkttype { broadcast, unicast, multicast}
</source>
|-
| ''cpu <cpu index>''
| CPU ID
|<source lang="bash">
meta cpu 1
meta cpu != 1
meta cpu 1-3
meta cpu != 1-2
meta cpu { 2,3 }
meta cpu { 2-3, 5-7 }
</source>
|-
| ''iifgroup <input group>''
| Input interface group
|<source lang="bash">
meta iifgroup 0
meta iifgroup != 0
meta iifgroup default
meta iifgroup != default
meta iifgroup {default}
meta iifgroup { 11,33 }
meta iifgroup {11-33}
</source>
|-
| ''oifgroup <group>''
| Output interface group
|<source lang="bash">
meta oifgroup 0
meta oifgroup != 0
meta oifgroup default
meta oifgroup != default
meta oifgroup {default}
meta oifgroup { 11,33 }
meta oifgroup {11-33}
</source>
|-
| ''cgroup <group>''
|
|<source lang="bash">
meta cgroup 1048577
meta cgroup != 1048577
meta cgroup { 1048577, 1048578 }
meta cgroup 1048577-1048578
meta cgroup != 1048577-1048578
meta cgroup {1048577-1048578}
</source>
|}

=== Statements ===

'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.

==== Verdict statements ====

The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:

* ''accept'': Accept the packet and stop the remain rules evaluation.
* ''drop'': Drop the packet and stop the remain rules evaluation.
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.
* ''continue'': Continue the ruleset evaluation with the next rule.
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement

==== Log ====

{| class="wikitable"
!colspan="6"|log statement
|-
| ''level [over] <value> <unit> [burst <value> <unit>]''
| Log level
|<source lang="bash">
log
log level emerg
log level alert
log level crit
log level err
log level warn
log level notice
log level info
log level debug
</source>
|-
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''
|
|<source lang="bash">
log prefix aaaaa-aaaaaa group 2 snaplen 33
log group 2 queue-threshold 2
log group 2 snaplen 33
</source>
|}

==== Reject ====

The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.

More information on the [[Rejecting_traffic]] page.

{| class="wikitable"
!colspan="6"|reject statement
|-
| ''with <protocol> type <type>''
|
|<source lang="bash">
reject
reject with icmp type host-unreachable
reject with icmp type net-unreachable
reject with icmp type prot-unreachable
reject with icmp type port-unreachable
reject with icmp type net-prohibited
reject with icmp type host-prohibited
reject with icmp type admin-prohibited
reject with icmpv6 type no-route
reject with icmpv6 type admin-prohibited
reject with icmpv6 type addr-unreachable
reject with icmpv6 type port-unreachable
reject with icmpx type host-unreachable
reject with icmpx type no-route
reject with icmpx type admin-prohibited
reject with icmpx type port-unreachable
ip protocol tcp reject with tcp reset
</source>
|}

==== Counter ====

{| class="wikitable"
!colspan="6"|counter statement
|-
| ''packets <packets> bytes <bytes>''
|
|<source lang="bash">
counter
counter packets 0 bytes 0
</source>
|}

==== Limit ====

{| class="wikitable"
!colspan="6"|limit statement
|-
| ''rate [over] <value> <unit> [burst <value> <unit>]''
| Rate limit
|<source lang="bash">
limit rate 400/minute
limit rate 400/hour
limit rate over 40/day
limit rate over 400/week
limit rate over 1023/second burst 10 packets
limit rate 1025 kbytes/second
limit rate 1023000 mbytes/second
limit rate 1025 bytes/second burst 512 bytes
limit rate 1025 kbytes/second burst 1023 kbytes
limit rate 1025 mbytes/second burst 1025 kbytes
limit rate 1025000 mbytes/second burst 1023 mbytes
</source>
|}

==== Nat ====

{| class="wikitable"
!colspan="6"|nat statement
|-
| ''dnat to <destination address>''
| Destination address translation
|<source lang="bash">
dnat to 192.168.3.2
dnat to ct mark map { 0x00000014 : 1.2.3.4}
</source>
|-
| ''snat to <ip source address>''
| Source address translation
|<source lang="bash">
snat to 192.168.3.2
snat to 2001:838:35f:1::-2001:838:35f:2:::100
</source>
|-
| ''masquerade [<type>] [to :<port>]''
| Masquerade
|<source lang="bash">
masquerade
masquerade persistent,fully-random,random
masquerade to :1024
masquerade to :1024-2048
</source>
|}

==== Queue ====

{| class="wikitable"
!colspan="6"|queue statement
|-
| ''num <value> <scheduler>''
|
|<source lang="bash">
queue
queue num 2
queue num 2-3
queue num 4-5 fanout bypass
queue num 4-5 fanout
queue num 4-5 bypass
</source>
|}

== Extras ==

=== Export Configuration ===

<source lang="bash">
% nft export (xml | json)
</source>

=== Monitor Events ===

Monitor events from Netlink creating filters.

<source lang="bash">
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]
</source>

= Nft scripting =

== List ruleset ==

<source lang="bash">
% nft list ruleset
</source>

== Flush ruleset ==

<source lang="bash">
% nft flush ruleset
</source>

== Load ruleset ==

Create a command batch file and load it with the nft interpreter,

<source lang="bash">
% echo "flush ruleset" > /etc/nftables.rules
% echo "add table filter" >> /etc/nftables.rules
% echo "add chain filter input" >> /etc/nftables.rules
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules
% nft -f /etc/nftables.rules
</source>

or create an executable nft script file,

<source lang="bash">
% cat << EOF > /etc/nftables.rules
> #!/usr/local/sbin/nft -f
> flush ruleset
> add table filter
> add chain filter input
> add rule filter input meta iifname lo accept
> EOF
% chmod u+x /etc/nftables.rules
% /etc/nftables.rules
</source>

or create an executable nft script file from an already created ruleset,

<source lang="bash">
% nft list ruleset > /etc/nftables.rules
% nft flush ruleset
% nft -f /etc/nftables.rules
</source>

= Examples =

== Simple IP/IPv6 Firewall ==

<source lang="bash">
flush ruleset

table firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# loopback interface
iifname lo accept

# icmp
icmp type echo-request accept

# open tcp ports: sshd (22), httpd (80)
tcp dport {ssh, http} accept
}
}

table ip6 firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# invalid connections
ct state invalid drop

# loopback interface
iifname lo accept

# icmp
# routers may also want: mld-listener-query, nd-router-solicit
icmpv6 type {echo-request,nd-neighbor-solicit} accept

# open tcp ports: sshd (22), httpd (80)
tcp dport {ssh, http} accept
}
}
</source>

Conntrack helpers

2021-03-12T11:22:55Z

Fw: add explicit warning wrt. helper use on routers

Some internet protocols use multiple ports that are negotiated between endpoints during the initial connection. Netfilter's [[Connection_Tracking_System|connection tracking system]] uses protocol helpers that look inside these negotiation packets to determine which ports will be part of the connection. The ct helper tells conntrack to expect packets to these ports; when such packets arrive conntrack assigns them ''related'' status.

To enable a conntrack helper in your ruleset:
# Add a ''ct helper <my_ct_helper>'' stateful object which specifies the in-kernel name of the ct helper to use.
# Add a filter rule for the initial protocol negotiation connection, using a ''ct helper set "<my_ct_helper>"'' statement to specify which ct helper to use.
# Add filter rules as necessary to allow initial, established and related packets through your firewall.

The following heavily-commented example shows how to enable a helper for [https://en.wikipedia.org/wiki/File_Transfer_Protocol ftp] traffic to the usual tcp/21 port:
<source>
table inet stateful_ftp {

# 1. ct helper stateful object
# "ftp-standard" is the name of this ct helper stateful object.
# "ftp" is the in-kernel name of the ct helper for ftp.
ct helper ftp-standard {
type "ftp" protocol tcp;
}

chain PRE {
type filter hook prerouting priority filter;

# 2. Rule for initial ftp connection (control channel), specifying ct helper stateful object to use.
# NOTE "ftp-standard" is the name of the ct helper stateful object.
tcp dport 21 ct helper set "ftp-standard"
}

# Example (partial) input filter base chain.
# NOTE default policy drop - we have to explicitly accept all allowed packets.
chain IN {
type filter hook input priority filter; policy drop;

# 3a. Rule for ftp control channel.
# NOTE conntrack works here without needing helper.
tcp dport 21 ct state new,established accept

# 3b. Rule for related packets on ftp data channel.
# NOTE in-kernel ct helper name "ftp" is used here;
# trying to use ct helper stateful object name "ftp-standard" will NOT work.
ct helper "ftp" accept
}
}
</source>

Further comments on above example:
* Rule 2 enables our ''ftp-standard'' ct helper in a ''prerouting'' chain. This makes the ct helper available to both forwarded and input traffic flows. If for some reason you want the ct helper to only be available for forwarded OR input flows, you can put Rule 2 in a ''forward'' or ''input'' chain, respectively.
* You may want to be more restrictive in Rule 3b. For example if you are using ftp passive mode you could use
<source>ct state related ip daddr $ftphost ct helper "ftp" tcp dport { 1024-65535 } accept</source> and drop other tcp-related traffic.

If the helper is needed for a host behind a stateful router its criticial to limit the helper assigment and the "releated" connections to the specific server.
This is because helpers may allow arbitrary port forwarding, much like allowing untrusted remote hosts to inject "dnat"-based port forwarding rules.

You can read more on how to enable conntrack helpers in a secure way [https://github.com/regit/secure-conntrack-helpers/blob/master/secure-conntrack-helpers.rst here].

= Supported conntrack helpers =

Conntrack provides the following helpers:

* FTP
* TFTP
* NetBIOS
* IRC
* SIP
* H.323
* SNMP
* PPTP
* SANE
* Amanda

The [https://conntrack-tools.netfilter.org/manual.html#helpers conntrackd] daemon also provides support for userspace helpers, such as:

* DHCPv6
* MDNS
* SLP
* SSDP
* RPC
* NFS version 3
* Oracle TNS

Bridge filtering

2020-11-26T22:12:55Z

Fw: /* Examples */

== Examples ==

Filter on TCP destination port in ipv4 packets:

<source lang="bash">
nft add rule bridge filter forward ether type ip tcp dport 22 accept
</source>

Accept arp packet:

<source lang="bash">
nft add rule bridge filter forward ether type arp accept
</source>

Bridge filtering

2020-11-26T22:12:13Z

Fw: /* Limitation */

== Examples ==

Filter on TCP destination port:

<source lang="bash">
nft add rule bridge filter forward ether type ip tcp dport 22 accept
</source>

Accept arp packet:

<source lang="bash">
nft add rule bridge filter forward ether type arp accept
</source>

Matching packet metainformation

2020-11-26T22:11:47Z

Fw: fix in/output bridge keywords.

The meta selectors allows you to match ([[Setting_packet_metainformation |and in some cases, set]]) packet metainformation.

= The meta selectors =

We have 2 types of meta statement, qualified and unqualified. Qualified ones require you use the '''meta''' keyword, and for unqualified ones it can be skipped.

* qualified meta statements:
** length -- packet lenght
** protocol -- packet protocol (as in skb->protocol)
** nfproto -- netfilter packet protocol family (like ipv4, ipv6, etc..).
** l4proto -- layer 4 protocol (tcp, udp, etc..)
** priority -- packet priority, tc handle. [[Setting_packet_metainformation |Can be set]].
** random -- match against a single/simple random number
** secmark -- packet secmark. [[Setting_packet_metainformation |Can be set]].
** ibrvproto -- match the bridge protocol
** ibrpvid -- match the bridge pvid

* unqualified meta statements:
** mark -- packet mark. [[Setting_packet_metainformation |Can be set]].
** iif -- input interface index
** iifname -- input interface name
** iiftype -- input interface type
** oif -- output interface index
** oifname -- output interface name
** oiftype -- output interface type
** skuid -- socket uid
** skgid -- socket gid
** nftrace -- [[Ruleset_debug/tracing|nftrace debugging]] bit. [[Setting_packet_metainformation |Can be set]].
** rtclassid -- realm
** ibriport -- input bridge port
** obriport -- output bridge port
** ibrname -- input bridge name
** obrname -- output bridge name
** pkttype -- packet type. [[Setting_packet_metainformation |Can be set]].
** cpu -- cpu number
** iifgroup -- input interface group
** oifgroup -- output interface group
** cgroup -- cgroup number
** ipsec -- ipsec (secpath) packet or not
** time -- packet timestamp
** day -- packet timestamp
** hour -- packet timestamp

= Matching packets by interface name =

You can use one of the following selectors to match the interface name:

* ''iifname'', to match the input network interface name.
* ''oifname'', to match the output network interface name.
* ''iif'', to match the interface index of the network interface name. This is faster than ''iifname'' as it only has to compare a 32-bits unsigned integer instead of a string. The interface index is dynamically allocated, so don't use this for interfaces that are dynamically created and destroyed, eg. ''ppp0''.
* ''oif'', like ''iif'' but it matches the output network interface index.

An example usage of the interface name is the following:

<source lang="bash">
% nft add rule filter input meta oifname lo accept
</source>

This rule accepts all traffic for the loopback pseudodevice ''lo''.

