Supported features compared to xtables: Difference between revisions
Edit summary of the older revision: (TCPMSS is now supported)
Edit summary of the newer revision: (linked to my ad-hoc script updating the xlate sample links)
(34 intermediate revisions by 6 users not shown)
Latest revision as of 11:38, 14 September 2024
Last update: Mar/2022
This page tracks the list of supported and unsupported extensions with comments and suggestions.
Unsupported extensions
matches: xt
bpf
- consider native interface
rateest
- consider native interface
string
- consider native interface
u32
- raw expressions?
targets: xt
CHECKSUM
- add nft_payload.
- To date, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
- See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
- See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090
CT
- nft_ct_target. Refer to Matching_connection_tracking_stateful_metainformation.
IDLETIMER
- consider native interface
LED
- consider native (need this?)
RATEEST
- consider native interface
TCPOPTSTRIP
- consider native interface, need to extend nft_exthdr.c
targets: ipv4
TTL
targets: ipv6
NPT
- consider native interface
targets: bridge
arpreply
- consider native interface
targets: arp
TODO
Supported extensions
(Links updated via script: http://nwl.cc/~n0-1/update_nftables_wiki_xlate_links.sh)
matches: xt
addrtype
- nft_fib, starting with 4.10 kernel. Refer to Matching routing information.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_addrtype.txlate
cgroup
- nft_meta. Refer to Quick_reference-nftables_in_10_minutes#Meta.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_cgroup.txlate
[Awaits support for cgroup2]
cluster
- nft_hash
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_cluster.txlate
comment
- Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to Matching_packet_headers#Matching_UDP.2FTCP_headers_in_the_same_rule (matching UDP/TCP headers in the same rule).
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_comment.txlate
connbytes
- nft_ct, 4.5 kernel. Refer to Meters.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_connbytes.txlate
connlabel
- nft_meta, since 3.16.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_connlabel.txlate
connlimit
- consider native interface. Refer to Meters.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_connlimit.txlate
connmark
- nft_meta.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_connmark.txlate
conntrack
- nft_ct.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_conntrack.txlate
cpu
- nft_meta, since 3.18.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_cpu.txlate
dccp
- nft_payload.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_dccp.txlate
[Unsupported option: dccp-option]
devgroup
- nft_meta, since 3.18.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_devgroup.txlate
dscp
- nft_payload.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_dscp.txlate
ecn
- nft_payload.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_ecn.txlate
esp
- nft_payload.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_esp.txlate
hashlimit
- meter statement. Refer to Meters.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_hashlimit.txlate
helper
- nft_ct.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_helper.txlate
ipcomp
- nft_payload.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_ipcomp.txlate
[Unsupported option: compres]
iprange
- nft_payload, through native range support. To emulate iptables --ports you need two rules.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_iprange.txlate
ipvs
- consider native interface. Refer to Load balancing.
length
- nft_meta.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_length.txlate
limit
- nft_limit. Refer to Stateful objects.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_limit.txlate
mac
- nft_payload.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_mac.txlate
mark
- nft_meta.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_mark.txlate
multiport
- nft_payload.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_multiport.txlate
nfacct
- consider native interface. Refer to Stateful objects.
osf
- consider native interface
owner
- nft_meta.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_owner.txlate
[Unsupported option: socket-exists]
pkttype
- nft_meta
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_pkttype.txlate
policy
- nft_xfrm, since 5.0
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_policy.txlate
recent
- consider native interface. Refer to Sets.
sctp
- nft_payload
- nft_exthdr for --chunk-types
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_sctp.txlate
socket
- consider native interface
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_socket.txlate
statistic
- nft_numgen. Refer to Load balancing.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_statistic.txlate
set
- Use native nf_tables set infrastructure.
state
- nft_ct
tcp
- nft_payload
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_tcp.txlate
tcpmss
- nft_exthdr, since 4.14
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_tcpmss.txlate
time
- nft_meta, since 5.4
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_time.txlate
udp
- nft_payload
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_udp.txlate
targets: xt
AUDIT
- nft_log, since 4.18.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_AUDIT.txlate
CLASSIFY
- nft_meta, since 3.14.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_CLASSIFY.txlate
CONNMARK
- nft_ct
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_CONNMARK.txlate
CONNSECMARK
- nft_ct, since 4.20
DSCP
- nft_payload
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_DSCP.txlate
HL
- nft_payload
HMARK
- nft_meta + nft_hash.
