nftables wiki - User contributions [en]

GeoIP matching

2020-08-03T10:31:33Z

Jose: Update github clone link

You can use a external script '''nft_geoip.py''', at [https://github.com/JMGuisadoG/nftables-geoip nftables-geoip], to generate mappings between countries and marks that can be later included into your ruleset.

== How to get the script ==

Clone [https://github.com/pvxe/nftables-geoip nftables-geoip repo]

== How to use the script ==

''You can use'' <code lang="bash"> ./nft_geoip --help </code> ''to show the script help''

The script need two .csv files.

* A country data csv (location.csv), its path can be specified with <code lang="bash"> --file-location </code> option
* A geoip data csv (dbip.csv), its path can be specified with <code lang="bash"> --file-address </code> option

=== location.csv ===

The script ships with this file. A modified .csv that contains country data needed to generate the maps.

=== dbip.csv ===

This .csv '''is not shipped''' and needed to be retrieved before using the script. There exist the option <code lang="bash"> --download </code> to do so.

== Generating the geoip maps ==

To generate the mappings in the current directory (assuming you don't have the dbip.csv file)

./nft_geoip.py --file-location location.csv --download

You can specify a different (existing) output directory with <code lang="bash"> --output-dir </code>

== Output files ==

rwxr-xr-x 2 foobar foobar 4,0K ene 4 19:38 .
drwxr-xr-x 5 foobar foobar 4,0K ene 4 19:38 ..
-rw-r--r-- 1 foobar foobar 22M ene 4 19:38 dbip.csv
-rw-r--r-- 1 foobar foobar 956 ene 4 19:38 geoip-def-africa.nft
-rw-r--r-- 1 foobar foobar 8,3K ene 4 19:38 geoip-def-all.nft
-rw-r--r-- 1 foobar foobar 902 ene 4 19:38 geoip-def-americas.nft
-rw-r--r-- 1 foobar foobar 15 ene 4 19:38 geoip-def-antarctica.nft
-rw-r--r-- 1 foobar foobar 808 ene 4 19:38 geoip-def-asia.nft
-rw-r--r-- 1 foobar foobar 810 ene 4 19:38 geoip-def-europe.nft
-rw-r--r-- 1 foobar foobar 461 ene 4 19:38 geoip-def-oceania.nft
-rw-r--r-- 1 foobar foobar 8,8M ene 4 19:38 geoip-ipv4.nft
-rw-r--r-- 1 foobar foobar 16M ene 4 19:38 geoip-ipv6.nft

When everything is finished you will find the following files in your output directory

* '''geoip-def-all.nft'''

Containing all definitions. (eg. <code lang="bash"> define $CA = 124 </code>) the variable name is its
It also contains a map between country marks and its corresponding continent mark.

* '''geoip-def-{continent}.nft'''

Subset of definitions for countries of a given continent. To be used as marks.

* '''geoip-ipv4.nft'''

Containing the map between ipv4 ranges and its geoip data. <code lang="bash">@geoip4</code>

* '''geoip-ipv6.nft'''

Containing the map between ipv6 ranges and its geoip data. <code lang="bash">@geoip6</code>

== Marking packets with its country code ==

meta mark set ip saddr map @geoip4

meta mark set ip6 saddr map @geoip6

== Matching packets by its country code ==

'''You can only use the country definitions inside your ruleset file and not inside an interactive nft shell'''

For example, to match packets marked with the Canada mark.

meta mark $CA

See the relevant section in [https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation#Matching_packets_by_packet_mark Matching packet metainformation]

== Examples ==

=== Marking input ipv4 packets and counting Spanish traffic ===

table filter {
include "./geoip-def-all.nft"
include "./geoip-ipv4.nft"

chain input {
type filter hook input priority filter; policy accept;
meta mark set ip saddr map @geoip4
meta mark $ES counter
}
}

Supported features compared to xtables

2020-02-05T14:06:00Z

Jose: Fix "recent" order position inside xt matches

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== policy ====
* nft_xfrm, since 5.0
==== recent ====
* consider native interface. Refer to [[Sets]].
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14