= Matching packets by packet mark =

You can match packets whose mark is 123 with the following rule:

<source lang="bash">
nft add rule filter output meta mark 123 counter
</source>

= Matching packets the socket UID =

You can use your user name to match traffic, eg.

<source lang="bash">
% nft add rule filter output meta skuid pablo counter
</source>

Or the 32-bits unsigned integer (UID) in case there is no entry in /etc/passwd for a given user.

<source lang="bash">
% nft add rule filter output meta skuid 1000 counter
</source>

Let's just generate some HTTP traffic to test this rule:

<source lang="bash">
% wget --spider http://www.google.com
</source>

Then, if you check the counters, you can verify that the packets are matching that rule.

<source lang="bash">
% nft list table filter
table ip filter {
chain output {
type filter hook output priority 0;
skuid pablo counter packets 7 bytes 510
}

chain input {
type filter hook input priority 0;
}
}
</source>

'''Important''': Beware if you test this with ''ping'', it is usually installed with suid so that traffic will match the root user (uid=0).

= Matching packet priority =

* Since nftables v0.7 you can match the packet priority, the tc classid:

<source>
% nft add rule filter forward meta priority abcd:1234
</source>

* Packet without set priority can be matched using meta priority none
<source>
% nft add rule filter forward meta priority none
</source>

Operations at ruleset level

2020-11-23T16:15:39Z

Fw: xml/json export is not longer supported.

== Using native nft syntax ==

Linux Kernel 3.18 includes some improvements regarding the available operations to manage your ruleset as a whole.

=== listing ===

Listing the complete ruleset:
<source lang="bash">
% nft list ruleset
</source>

Listing the ruleset per family:
<source lang="bash">
% nft list ruleset arp
% nft list ruleset ip
% nft list ruleset ip6
% nft list ruleset bridge
% nft list ruleset inet
</source>
These commands will print all tables/chains/sets/rules of the given family.

=== flushing ===

In addition, you can also flush (erase, delete, wipe) the complete ruleset:
<source lang="bash">
% nft flush ruleset
</source>
Also per family:
<source lang="bash">
% nft flush ruleset arp
% nft flush ruleset ip
% nft flush ruleset ip6
% nft flush ruleset bridge
% nft flush ruleset inet
</source>
=== backup/restore ===

You can combine these two commands above to backup your ruleset:
<source lang="bash">
% echo "nft flush ruleset" > backup.nft
% nft list ruleset >> backup.nft
</source>
And load it [[Atomic_rule_replacement|atomically]]:
<source lang="bash">
% nft -f backup.nft
</source>
== Listing in JSON format ==

You can also export your ruleset in JSON format, just pass the
'--json' option:

<source lang="bash">
% nft --json list ruleset > ruleset.json
</source>

== See also ==

Some related information you may want to read:

* [[Atomic rule replacement]]
* [[Scripting]]

Performing Network Address Translation (NAT)

2020-06-23T22:00:10Z

Fw: /* Incompatibilities */

The ''nat'' chain type allows you to perform NAT. This chain type comes with special semantics:

* The first packet of a flow is used to look up for a matching rule which sets up the NAT binding for this flow. This also manipulates this first packet accordingly.
* No rule lookup happens for follow up packets in the flow: the NAT engine uses the NAT binding information already set up by the first packet to perform the packet manipulation.

Adding a NAT rule to a filter type chain will result in an error.

= Stateful NAT =

The stateful NAT involves the nf_conntrack kernel engine to match/set packet stateful information and will engage according to the state of connections.
This is the most common way of performing NAT and the approach we recommend you to follow.

Be aware that '''with kernel versions before 4.18, you have to register the prerouting/postrouting chains even if you have no rules there''' since these chain will invoke the NAT engine for the packets coming in the reply direction. The remaining documentation in this article assumes a newer kernel which doesn't require this inconvenience anymore.

== Source NAT ==

If you want to source NAT the traffic that leaves from your local area network to the Internet, you can create a new table ''nat'' with the postrouting chain:

<source lang="bash">
% nft add table nat
% nft 'add chain nat postrouting { type nat hook postrouting priority 100 ; }'
</source>

Then, add the following rule:

<source lang="bash">
% nft add rule nat postrouting ip saddr 192.168.1.0/24 oif eth0 snat 1.2.3.4
</source>

This matches for all traffic from the 192.168.1.0/24 network to the interface ''eth0''. The IPv4 address 1.2.3.4 is used as source for the packets that match this rule.

== Destination NAT ==

You need to add the following table and chain configuration:

<source lang="bash">
% nft add table nat
% nft 'add chain nat prerouting { type nat hook prerouting priority -100; }'
</source>

Then, you can add the following rule:

<source lang="bash">
% nft 'add rule nat prerouting iif eth0 tcp dport { 80, 443 } dnat 192.168.1.120'
</source>

This redirects the incoming traffic for TCP ports 80 and 443 to 192.168.1.120.

== Masquerading ==

NOTE: ''masquerade'' is available starting with Linux Kernel 3.18.

Masquerade is a special case of SNAT, where the source address is automagically set to the address of the output interface. For example:

<source lang="bash">
% nft add rule nat postrouting masquerade
</source>

Note that ''masquerade'' only makes sense from postrouting chain of NAT type.

== Redirect ==

NOTE: ''redirect'' is available starting with Linux Kernel 3.19.

By using redirect, packets will be forwarded to local machine. Is a special case of DNAT where the destination is the current machine.

<source lang="bash">
% nft add rule nat prerouting redirect
</source>

This example redirects 22/tcp traffic to 2222/tcp:

<source lang="bash">
% nft add rule nat prerouting tcp dport 22 redirect to 2222
</source>

Note that: ''redirect'' only makes sense in a prerouting chain of NAT type.

== NAT flags ==

Since Linux kernel 3.18, you can combine the following flags with your NAT statements:

* random: randomize source port mapping.
* fully-random: full port randomization.
* persistent: gives a client the same source-/destination-address for each connection.

For example:

<source lang="bash">
% nft add rule nat postrouting masquerade random,persistent
% nft add rule nat postrouting ip saddr 192.168.1.0/24 oif eth0 snat 1.2.3.4 fully-random
</source>

== Inet family NAT ==

Since Linux kernel 5.2, there is support for performing stateful NAT in ''inet'' family chains. Syntax and semantics are equivalent to ''ip''/''ip6'' families; the only exception being if IP addresses are specified, a prefix of either ''ip'' or ''ip6'' to clarify the address family is required:

<source lang="bash">
% nft add rule inet nat prerouting dnat ip to 10.0.0.2
% nft add rule inet nat prerouting dnat ip6 to feed::c0fe
</source>

== Incompatibilities ==

You cannot use iptables and nft to perform NAT at the same time before kernel 4.18. So make sure that the ''iptable_nat'' module is unloaded:

<source lang="bash">
% rmmod iptable_nat
</source>

With later kernels, it is possible to use iptables and nftables nat at the same time.
The nat chains are consulted according to their priorities, the first matching rule
that adds a nat mapping (dnat, snat, masquerade) is the one that will be used for the connection.

= Stateless NAT =

This type of NAT just modifies each packet according to your rules without any other state/connection tracking.

This is valid for 1:1 mappings and is faster than stateful NAT. However, it's easy to shoot yourself in the foot.
If your environment doesn't require this approach, better stick to stateful NAT.

You have to disable connection tracking for modified packets.

The example below sets IP/port for each packet (also valid in IPv6):

<source>
% nft add rule ip raw prerouting ip protocol tcp ip daddr set 192.168.1.100 tcp dport set 10 notrack
% nft add rule ip6 raw prerouting ip6 nexthdr tcp ip6 daddr set fe00::1 tcp dport set 10 notrack
</source>

Be sure to check our documentation regarding [[Mangle packet header fields | mangling packets]] and [[setting packet connection tracking metainformation]].

To use this feature you require nftables >=0.7 and linux kernel >= 4.9.

Performing Network Address Translation (NAT)

2020-06-23T21:51:21Z

Fw: change quoting style to single-quotes

The ''nat'' chain type allows you to perform NAT. This chain type comes with special semantics:

* The first packet of a flow is used to look up for a matching rule which sets up the NAT binding for this flow. This also manipulates this first packet accordingly.
* No rule lookup happens for follow up packets in the flow: the NAT engine uses the NAT binding information already set up by the first packet to perform the packet manipulation.

Adding a NAT rule to a filter type chain will result in an error.

= Stateful NAT =

The stateful NAT involves the nf_conntrack kernel engine to match/set packet stateful information and will engage according to the state of connections.
This is the most common way of performing NAT and the approach we recommend you to follow.

Be aware that '''with kernel versions before 4.18, you have to register the prerouting/postrouting chains even if you have no rules there''' since these chain will invoke the NAT engine for the packets coming in the reply direction. The remaining documentation in this article assumes a newer kernel which doesn't require this inconvenience anymore.

== Source NAT ==

If you want to source NAT the traffic that leaves from your local area network to the Internet, you can create a new table ''nat'' with the postrouting chain:

<source lang="bash">
% nft add table nat
% nft 'add chain nat postrouting { type nat hook postrouting priority 100 ; }'
</source>

Then, add the following rule:

<source lang="bash">
% nft add rule nat postrouting ip saddr 192.168.1.0/24 oif eth0 snat 1.2.3.4
</source>

This matches for all traffic from the 192.168.1.0/24 network to the interface ''eth0''. The IPv4 address 1.2.3.4 is used as source for the packets that match this rule.

== Destination NAT ==

You need to add the following table and chain configuration:

<source lang="bash">
% nft add table nat
% nft 'add chain nat prerouting { type nat hook prerouting priority -100; }'
</source>

Then, you can add the following rule:

<source lang="bash">
% nft 'add rule nat prerouting iif eth0 tcp dport { 80, 443 } dnat 192.168.1.120'
</source>

This redirects the incoming traffic for TCP ports 80 and 443 to 192.168.1.120.

== Masquerading ==

NOTE: ''masquerade'' is available starting with Linux Kernel 3.18.

Masquerade is a special case of SNAT, where the source address is automagically set to the address of the output interface. For example:

<source lang="bash">
% nft add rule nat postrouting masquerade
</source>

Note that ''masquerade'' only makes sense from postrouting chain of NAT type.

== Redirect ==

NOTE: ''redirect'' is available starting with Linux Kernel 3.19.

By using redirect, packets will be forwarded to local machine. Is a special case of DNAT where the destination is the current machine.

<source lang="bash">
% nft add rule nat prerouting redirect
</source>

This example redirects 22/tcp traffic to 2222/tcp:

<source lang="bash">
% nft add rule nat prerouting tcp dport 22 redirect to 2222
</source>

Note that: ''redirect'' only makes sense in a prerouting chain of NAT type.

== NAT flags ==

Since Linux kernel 3.18, you can combine the following flags with your NAT statements:

* random: randomize source port mapping.
* fully-random: full port randomization.
* persistent: gives a client the same source-/destination-address for each connection.

For example:

<source lang="bash">
% nft add rule nat postrouting masquerade random,persistent
% nft add rule nat postrouting ip saddr 192.168.1.0/24 oif eth0 snat 1.2.3.4 fully-random
</source>

== Inet family NAT ==

Since Linux kernel 5.2, there is support for performing stateful NAT in ''inet'' family chains. Syntax and semantics are equivalent to ''ip''/''ip6'' families; the only exception being if IP addresses are specified, a prefix of either ''ip'' or ''ip6'' to clarify the address family is required:

<source lang="bash">
% nft add rule inet nat prerouting dnat ip to 10.0.0.2
% nft add rule inet nat prerouting dnat ip6 to feed::c0fe
</source>

== Incompatibilities ==

You cannot use iptables and nft to perform NAT at the same time. So make sure that the ''iptable_nat'' module is unloaded:

<source lang="bash">
% rmmod iptable_nat
</source>

= Stateless NAT =

This type of NAT just modifies each packet according to your rules without any other state/connection tracking.

This is valid for 1:1 mappings and is faster than stateful NAT. However, it's easy to shoot yourself in the foot.
If your environment doesn't require this approach, better stick to stateful NAT.

You have to disable connection tracking for modified packets.

The example below sets IP/port for each packet (also valid in IPv6):

<source>
% nft add rule ip raw prerouting ip protocol tcp ip daddr set 192.168.1.100 tcp dport set 10 notrack
% nft add rule ip6 raw prerouting ip6 nexthdr tcp ip6 daddr set fe00::1 tcp dport set 10 notrack
</source>

Be sure to check our documentation regarding [[Mangle packet header fields | mangling packets]] and [[setting packet connection tracking metainformation]].

To use this feature you require nftables >=0.7 and linux kernel >= 4.9.

Configuring chains

2020-06-23T21:50:01Z

Fw: convert quoting style to single-quotes, some shells such as zsh also require quoting of curly braces. route/nat now work with inet family.

As in ''iptables'', you attach your [[Simple rule management|rules]] to chains. However, contrary to the ''iptables'' modus operandi, the ''nftables'' infrastructure comes with no predefined chains, so you need to register your base chains in first place before you can add any rule. This allows very flexible configurations.

= Adding base chains =

The syntax to add base chains is the following:

<source lang="bash">
% nft add chain [<family>] <table-name> <chain-name> { type <type> hook <hook> priority <value> \; [policy <policy>] }
</source>

Base chains are those that are registered into the [[Netfilter hooks]], ie. these chains see packets flowing through your Linux TCP/IP stack.

