Supported features compared to xtables: Difference between revisions

From nftables wiki
Jump to navigation Jump to search
(Review the list, update details, add links to xlate-test cases for samples)
(linked to my ad-hoc script updating the xlate sample links)
 
(One intermediate revision by the same user not shown)
Line 54: Line 54:


== Supported extensions ==
== Supported extensions ==
(Links updated via [http://nwl.cc/~n0-1/update_nftables_wiki_xlate_links.sh script].)


=== matches: xt ===
=== matches: xt ===
Line 160: Line 161:
==== socket ====
==== socket ====
* consider native interface
* consider native interface
* [https://git.netfilter.org/iptables/tree/extensions/libxt_socket.txlate Examples from iptables-translate testsuite]
==== statistic ====
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
* nft_numgen. Refer to [[Load balancing]].
Line 172: Line 174:
==== tcpmss ====
==== tcpmss ====
* nft_exthdr, since 4.14
* nft_exthdr, since 4.14
* [https://git.netfilter.org/iptables/tree/extensions/libxt_tcpmss.txlate Examples from iptables-translate testsuite]


==== time ====
==== time ====
Line 224: Line 227:
==== TPROXY ====
==== TPROXY ====
* nft_tproxy, since 4.19
* nft_tproxy, since 4.19
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TPROXY.txlate Examples from iptables-translate testsuite]


==== TRACE ====
==== TRACE ====
Line 231: Line 235:
==== TCPMSS ====
==== TCPMSS ====
* nft_exthdr, since 4.14
* nft_exthdr, since 4.14
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TCPMSS.txlate Examples from iptables-translate testsuite]


=== matches: ipv4 ===
=== matches: ipv4 ===

Latest revision as of 11:38, 14 September 2024

Last update: Mar/2022

This page tracks the list of supported and unsupported extensions with comments and suggestions.

Unsupported extensions

matches: xt

bpf

  • consider native interface

rateest

  • consider native interface

string

  • consider native interface

u32

  • raw expressions?

targets: xt

CHECKSUM

CT

IDLETIMER

  • consider native interface

LED

  • consider native (need this?)

RATEEST

  • consider native interface

TCPOPTSTRIP

  • consider native interface, need to extend nft_exthdr.c

targets: ipv4

TTL

targets: ipv6

NPT

  • consider native interface

targets: bridge

arpreply

  • consider native interface

targets: arp

TODO

Supported extensions

(Links updated via script.)

matches: xt

addrtype

cgroup

[Awaits support for cgroup2]

cluster

comment

connbytes

connlabel

connlimit

connmark

conntrack

cpu

dccp

[Unsupported option : dccp-option]

devgroup

dscp

ecn

esp

hashlimit

helper

ipcomp

[Unsupported option : compres]

iprange

ipvs

length

limit

mac

mark

multiport

nfacct

osf

  • consider native interface

owner

[Unsupported option : socket-exists]

pkttype

policy

recent

  • consider native interface. Refer to Sets.

sctp

socket

statistic

set

  • Use native nf_tables set infrastructure.

state

  • nft_ct

tcp

tcpmss

time

udp

targets: xt

AUDIT

CLASSIFY

CONNMARK

CONNSECMARK

  • nft_ct, since 4.20

DSCP

HL

  • nft_payload

HMARK

  • nft_meta + nft_hash.

MARK

NETMAP

  • nft_nat, upcoming 5.8

NFLOG

NFQUEUE

SECMARK

  • nft_meta, since 4.20

SYNPROXY

TEE

TPROXY

TRACE

TCPMSS

matches: ipv4

ah

icmp

[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]

realm

rp_filter

  • nft_fib, starting with 4.10 kernel

ttl

matches: ipv6

rp_filter

  • nft_fib, starting with 4.10 kernel

ah

eui64

  • nft_payload + nft_cmp.

frag

hbh

HBH options are not supported yet. [Unsupported option: --hbh-opts]

hl

icmp6

[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]

ipv6header

  • nft_exthdr + nft_cmp.

mh

[Needs bug fixation for option mh-type with range]

rt

[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

targets: ipv4

ECN

  • nft_payload

DNAT

LOG

[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]

MASQUERADE

REDIRECT

REJECT

SNAT

targets: ipv6

DNAT

LOG

[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]

MASQUERADE

REDIRECT

REJECT

SNAT

matches: bridge

802.3

  • nft_payload

among

  • sets

arp

  • nft_payload

ip

ip6

limit

mark

pkttype

stp

  • nft_payload

vlan


targets: bridge

dnat

snat

redirect

  • nft_payload + nft_meta (pkttype set unicast)

mark


watchers: bridge

log

nflog

Deprecated extensions

matches

physdev

  • br_netfilter aims to be deprecated by nftables.

quota

  • nfacct already provides quota support.

tos

  • deprecated by dscp

targets

CLUSTERIP

  • deprecated by cluster match.

TOS

  • deprecated by DSCP

targets: ipv4

ULOG

  • Removed from tree since 3.17.