MARK
- nft_meta, since 3.14.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_MARK.txlate
NETMAP
- nft_nat, upcoming 5.8
NFLOG
- nft_log, since 3.17.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_NFLOG.txlate
NFQUEUE
- nft_queue, since 3.14.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_NFQUEUE.txlate
SECMARK
- nft_meta, since 4.20
SYNPROXY
- nft_synproxy, since 5.3
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_SYNPROXY.txlate
TEE
- nft_dup, since 4.3.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_TEE.txlate
TPROXY
- nft_tproxy, since 4.19
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_TPROXY.txlate
TRACE
- nft_meta, since 3.14.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_TRACE.txlate
TCPMSS
- nft_exthdr, since 4.14
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libxt_TCPMSS.txlate
matches: ipv4
ah
- nft_payload + nft_cmp
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libipt_ah.txlate
icmp
- nft_payload + nft_cmp.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libipt_icmp.txlate
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing]
realm
- nft_meta, through NFT_META_RTCLASSID.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libipt_realm.txlate
rp_filter
- nft_fib, starting with 4.10 kernel
ttl
- nft_payload
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libipt_ttl.txlate
matches: ipv6
rp_filter
- nft_fib, starting with 4.10 kernel
ah
- nft_payload + nft_cmp.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libip6t_ah.txlate
eui64
- nft_payload + nft_cmp.
frag
- nft_exthdr + nft_cmp.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libip6t_frag.txlate
hbh
- nft_exthdr + nft_cmp.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libip6t_hbh.txlate
HBH options are not supported yet. [Unsupported option: --hbh-opts]
hl
- nft_payload.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libip6t_hl.txlate
icmp6
- nft_payload + nft_cmp.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libip6t_icmp6.txlate
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
ipv6header
- nft_exthdr + nft_cmp.
mh
- nft_exthdr + nft_cmp.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libip6t_mh.txlate
[Needs a bug fix for option mh-type with range]
rt
- nft_exthdr + nft_cmp
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libip6t_rt.txlate
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]
targets: ipv4
ECN
- nft_payload
DNAT
- nft_nat, since 3.13.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libipt_DNAT.txlate
LOG
- nft_log, since 3.17.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libipt_LOG.txlate
[Unsupported options: log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
MASQUERADE
- nft_masq, since 3.18.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libipt_MASQUERADE.txlate
REDIRECT
- nft_redirect, since 3.19.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libipt_REDIRECT.txlate
REJECT
- nft_reject_ipv4, since 3.13.
- nft_reject_inet, since 3.14.
- nft_reject_bridge, since 3.18.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libipt_REJECT.txlate
SNAT
- nft_nat, since 3.13.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libipt_SNAT.txlate
targets: ipv6
DNAT
- nft_nat, since 3.13.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libip6t_DNAT.txlate
LOG
- nft_log, since 3.17.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libip6t_LOG.txlate
[Unsupported options: log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
MASQUERADE
- nft_masq, since 3.18.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libip6t_MASQUERADE.txlate
REDIRECT
- nft_redirect, since 3.19.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libip6t_REDIRECT.txlate
REJECT
- nft_reject_ipv6, since 3.14.
- nft_reject_inet, since 3.14.
- nft_reject_bridge, since 3.18.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libip6t_REJECT.txlate
SNAT
- nft_nat, since 3.13.
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libip6t_SNAT.txlate
matches: bridge
802.3
- nft_payload
among
- sets
arp
- nft_payload
ip
- nft_payload
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libebt_ip.txlate
ip6
- nft_payload
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libebt_ip6.txlate
limit
- nft_limit
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libebt_limit.txlate
mark
- nft_mark
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libebt_mark_m.txlate
pkttype
- nft_meta
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libebt_pkttype.txlate
stp
- nft_payload
vlan
- nft_payload
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libebt_vlan.txlate
targets: bridge
dnat
- nft_payload
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libebt_dnat.txlate
snat
- nft_payload
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libebt_snat.txlate
redirect
- nft_payload + nft_meta (pkttype set unicast)
mark
- nft_mark
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libebt_mark.txlate
watchers: bridge
log
- nft_log
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libebt_log.txlate
nflog
- nft_log
- Examples from iptables-translate testsuite: https://git.netfilter.org/iptables/tree/extensions/libebt_nflog.txlate
Deprecated extensions
matches
physdev
- br_netfilter aims to be deprecated by nftables.
quota
- nfacct already provides quota support.
tos
- deprecated by dscp
targets
CLUSTERIP
- deprecated by cluster match.
TOS
- deprecated by DSCP
targets: ipv4
ULOG
- Removed from tree since 3.17.