The following example show how you can add new base chains to the ''foo'' table through the following command:

<source lang="bash">
% nft 'add chain ip foo input { type filter hook input priority 0 ; }'
</source>

'''Important''': nft re-uses special characters, such as curly braces and the semicolon.I
f you are running these commands from a shell such as ''bash'', all the special characters need
to be escaped. The most simple way to prevent the shell from attempting to parse the nft syntax
is to quote everything withing single quotes. Alternatively, you can run the command

<source lang="bash">
% nft -i
</source>

and run nft in interactive mode.

The ''add chain'' command registers the ''input'' chain, that it attached to the ''input'' hook so it will see packets that are addressed to the local processes.

The ''priority'' is important since it determines the ordering of the chains, thus, if you have several chains in the ''input'' hook, you can decide which one sees packets before another.
For example, input chains with priorities -12, -1, 0, 10 would be consulted exactly in that order. Its possible to give two base chains the same priority, but there
is no guaranteed evaluation order of base chains with identical priority that are attached to the same hook location.

If you want to use ''nftables'' to filter traffic for desktop Linux computers, ie. a computer which does not forward traffic, you can also register the output chain:

<source lang="bash">
% nft 'add chain ip foo output { type filter hook output priority 0 ; }'
</source>

Now you are ready to filter incoming (directed to local processes) and outgoing (generated by local processes) traffic.

'''Important note''': If you don't include the chain configuration that is specified enclosed in the curly braces, you are creating a non-base chain that will not see any packets (similar to ''iptables -N chain-name'').

Since nftables 0.5, you can also specify the default policy for base chains as in ''iptables'':

<source lang="bash">
% nft 'add chain ip foo output { type filter hook output priority 0 ; policy accept; }'
</source>

As in ''iptables'', the two possible default policies are ''accept'' and ''drop''.

When adding a chain on '''ingress''' hook, it is mandatory to specify the device where the chain will be attached:
<source lang="bash">
% nft 'add chain netdev foo dev0filter { type filter hook ingress device eth0 priority 0 ; }'
</source>

== Base chain types ==

The possible chain types are:

* '''filter''', which is obviously used to filter packets. This is supported by the arp, bridge, ip, ip6 and inet table families.
* '''route''', which is used to reroute packets if any relevant IP header field or the packet mark is modified. If you are familiar with ''iptables'', this chain type provides equivalent semantics to the ''mangle'' table but only for the ''output'' hook (for other hooks use type ''filter'' instead). This is supported by the ip, ip6 and inet table families.
* '''nat''', which is used to perform Networking Address Translation (NAT). The first packet that belongs to a flow always hits this chain, follow up packets not. Therefore, never use this chain for filtering. This is supported by the ip, ip6 and inet table families.

== Base chain hooks ==

The possible hooks that you can use when you configure your chain are:

* '''prerouting''': the routing decision for those packets didn't happen yet, so you don't know if they are addressed to the local or remote systems.
* '''input''': It happens after the routing decision, you can see packets that are directed to the local system and processes running in system.
* '''forward''': It also happens after the routing decision, you can see packet that are not directed to the local machine.
* '''output''': to catch packets that are originated from processes in the local machine.
* '''postrouting''': After the routing decision for packets leaving the local system.
* '''ingress''' (only available at the ''netdev'' family): Since Linux kernel 4.2, you can filter traffic way before prerouting, after the packet is passed up from the NIC driver. So you have an alternative to ''tc''.

== Base chain priority ==

The priority can be used to order the chains or to put them before or after some Netfilter internal operations. For example, a chain on the ''prerouting'' hook with the priority ''-300'' will be placed before connection tracking operations.

For reference, here's the list of different priority used in iptables:

* NF_IP_PRI_CONNTRACK_DEFRAG (-400): priority of defragmentation
* NF_IP_PRI_RAW (-300): traditional priority of the raw table placed before connection tracking operation
* NF_IP_PRI_SELINUX_FIRST (-225): SELinux operations
* NF_IP_PRI_CONNTRACK (-200): Connection tracking operations
* NF_IP_PRI_MANGLE (-150): mangle operation
* NF_IP_PRI_NAT_DST (-100): destination NAT
* NF_IP_PRI_FILTER (0): filtering operation, the filter table
* NF_IP_PRI_SECURITY (50): Place of security table where secmark can be set for example
* NF_IP_PRI_NAT_SRC (100): source NAT
* NF_IP_PRI_SELINUX_LAST (225): SELinux at packet exit
* NF_IP_PRI_CONNTRACK_HELPER (300): connection tracking at exit

'''NOTE''': if a packet gets accepted and there is another base chain in the same hook which is ordered with a later priority, the packet will be evaluated '''again'''.
That is, packets will traverse chains in a given hook, until it is dropped or no more base chains exist. Drops take instant effect, no further rules or chains are evaluated.

Example ruleset of this behavior:

<pre>
table inet filter {
# this chain is evaluated first due to priority
chain ssh {
type filter hook input priority 0; policy accept;
# ssh packet accepted
tcp dport ssh accept
}

# this chain is evaluated last due to priority
chain input {
type filter hook input priority 1; policy drop;
# the same ssh packet is dropped here by means of default policy
}
}
</pre>

If priority of the 'input chain' above would be changed to -1, all packets would
be dropped.

== Base chain policy ==

This is the default verdict that will be applied to packets reaching the end of the chain (i.e, no more rules to be evaluated against).

Currently there are 2 policies: '''accept''' (default) or '''drop'''.

* The ''accept'' verdict means that the packet will keep traversing the network stack (default).
* The ''drop'' verdict means that the packet is discarded if the packet reaches the end of the base chain.

'''NOTE''': If no policy is explicitly selected, the default policy '''accept''' will be used.

= Adding non-base chains =

You can also create non-base chains as in ''iptables'' via:

<source lang="bash">
% nft add chain ip <table_name> <chain_name>
</source>

Note that this chain does '''not''' see any traffic as it is not attached to any hook, but it can be very useful to arrange your rule-set in a tree of chains by using the [[jumping to chain|jump to chain]] action.

The chain name is an arbitrary string, with arbitrary case.

= Deleting chains =

You can delete the chains that you don't need, eg.

<source lang="bash">
% nft delete chain ip foo input
</source>

The only condition is that the chain you want to delete needs to be empty, otherwise the kernel will tell you that such chain is in used.

<source lang="bash">
% nft delete chain ip foo input
<cmdline>:1:1-28: Error: Could not delete chain: Device or resource busy
delete chain ip foo input
^^^^^^^^^^^^^^^^^^^^^^^^^
</source>

You will have to [[Simple rule management|flush the ruleset]] in that chain before you can remove the chain.

= Flushing chain =

You can also flush the content of a chain. If you want to flush all the rule in the chain ''input'' of the ''foo'' table, you have to type:

<source lang="bash">
nft flush chain foo input
</source>

= Example configuration: Filtering traffic for your standalone computer =

You can create a table with two base chains to define rule to filter traffic coming to and leaving from your computer, asumming IPv4 connectivity:

<source lang="bash">
% nft add table ip filter
% nft 'add chain ip filter input { type filter hook input priority 0 ; }'
% nft 'add chain ip filter output { type filter hook output priority 0 ; }'
</source>

Now, you can start attaching [[Simple rule management|rules]] to these two base chains. Note that you don't need the ''forward'' chain in this case since this example assumes that you're configuring nftables to filter traffic for a standalone computer that doesn't behave as router.

Supported features compared to xtables

2020-06-17T16:43:30Z

Fw: NETMAP is now supported

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== RATEEST ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, since 5.0
==== recent ====
* consider native interface. Refer to [[Sets]].
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14

==== time ====
* nft_meta, since 5.4

==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NETMAP ====
* nft_nat, upcoming 5.8
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== SECMARK ====
* nft_meta, since 4.20

==== SYNPROXY ====
* nft_synproxy, since 5.3

==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, since 4.19

==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Updating sets from the packet path

2019-12-04T11:53:22Z

Fw:

Since nftables v0.7 you can update sets from the packet path, i.e., update the content of a set based on the packets the firewall is receiving.

This usually used in combination with [[Element timeouts]], and one of the main use cases in to create dynamic black lists or ban lists.

There are two main operations: '''add''' and '''update''', which differs in how they modify any previous element timeout. The '''update''' command refreshes the element timeout for each packet seen, while '''add''' does not.

An example using the '''update''' operation, with timeouts, follows:

<source>
% nft add table filter
% nft add chain filter input { type filter hook input priority 0\; }
% nft add set filter myset { type inet_service\; flags timeout\; }
% nft add rule filter input set update tcp dport timeout 60s @myset
% nft list ruleset
table ip filter {
set myset {
type inet_service
flags timeout
elements = { http expires 9s}
}

chain input {
type filter hook input priority 0; policy accept;
update @myset { tcp dport timeout 1m }
}
}
</source>

This example uses the '''add''' operation in a set without timeouts:

<source>
% nft add table filter
% nft add chain filter input { type filter hook input priority 0\; }
% nft add set filter myset { type ipv4_addr\; }
% nft add rule filter input set add ip saddr @myset
% nft list ruleset
table ip filter {
set myset {
type ipv4_addr
elements = { 1.1.1.1 }
}

chain input {
type filter hook input priority 0; policy accept;
add @myset { ip saddr }
}
}
</source>

Matching routing information

2019-11-15T16:00:25Z

Fw: /* fib */

Starting with linux 4.10 and nftables v0.7, there are new mechanisms to match several routing information related to packets and the firewall machine.

== nexthop ==

The directly connected IP address that an outgoing packet is sent to, which can be used either
for matching or accounting, eg:

<source>
nft add rule filter postrouting ip daddr 192.168.1.0/24 rt nexthop != 192.168.0.1 drop
</source>

This will drop any traffic to 192.168.1.0/24 that is not routed via 192.168.0.1.

<source>
nft add rule filter postrouting flow table acct { rt nexthop timeout 600s counter }
nft add rule ip6 filter postrouting flow table acct { rt nexthop timeout 600s counter }
</source>

These rules count outgoing traffic per nexthop. Note that the timeout releases an entry if no traffic
is seen for this nexthop within 10 minutes.

General syntax is: '''rt''' ''key'' operator ''expression'', where:

* key: classid, nexthop
* operator: eq, neq, gt, lt, gte, lte, vmap, map

== fib ==

The fib statement can be used to obtain the output interface from the route table based on either source
or destination address of a packet.

This can be used to e.g. add reverse path filtering, or eg. drop if not coming from the same interface packet arrived on:

<source>
nft add rule x prerouting fib saddr . iif oif eq 0 drop
</source>

Accept only if from eth:

<source>
nft add rule x prerouting fib saddr . iif oif eq "eth0" accept
</source>

Accept if from any valid interface:

<source>
nft add rule x prerouting fib saddr oif accept
</source>

Querying of address type is also supported, this can be used to only accept packets to addresses configured in the same
interface, eg:

<source>
nft add rule x prerouting fib daddr . iif type local accept
</source>

Its also possible to use verdict maps, eg:

<source>
nft 'add rule x prerouting fib saddr . mark oif vmap { "eth0" : drop, "ppp0" : accept }'
</source>

This takes the packet source address and queries the routing table
for the output interface index that would be used to send a packet
to that address. The packets destination address is used as source
address. The ". mark" syntax tells the fib expression it should also
consider the packet mark when the fib is queried.
Likewise, "iif" and "oif" tell fib to consider the packets in and output
interface on lookup.

General syntax is: '''fib''' ''key'' ''data'' operator ''expression'', where:

* key: saddr, daddr, mark, iif, oif (use '.' for concatenations to represent tuples)
* data: oif, oifname, (address) type
* operator: eq, neq, vmap, map

Supported features compared to xtables

2019-10-10T15:33:06Z

Fw: /* policy */

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, since 5.0

==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].

==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14

==== time ====
* nft_meta, upcoming 5.4

==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== SECMARK ====
* nft_meta, since 4.20

==== SYNPROXY ====
* nft_synproxy, since 5.3

==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, since 4.19

==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2019-10-10T15:32:43Z

Fw: /* tcpmss */

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, upcoming linux 4.20 (5.0?)
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].

==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14

==== time ====
* nft_meta, upcoming 5.4

==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== SECMARK ====
* nft_meta, since 4.20

==== SYNPROXY ====
* nft_synproxy, since 5.3

==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, since 4.19

==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2019-10-10T15:31:28Z

Fw: /* tproxy */

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, upcoming linux 4.20 (5.0?)
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].

==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14

==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== SECMARK ====
* nft_meta, since 4.20

==== SYNPROXY ====
* nft_synproxy, since 5.3

==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, since 4.19

==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2019-10-10T15:31:09Z

Fw: /* SECMARK */

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, upcoming linux 4.20 (5.0?)
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].

==== tproxy ====
* nft_tproxy

==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14

==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== SECMARK ====
* nft_meta, since 4.20

==== SYNPROXY ====
* nft_synproxy, since 5.3

==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, since 4.19

==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2019-10-10T15:29:30Z

Fw: /* TPROXY */

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, upcoming linux 4.20 (5.0?)
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].