==== time ====
* nft_meta, upcoming 5.4

==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== SECMARK ====
* nft_meta, since 4.20

==== SYNPROXY ====
* nft_synproxy, since 5.3

==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, since 4.19

==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

List of available translations via iptables-translate tool

2020-02-05T13:27:52Z

Jose: Add owner to translatable extensions. See commit 3d7d1afe4 in iptables-extensions repo

The following '''matches and targets''' (in alphabetic order) can be fully translated via iptables-translate tool:
== Translatable extensions ==
=== Matches ===
====xt====

* addrtype
* ipcomp
* comment
* connlabel
* connmark
* conntrack
* cpu
* dccp
* devgroup
* dscp
* ecn
* esp
* helper
* iprange
* length
* limit
* mac
* mark
* owner
* pkttype
* state
* tcp
* udp

====ip====

* ah
* realm
* ttl

====ip6====

* ah
* frag
* hbh
* hl
* mh

=== Targets ===

====xt====
* CLASSIFY
* NFLOG
* NFQUEUE
* MARK
* TEE
* TRACE

====ip====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

====ip6====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

Following '''matches''' and '''targets''' are yet to be translated:

== Partially translatable extensions ==

=== Matches ===
====xt====
* multiport
[Waiting for support of --ports]
* owner
[Waiting for support of --socket-exists]
* sctp
[Waiting for support of --chunk-types]
* time
[Waiting for support of --monthdays]

====ip====
*icmp
[Waiting for support of packet types]

====ip6====
*icmp6
[Waiting for support of packet types]
* rt
[Waiting for support of --rt-0-res, --rt-0-addrs, --rt-0-not-strict] (partial translations available)

=== Targets ===
====xt====

* CONNMARK
[Waiting for support of --save-mark, --restore-mark, --set-mark and --set-xmark] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.

====ip====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)
====ip6====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)

== Untranslatable extensions ==

=== Matches ===

====xt====
* cgroup
[Waiting for support of cgroup2 path-based in nft]
* set
[Waiting for support]
: Suggestions for adding support:
:* Add counters to each element of a set. A counter contains the number of packets that matched an element and the total number of bytes. There must be the option of enabling or disabling the update of counters' values at will. Also counters' values must be accesible in order to do comparisons.
:* Sets must include different types of elements. Sets must have support for the "nomatch" flag.
[[User:Robgc|Robgc]] ([[User talk:Robgc|talk]]) 21:48, 21 September 2016 (CEST)

====ip6====
* ipv6header

List of available translations via iptables-translate tool

2020-02-05T09:29:39Z

Jose: Add addrtype extension. See commit 9f972f45

The following '''matches and targets''' (in alphabetic order) can be fully translated via iptables-translate tool:
== Translatable extensions ==
=== Matches ===
====xt====

* addrtype
* ipcomp
* comment
* connlabel
* connmark
* conntrack
* cpu
* dccp
* devgroup
* dscp
* ecn
* esp
* helper
* iprange
* length
* limit
* mac
* mark
* pkttype
* state
* tcp
* udp

====ip====

* ah
* realm
* ttl

====ip6====

* ah
* frag
* hbh
* hl
* mh

=== Targets ===

====xt====
* CLASSIFY
* NFLOG
* NFQUEUE
* MARK
* TEE
* TRACE

====ip====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

====ip6====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

Following '''matches''' and '''targets''' are yet to be translated:

== Partially translatable extensions ==

=== Matches ===
====xt====
* multiport
[Waiting for support of --ports]
* owner
[Waiting for support of --socket-exists]
* sctp
[Waiting for support of --chunk-types]
* time
[Waiting for support of --monthdays]

====ip====
*icmp
[Waiting for support of packet types]

====ip6====
*icmp6
[Waiting for support of packet types]
* rt
[Waiting for support of --rt-0-res, --rt-0-addrs, --rt-0-not-strict] (partial translations available)

=== Targets ===
====xt====

* CONNMARK
[Waiting for support of --save-mark, --restore-mark, --set-mark and --set-xmark] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.

