Feed: http://wiki.nftables.org/wiki-nftables/api.php?action=feedcontributions&user=AlexanderAlemayhu&feedformat=atom
nftables wiki - User contributions [en], updated 2024-03-28T22:33:53Z, generated by MediaWiki 1.36.4

Entry: Main Page, 2018-08-20T13:32:02Z, http://wiki.nftables.org/wiki-nftables/index.php?title=Main_Page&diff=343
<p>AlexanderAlemayhu: Add netfilter workshop from 0x12</p>
<hr />
<div>Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.<br />
<br />
If you have any suggestions for improving it, please send your comments to the Netfilter users mailing list <netfilter@vger.kernel.org>.<br />
<br />
= Introduction =<br />
<br />
* [[What is nftables?]]<br />
* [[Why nftables?]]<br />
* [[Main differences with iptables]]<br />
* [[Netfilter hooks]] and integration with existing Netfilter components.<br />
* [[Adoption]]<br />
* [[Legacy xtables tools]]<br />
<br />
= Getting started =<br />
<br />
* [[Building and installing nftables from sources]]<br />
* Using [[nftables from distributions]]<br />
* [[Troubleshooting|Troubleshooting and FAQ]]<br />
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]<br />
* [[nftables families|Understanding nftables families]]<br />
<br />
= Basic operation =<br />
<br />
* [[Configuring tables]]<br />
* [[Configuring chains]]<br />
* [[Simple rule management]]<br />
* [[Atomic rule replacement]]<br />
* [[Error reporting from the command line]]<br />
* [[Building rules through expressions]]<br />
* [[Operations at ruleset level]]<br />
* [[Monitoring ruleset updates]]<br />
* [[Scripting]]<br />
* [[Ruleset debug/tracing]]<br />
* [[Moving from iptables to nftables]]<br />
* [[Moving from ipset to nftables]]<br />
<br />
= Supported selectors for packet matching =<br />
<br />
* [[Matching packet header fields]]<br />
* [[Matching packet metainformation]]<br />
* [[Matching connection tracking stateful metainformation]]<br />
* [[Rate limiting matchings]]<br />
* [[Routing information]]<br />
<br />
= Possible actions on packets =<br />
<br />
* [[Accepting and dropping packets]]<br />
* [[Jumping to chain]]<br />
* [[Rejecting traffic]]<br />
* [[Logging traffic]]<br />
* [[Performing Network Address Translation (NAT)]]<br />
* [[Setting packet metainformation]]<br />
* [[Queueing to userspace]]<br />
* [[Duplicating packets]]<br />
* [[Mangle packet header fields]]<br />
* [[Mangle TCP options]]<br />
* [[Counters]]<br />
* [[Load balancing]]<br />
* [[Setting packet connection tracking metainformation]]<br />
<br />
Note that, unlike ''iptables'', you can perform several actions in a single rule.<br />
<br />
= Advanced data structures for performance packet classification =<br />
<br />
You will have to redesign your ruleset to benefit from these new features:<br />
<br />
* [[Sets]]<br />
* [[Dictionaries]]<br />
* [[Intervals]]<br />
* [[Maps]]<br />
* [[Concatenations]]<br />
* [[Meters|Metering]] (known as flow tables before the nftables 0.8.1 release)<br />
* [[Updating sets from the packet path]]<br />
* [[Element timeouts]]<br />
* [[Math operations]]<br />
* [[Stateful objects]]<br />
<br />
If you are already using [[ipset]] in your ''iptables'' ruleset, the transition may be a bit simpler for you.<br />
<br />
= Examples =<br />
<br />
* [[Simple ruleset for a workstation]]<br />
* [[Bridge filtering]]<br />
* [[Multiple NATs using nftables maps]]<br />
* [[Classic perimetral firewall example]]<br />
* [[Port knocking example]]<br />
<br />
= Development progress =<br />
<br />
* [[List of updates since Linux kernel 3.13]]<br />
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]<br />
* [[List of available translations via iptables-translate tool]]<br />
<br />
= External links =<br />
<br />
Watch some videos:<br />
<br />
* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.<br />
* Watch [https://www.youtube.com/watch?v=CaYp0d2wiuU#t=1m47s The ultimate packet classifier for GNU/Linux], thanks to the FSFE for paying my trip to Barcelona and for recommending me as speaker to the KDE Spanish branch.<br />
* [https://www.youtube.com/watch?v=Sy0JDX451ns Florian Westphal - Why nftables?]<br />
* Watch [https://www.youtube.com/watch?v=qXVOA2MKA1s Netdev 2.1 - Netfilter workshop]<br />
* Watch [https://youtu.be/iCj10vEKPrw Netdev 2.2 - Netfilter mini-workshop]<br />
* Watch [https://youtu.be/0hqfzp6tpZo Netdev 0x12 - Netfilter mini-workshop]<br />
* Watch [https://www.youtube.com/watch?v=0wQfSfDVN94 NLUUG - Goodbye iptables, Hello nftables]<br />
* Watch [https://www.youtube.com/watch?v=Uf5ULkEWPL0 LCA2018 - nftables from a user perspective]<br />
<br />
Additional documentation and articles:<br />
<br />
* Tutorial [https://zasdfgbnm.github.io/2017/09/07/Extending-nftables/ Extending nftables by Xiang Gao]<br />
* Article [http://ral-arturo.org/2017/05/05/debian-stretch-stable-nftables.html New in Debian stable Stretch: nftables]<br />
<br />
= Thanks =<br />
<br />
To the NLnet foundation for initial sponsorship of this HOWTO:<br />
<br />
[https://nlnet.nl https://nlnet.nl/image/logo.gif]<br />
<br />
To Eric Leblond, for bootstrapping the [https://home.regit.org/netfilter-en/nftables-quick-howto/ Nftables quick howto] in 2013.</div>AlexanderAlemayhu

Entry: Main Page, 2018-08-16T05:50:46Z, http://wiki.nftables.org/wiki-nftables/index.php?title=Main_Page&diff=334
<p>AlexanderAlemayhu: Add netfilter workshop from netdev 2.2</p>
<hr />
<div>Revision text identical to the 2018-08-20 revision above, except that the "Netdev 0x12 - Netfilter mini-workshop" video link is not yet present.</div>AlexanderAlemayhu

Entry: Main Page, 2018-01-24T09:48:04Z, http://wiki.nftables.org/wiki-nftables/index.php?title=Main_Page&diff=244
<p>AlexanderAlemayhu: Removing soon to be broken link</p>
<hr />
<div>Revision text identical to the 2018-08-20 revision above, except that the following items are not yet present: "Adoption" and "Legacy xtables tools" (Introduction), "Moving from ipset to nftables" (Basic operation), "Port knocking example" (Examples), and the Netdev 2.2, Netdev 0x12 and LCA2018 video links (External links).</div>AlexanderAlemayhu

Entry: Main Page, 2017-04-06T20:55:21Z, http://wiki.nftables.org/wiki-nftables/index.php?title=Main_Page&diff=130
<p>AlexanderAlemayhu: Add short talk by fw.</p>
<hr />
<div>Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.<br />
<br />
This documentation was initially started by Eric Leblond, known as the [https://home.regit.org/netfilter-en/nftables-quick-howto/ nftables quick HOWTO], and it has been extended and enhanced by Pablo Neira Ayuso.<br />
<br />
If you have any suggestions for improving it, please send your comments to the Netfilter users mailing list <netfilter@vger.kernel.org>.<br />
<br />
Note that this documentation is still under development, so '''consider this work in progress'''.<br />
<br />
= Introduction =<br />
<br />
* [[What is nftables?]]<br />
* [[Why nftables?]]<br />
* [[Main differences with iptables]]<br />
* [[Netfilter hooks]] and integration with existing Netfilter components.<br />
<br />
= Getting started =<br />
<br />
* [[Building and installing nftables from sources]]<br />
* Using [[nftables from distributions]]<br />
* [[Troubleshooting|Troubleshooting and FAQ]]<br />
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]<br />
* [https://2nft.alemayhu.com/ Translate your iptables rules from a web app]<br />
<br />
= Basic operation =<br />
<br />
* [[Configuring tables]]<br />
* [[Configuring chains]]<br />
* [[Simple rule management]]<br />
* [[Atomic rule replacement]]<br />
* [[Error reporting from the command line]]<br />
* [[Building rules through expressions]]<br />
* [[Operations at ruleset level]]<br />
* [[Monitoring ruleset updates]]<br />
* [[Scripting]]<br />
* [[Ruleset debug/tracing]]<br />
* [[Moving from iptables to nftables]]<br />
<br />
= Supported selectors for packet matching =<br />
<br />
* [[Matching packet header fields]]<br />
* [[Matching packet metainformation]]<br />
* [[Matching connection tracking stateful metainformation]]<br />
* [[Rate limiting matchings]]<br />
* [[Routing information]]<br />
<br />
= Possible actions on packets =<br />
<br />
* [[Accepting and dropping packets]]<br />
* [[Jumping to chain]]<br />
* [[Rejecting traffic]]<br />
* [[Logging traffic]]<br />
* [[Performing Network Address Translation (NAT)]]<br />
* [[Setting packet metainformation]]<br />
* [[Queueing to userspace]]<br />
* [[Duplicating packets]]<br />
* [[Mangle packet header fields]]<br />
* [[Counters]]<br />
* [[Load balancing]]<br />
<br />
Note that, unlike ''iptables'', you can perform several actions in a single rule.<br />
<br />
= Advanced data structures for performance packet classification =<br />
<br />
You will have to redesign your ruleset to benefit from these new features:<br />
<br />
* [[Sets]]<br />
* [[Dictionaries]]<br />
* [[Intervals]]<br />
* [[Maps]]<br />
* [[Concatenations]]<br />
* [[Flow tables]]<br />
* [[Updating sets from the packet path]]<br />
* [[Element timeouts]]<br />
* [[Math operations]]<br />
* [[Stateful objects]]<br />
<br />
If you are already using [[ipset]] in your ''iptables'' ruleset, the transition may be a bit simpler for you.<br />
<br />
= Examples =<br />
<br />
* [[Simple ruleset for a workstation]]<br />
* [[Bridge filtering]]<br />
* [[Multiple NATs using nftables maps]]<br />
* [[Classic perimetral firewall example]]<br />
<br />
= Development progress =<br />
<br />
* [[List of updates since Linux kernel 3.13]]<br />
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]<br />
* [[List of available translations via iptables-translate tool]]<br />
<br />
= Videos =<br />
<br />
* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.<br />
* [https://www.youtube.com/watch?v=Sy0JDX451ns Florian Westphal - Why nftables?]<br />
<br />
= Thanks =<br />
<br />
To the NLnet foundation for initial sponsorship of this HOWTO:<br />
<br />
[https://nlnet.nl https://nlnet.nl/image/logo.gif]</div>AlexanderAlemayhu

Entry: Main Page, 2017-03-10T16:45:16Z, http://wiki.nftables.org/wiki-nftables/index.php?title=Main_Page&diff=123
<p>AlexanderAlemayhu: add 2nft to 'Getting started' (if that is the wrong section please move it)</p>
<hr />
<div>Revision text identical to the 2017-04-06 revision above, except that the "Florian Westphal - Why nftables?" video link is not yet present.</div>AlexanderAlemayhu

Entry: Building and installing nftables from sources, 2016-10-23T17:30:59Z, http://wiki.nftables.org/wiki-nftables/index.php?title=Building_and_installing_nftables_from_sources&diff=61
<p>AlexanderAlemayhu: fix typo</p>
<hr />
<div>nftables requires several userspace libraries, the 'nft' userspace command line utility and the kernel modules.<br />
<br />
If you are using a major Linux distribution, you may consider using [[nftables from distributions]].<br />
<br />
= Installing userspace libraries =<br />
<br />
You have to install the following userspace libraries:<br />
<br />
* [http://www.netfilter.org/projects/libmnl libmnl], this library provides the interface used by kernel and userspace to communicate via Netlink. ''It is very likely that your distribution already provides a package for libmnl that you can use''. If you decide to use your distribution's package, make sure you install the development package as well.<br />
<br />
* [http://www.netfilter.org/projects/libnftnl libnftnl] (formerly known as libnftables), this library provides the low-level API to transform netlink messages to objects.<br />
<br />
You also need ''libgmp'' and ''libreadline''. Most distributions already provide packages for these two libraries, so make sure you install their development packages to successfully compile ''nftables''.<br />
<br />
If you plan to test ''nftables'', we recommend using git snapshots of ''libnftnl'' and ''nft''.<br />
<br />
== Installing userspace libraries from git ==<br />
<br />
To install ''libnftnl'', you can type these magic spells:<br />
<br />
<source lang="bash"><br />
$ git clone git://git.netfilter.org/libnftnl<br />
$ cd libnftnl<br />
$ sh autogen.sh<br />
$ ./configure<br />
$ make<br />
$ sudo make install<br />
</source><br />
<br />
If you have any compilation problem, please report them to the [https://www.netfilter.org/mailinglists.html netfilter developer mailing list] providing as much detailed information as possible.<br />
<br />
== Installing userspace libraries from snapshots ==<br />
<br />
You can retrieve daily snapshots of this library from the [ftp://ftp.netfilter.org/pub/libnftnl/snapshot/ Netfilter FTP]. Then, to install it you have to:<br />
<br />
<source lang="bash"><br />
$ wget ftp://ftp.netfilter.org/pub/libnftnl/snapshot/libnftnl-20140217.tar.bz2<br />
$ tar xvjf libnftnl-20140217.tar.bz2<br />
$ cd libnftnl-20140217<br />
$ ./configure<br />
$ make<br />
$ sudo make install<br />
</source><br />
<br />
= Installing userspace nft command line utility =<br />
<br />
This is the command line utility that provides a user interface to configure ''nftables''.<br />
<br />
== Installing from git ==<br />
<br />
Just type these commands:<br />
<br />
<source lang="bash"><br />
% git clone git://git.netfilter.org/nftables<br />
% cd nftables<br />
% sh autogen.sh<br />
% ./configure<br />
% make<br />
% sudo make install<br />
</source><br />
<br />
You should check that ''nft'' is installed in your system by typing:<br />
<br />
<source lang="bash"><br />
% nft<br />
nft: no command specified<br />
</source><br />
<br />
That means ''nft'' has been correctly installed.<br />
<br />
= Installing Linux kernel with nftables support =<br />
<br />
Prerequisites: nftables is available in Linux kernels since version 3.13 but this is software under development, so we encourage you to run the latest stable kernel.<br />
<br />
== Validating your installation ==<br />
<br />
You can validate that your installation is working by checking whether you can load the 'nf_tables' kernel module.<br />
<br />
<source lang="bash"><br />
% modprobe nf_tables<br />
</source><br />
<br />
Then you can check that it is actually loaded via ''lsmod'':<br />
<br />
<source lang="bash"><br />
# lsmod | grep nf_tables<br />
nf_tables 42349 0<br />
</source><br />
<br />
dmesg should show the following message:<br />
<br />
<source lang="bash"><br />
% dmesg<br />
...<br />
[13939.468020] nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net><br />
</source><br />
<br />
Make sure you have also loaded the family support module, e.g.:<br />
<br />
<source lang="bash"><br />
% modprobe nf_tables_ipv4<br />
</source><br />
<br />
The ''lsmod'' command should show something like:<br />
<br />
<source lang="bash"><br />
# lsmod | grep nf_tables<br />
nf_tables_ipv4 12869 0 <br />
nf_tables 42349 1 nf_tables_ipv4<br />
</source><br />
<br />
Other family modules are ''nf_tables_ipv6'', ''nf_tables_bridge'', ''nf_tables_arp'' and (since Linux kernel >= 3.14) ''nf_tables_inet''.<br />
<br />
These modules provide the corresponding [[Configuring_tables|table]] and the filter [[Configuring_chains|chain]] support for the given family.<br />
<br />
You can also check which nftables modules your current kernel was built with. How to do this depends on your distribution:<br />
* on Debian, look in /boot/config-XXX-YYY, where XXX is your kernel package version and YYY is your architecture, e.g. /boot/config-4.2.0-1-amd64<br />
* on Arch, look in /proc/config.gz. As this file is compressed, use a command such as zcat or zgrep.<br />
<br />
In the Debian example below, CONFIG_NFT_REDIR_IPV4 and CONFIG_NFT_REDIR_IPV6 are not set, so you can't use [http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Redirect redirect] in the ruleset:<br />
<br />
<source lang="bash"><br />
% grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64<br />
CONFIG_NFT_EXTHDR=m<br />
CONFIG_NFT_META=m<br />
CONFIG_NFT_CT=m<br />
CONFIG_NFT_RBTREE=m<br />
CONFIG_NFT_HASH=m<br />
CONFIG_NFT_COUNTER=m<br />
CONFIG_NFT_LOG=m<br />
CONFIG_NFT_LIMIT=m<br />
CONFIG_NFT_MASQ=m<br />
CONFIG_NFT_REDIR=m<br />
CONFIG_NFT_NAT=m<br />
CONFIG_NFT_QUEUE=m<br />
CONFIG_NFT_REJECT=m<br />
CONFIG_NFT_REJECT_INET=m<br />
CONFIG_NFT_COMPAT=m<br />
CONFIG_NFT_CHAIN_ROUTE_IPV4=m<br />
CONFIG_NFT_REJECT_IPV4=m<br />
CONFIG_NFT_CHAIN_NAT_IPV4=m<br />
CONFIG_NFT_MASQ_IPV4=m<br />
# CONFIG_NFT_REDIR_IPV4 is not set<br />
CONFIG_NFT_CHAIN_ROUTE_IPV6=m<br />
CONFIG_NFT_REJECT_IPV6=m<br />
CONFIG_NFT_CHAIN_NAT_IPV6=m<br />
CONFIG_NFT_MASQ_IPV6=m<br />
# CONFIG_NFT_REDIR_IPV6 is not set<br />
CONFIG_NFT_BRIDGE_META=m<br />
CONFIG_NFT_BRIDGE_REJECT=m<br />
</source><br />
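The check above is done by eye; a ruleset that depends on a feature the kernel lacks is better caught before it is loaded. The following POSIX shell script is an added example, not code from the nftables wiki or the Netfilter project: it reads either a plain /boot/config-* file or a gzip-compressed /proc/config.gz and reports, for a list of CONFIG_NFT_ options, whether each is built in, a module, explicitly not set, or absent from the config altogether (as it would be on a kernel too old to know the option). It assumes only ''gzip'', ''grep'' and ''mktemp''; the config it checks is a constructed sample modelled on the Debian excerpt above, not a real kernel's config.

```sh
#!/bin/sh
# Added example, not from the nftables wiki: report which nftables kernel options
# a kernel config enables. It reads a plain /boot/config-* file or a gzip-compressed
# /proc/config.gz, so the same check works on Debian and Arch style systems.

# nft_config_state CONFIG_FILE OPTION
# Prints "builtin" (=y), "module" (=m), "notset" ("# OPTION is not set") or
# "absent" (the option name does not occur at all, e.g. a kernel too old to have it).
nft_config_state() {
    cfg="$1"; option="$2"
    case "$cfg" in
        *.gz) reader="gzip -dc" ;;   # /proc/config.gz is gzip-compressed
        *)    reader="cat" ;;
    esac
    if $reader "$cfg" | grep -q "^${option}=y$"; then
        echo builtin
    elif $reader "$cfg" | grep -q "^${option}=m$"; then
        echo module
    elif $reader "$cfg" | grep -q "^# ${option} is not set$"; then
        echo notset
    else
        echo absent
    fi
}

# nft_missing_options CONFIG_FILE OPTION...
# Prints every OPTION that is neither built in nor a module, one per line, and
# returns 1 if any is missing, so a ruleset loader can refuse to proceed.
nft_missing_options() {
    cfg_file="$1"; shift
    missing=0
    for opt in "$@"; do
        case "$(nft_config_state "$cfg_file" "$opt")" in
            builtin|module) ;;
            notset) echo "$opt (not set)"; missing=1 ;;
            absent) echo "$opt (absent)"; missing=1 ;;
        esac
    done
    return $missing
}

# Constructed sample config, modelled on the Debian 4.2 excerpt above; not a real file.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NF_TABLES=y
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_NAT=m
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_NFT_REDIR_IPV4 is not set
# CONFIG_NFT_REDIR_IPV6 is not set
EOF
# The same content compressed, standing in for /proc/config.gz.
SAMPLE_CONFIG_GZ="$SAMPLE_CONFIG.gz"
gzip -c "$SAMPLE_CONFIG" > "$SAMPLE_CONFIG_GZ"

# Options a ruleset using counters, logging, NAT and redirect would need.
nft_missing_options "$SAMPLE_CONFIG_GZ" CONFIG_NF_TABLES CONFIG_NFT_COUNTER CONFIG_NFT_LOG \
    CONFIG_NFT_NAT CONFIG_NFT_REDIR_IPV4 CONFIG_NFT_REDIR_IPV6 \
    || echo "redirect rules will be rejected by this kernel"
```

On a real system, point the functions at /boot/config-$(uname -r) or /proc/config.gz instead of the sample file; the non-zero return value of nft_missing_options is what a deployment script should key on, since nft itself only reports the failure when the ruleset is actually loaded.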
<br />
== Installing from git ==<br />
<br />
This is slower as you will retrieve the Linux kernel git tree for nftables:<br />
<br />
<source lang="bash"><br />
$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables.git<br />
</source><br />
<br />
After retrieving the git tree, you have to follow the same steps as described for installing from sources.<br />
<br />
But you will get the most recent changes for the ''nftables'' kernel code there.<br />
<br />
When configuring the kernel, be sure to enable all the nftables modules (choose 'm' or 'y'). This is an example:<br />
<br />
<source lang="bash"><br />
$ make oldconfig<br />
<br />
Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES) [M/y/?] m<br />
Netfilter nf_tables support (NF_TABLES) [N/m] (NEW) m<br />
Netfilter nf_tables payload module (NFT_PAYLOAD) [N/m] (NEW) m<br />
Netfilter nf_tables IPv6 exthdr module (NFT_EXTHDR) [N/m] (NEW) m<br />
Netfilter nf_tables meta module (NFT_META) [N/m] (NEW) m<br />
Netfilter nf_tables conntrack module (NFT_CT) [N/m] (NEW) m<br />
Netfilter nf_tables rbtree set module (NFT_RBTREE) [N/m] (NEW) m<br />
Netfilter nf_tables hash set module (NFT_HASH) [N/m] (NEW) m<br />
Netfilter nf_tables counter module (NFT_COUNTER) [N/m] (NEW) m<br />
Netfilter nf_tables log module (NFT_LOG) [N/m] (NEW) m<br />
Netfilter nf_tables limit module (NFT_LIMIT) [N/m] (NEW) m<br />
Netfilter nf_tables nat module (NFT_NAT) [N/m] (NEW) m<br />
Netfilter x_tables over nf_tables module (NFT_COMPAT) [N/m/?] (NEW) m<br />
<br />
IPv4 nf_tables support (NF_TABLES_IPV4) [N/m] (NEW) m<br />
nf_tables IPv4 reject support (NFT_REJECT_IPV4) [N/m] (NEW) m<br />
IPv4 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV4) [N/m] (NEW) m<br />
IPv4 nf_tables nat chain support (NFT_CHAIN_NAT_IPV4) [N/m] (NEW) m<br />
<br />
IPv6 nf_tables support (NF_TABLES_IPV6) [M/n] m<br />
IPv6 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV6) [M/n] m<br />
IPv6 nf_tables nat chain support (NFT_CHAIN_NAT_IPV6) [M/n] m<br />
<br />
Ethernet Bridge nf_tables support (NF_TABLES_BRIDGE) [N/m/y] (NEW) m<br />
</source></div>AlexanderAlemayhu