==== tproxy ====
* nft_tproxy

==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14

==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== SECMARK ====
* nft_meta, since 4.20
==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, since 4.19

==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2019-10-10T15:29:13Z

Fw: /* tproxy */

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, upcoming linux 4.20 (5.0?)
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].

==== tproxy ====
* nft_tproxy

==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14

==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== SECMARK ====
* nft_meta, since 4.20
==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, upcoming release (4.19)
==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2019-10-10T15:28:57Z

Fw: /* tcpmss */

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, upcoming linux 4.20 (5.0?)
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].

==== tproxy ====
* nft_tproxy

==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14

==== tproxy ====
* nft_tproxy, since 4.19

==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== SECMARK ====
* nft_meta, since 4.20
==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, upcoming release (4.19)
==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2019-10-10T15:27:45Z

Fw: /* statistic */

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, upcoming linux 4.20 (5.0?)
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].

==== tproxy ====
* nft_tproxy

==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14
==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== SECMARK ====
* nft_meta, since 4.20
==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, upcoming release (4.19)
==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2019-10-10T15:27:04Z

Fw: /* SET */

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, upcoming linux 4.20 (5.0?)
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14
==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== SECMARK ====
* nft_meta, since 4.20
==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, upcoming release (4.19)
==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2019-10-10T15:26:48Z

Fw: time is now supported

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== SET ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, upcoming linux 4.20 (5.0?)
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14
==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== SECMARK ====
* nft_meta, since 4.20
==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, upcoming release (4.19)
==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2019-10-10T15:26:30Z

Fw: synproxy is now supported

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== time ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== SET ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, upcoming linux 4.20 (5.0?)
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14
==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== SECMARK ====
* nft_meta, since 4.20
==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, upcoming release (4.19)
==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Sets

2019-10-04T15:29:44Z

Fw: /* Anonymous sets */

''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the representation of [[dictionaries]] and [[maps]].

The set elements are internally represented using performance data structures such as hashtables and red-black trees.

= Anonymous sets =

Anonymous sets are those that are:

* Bound to a rule, if the rule is removed, that set is released too.
* They have no specific name, the kernel internally allocates an identifier.
* They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule.

The following example shows how to create a simple set.

<source lang="bash">
% nft add rule ip filter output tcp dport { 22, 23 } counter
</source>

This rule above catches all traffic going to TCP ports 22 and 23, in case of matching the counters are updated.

Eric Leblond in his [https://home.regit.org/2014/01/why-you-will-love-nftables/ Why you will love nftables] article shows a very simple example to compare iptables with nftables:

<source lang="bash">
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
</source>

Which can be expressed in ''nftables'' with a couple of rules that provide a set:

<source lang="bash">
% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
</source>

= Named sets =

You can create the named sets with the following command:

<source lang="bash">
% nft add set ip filter blackhole { type ipv4_addr\;}
</source>

Note that ''blackhole'' is the name of the set in this case. The ''type'' option indicates the data type that this set stores, which is an IPv4 address in this case. Current maximum name length is 16 characters.

<source lang="bash">
% nft add element ip filter blackhole { 192.168.3.4 }
% nft add element ip filter blackhole { 192.168.1.4, 192.168.1.5 }
</source>

Then, you can use it from the rule:

<source lang="bash">
% nft add rule ip filter input ip saddr @blackhole drop
</source>

Named sets can be updated anytime, so you can add and delete element from them.

= Named sets specifications =

Sets specifications are:

* '''type''', is obligatory and determines the data type of the set elements. Supported data types currently are:
** ''ipv4_addr'': IPv4 address
** ''ipv6_addr'': IPv6 address.
** ''ether_addr'': Ethernet address.
** ''inet_proto'': Inet protocol type.
** ''inet_service'': Internet service (read tcp port for example)
** ''mark'': Mark type.

* '''timeout''', it determines how long an element stays in the set. The time string respects the format: ''"v1dv2hv3mv4s"'':

<source lang="bash">
% nft add table ip filter
% nft add set ip filter ports {type inet_service \; timeout 3h45s \;}
</source>

These commands create a table named ''filter'' and add a set named ''ports'' to it, where elements are deleted after 3 hours and 45 seconds of being added.

* '''flags''', the available flags are:
** ''constant'' - set content may not change while bound
** ''interval'' - set contains intervals
** ''timeout'' - elements can be added with a timeout

Multiple flags should be separated by comma:

<source lang="bash">
% nft add set ip filter flags_set {type ipv4_addr\; flags constant, interval\;}
</source>

* '''gc-interval''', stands for garbage collection interval, can only be used if ''timeout'' or ''flags timeout'' are active. The interval follows the same format of ''timeouts'' time string ''"v1dv2hv3mv4s"''.

* '''elements''', initialize the set with some elements in it:

<source lang="bash">
% nft add set ip filter daddrs {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
</source>

This command creates a set name ''daddrs'' with elements ''192.168.1.1'', which stays in it for 10s, and ''192.168.1.2'', which stays for 30s.

* '''size''', limits the maximum number of elements of the set. To create a set with maximum 2 elements type:

<source lang="bash">
% nft add set ip filter saddrs {type ipv4_addr \; size 2 \;}
</source>

* '''policy''', determines set selection policy. Available values are:
** ''performance'' [default]
** ''memory''

= Listing named sets =

You can list the content of a named set via:

<source lang="bash">
% nft list set ip filter myset
</source>

Sets

2019-10-04T15:29:24Z

Fw: /* Listing named sets */

''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the representation of [[dictionaries]] and [[maps]].

The set elements are internally represented using performance data structures such as hashtables and red-black trees.

= Anonymous sets =

Anonymous sets are those that are:

* Bound to a rule, if the rule is removed, that set is released too.
* They have no specific name, the kernel internally allocates an identifier.
* They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule.

The following example shows how to create a simple set.

<source lang="bash">
% nft add rule filter output tcp dport { 22, 23 } counter
</source>

This rule above catches all traffic going to TCP ports 22 and 23, in case of matching the counters are updated.

Eric Leblond in his [https://home.regit.org/2014/01/why-you-will-love-nftables/ Why you will love nftables] article shows a very simple example to compare iptables with nftables:

<source lang="bash">
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
</source>

Which can be expressed in ''nftables'' with a couple of rules that provide a set:

<source lang="bash">
% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
</source>

= Named sets =

You can create the named sets with the following command:

<source lang="bash">
% nft add set ip filter blackhole { type ipv4_addr\;}
</source>

Note that ''blackhole'' is the name of the set in this case. The ''type'' option indicates the data type that this set stores, which is an IPv4 address in this case. Current maximum name length is 16 characters.

<source lang="bash">
% nft add element ip filter blackhole { 192.168.3.4 }
% nft add element ip filter blackhole { 192.168.1.4, 192.168.1.5 }
</source>

Then, you can use it from the rule:

<source lang="bash">
% nft add rule ip filter input ip saddr @blackhole drop
</source>

Named sets can be updated anytime, so you can add and delete element from them.

= Named sets specifications =

Sets specifications are:

* '''type''', is obligatory and determines the data type of the set elements. Supported data types currently are:
** ''ipv4_addr'': IPv4 address
** ''ipv6_addr'': IPv6 address.
** ''ether_addr'': Ethernet address.
** ''inet_proto'': Inet protocol type.
** ''inet_service'': Internet service (read tcp port for example)
** ''mark'': Mark type.

* '''timeout''', it determines how long an element stays in the set. The time string respects the format: ''"v1dv2hv3mv4s"'':

<source lang="bash">
% nft add table ip filter
% nft add set ip filter ports {type inet_service \; timeout 3h45s \;}
</source>

These commands create a table named ''filter'' and add a set named ''ports'' to it, where elements are deleted after 3 hours and 45 seconds of being added.

* '''flags''', the available flags are:
** ''constant'' - set content may not change while bound
** ''interval'' - set contains intervals
** ''timeout'' - elements can be added with a timeout

Multiple flags should be separated by comma:

<source lang="bash">
% nft add set ip filter flags_set {type ipv4_addr\; flags constant, interval\;}
</source>

* '''gc-interval''', stands for garbage collection interval, can only be used if ''timeout'' or ''flags timeout'' are active. The interval follows the same format of ''timeouts'' time string ''"v1dv2hv3mv4s"''.

* '''elements''', initialize the set with some elements in it:

<source lang="bash">
% nft add set ip filter daddrs {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
</source>

This command creates a set name ''daddrs'' with elements ''192.168.1.1'', which stays in it for 10s, and ''192.168.1.2'', which stays for 30s.

* '''size''', limits the maximum number of elements of the set. To create a set with maximum 2 elements type:

<source lang="bash">
% nft add set ip filter saddrs {type ipv4_addr \; size 2 \;}
</source>

* '''policy''', determines set selection policy. Available values are:
** ''performance'' [default]
** ''memory''

= Listing named sets =

You can list the content of a named set via:

<source lang="bash">
% nft list set ip filter myset
</source>

Sets

2019-10-04T15:29:12Z

Fw: /* Named sets specifications */

''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the representation of [[dictionaries]] and [[maps]].

The set elements are internally represented using performance data structures such as hashtables and red-black trees.

= Anonymous sets =

Anonymous sets are those that are:

* Bound to a rule, if the rule is removed, that set is released too.
* They have no specific name, the kernel internally allocates an identifier.
* They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule.

The following example shows how to create a simple set.

<source lang="bash">
% nft add rule filter output tcp dport { 22, 23 } counter
</source>

This rule above catches all traffic going to TCP ports 22 and 23, in case of matching the counters are updated.

Eric Leblond in his [https://home.regit.org/2014/01/why-you-will-love-nftables/ Why you will love nftables] article shows a very simple example to compare iptables with nftables:

<source lang="bash">
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
</source>

Which can be expressed in ''nftables'' with a couple of rules that provide a set:

<source lang="bash">
% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
</source>

= Named sets =

You can create the named sets with the following command:

<source lang="bash">
% nft add set ip filter blackhole { type ipv4_addr\;}
</source>

Note that ''blackhole'' is the name of the set in this case. The ''type'' option indicates the data type that this set stores, which is an IPv4 address in this case. Current maximum name length is 16 characters.

<source lang="bash">
% nft add element ip filter blackhole { 192.168.3.4 }
% nft add element ip filter blackhole { 192.168.1.4, 192.168.1.5 }
</source>

Then, you can use it from the rule:

<source lang="bash">
% nft add rule ip filter input ip saddr @blackhole drop
</source>

Named sets can be updated anytime, so you can add and delete element from them.

= Named sets specifications =

Sets specifications are:

* '''type''', is obligatory and determines the data type of the set elements. Supported data types currently are:
** ''ipv4_addr'': IPv4 address
** ''ipv6_addr'': IPv6 address.
** ''ether_addr'': Ethernet address.
** ''inet_proto'': Inet protocol type.
** ''inet_service'': Internet service (read tcp port for example)
** ''mark'': Mark type.

* '''timeout''', it determines how long an element stays in the set. The time string respects the format: ''"v1dv2hv3mv4s"'':

<source lang="bash">
% nft add table ip filter
% nft add set ip filter ports {type inet_service \; timeout 3h45s \;}
</source>

These commands create a table named ''filter'' and add a set named ''ports'' to it, where elements are deleted after 3 hours and 45 seconds of being added.

* '''flags''', the available flags are:
** ''constant'' - set content may not change while bound
** ''interval'' - set contains intervals
** ''timeout'' - elements can be added with a timeout

Multiple flags should be separated by comma:

<source lang="bash">
% nft add set ip filter flags_set {type ipv4_addr\; flags constant, interval\;}
</source>

* '''gc-interval''', stands for garbage collection interval, can only be used if ''timeout'' or ''flags timeout'' are active. The interval follows the same format of ''timeouts'' time string ''"v1dv2hv3mv4s"''.

* '''elements''', initialize the set with some elements in it:

<source lang="bash">
% nft add set ip filter daddrs {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
</source>

This command creates a set name ''daddrs'' with elements ''192.168.1.1'', which stays in it for 10s, and ''192.168.1.2'', which stays for 30s.

* '''size''', limits the maximum number of elements of the set. To create a set with maximum 2 elements type:

<source lang="bash">
% nft add set ip filter saddrs {type ipv4_addr \; size 2 \;}
</source>

* '''policy''', determines set selection policy. Available values are:
** ''performance'' [default]
** ''memory''

= Listing named sets =

You can list the content of a named set via:

<source lang="bash">
% nft list set filter myset
</source>

Sets

2019-10-04T15:28:16Z

Fw: /* Named sets */

''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the representation of [[dictionaries]] and [[maps]].

The set elements are internally represented using performance data structures such as hashtables and red-black trees.

= Anonymous sets =

Anonymous sets are those that are:

* Bound to a rule, if the rule is removed, that set is released too.
* They have no specific name, the kernel internally allocates an identifier.
* They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule.

The following example shows how to create a simple set.

<source lang="bash">
% nft add rule filter output tcp dport { 22, 23 } counter
</source>

This rule above catches all traffic going to TCP ports 22 and 23, in case of matching the counters are updated.