====ip====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)
====ip6====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)

== Untranslatable extensions ==

=== Matches ===

====xt====
* cgroup
[Waiting for support of cgroup2 path-based in nft]
* set
[Waiting for support]
: Suggestions for adding support:
:* Add counters to each element of a set. A counter contains the number of packets that matched an element and the total number of bytes. There must be the option of enabling or disabling the update of counters' values at will. Also counters' values must be accesible in order to do comparisons.
:* Sets must include different types of elements. Sets must have support for the "nomatch" flag.
[[User:Robgc|Robgc]] ([[User talk:Robgc|talk]]) 21:48, 21 September 2016 (CEST)

====ip6====
* ipv6header

List of available translations via iptables-translate tool

2020-02-04T16:01:00Z

Jose: Add time extension. See commit ac5794e3

The following '''matches and targets''' (in alphabetic order) can be fully translated via iptables-translate tool:
== Translatable extensions ==
=== Matches ===
====xt====

* ipcomp
* comment
* connlabel
* connmark
* conntrack
* cpu
* dccp
* devgroup
* dscp
* ecn
* esp
* helper
* iprange
* length
* limit
* mac
* mark
* pkttype
* state
* tcp
* udp

====ip====

* ah
* realm
* ttl

====ip6====

* ah
* frag
* hbh
* hl
* mh

=== Targets ===

====xt====
* CLASSIFY
* NFLOG
* NFQUEUE
* MARK
* TEE
* TRACE

====ip====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

====ip6====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

Following '''matches''' and '''targets''' are yet to be translated:

== Partially translatable extensions ==

=== Matches ===
====xt====
* multiport
[Waiting for support of --ports]
* owner
[Waiting for support of --socket-exists]
* sctp
[Waiting for support of --chunk-types]
* time
[Waiting for support of --monthdays]

====ip====
*icmp
[Waiting for support of packet types]

====ip6====
*icmp6
[Waiting for support of packet types]
* rt
[Waiting for support of --rt-0-res, --rt-0-addrs, --rt-0-not-strict] (partial translations available)

=== Targets ===
====xt====

* CONNMARK
[Waiting for support of --save-mark, --restore-mark, --set-mark and --set-xmark] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.

====ip====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)
====ip6====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)

== Untranslatable extensions ==

=== Matches ===

====xt====
* cgroup
[Waiting for support of cgroup2 path-based in nft]
* set
[Waiting for support]
: Suggestions for adding support:
:* Add counters to each element of a set. A counter contains the number of packets that matched an element and the total number of bytes. There must be the option of enabling or disabling the update of counters' values at will. Also counters' values must be accesible in order to do comparisons.
:* Sets must include different types of elements. Sets must have support for the "nomatch" flag.
[[User:Robgc|Robgc]] ([[User talk:Robgc|talk]]) 21:48, 21 September 2016 (CEST)

====ip6====
* ipv6header

List of available translations via iptables-translate tool

2020-01-28T14:27:11Z

Jose: Move dccp to translatable extensions. iptables-translate already supports --dccp-option. See commit c94a998

The following '''matches and targets''' (in alphabetic order) can be fully translated via iptables-translate tool:
== Translatable extensions ==
=== Matches ===
====xt====

* ipcomp
* comment
* connlabel
* connmark
* conntrack
* cpu
* dccp
* devgroup
* dscp
* ecn
* esp
* helper
* iprange
* length
* limit
* mac
* mark
* pkttype
* state
* tcp
* udp

====ip====

* ah
* realm
* ttl

====ip6====

* ah
* frag
* hbh
* hl
* mh

=== Targets ===

====xt====
* CLASSIFY
* NFLOG
* NFQUEUE
* MARK
* TEE
* TRACE

====ip====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

====ip6====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

Following '''matches''' and '''targets''' are yet to be translated:

== Partially translatable extensions ==

=== Matches ===
====xt====
* multiport
[Waiting for support of --ports]
* owner
[Waiting for support of --socket-exists]
* sctp
[Waiting for support of --chunk-types]

====ip====
*icmp
[Waiting for support of packet types]

====ip6====
*icmp6
[Waiting for support of packet types]
* rt
[Waiting for support of --rt-0-res, --rt-0-addrs, --rt-0-not-strict] (partial translations available)

=== Targets ===
====xt====

* CONNMARK
[Waiting for support of --save-mark, --restore-mark, --set-mark and --set-xmark] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.

