Building and installing nftables from sources

From nftables wiki
Jump to: navigation, search

nftables requires several userspace libraries, the 'nft' userspace command line utility and the kernel modules.

If you are using a major linux distribution, you may consider using nftables from distributions.

Installing userspace libraries

You have to install the following userspace libraries:

  • libmnl , this library provides the interfaces to communicate kernel and userspace via Netlink. It is very likely that your distribution already provides a package for libmnl that you can use. If you decide to use your distributor package, make sure you install the development package as well.
  • libnftnl (formerly known as libnftables), this library provides the low-level API to transform netlink messages to objects.

You also need libgmp and libreadline, most distributions already provide packages for these two libraries, so make sure you install the development extensions of this packages to successfully compile nftables.

If you plan to give a test to nftables, we recommend you to use git snapshots for libnftnl and nft.

Installing userspace libraries from git

To install libnftnl, to can type these magic spells:

$ git clone git://git.netfilter.org/libnftnl
$ cd libnftnl
$ sh autogen.sh
$ ./configure
$ make
$ sudo make install

If you have any compilation problem, please report them to the netfilter developer mailing list providing as much detailed information as possible.

Installing userspace libraries from snapshots

You can retrieve daily snapshots of this library from the Netfilter FTP. Then, to install it you have to:

$ wget ftp://ftp.netfilter.org/pub/libnftnl/snapshot/libnftnl-20140217.tar.bz2
$ tar xvjf libnftnl-20140217.tar.bz2
$ ./configure
$ make
$ sudo make install

Installing userspace nft command line utility

This is the command line utility that provides a user interface to configure nftables.

Installing from git

Just type these commands:

% git clone git://git.netfilter.org/nftables
% cd nftables
% sh autogen.sh
% ./configure
% make
% make install

You should check that nft is installed in your system by typing:

% nft
nft: no command specified

That means nft has been correctly installed.

Installing Linux kernel with nftables support

Prerequisites: nftables is available in Linux kernels since version 3.13 but this is software under development, so we encourage you to run the latest stable kernel.

Validating your installation

You can validate that your installation is working by checking if you can install the 'nf_tables' kernel module.

% modprobe nf_tables

Then, you can check that's actually there via lsmod:

# lsmod | grep nf_tables
nf_tables              42349  0

dmesg should show the following message:

% dmesg
...
[13939.468020] nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>

Make sure you also have loaded the family support, eg.

% modprobe nf_tables_ipv4

The lsmod command should show something like:

# lsmod | grep nf_tables
nf_tables_ipv4         12869  0 
nf_tables              42349  1 nf_tables_ipv4

Other family modules are nf_tables_ipv6, nf_tables_bridge, nf_tables_arp and (since Linux kernel >= 3.14) nf_tables_inet.

These modules provide the corresponding table and the filter chain support for the given family.

You could also check which modules are supported by your current kernel. How to to do this, depends on your distro:

  • on debian, look in /boot/config-XXX-YYY, where XXX is your kernel package version, and YYY is your arch, e.g. /boot/config-4.2.0-1-amd64
  • on Arch, look in /proc/config.gz. As this is compressed, use a command such as zcat or zgrep.

In the debian example below, CONFIG_NFT_REDIR_IPV4 and CONFIG_NFT_REDIR_IPV6 are not set, so you can't use redirect in the ruleset:

% grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_RBTREE=m
CONFIG_NFT_HASH=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_NFT_REDIR_IPV4 is not set
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m

Installing from git

This is slower as you will retrieve the Linux kernel git tree for nftables:

$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables.git

After retrieving the git tree, you have to follow the same steps that described in the installation from sources.

But you will get the most recent changes for the nftables kernel code there.

When configuring the kernel, be sure to enable all the nftables modules (choose 'm' or 'y'). This is an example:

$ make oldconfig

Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES) [M/y/?] m
Netfilter nf_tables support (NF_TABLES) [N/m] (NEW) m
  Netfilter nf_tables payload module (NFT_PAYLOAD) [N/m] (NEW) m
  Netfilter nf_tables IPv6 exthdr module (NFT_EXTHDR) [N/m] (NEW) m
  Netfilter nf_tables meta module (NFT_META) [N/m] (NEW) m
  Netfilter nf_tables conntrack module (NFT_CT) [N/m] (NEW) m
  Netfilter nf_tables rbtree set module (NFT_RBTREE) [N/m] (NEW) m
  Netfilter nf_tables hash set module (NFT_HASH) [N/m] (NEW) m
  Netfilter nf_tables counter module (NFT_COUNTER) [N/m] (NEW) m
  Netfilter nf_tables log module (NFT_LOG) [N/m] (NEW) m
  Netfilter nf_tables limit module (NFT_LIMIT) [N/m] (NEW) m
  Netfilter nf_tables nat module (NFT_NAT) [N/m] (NEW) m
  Netfilter x_tables over nf_tables module (NFT_COMPAT) [N/m/?] (NEW) m

IPv4 nf_tables support (NF_TABLES_IPV4) [N/m] (NEW) m
  nf_tables IPv4 reject support (NFT_REJECT_IPV4) [N/m] (NEW) m
  IPv4 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV4) [N/m] (NEW) m
  IPv4 nf_tables nat chain support (NFT_CHAIN_NAT_IPV4) [N/m] (NEW) m

IPv6 nf_tables support (NF_TABLES_IPV6) [M/n] m
  IPv6 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV6) [M/n] m
  IPv6 nf_tables nat chain support (NFT_CHAIN_NAT_IPV6) [M/n] m

Ethernet Bridge nf_tables support (NF_TABLES_BRIDGE) [N/m/y] (NEW) m