Eric Leblond in his [https://home.regit.org/2014/01/why-you-will-love-nftables/ Why you will love nftables] article shows a very simple example to compare iptables with nftables:

<source lang="bash">
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
</source>

Which can be expressed in ''nftables'' with a couple of rules that provide a set:

<source lang="bash">
% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
</source>

= Named sets =

You can create the named sets with the following command:

<source lang="bash">
% nft add set ip filter blackhole { type ipv4_addr\;}
</source>

Note that ''blackhole'' is the name of the set in this case. The ''type'' option indicates the data type that this set stores, which is an IPv4 address in this case. Current maximum name length is 16 characters.

<source lang="bash">
% nft add element ip filter blackhole { 192.168.3.4 }
% nft add element ip filter blackhole { 192.168.1.4, 192.168.1.5 }
</source>

Then, you can use it from the rule:

<source lang="bash">
% nft add rule ip filter input ip saddr @blackhole drop
</source>

Named sets can be updated anytime, so you can add and delete element from them.

= Named sets specifications =

Sets specifications are:

* '''type''', is obligatory and determines the data type of the set elements. Supported data types currently are:
** ''ipv4_addr'': IPv4 address
** ''ipv6_addr'': IPv6 address.
** ''ether_addr'': Ethernet address.
** ''inet_proto'': Inet protocol type.
** ''inet_service'': Internet service (read tcp port for example)
** ''mark'': Mark type.

* '''timeout''', it determines how long an element stays in the set. The time string respects the format: ''"v1dv2hv3mv4s"'':

<source lang="bash">
% nft add table filter
% nft add set filter ports {type inet_service \; timeout 3h45s \;}
</source>

These commands create a table named ''filter'' and add a set named ''ports'' to it, where elements are deleted after 3 hours and 45 seconds of being added.

* '''flags''', the available flags are:
** ''constant'' - set content may not change while bound
** ''interval'' - set contains intervals
** ''timeout'' - elements can be added with a timeout

Multiple flags should be separated by comma:

<source lang="bash">
% nft add set filter flags_set {type ipv4_addr\; flags constant, interval\;}
</source>

* '''gc-interval''', stands for garbage collection interval, can only be used if ''timeout'' or ''flags timeout'' are active. The interval follows the same format of ''timeouts'' time string ''"v1dv2hv3mv4s"''.

* '''elements''', initialize the set with some elements in it:

<source lang="bash">
% nft add set filter daddrs {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
</source>

This command creates a set name ''daddrs'' with elements ''192.168.1.1'', which stays in it for 10s, and ''192.168.1.2'', which stays for 30s.

* '''size''', limits the maximum number of elements of the set. To create a set with maximum 2 elements type:

<source lang="bash">
% nft add set filter saddrs {type ipv4_addr \; size 2 \;}
</source>

* '''policy''', determines set selection policy. Available values are:
** ''performance'' [default]
** ''memory''

= Listing named sets =

You can list the content of a named set via:

<source lang="bash">
% nft list set filter myset
</source>

Sets

2019-10-04T15:27:37Z

Fw: add family to add set/element commands

''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the representation of [[dictionaries]] and [[maps]].

The set elements are internally represented using performance data structures such as hashtables and red-black trees.

= Anonymous sets =

Anonymous sets are those that are:

* Bound to a rule, if the rule is removed, that set is released too.
* They have no specific name, the kernel internally allocates an identifier.
* They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule.

The following example shows how to create a simple set.

<source lang="bash">
% nft add rule filter output tcp dport { 22, 23 } counter
</source>

This rule above catches all traffic going to TCP ports 22 and 23, in case of matching the counters are updated.

Eric Leblond in his [https://home.regit.org/2014/01/why-you-will-love-nftables/ Why you will love nftables] article shows a very simple example to compare iptables with nftables:

<source lang="bash">
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
</source>

Which can be expressed in ''nftables'' with a couple of rules that provide a set:

<source lang="bash">
% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
</source>

= Named sets =

You can create the named sets with the following command:

<source lang="bash">
% nft add set ip filter blackhole { type ipv4_addr\;}
</source>

Note that ''blackhole'' is the name of the set in this case. The ''type'' option indicates the data type that this set stores, which is an IPv4 address in this case. Current maximum name length is 16 characters.

<source lang="bash">
% nft add element ip filter blackhole { 192.168.3.4 }
% nft add element ip filter blackhole { 192.168.1.4, 192.168.1.5 }
</source>

Then, you can use it from the rule:

<source lang="bash">
% nft add rule ip input ip saddr @blackhole drop
</source>

Named sets can be updated anytime, so you can add and delete element from them.

= Named sets specifications =

Sets specifications are:

* '''type''', is obligatory and determines the data type of the set elements. Supported data types currently are:
** ''ipv4_addr'': IPv4 address
** ''ipv6_addr'': IPv6 address.
** ''ether_addr'': Ethernet address.
** ''inet_proto'': Inet protocol type.
** ''inet_service'': Internet service (read tcp port for example)
** ''mark'': Mark type.

* '''timeout''', it determines how long an element stays in the set. The time string respects the format: ''"v1dv2hv3mv4s"'':

<source lang="bash">
% nft add table filter
% nft add set filter ports {type inet_service \; timeout 3h45s \;}
</source>

These commands create a table named ''filter'' and add a set named ''ports'' to it, where elements are deleted after 3 hours and 45 seconds of being added.

* '''flags''', the available flags are:
** ''constant'' - set content may not change while bound
** ''interval'' - set contains intervals
** ''timeout'' - elements can be added with a timeout

Multiple flags should be separated by comma:

<source lang="bash">
% nft add set filter flags_set {type ipv4_addr\; flags constant, interval\;}
</source>

* '''gc-interval''', stands for garbage collection interval, can only be used if ''timeout'' or ''flags timeout'' are active. The interval follows the same format of ''timeouts'' time string ''"v1dv2hv3mv4s"''.

* '''elements''', initialize the set with some elements in it:

<source lang="bash">
% nft add set filter daddrs {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
</source>

This command creates a set name ''daddrs'' with elements ''192.168.1.1'', which stays in it for 10s, and ''192.168.1.2'', which stays for 30s.

* '''size''', limits the maximum number of elements of the set. To create a set with maximum 2 elements type:

<source lang="bash">
% nft add set filter saddrs {type ipv4_addr \; size 2 \;}
</source>

* '''policy''', determines set selection policy. Available values are:
** ''performance'' [default]
** ''memory''

= Listing named sets =

You can list the content of a named set via:

<source lang="bash">
% nft list set filter myset
</source>

Netfilter hooks

2019-06-27T14:29:33Z

Fw: /* Ingress hook */

If you are familiar with Netfilter, don't worry, most of the infrastructure remains the same. ''nftables'' reuses the existing hook infrastructure, [http://people.netfilter.org/pablo/docs/login.pdf Connection Tracking System], NAT engine, logging infrastructure, userspace queueing and so on. Therefore, '''we have only replaced the packet classification framework'''.

For those unfamiliar with Netfilter, we provide ASCII art to represent our hooks:

Local
process
^ | .-----------.
.-----------. | | | Routing |
| |-----> input / \---> | Decision |----> output \
--> prerouting --->| Routing | .-----------. \
| Decision | --> postrouting
| | /
| |---------------> forward ---------------------------
.-----------.

Basically, traffic flowing to the local machine in the input path see the prerouting and input hooks. Then, the traffic that is generated by local processes follows the output and postrouting path.

If you configure your Linux box to behave as router, do not forget to enable forwarding via:

echo 1 > /proc/sys/net/ipv4/ip_forward

And then, the packets that are not addressed to your local system will be seen from the forward hook. In summary, packets that are not addressed to local processes follow this path: prerouting, forward and postrouting.

= Ingress hook =

Since Linux kernel 4.2, Netfilter also comes with an ingress hook that you can use from nftables. So the big picture now look like this:

.-----------.
| |-----> input ...
---> ingress ---> prerouting --->| Routing |
| Decision |
| |
| |-----> forward ...
.-----------.

You can use this new ingress hook to filter traffic from Layer 2. This new hook comes before prerouting, so this allows you to enforce very early filtering policies. This new hook basically provides an alternative to '''tc''' ingress filtering. You still need tc for traffic shaping/queue management.

Configuring chains

2019-01-31T22:51:27Z

Fw: drop is terminal.

As in ''iptables'', you attach your [[Simple rule management|rules]] to chains. However, contrary to the ''iptables'' modus operandi, the ''nftables'' infrastructure comes with no predefined chains, so you need to register your base chains in first place before you can add any rule. This allows very flexible configurations.

= Adding base chains =

The syntax to add base chains is the following:

<source lang="bash">
% nft add chain [<family>] <table-name> <chain-name> { type <type> hook <hook> priority <value> \; [policy <policy>] }
</source>

Base chains are those that are registered into the [[Netfilter hooks]], ie. these chains see packets flowing through your Linux TCP/IP stack.

The following example show how you can add new base chains to the ''foo'' table through the following command:

<source lang="bash">
% nft add chain ip foo input { type filter hook input priority 0 \; }
</source>

'''Important''': You have to escape the semicolon if you are running this command from ''bash''.

This command registers the ''input'' chain, that it attached to the ''input'' hook so it will see packets that are addressed to the local processes.

The ''priority'' is important since it determines the ordering of the chains, thus, if you have several chains in the ''input'' hook, you can decide which one sees packets before another.

If you want to use ''nftables'' to filter traffic for desktop Linux computers, ie. a computer which does not forward traffic, you can also register the output chain:

<source lang="bash">
% nft add chain ip foo output { type filter hook output priority 0 \; }
</source>

Now you are ready to filter incoming (directed to local processes) and outgoing (generated by local processes) traffic.

'''Important note''': If you don't include the chain configuration that is specified enclosed in the curly braces, you are creating a non-base chain that will not see any packets (similar to ''iptables -N chain-name'').

Since nftables 0.5, you can also specify the default policy for base chains as in ''iptables'':

<source lang="bash">
% nft add chain ip foo output { type filter hook output priority 0 \; policy accept\; }
</source>

As in ''iptables'', the two possible default policies are ''accept'' and ''drop''.

When adding a chain on '''ingress''' hook, it is mandatory to specify the device where the chain will be attached:
<source lang="bash">
% nft add chain netdev foo dev0filter { type filter hook ingress device eth0 priority 0 \; }
</source>

== Base chain types ==

The possible chain types are:

* '''filter''', which is obviously used to filter packets. This is supported by the arp, bridge, ip, ip6 and inet table families.
* '''route''', which is used to reroute packets if any relevant IP header field or the packet mark is modified. If you are familiar with ''iptables'', this chain type provides equivalent semantics to the ''mangle'' table but only for the ''output'' hook (for other hooks use type ''filter'' instead). This is supported by the ip and ip6 table families.
* '''nat''', which is used to perform Networking Address Translation (NAT). The first packet that belongs to a flow always hits this chain, follow up packets not. Therefore, never use this chain for filtering. This is supported by the ip and ip6 table families.

== Base chain hooks ==

The possible hooks that you can use when you configure your chain are:

* '''prerouting''': the routing decision for those packets didn't happen yet, so you don't know if they are addressed to the local or remote systems.
* '''input''': It happens after the routing decision, you can see packets that are directed to the local system and processes running in system.
* '''forward''': It also happens after the routing decision, you can see packet that are not directed to the local machine.
* '''output''': to catch packets that are originated from processes in the local machine.
* '''postrouting''': After the routing decision for packets leaving the local system.
* '''ingress''' (only available at the ''netdev'' family): Since Linux kernel 4.2, you can filter traffic way before prerouting, after the packet is passed up from the NIC driver. So you have an alternative to ''tc''.

== Base chain priority ==

The priority can be used to order the chains or to put them before or after some Netfilter internal operations. For example, a chain on the ''prerouting'' hook with the priority ''-300'' will be placed before connection tracking operations.

For reference, here's the list of different priority used in iptables:

* NF_IP_PRI_CONNTRACK_DEFRAG (-400): priority of defragmentation
* NF_IP_PRI_RAW (-300): traditional priority of the raw table placed before connection tracking operation
* NF_IP_PRI_SELINUX_FIRST (-225): SELinux operations
* NF_IP_PRI_CONNTRACK (-200): Connection tracking operations
* NF_IP_PRI_MANGLE (-150): mangle operation
* NF_IP_PRI_NAT_DST (-100): destination NAT
* NF_IP_PRI_FILTER (0): filtering operation, the filter table
* NF_IP_PRI_SECURITY (50): Place of security table where secmark can be set for example
* NF_IP_PRI_NAT_SRC (100): source NAT
* NF_IP_PRI_SELINUX_LAST (225): SELinux at packet exit
* NF_IP_PRI_CONNTRACK_HELPER (300): connection tracking at exit

'''NOTE''': if a packet gets accepted and there is another base chain in the same hook which is ordered with a later priority, the packet will be evaluated '''again'''.
That is, packets will traverse chains in a given hook, until it is dropped or no more base chains exist. Drops take instant effect, no further rules or chains are evaluated.

Example ruleset of this behavior:

<pre>
table inet filter {
# this chain is evaluated first due to priority
chain ssh {
type filter hook input priority 0; policy accept;
# ssh packet accepted
tcp dport ssh accept
}

# this chain is evaluated last due to priority
chain input {
type filter hook input priority 1; policy drop;
# the same ssh packet is dropped here by means of default policy
}
}
</pre>

If priority of the 'input chain' above would be changed to -1, all packets would
be dropped.