====ip====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)
====ip6====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)

== Untranslatable extensions ==

=== Matches ===

====xt====
* cgroup
[Waiting for support of cgroup2 path-based in nft]
* set
[Waiting for support]
: Suggestions for adding support:
:* Add counters to each element of a set. A counter contains the number of packets that matched an element and the total number of bytes. There must be the option of enabling or disabling the update of counters' values at will. Also counters' values must be accesible in order to do comparisons.
:* Sets must include different types of elements. Sets must have support for the "nomatch" flag.
[[User:Robgc|Robgc]] ([[User talk:Robgc|talk]]) 21:48, 21 September 2016 (CEST)

====ip6====
* ipv6header

List of available translations via iptables-translate tool

2020-01-28T12:38:28Z

Jose: move ecn to supported matches. ecn match translation support was added in commit 147a891f8

The following '''matches and targets''' (in alphabetic order) can be fully translated via iptables-translate tool:
== Translatable extensions ==
=== Matches ===
====xt====

* ipcomp
* comment
* connlabel
* connmark
* conntrack
* cpu
* devgroup
* dscp
* ecn
* esp
* helper
* iprange
* length
* limit
* mac
* mark
* pkttype
* state
* tcp
* udp

====ip====

* ah
* realm
* ttl

====ip6====

* ah
* frag
* hbh
* hl
* mh

=== Targets ===

====xt====
* CLASSIFY
* NFLOG
* NFQUEUE
* MARK
* TEE
* TRACE

====ip====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

====ip6====

* DNAT
* MASQUERADE
* REDIRECT
* REJECT
* SNAT

Following '''matches''' and '''targets''' are yet to be translated:

== Partially translatable extensions ==

=== Matches ===
====xt====
* dccp
[Waiting for support of --dccp-option]
* multiport
[Waiting for support of --ports]
* owner
[Waiting for support of --socket-exists]
* sctp
[Waiting for support of --chunk-types]

====ip====
*icmp
[Waiting for support of packet types]

====ip6====
*icmp6
[Waiting for support of packet types]
* rt
[Waiting for support of --rt-0-res, --rt-0-addrs, --rt-0-not-strict] (partial translations available)

=== Targets ===
====xt====

* CONNMARK
[Waiting for support of --save-mark, --restore-mark, --set-mark and --set-xmark] (partial translations available) 
If --set-mark is used you must only specify the mark. 
If --set-xmark is used you must specify the mark and the mask.

====ip====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)
====ip6====
* LOG
[Waiting for support of log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode] (partial translations available)

== Untranslatable extensions ==

=== Matches ===

====xt====
* cgroup
[Waiting for support of cgroup2 path-based in nft]
* set
[Waiting for support]
: Suggestions for adding support:
:* Add counters to each element of a set. A counter contains the number of packets that matched an element and the total number of bytes. There must be the option of enabling or disabling the update of counters' values at will. Also counters' values must be accesible in order to do comparisons.
:* Sets must include different types of elements. Sets must have support for the "nomatch" flag.
[[User:Robgc|Robgc]] ([[User talk:Robgc|talk]]) 21:48, 21 September 2016 (CEST)

====ip6====
* ipv6header

Main Page

2020-01-19T13:10:02Z

Jose: Add GeoIP matching example

Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.

If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>.

= Introduction =

* [[What is nftables?]]
* [[Why nftables?]]
* [[Main differences with iptables]]
* [[Netfilter hooks]] and integration with existing Netfilter components.
* [[Adoption]]
* [[Legacy xtables tools]]
* [[How to obtain help/support]]

= Getting started =

* [[Building and installing nftables from sources]]
* Using [[nftables from distributions]]
* [[Troubleshooting|Troubleshooting and FAQ]]
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]
* [[nftables families|Understanding nftables families]]

= Basic operation =

* [[Configuring tables]]
* [[Configuring chains]]
* [[Simple rule management]]
* [[Atomic rule replacement]]
* [[Error reporting from the command line]]
* [[Building rules through expressions]]
* [[Operations at ruleset level]]
* [[Monitoring ruleset updates]]
* [[Scripting]]
* [[Ruleset debug/tracing]]
* [[Moving from iptables to nftables]]
* [[Moving from ipset to nftables]]

= Supported selectors for packet matching =

* [[Matching packet header fields]]
* [[Matching packet metainformation]]
* [[Matching connection tracking stateful metainformation]]
* [[Rate limiting matchings]]
* [[Routing information]]

= Possible actions on packets =

* [[Accepting and dropping packets]]
* [[Jumping to chain]]
* [[Rejecting traffic]]
* [[Logging traffic]]
* [[Performing Network Address Translation (NAT)]]
* [[Setting packet metainformation]]
* [[Queueing to userspace]]
* [[Duplicating packets]]
* [[Mangle packet header fields]]
* [[Mangle TCP options]]
* [[Counters]]
* [[Load balancing]]
* [[Setting packet connection tracking metainformation]]

Note that, unlike ''iptables'', you can perform several actions in one single rule.

= Advanced data structures for performance packet classification =

You will have to redesign your rule-set to benefit from these new nice features:

* [[Sets]]
* [[Dictionaries]]
* [[Intervals]]
* [[Maps]]
* [[Concatenations]]
* [[Meters|Metering]] (formerly known as flow tables before nftables 0.8.1 release)
* [[Updating sets from the packet path]]
* [[Element timeouts]]
* [[Math operations]]
* [[Stateful objects]]
* [[Flowtable]] (the fastpath network stack bypass)

If you are already using [[ipset]] in your ''iptables'' rule-set, that transition may be a bit more simple to you.

= Examples =

* [[Simple ruleset for a workstation]]
* [[Bridge filtering]]
* [[Multiple NATs using nftables maps]]
* [[Classic perimetral firewall example]]
* [[Port knocking example]]
* [[Classification to tc structure example]]
* [[Using configuration management systems]] (like puppet, ansible, etc)
* [[GeoIP matching]]

= Development =

Check [[Portal:DeveloperDocs|Portal:DeveloperDocs - documentation for netfilter developers]].

Some hints on the general development progress:

* [[List of updates since Linux kernel 3.13]]
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]
* [[List of available translations via iptables-translate tool]]

= External links =

Watch some videos:

* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.
* Watch [https://www.youtube.com/watch?v=CaYp0d2wiuU#t=1m47s The ultimate packet classifier for GNU/Linux], thanks to the FSFE for paying my trip to Barcelona and for recommending me as speaker to the KDE Spanish branch.
* [https://www.youtube.com/watch?v=Sy0JDX451ns Florian Westphal - Why nftables?]
* Watch [https://www.youtube.com/watch?v=qXVOA2MKA1s Netdev 2.1 - Netfilter workshop]
* Watch [https://youtu.be/iCj10vEKPrw Netdev 2.2 - Netf‌ilter mini-workshop]
* Watch [https://youtu.be/0hqfzp6tpZo Netdev 0x12 - Netf‌ilter mini-workshop]
* Watch [https://www.youtube.com/watch?v=0wQfSfDVN94 NLUUG - Goodbye iptables, Hello nftables]
* Watch [https://www.youtube.com/watch?v=Uf5ULkEWPL0 LCA2018 - nftables from a user perspective]

Additional documentations and articles:

* Tutorial [https://zasdfgbnm.github.io/2017/09/07/Extending-nftables/ Extending nftables by Xiang Gao]
* Article [http://ral-arturo.org/2017/05/05/debian-stretch-stable-nftables.html New in Debian stable Stretch: nftables]

= Thanks =

To the NLnet foundation for initial sponsorship of this HOWTO:

[https://nlnet.nl https://nlnet.nl/image/logo.gif]

To Eric Leblond, for boostrapping the [https://home.regit.org/netfilter-en/nftables-quick-howto/ Nftables quick howto] in 2013.