== Base chain policy ==

This is the default verdict that will be applied to packets reaching the end of the chain (i.e, no more rules to be evaluated against).
Currently there are 2 policies: '''accept''' or '''drop'''.

* The ''accept'' verdict means that the packet will keep traversing the network stack.
* The ''drop'' verdict means that the packet is discarded if the packet reaches the end of the base chain.

= Adding non-base chains =

You can also create non-base chains as in ''iptables'' via:

<source lang="bash">
% nft add chain ip foo test
</source>

Note that this chain does '''not''' see any traffic as it is not attached to any hook, but it can be very useful to arrange your rule-set in a tree of chains by using the [[jumping to chain|jump to chain]] action.

= Deleting chains =

You can delete the chains that you don't need, eg.

<source lang="bash">
% nft delete chain ip foo input
</source>

The only condition is that the chain you want to delete needs to be empty, otherwise the kernel will tell you that such chain is in used.

<source lang="bash">
% nft delete chain ip foo input
<cmdline>:1:1-28: Error: Could not delete chain: Device or resource busy
delete chain ip foo input
^^^^^^^^^^^^^^^^^^^^^^^^^
</source>

You will have to [[Simple rule management|flush the ruleset]] in that chain before you can remove the chain.

= Flushing chain =

You can also flush the content of a chain. If you want to flush all the rule in the chain ''input'' of the ''foo'' table, you have to type:

<source lang="bash">
nft flush chain foo input
</source>

= Example configuration: Filtering traffic for your standalone computer =

You can create a table with two base chains to define rule to filter traffic coming to and leaving from your computer, asumming IPv4 connectivity:

<source lang="bash">
% nft add table ip filter
% nft add chain ip filter input { type filter hook input priority 0 \; }
% nft add chain ip filter output { type filter hook output priority 0 \; }
</source>

Now, you can start attaching [[Simple rule management|rules]] to these two base chains. Note that you don't need the ''forward'' chain in this case since this example assumes that you're configuring nftables to filter traffic for a standalone computer that doesn't behave as router.

Supported features compared to xtables

2019-01-03T10:13:04Z

Fw: move secmark/connsecmark target to supported section.

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== time ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== SET ====
* consider native interface
==== SYNPROXY ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, upcoming linux 4.20 (5.0?)
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14
==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== SECMARK ====
* nft_meta, since 4.20
==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, upcoming release (4.19)
==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Configuring chains

2018-11-14T16:08:05Z

Fw: /* Base chain priority */

As in ''iptables'', you attach your [[Simple rule management|rules]] to chains. However, contrary to the ''iptables'' modus operandi, the ''nftables'' infrastructure comes with no predefined chains, so you need to register your base chains in first place before you can add any rule. This allows very flexible configurations.

= Adding base chains =

The syntax to add base chains is the following:

<source lang="bash">
% nft add chain [<family>] <table-name> <chain-name> { type <type> hook <hook> priority <value> \; [policy <policy>] }
</source>

Base chains are those that are registered into the [[Netfilter hooks]], ie. these chains see packets flowing through your Linux TCP/IP stack.

The following example show how you can add new base chains to the ''foo'' table through the following command:

<source lang="bash">
% nft add chain ip foo input { type filter hook input priority 0 \; }
</source>

'''Important''': You have to escape the semicolon if you are running this command from ''bash''.

This command registers the ''input'' chain, that it attached to the ''input'' hook so it will see packets that are addressed to the local processes.

The ''priority'' is important since it determines the ordering of the chains, thus, if you have several chains in the ''input'' hook, you can decide which one sees packets before another.

If you want to use ''nftables'' to filter traffic for desktop Linux computers, ie. a computer which does not forward traffic, you can also register the output chain:

<source lang="bash">
% nft add chain ip foo output { type filter hook output priority 0 \; }
</source>

Now you are ready to filter incoming (directed to local processes) and outgoing (generated by local processes) traffic.

'''Important note''': If you don't include the chain configuration that is specified enclosed in the curly braces, you are creating a non-base chain that will not see any packets (similar to ''iptables -N chain-name'').

Since nftables 0.5, you can also specify the default policy for base chains as in ''iptables'':

<source lang="bash">
% nft add chain ip foo output { type filter hook output priority 0 \; policy accept\; }
</source>

As in ''iptables'', the two possible default policies are ''accept'' and ''drop''.

When adding a chain on '''ingress''' hook, it is mandatory to specify the device where the chain will be attached:
<source lang="bash">
% nft add chain netdev foo dev0filter { type filter hook ingress device eth0 priority 0 \; }
</source>

== Base chain types ==

The possible chain types are:

* '''filter''', which is obviously used to filter packets. This is supported by the arp, bridge, ip, ip6 and inet table families.
* '''route''', which is used to reroute packets if any relevant IP header field or the packet mark is modified. If you are familiar with ''iptables'', this chain type provides equivalent semantics to the ''mangle'' table but only for the ''output'' hook (for other hooks use type ''filter'' instead). This is supported by the ip and ip6 table families.
* '''nat''', which is used to perform Networking Address Translation (NAT). The first packet that belongs to a flow always hits this chain, follow up packets not. Therefore, never use this chain for filtering. This is supported by the ip and ip6 table families.

== Base chain hooks ==

The possible hooks that you can use when you configure your chain are:

* '''prerouting''': the routing decision for those packets didn't happen yet, so you don't know if they are addressed to the local or remote systems.
* '''input''': It happens after the routing decision, you can see packets that are directed to the local system and processes running in system.
* '''forward''': It also happens after the routing decision, you can see packet that are not directed to the local machine.
* '''output''': to catch packets that are originated from processes in the local machine.
* '''postrouting''': After the routing decision for packets leaving the local system.
* '''ingress''' (only available at the ''netdev'' family): Since Linux kernel 4.2, you can filter traffic way before prerouting, after the packet is passed up from the NIC driver. So you have an alternative to ''tc''.

== Base chain priority ==

The priority can be used to order the chains or to put them before or after some Netfilter internal operations. For example, a chain on the ''prerouting'' hook with the priority ''-300'' will be placed before connection tracking operations.

For reference, here's the list of different priority used in iptables:

* NF_IP_PRI_CONNTRACK_DEFRAG (-400): priority of defragmentation
* NF_IP_PRI_RAW (-300): traditional priority of the raw table placed before connection tracking operation
* NF_IP_PRI_SELINUX_FIRST (-225): SELinux operations
* NF_IP_PRI_CONNTRACK (-200): Connection tracking operations
* NF_IP_PRI_MANGLE (-150): mangle operation
* NF_IP_PRI_NAT_DST (-100): destination NAT
* NF_IP_PRI_FILTER (0): filtering operation, the filter table
* NF_IP_PRI_SECURITY (50): Place of security table where secmark can be set for example
* NF_IP_PRI_NAT_SRC (100): source NAT
* NF_IP_PRI_SELINUX_LAST (225): SELinux at packet exit
* NF_IP_PRI_CONNTRACK_HELPER (300): connection tracking at exit

'''NOTE''': if a packet gets accepted and there is another base chain in the same hook which is ordered with a later priority, the packet will be evaluated '''again'''.
That is, packets will traverse chains in a given hook, until it is dropped or no more base chains exist. Drops take instant effect, no further rules or chains are evaluated.

Example ruleset of this behavior:

<pre>
table inet filter {
# this chain is evaluated first due to priority
chain ssh {
type filter hook input priority 0; policy accept;
# ssh packet accepted
tcp dport ssh accept
}

# this chain is evaluated last due to priority
chain input {
type filter hook input priority 1; policy drop;
# the same ssh packet is dropped here by means of default policy
}
}
</pre>

If priority of the 'input chain' above would be changed to -1, all packets would
be dropped.

== Base chain policy ==

This is the default verdict that will be applied to packets reaching the end of the chain (i.e, no more rules to be evaluated against).
Currently there are 2 policies: '''accept''' or '''drop'''.

* The ''accept'' verdict means that the packet will keep traversing the network stack.
* The ''drop'' verdict means that the packet is discarded when this hook traversal is ended if no other verdict is applied later on (for example, in a higher priority chain in the same hook).

= Adding non-base chains =

You can also create non-base chains as in ''iptables'' via:

<source lang="bash">
% nft add chain ip foo test
</source>

Note that this chain does '''not''' see any traffic as it is not attached to any hook, but it can be very useful to arrange your rule-set in a tree of chains by using the [[jumping to chain|jump to chain]] action.

= Deleting chains =

You can delete the chains that you don't need, eg.

<source lang="bash">
% nft delete chain ip foo input
</source>

The only condition is that the chain you want to delete needs to be empty, otherwise the kernel will tell you that such chain is in used.

<source lang="bash">
% nft delete chain ip foo input
<cmdline>:1:1-28: Error: Could not delete chain: Device or resource busy
delete chain ip foo input
^^^^^^^^^^^^^^^^^^^^^^^^^
</source>

You will have to [[Simple rule management|flush the ruleset]] in that chain before you can remove the chain.

= Flushing chain =

You can also flush the content of a chain. If you want to flush all the rule in the chain ''input'' of the ''foo'' table, you have to type:

<source lang="bash">
nft flush chain foo input
</source>

= Example configuration: Filtering traffic for your standalone computer =

You can create a table with two base chains to define rule to filter traffic coming to and leaving from your computer, asumming IPv4 connectivity:

<source lang="bash">
% nft add table ip filter
% nft add chain ip filter input { type filter hook input priority 0 \; }
% nft add chain ip filter output { type filter hook output priority 0 \; }
</source>

Now, you can start attaching [[Simple rule management|rules]] to these two base chains. Note that you don't need the ''forward'' chain in this case since this example assumes that you're configuring nftables to filter traffic for a standalone computer that doesn't behave as router.

Configuring chains

2018-11-14T15:15:18Z

Fw: drops are instant, there is no re-evaluation by other hooks.

As in ''iptables'', you attach your [[Simple rule management|rules]] to chains. However, contrary to the ''iptables'' modus operandi, the ''nftables'' infrastructure comes with no predefined chains, so you need to register your base chains in first place before you can add any rule. This allows very flexible configurations.

= Adding base chains =

The syntax to add base chains is the following:

<source lang="bash">
% nft add chain [<family>] <table-name> <chain-name> { type <type> hook <hook> priority <value> \; [policy <policy>] }
</source>

Base chains are those that are registered into the [[Netfilter hooks]], ie. these chains see packets flowing through your Linux TCP/IP stack.

The following example show how you can add new base chains to the ''foo'' table through the following command:

<source lang="bash">
% nft add chain ip foo input { type filter hook input priority 0 \; }
</source>

'''Important''': You have to escape the semicolon if you are running this command from ''bash''.

This command registers the ''input'' chain, that it attached to the ''input'' hook so it will see packets that are addressed to the local processes.

The ''priority'' is important since it determines the ordering of the chains, thus, if you have several chains in the ''input'' hook, you can decide which one sees packets before another.

If you want to use ''nftables'' to filter traffic for desktop Linux computers, ie. a computer which does not forward traffic, you can also register the output chain:

<source lang="bash">
% nft add chain ip foo output { type filter hook output priority 0 \; }
</source>

Now you are ready to filter incoming (directed to local processes) and outgoing (generated by local processes) traffic.

'''Important note''': If you don't include the chain configuration that is specified enclosed in the curly braces, you are creating a non-base chain that will not see any packets (similar to ''iptables -N chain-name'').

Since nftables 0.5, you can also specify the default policy for base chains as in ''iptables'':

<source lang="bash">
% nft add chain ip foo output { type filter hook output priority 0 \; policy accept\; }
</source>

As in ''iptables'', the two possible default policies are ''accept'' and ''drop''.

When adding a chain on '''ingress''' hook, it is mandatory to specify the device where the chain will be attached:
<source lang="bash">
% nft add chain netdev foo dev0filter { type filter hook ingress device eth0 priority 0 \; }
</source>

== Base chain types ==

The possible chain types are:

* '''filter''', which is obviously used to filter packets. This is supported by the arp, bridge, ip, ip6 and inet table families.
* '''route''', which is used to reroute packets if any relevant IP header field or the packet mark is modified. If you are familiar with ''iptables'', this chain type provides equivalent semantics to the ''mangle'' table but only for the ''output'' hook (for other hooks use type ''filter'' instead). This is supported by the ip and ip6 table families.
* '''nat''', which is used to perform Networking Address Translation (NAT). The first packet that belongs to a flow always hits this chain, follow up packets not. Therefore, never use this chain for filtering. This is supported by the ip and ip6 table families.

== Base chain hooks ==

The possible hooks that you can use when you configure your chain are:

* '''prerouting''': the routing decision for those packets didn't happen yet, so you don't know if they are addressed to the local or remote systems.
* '''input''': It happens after the routing decision, you can see packets that are directed to the local system and processes running in system.
* '''forward''': It also happens after the routing decision, you can see packet that are not directed to the local machine.
* '''output''': to catch packets that are originated from processes in the local machine.
* '''postrouting''': After the routing decision for packets leaving the local system.
* '''ingress''' (only available at the ''netdev'' family): Since Linux kernel 4.2, you can filter traffic way before prerouting, after the packet is passed up from the NIC driver. So you have an alternative to ''tc''.

== Base chain priority ==

The priority can be used to order the chains or to put them before or after some Netfilter internal operations. For example, a chain on the ''prerouting'' hook with the priority ''-300'' will be placed before connection tracking operations.

For reference, here's the list of different priority used in iptables:

* NF_IP_PRI_CONNTRACK_DEFRAG (-400): priority of defragmentation
* NF_IP_PRI_RAW (-300): traditional priority of the raw table placed before connection tracking operation
* NF_IP_PRI_SELINUX_FIRST (-225): SELinux operations
* NF_IP_PRI_CONNTRACK (-200): Connection tracking operations
* NF_IP_PRI_MANGLE (-150): mangle operation
* NF_IP_PRI_NAT_DST (-100): destination NAT
* NF_IP_PRI_FILTER (0): filtering operation, the filter table
* NF_IP_PRI_SECURITY (50): Place of security table where secmark can be set for example
* NF_IP_PRI_NAT_SRC (100): source NAT
* NF_IP_PRI_SELINUX_LAST (225): SELinux at packet exit
* NF_IP_PRI_CONNTRACK_HELPER (300): connection tracking at exit

'''NOTE''': if a packet gets accepted and there is another base chain in the same hook which is ordered with a later priority, the packet will be evaluated '''again'''.
This is, the packet will traverse all the chains in a given hook, until it is dropped or no more base chains exist.

Example ruleset of this behavior:

<pre>
table inet filter {
# this chain is evaluated first due to priority
chain ssh {
type filter hook input priority 0; policy accept;
# ssh packet accepted
tcp dport ssh accept
}

# this chain is evaluated last due to priority
chain input {
type filter hook input priority 1; policy drop;
# the same ssh packet is dropped here by means of default policy
}
}
</pre>

== Base chain policy ==

This is the default verdict that will be applied to packets reaching the end of the chain (i.e, no more rules to be evaluated against).
Currently there are 2 policies: '''accept''' or '''drop'''.

* The ''accept'' verdict means that the packet will keep traversing the network stack.
* The ''drop'' verdict means that the packet is discarded when this hook traversal is ended if no other verdict is applied later on (for example, in a higher priority chain in the same hook).

= Adding non-base chains =

You can also create non-base chains as in ''iptables'' via:

<source lang="bash">
% nft add chain ip foo test
</source>

Note that this chain does '''not''' see any traffic as it is not attached to any hook, but it can be very useful to arrange your rule-set in a tree of chains by using the [[jumping to chain|jump to chain]] action.

= Deleting chains =

You can delete the chains that you don't need, eg.

<source lang="bash">
% nft delete chain ip foo input
</source>

The only condition is that the chain you want to delete needs to be empty, otherwise the kernel will tell you that such chain is in used.

<source lang="bash">
% nft delete chain ip foo input
<cmdline>:1:1-28: Error: Could not delete chain: Device or resource busy
delete chain ip foo input
^^^^^^^^^^^^^^^^^^^^^^^^^
</source>

You will have to [[Simple rule management|flush the ruleset]] in that chain before you can remove the chain.

= Flushing chain =

You can also flush the content of a chain. If you want to flush all the rule in the chain ''input'' of the ''foo'' table, you have to type:

<source lang="bash">
nft flush chain foo input
</source>

= Example configuration: Filtering traffic for your standalone computer =

You can create a table with two base chains to define rule to filter traffic coming to and leaving from your computer, asumming IPv4 connectivity:

<source lang="bash">
% nft add table ip filter
% nft add chain ip filter input { type filter hook input priority 0 \; }
% nft add chain ip filter output { type filter hook output priority 0 \; }
</source>

Now, you can start attaching [[Simple rule management|rules]] to these two base chains. Note that you don't need the ''forward'' chain in this case since this example assumes that you're configuring nftables to filter traffic for a standalone computer that doesn't behave as router.

Supported features compared to xtables

2018-10-29T17:18:32Z

Fw: /* matches: xt */

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== time ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CONNSECMARK ====
* nft_ct
==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== SECMARK ====
* nft_meta_target
==== SET ====
* consider native interface
==== SYNPROXY ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, upcoming linux 4.20 (5.0?)
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14
==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, upcoming release (4.19)
==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2018-10-29T17:17:09Z

Fw: /* policy */

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== time ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CONNSECMARK ====
* nft_ct
==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== SECMARK ====
* nft_meta_target
==== SET ====
* consider native interface
==== SYNPROXY ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14
==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, upcoming release (4.19)
==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2018-08-18T22:18:33Z

Fw: update 'date'

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== time ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CONNSECMARK ====
* nft_ct
==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interfac
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== SECMARK ====
* nft_meta_target
==== SET ====
* consider native interface
==== SYNPROXY ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16 (Florian Westphal).
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18 (Valentina Giusti/Ana Rey).
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18 (Ana Rey).
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== policy ====
* consider native interface. Refer to [[Configuring_chains#Base_chain_policy]].
==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14
==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18 (Phil Sutter)
==== CLASSIFY ====
* nft_meta, since 3.14 (Tomasz Bursztyka).
==== CONNMARK ====
* nft_ct
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash (Laura Garcia)
==== MARK ====
* nft_meta, since 3.14 (Tomasz Bursztyka).
==== NFLOG ====
* nft_log, since 3.17 (Pablo Neira).
==== NFQUEUE ====
* nft_queue, since 3.14 (Eric Leblond).
==== TEE ====
* nft_dup, since 4.3 (Pablo Neira)
==== TPROXY ====
* nft_tproxy, upcoming release (4.19)
==== TRACE ====
* nft_meta, since 3.14 (Tomasz Bursztyka).

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).
==== LOG ====
* nft_log, since 3.17 (Pablo Neira).
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18 (Arturo Borrero).
==== REDIRECT ====
* nft_redirect, since 3.19 (Arturo Borrero).

==== REJECT ====
* nft_reject_ipv4, since 3.13 (Patrick McHardy/Eric Leblond).
* nft_reject_inet, since 3.14 (Patrick McHardy).
* nft_reject_bridge, since 3.18 (Pablo Neira)
==== SNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).
==== LOG ====
* nft_log, since 3.17 (Pablo Neira).
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18 (Arturo Borrero).
==== REDIRECT ====
* nft_redirect, since 3.19 (Arturo Borrero).

==== REJECT ====
* nft_reject_ipv6, since 3.14 (Patrick McHardy/Eric Leblond)
* nft_reject_inet, since 3.14 (Patrick McHardy).
* nft_reject_bridge, since 3.18 (Pablo Neira)
==== SNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2018-08-18T22:12:02Z

Fw: update list of supported targets and matches

Last update: 2016/Jan/11

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== time ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CONNSECMARK ====
* nft_ct
==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interfac
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== SECMARK ====
* nft_meta_target
==== SET ====
* consider native interface
==== SYNPROXY ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16 (Florian Westphal).
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18 (Valentina Giusti/Ana Rey).
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18 (Ana Rey).
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== policy ====
* consider native interface. Refer to [[Configuring_chains#Base_chain_policy]].
==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14
==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18 (Phil Sutter)
==== CLASSIFY ====
* nft_meta, since 3.14 (Tomasz Bursztyka).
==== CONNMARK ====
* nft_ct
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash (Laura Garcia)
==== MARK ====
* nft_meta, since 3.14 (Tomasz Bursztyka).
==== NFLOG ====
* nft_log, since 3.17 (Pablo Neira).
==== NFQUEUE ====
* nft_queue, since 3.14 (Eric Leblond).
==== TEE ====
* nft_dup, since 4.3 (Pablo Neira)
==== TPROXY ====
* nft_tproxy, upcoming release (4.19)
==== TRACE ====
* nft_meta, since 3.14 (Tomasz Bursztyka).

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).
==== LOG ====
* nft_log, since 3.17 (Pablo Neira).
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18 (Arturo Borrero).
==== REDIRECT ====
* nft_redirect, since 3.19 (Arturo Borrero).

==== REJECT ====
* nft_reject_ipv4, since 3.13 (Patrick McHardy/Eric Leblond).
* nft_reject_inet, since 3.14 (Patrick McHardy).
* nft_reject_bridge, since 3.18 (Pablo Neira)
==== SNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).
==== LOG ====
* nft_log, since 3.17 (Pablo Neira).
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18 (Arturo Borrero).
==== REDIRECT ====
* nft_redirect, since 3.19 (Arturo Borrero).

==== REJECT ====
* nft_reject_ipv6, since 3.14 (Patrick McHardy/Eric Leblond)
* nft_reject_inet, since 3.14 (Patrick McHardy).
* nft_reject_bridge, since 3.18 (Pablo Neira)
==== SNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2018-08-18T22:03:42Z

Fw: remove implemented targets/matches from unsupported section

Last update: 2016/Jan/11

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== time ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CONNSECMARK ====
* nft_ct
==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interfac
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== SECMARK ====
* nft_meta_target
==== SET ====
* consider native interface
==== SYNPROXY ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel
==== cgroup ====
* nft_meta.
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira).
==== connbytes ====
* nft_ct, 4.5 kernel
==== connlabel ====
* nft_meta, since 3.16 (Florian Westphal).
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18 (Valentina Giusti/Ana Rey).
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18 (Ana Rey).
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== policy ====
* consider native interface. Refer to [[Configuring_chains#Base_chain_policy]].
==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14
==== udp ====
* nft_payload

=== targets: xt ===

==== CLASSIFY ====
* nft_meta, since 3.14 (Tomasz Bursztyka).
==== CONNMARK ====
==== MARK ====
* nft_meta, since 3.14 (Tomasz Bursztyka).
==== NFLOG ====
* nft_log, since 3.17 (Pablo Neira).
==== NFQUEUE ====
* nft_queue, since 3.14 (Eric Leblond). '''Bridge support still missing'''.
==== TEE ====
* nft_dup, since 4.3 (Pablo Neira)
==== TRACE ====
* nft_meta, since 3.14 (Tomasz Bursztyka).

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).
==== LOG ====
* nft_log, since 3.17 (Pablo Neira).
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18 (Arturo Borrero).
==== REDIRECT ====
* nft_redirect, since 3.19 (Arturo Borrero).

==== REJECT ====
* nft_reject_ipv4, since 3.13 (Patrick McHardy/Eric Leblond).
* nft_reject_inet, since 3.14 (Patrick McHardy).
* nft_reject_bridge, since 3.18 (Pablo Neira)
==== SNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).
==== LOG ====
* nft_log, since 3.17 (Pablo Neira).
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18 (Arturo Borrero).
==== REDIRECT ====
* nft_redirect, since 3.19 (Arturo Borrero).

==== REJECT ====
* nft_reject_ipv6, since 3.14 (Patrick McHardy/Eric Leblond)
* nft_reject_inet, since 3.14 (Patrick McHardy).
* nft_reject_bridge, since 3.18 (Pablo Neira)
==== SNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

List of available translations via iptables-translate tool

2018-02-18T22:06:33Z

Fw: MARK target seems fully supported

The following '''matches and targets''' (in alphabetic order) can be fully translated via iptables-translate tool:
== Translatable extensions ==
=== Matches ===
====xt====

* ipcomp
* comment
* connlabel
* connmark
* conntrack
* cpu
* devgroup
* dscp
* esp
* helper
* iprange
* length
* limit
* mac
* mark
* pkttype
* state
* tcp
* udp

====ip====

* ah
* realm
* ttl

====ip6====

* ah
* frag
* hbh
* hl
* mh

=== Targets ===

====xt====
* CLASSIFY
* NFLOG
* NFQUEUE
* MARK
* TEE
* TRACE

====ip====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

====ip6====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

Following '''matches''' and '''targets''' are yet to be translated:

== Partially translatable extensions ==

=== Matches ===
====xt====
* dccp
[Waiting for support of --dccp-option]
* ecn
[Waiting for support of --ecn-tcp-ece and --ecn-tcp-cwr]
* multiport
[Waiting for support of --ports]
* owner
[Waiting for support of --socket-exists]
* sctp
[Waiting for support of --chunk-types]

====ip====
*icmp
[Waiting for support of packet types]

====ip6====
*icmp6
[Waiting for support of packet types]
* rt
[Waiting for support of --rt-0-res, --rt-0-addrs, --rt-0-not-strict] (partial translations available)

=== Targets ===
====xt====

* CONNMARK
[Waiting for support of --save-mark, --restore-mark, --set-mark and --set-xmark] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.