GeoIP matching

2020-01-19T13:08:48Z

Jose: Fix ip6 example

You can use a external script '''nft_geoip.py''', at [https://github.com/JMGuisadoG/nftables-geoip nftables-geoip], to generate mappings between countries and marks that can be later included into your ruleset.

== How to get the script ==

Clone [https://github.com/JMGuisadoG/nftables-geoip nftables-geoip repo]

== How to use the script ==

''You can use'' <code lang="bash"> ./nft_geoip --help </code> ''to show the script help''

The script need two .csv files.

* A country data csv (location.csv), its path can be specified with <code lang="bash"> --file-location </code> option
* A geoip data csv (dbip.csv), its path can be specified with <code lang="bash"> --file-address </code> option

=== location.csv ===

The script ships with this file. A modified .csv that contains country data needed to generate the maps.

=== dbip.csv ===

This .csv '''is not shipped''' and needed to be retrieved before using the script. There exist the option <code lang="bash"> --download </code> to do so.

== Generating the geoip maps ==

To generate the mappings in the current directory (assuming you don't have the dbip.csv file)

./nft_geoip.py --file-location location.csv --download

You can specify a different (existing) output directory with <code lang="bash"> --output-dir </code>

== Output files ==

rwxr-xr-x 2 foobar foobar 4,0K ene 4 19:38 .
drwxr-xr-x 5 foobar foobar 4,0K ene 4 19:38 ..
-rw-r--r-- 1 foobar foobar 22M ene 4 19:38 dbip.csv
-rw-r--r-- 1 foobar foobar 956 ene 4 19:38 geoip-def-africa.nft
-rw-r--r-- 1 foobar foobar 8,3K ene 4 19:38 geoip-def-all.nft
-rw-r--r-- 1 foobar foobar 902 ene 4 19:38 geoip-def-americas.nft
-rw-r--r-- 1 foobar foobar 15 ene 4 19:38 geoip-def-antarctica.nft
-rw-r--r-- 1 foobar foobar 808 ene 4 19:38 geoip-def-asia.nft
-rw-r--r-- 1 foobar foobar 810 ene 4 19:38 geoip-def-europe.nft
-rw-r--r-- 1 foobar foobar 461 ene 4 19:38 geoip-def-oceania.nft
-rw-r--r-- 1 foobar foobar 8,8M ene 4 19:38 geoip-ipv4.nft
-rw-r--r-- 1 foobar foobar 16M ene 4 19:38 geoip-ipv6.nft

When everything is finished you will find the following files in your output directory

* '''geoip-def-all.nft'''

Containing all definitions. (eg. <code lang="bash"> define $CA = 124 </code>) the variable name is its
It also contains a map between country marks and its corresponding continent mark.

* '''geoip-def-{continent}.nft'''

Subset of definitions for countries of a given continent. To be used as marks.

* '''geoip-ipv4.nft'''

Containing the map between ipv4 ranges and its geoip data. <code lang="bash">@geoip4</code>

* '''geoip-ipv6.nft'''

Containing the map between ipv6 ranges and its geoip data. <code lang="bash">@geoip6</code>

== Marking packets with its country code ==

meta mark set ip saddr map @geoip4

meta mark set ip6 saddr map @geoip6

== Matching packets by its country code ==

'''You can only use the country definitions inside your ruleset file and not inside an interactive nft shell'''

For example, to match packets marked with the Canada mark.

meta mark $CA

See the relevant section in [https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation#Matching_packets_by_packet_mark Matching packet metainformation]

== Examples ==

=== Marking input ipv4 packets and counting Spanish traffic ===

table filter {
include "./geoip-def-all.nft"
include "./geoip-ipv4.nft"

chain input {
type filter hook input priority filter; policy accept;
meta mark set ip saddr map @geoip4
meta mark $ES counter
}
}

GeoIP matching

2020-01-19T10:48:36Z

Jose: Create geoip matching page

You can use a external script '''nft_geoip.py''', at [https://github.com/JMGuisadoG/nftables-geoip nftables-geoip], to generate mappings between countries and marks that can be later included into your ruleset.