====ip====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)
====ip6====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)

== Untranslatable extensions ==

=== Matches ===

====xt====
* cgroup
[Waiting for support of cgroup2 path-based in nft]
* set
[Waiting for support]
: Suggestions for adding support:
:* Add counters to each element of a set. A counter contains the number of packets that matched an element and the total number of bytes. There must be the option of enabling or disabling the update of counters' values at will. Also counters' values must be accesible in order to do comparisons.
:* Sets must include different types of elements. Sets must have support for the "nomatch" flag.
[[User:Robgc|Robgc]] ([[User talk:Robgc|talk]]) 21:48, 21 September 2016 (CEST)

====ip6====
* ipv6header

List of available translations via iptables-translate tool

2018-02-18T22:05:58Z

Fw: mark appears fully supported

The following '''matches and targets''' (in alphabetic order) can be fully translated via iptables-translate tool:
== Translatable extensions ==
=== Matches ===
====xt====

* ipcomp
* comment
* connlabel
* connmark
* conntrack
* cpu
* devgroup
* dscp
* esp
* helper
* iprange
* length
* limit
* mac
* mark
* pkttype
* state
* tcp
* udp

====ip====

* ah
* realm
* ttl

====ip6====

* ah
* frag
* hbh
* hl
* mh

=== Targets ===

====xt====
* CLASSIFY
* NFLOG
* NFQUEUE
* TEE
* TRACE

====ip====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

====ip6====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

Following '''matches''' and '''targets''' are yet to be translated:

== Partially translatable extensions ==

=== Matches ===
====xt====
* dccp
[Waiting for support of --dccp-option]
* ecn
[Waiting for support of --ecn-tcp-ece and --ecn-tcp-cwr]
* multiport
[Waiting for support of --ports]
* owner
[Waiting for support of --socket-exists]
* sctp
[Waiting for support of --chunk-types]

====ip====
*icmp
[Waiting for support of packet types]

====ip6====
*icmp6
[Waiting for support of packet types]
* rt
[Waiting for support of --rt-0-res, --rt-0-addrs, --rt-0-not-strict] (partial translations available)

=== Targets ===
====xt====

* CONNMARK
[Waiting for support of --save-mark, --restore-mark, --set-mark and --set-xmark] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.

====ip====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)
====ip6====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)

== Untranslatable extensions ==

=== Matches ===

====xt====
* cgroup
[Waiting for support of cgroup2 path-based in nft]
* set
[Waiting for support]
: Suggestions for adding support:
:* Add counters to each element of a set. A counter contains the number of packets that matched an element and the total number of bytes. There must be the option of enabling or disabling the update of counters' values at will. Also counters' values must be accesible in order to do comparisons.
:* Sets must include different types of elements. Sets must have support for the "nomatch" flag.
[[User:Robgc|Robgc]] ([[User talk:Robgc|talk]]) 21:48, 21 September 2016 (CEST)

====ip6====
* ipv6header

List of available translations via iptables-translate tool

2018-02-18T21:41:35Z

Fw: /* Targets */

The following '''matches and targets''' (in alphabetic order) can be fully translated via iptables-translate tool:
== Translatable extensions ==
=== Matches ===
====xt====

* ipcomp
* comment
* connlabel
* connmark
* conntrack
* cpu
* devgroup
* dscp
* esp
* helper
* iprange
* length
* limit
* mac
* mark
* pkttype
* state
* tcp
* udp

====ip====

* ah
* realm
* ttl

====ip6====

* ah
* frag
* hbh
* hl
* mh

=== Targets ===

====xt====
* CLASSIFY
* NFLOG
* NFQUEUE
* TEE
* TRACE

====ip====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

====ip6====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

Following '''matches''' and '''targets''' are yet to be translated:

== Partially translatable extensions ==

=== Matches ===
====xt====
* dccp
[Waiting for support of --dccp-option]
* ecn
[Waiting for support of --ecn-tcp-ece and --ecn-tcp-cwr]
* multiport
[Waiting for support of --ports]
* owner
[Waiting for support of --socket-exists]
* sctp
[Waiting for support of --chunk-types]

====ip====
*icmp
[Waiting for support of packet types]

====ip6====
*icmp6
[Waiting for support of packet types]
* rt
[Waiting for support of --rt-0-res, --rt-0-addrs, --rt-0-not-strict] (partial translations available)

=== Targets ===
====xt====
* MARK
[--set-mark and --set-xmark options are not fully supported] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.
* CONNMARK
[Waiting for support of --save-mark, --restore-mark, --set-mark and --set-xmark] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.

====ip====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)
====ip6====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)

== Untranslatable extensions ==

=== Matches ===

====xt====
* cgroup
[Waiting for support of cgroup2 path-based in nft]
* set
[Waiting for support]
: Suggestions for adding support:
:* Add counters to each element of a set. A counter contains the number of packets that matched an element and the total number of bytes. There must be the option of enabling or disabling the update of counters' values at will. Also counters' values must be accesible in order to do comparisons.
:* Sets must include different types of elements. Sets must have support for the "nomatch" flag.
[[User:Robgc|Robgc]] ([[User talk:Robgc|talk]]) 21:48, 21 September 2016 (CEST)

====ip6====
* ipv6header

List of available translations via iptables-translate tool

2018-02-18T21:41:18Z

Fw: split partial and untranslateable options.

The following '''matches and targets''' (in alphabetic order) can be fully translated via iptables-translate tool:
== Translatable extensions ==
=== Matches ===
====xt====

* ipcomp
* comment
* connlabel
* connmark
* conntrack
* cpu
* devgroup
* dscp
* esp
* helper
* iprange
* length
* limit
* mac
* mark
* pkttype
* state
* tcp
* udp

====ip====

* ah
* realm
* ttl

====ip6====

* ah
* frag
* hbh
* hl
* mh

=== Targets ===

====xt====
* NFLOG
* NFQUEUE
* TEE
* TRACE

====ip====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

====ip6====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

Following '''matches''' and '''targets''' are yet to be translated:

== Partially translatable extensions ==

=== Matches ===
====xt====
* dccp
[Waiting for support of --dccp-option]
* ecn
[Waiting for support of --ecn-tcp-ece and --ecn-tcp-cwr]
* multiport
[Waiting for support of --ports]
* owner
[Waiting for support of --socket-exists]
* sctp
[Waiting for support of --chunk-types]

====ip====
*icmp
[Waiting for support of packet types]

====ip6====
*icmp6
[Waiting for support of packet types]
* rt
[Waiting for support of --rt-0-res, --rt-0-addrs, --rt-0-not-strict] (partial translations available)

=== Targets ===
====xt====
* MARK
[--set-mark and --set-xmark options are not fully supported] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.
* CONNMARK
[Waiting for support of --save-mark, --restore-mark, --set-mark and --set-xmark] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.

====ip====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)
====ip6====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)

== Untranslatable extensions ==

=== Matches ===

====xt====
* cgroup
[Waiting for support of cgroup2 path-based in nft]
* set
[Waiting for support]
: Suggestions for adding support:
:* Add counters to each element of a set. A counter contains the number of packets that matched an element and the total number of bytes. There must be the option of enabling or disabling the update of counters' values at will. Also counters' values must be accesible in order to do comparisons.
:* Sets must include different types of elements. Sets must have support for the "nomatch" flag.
[[User:Robgc|Robgc]] ([[User talk:Robgc|talk]]) 21:48, 21 September 2016 (CEST)

====ip6====
* ipv6header

List of available translations via iptables-translate tool

2018-02-18T10:13:36Z

Fw: /* xt */

The following '''matches and targets''' (in alphabetic order) can be fully translated via iptables-translate tool:
== Translatable extensions ==
=== Matches ===
====xt====

* ipcomp
* comment
* connlabel
* connmark
* conntrack
* cpu
* devgroup
* dscp
* esp
* helper
* iprange
* length
* limit
* mac
* mark
* pkttype
* state
* tcp
* udp

====ip====

* ah
* realm
* ttl

====ip6====

* ah
* frag
* hbh
* hl
* mh

=== Targets ===

====xt====
* NFLOG
* NFQUEUE
* TEE
* TRACE

====ip====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

====ip6====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

Following '''matches''' and '''targets''' are yet to be translated:

== Untranslatable extensions ==

=== Matches ===

====xt====
* cgroup
[Waiting for support of cgroup2 path-based in nft]
* dccp
[Waiting for support of --dccp-option] (partial translations available)
* ecn
[Waiting for support of --ecn-tcp-ece and --ecn-tcp-cwr] (partial translations available)
* multiport
[Waiting for support of --ports] (partial translations available)
* owner
[Waiting for support of --socket-exists] (partial translations available)
* sctp
[Waiting for support of --chunk-types] (partial translations available)
* set
[Waiting for support]
: Suggestions for adding support:
:* Add counters to each element of a set. A counter contains the number of packets that matched an element and the total number of bytes. There must be the option of enabling or disabling the update of counters' values at will. Also counters' values must be accesible in order to do comparisons.
:* Sets must include different types of elements. Sets must have support for the "nomatch" flag.
[[User:Robgc|Robgc]] ([[User talk:Robgc|talk]]) 21:48, 21 September 2016 (CEST)

====ip====
*icmp
[Waiting for support of packet types]

====ip6====
*icmp6
[Waiting for support of packet types]
* ipv6header
* rt
[Waiting for support of --rt-0-res, --rt-0-addrs, --rt-0-not-strict] (partial translations available)

=== Targets ===
====xt====
* CLASSIFY
[Requires bug fixing]
* MARK
[--set-mark and --set-xmark options are not fully supported] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.
* CONNMARK
[Waiting for support of --save-mark, --restore-mark, --set-mark and --set-xmark] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.

====ip====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)
====ip6====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)

List of available translations via iptables-translate tool

2018-02-18T10:13:10Z

Fw: /* Matches */

The following '''matches and targets''' (in alphabetic order) can be fully translated via iptables-translate tool:
== Translatable extensions ==
=== Matches ===
====xt====

* comment
* connlabel
* connmark
* conntrack
* cpu
* devgroup
* dscp
* esp
* helper
* iprange
* length
* limit
* mac
* mark
* pkttype
* state
* tcp
* udp

====ip====

* ah
* realm
* ttl

====ip6====

* ah
* frag
* hbh
* hl
* mh

=== Targets ===

====xt====
* NFLOG
* NFQUEUE
* TEE
* TRACE

====ip====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

====ip6====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

Following '''matches''' and '''targets''' are yet to be translated:

== Untranslatable extensions ==

=== Matches ===

====xt====
* cgroup
[Waiting for support of cgroup2 path-based in nft]
* dccp
[Waiting for support of --dccp-option] (partial translations available)
* ecn
[Waiting for support of --ecn-tcp-ece and --ecn-tcp-cwr] (partial translations available)
* multiport
[Waiting for support of --ports] (partial translations available)
* owner
[Waiting for support of --socket-exists] (partial translations available)
* sctp
[Waiting for support of --chunk-types] (partial translations available)
* set
[Waiting for support]
: Suggestions for adding support:
:* Add counters to each element of a set. A counter contains the number of packets that matched an element and the total number of bytes. There must be the option of enabling or disabling the update of counters' values at will. Also counters' values must be accesible in order to do comparisons.
:* Sets must include different types of elements. Sets must have support for the "nomatch" flag.
[[User:Robgc|Robgc]] ([[User talk:Robgc|talk]]) 21:48, 21 September 2016 (CEST)

====ip====
*icmp
[Waiting for support of packet types]

====ip6====
*icmp6
[Waiting for support of packet types]
* ipv6header
* rt
[Waiting for support of --rt-0-res, --rt-0-addrs, --rt-0-not-strict] (partial translations available)

=== Targets ===
====xt====
* CLASSIFY
[Requires bug fixing]
* MARK
[--set-mark and --set-xmark options are not fully supported] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.
* CONNMARK
[Waiting for support of --save-mark, --restore-mark, --set-mark and --set-xmark] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.

====ip====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)
====ip6====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)

List of available translations via iptables-translate tool

2018-02-18T08:39:47Z

Fw: /* xt */

The following '''matches and targets''' (in alphabetic order) can be fully translated via iptables-translate tool:
== Translatable extensions ==
=== Matches ===
====xt====

* comment
* connlabel
* connmark
* conntrack
* cpu
* devgroup
* dscp
* esp
* helper
* iprange
* length
* limit
* mac
* mark
* pkttype
* state
* tcp
* udp

====ip====

* ah
* realm
* ttl

====ip6====

* ah
* frag
* hbh
* hl
* mh

=== Targets ===

====xt====
* NFLOG
* NFQUEUE
* TEE
* TRACE

====ip====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

====ip6====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

Following '''matches''' and '''targets''' are yet to be translated:

== Untranslatable extensions ==

=== Matches ===

====xt====
* cgroup
[Waiting for support of cgroup2 path-based in nft]
* dccp
[Waiting for support of --dccp-option] (partial translations available)
* ecn
[Waiting for support of --ecn-tcp-ece and --ecn-tcp-cwr] (partial translations available)
* ipcomp
[Waiting for support of --compres] (partial translations available)
* multiport
[Waiting for support of --ports] (partial translations available)
* owner
[Waiting for support of --socket-exists] (partial translations available)
* sctp
[Waiting for support of --chunk-types] (partial translations available)
* set
[Waiting for support]
: Suggestions for adding support:
:* Add counters to each element of a set. A counter contains the number of packets that matched an element and the total number of bytes. There must be the option of enabling or disabling the update of counters' values at will. Also counters' values must be accesible in order to do comparisons.
:* Sets must include different types of elements. Sets must have support for the "nomatch" flag.
[[User:Robgc|Robgc]] ([[User talk:Robgc|talk]]) 21:48, 21 September 2016 (CEST)

====ip====
*icmp
[Waiting for support of packet types]

====ip6====
*icmp6
[Waiting for support of packet types]
* ipv6header
* rt
[Waiting for support of --rt-0-res, --rt-0-addrs, --rt-0-not-strict] (partial translations available)

=== Targets ===
====xt====
* CLASSIFY
[Requires bug fixing]
* MARK
[--set-mark and --set-xmark options are not fully supported] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.
* CONNMARK
[Waiting for support of --save-mark, --restore-mark, --set-mark and --set-xmark] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.

====ip====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)
====ip6====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)