== How to get the script ==

Clone [https://github.com/JMGuisadoG/nftables-geoip nftables-geoip repo]

== How to use the script ==

''You can use'' <code lang="bash"> ./nft_geoip --help </code> ''to show the script help''

The script need two .csv files.

* A country data csv (location.csv), its path can be specified with <code lang="bash"> --file-location </code> option
* A geoip data csv (dbip.csv), its path can be specified with <code lang="bash"> --file-address </code> option

=== location.csv ===

The script ships with this file. A modified .csv that contains country data needed to generate the maps.

=== dbip.csv ===

This .csv '''is not shipped''' and needed to be retrieved before using the script. There exist the option <code lang="bash"> --download </code> to do so.

== Generating the geoip maps ==

To generate the mappings in the current directory (assuming you don't have the dbip.csv file)

./nft_geoip.py --file-location location.csv --download

You can specify a different (existing) output directory with <code lang="bash"> --output-dir </code>

== Output files ==

rwxr-xr-x 2 foobar foobar 4,0K ene 4 19:38 .
drwxr-xr-x 5 foobar foobar 4,0K ene 4 19:38 ..
-rw-r--r-- 1 foobar foobar 22M ene 4 19:38 dbip.csv
-rw-r--r-- 1 foobar foobar 956 ene 4 19:38 geoip-def-africa.nft
-rw-r--r-- 1 foobar foobar 8,3K ene 4 19:38 geoip-def-all.nft
-rw-r--r-- 1 foobar foobar 902 ene 4 19:38 geoip-def-americas.nft
-rw-r--r-- 1 foobar foobar 15 ene 4 19:38 geoip-def-antarctica.nft
-rw-r--r-- 1 foobar foobar 808 ene 4 19:38 geoip-def-asia.nft
-rw-r--r-- 1 foobar foobar 810 ene 4 19:38 geoip-def-europe.nft
-rw-r--r-- 1 foobar foobar 461 ene 4 19:38 geoip-def-oceania.nft
-rw-r--r-- 1 foobar foobar 8,8M ene 4 19:38 geoip-ipv4.nft
-rw-r--r-- 1 foobar foobar 16M ene 4 19:38 geoip-ipv6.nft

When everything is finished you will find the following files in your output directory

* '''geoip-def-all.nft'''

Containing all definitions. (eg. <code lang="bash"> define $CA = 124 </code>) the variable name is its
It also contains a map between country marks and its corresponding continent mark.

* '''geoip-def-{continent}.nft'''

Subset of definitions for countries of a given continent. To be used as marks.

* '''geoip-ipv4.nft'''

Containing the map between ipv4 ranges and its geoip data. <code lang="bash">@geoip4</code>

* '''geoip-ipv6.nft'''

Containing the map between ipv6 ranges and its geoip data. <code lang="bash">@geoip6</code>

== Marking packets with its country code ==

meta mark set ip saddr map @geoip4

meta mark set ip saddr map @geoip6

== Matching packets by its country code ==

'''You can only use the country definitions inside your ruleset file and not inside an interactive nft shell'''

For example, to match packets marked with the Canada mark.

meta mark $CA

See the relevant section in [https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation#Matching_packets_by_packet_mark Matching packet metainformation]

== Examples ==

=== Marking input ipv4 packets and counting Spanish traffic ===

table filter {
include "./geoip-def-all.nft"
include "./geoip-ipv4.nft"

chain input {
type filter hook input priority filter; policy accept;
meta mark set ip saddr map @geoip4
meta mark $ES counter
}
}