Main Page: Difference between revisions
Jump to navigation
Jump to search
m (→Getting started: Fix link format) |
(Added a couple of sections and reorganized links for better flow. Eliminated a little redundant cruft.) |
||
| Line 2: | Line 2: | ||
If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>. | If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>. | ||
= [[News]] = | = [[News]] = | ||
= Introduction = | = Introduction = | ||
* [[What is nftables?]] | * [[What is nftables?]] | ||
* [[How to obtain help/support]] | * [[How to obtain help/support]] | ||
= Reference = | |||
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]] | * [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]] | ||
* [[Netfilter hooks]] and integration with existing Netfilter components. | |||
* [[nftables families|Understanding nftables families]] | * [[nftables families|Understanding nftables families]] | ||
* [[Troubleshooting|Troubleshooting and FAQ]] | |||
= Installing nftables = | |||
* [[nftables from distributions|Using nftables from distributions]] | |||
* [[Building and installing nftables from sources]] | |||
= Upgrading from xtables to nftables = | |||
* [[Legacy xtables tools]] | |||
* [[Moving from iptables to nftables]] | |||
* [[Moving from ipset to nftables]] | |||
= Basic operation = | = Basic operation = | ||
* [[Configuring tables]] | * [[Configuring tables]] | ||
* [[Configuring chains]] | * [[Configuring chains]] | ||
| Line 32: | Line 41: | ||
* [[Scripting]] | * [[Scripting]] | ||
* [[Ruleset debug/tracing]] | * [[Ruleset debug/tracing]] | ||
* [[Output text modifiers]] | * [[Output text modifiers]] | ||
= Supported selectors for packet matching = | = Supported selectors for packet matching = | ||
* [[Matching packet header fields]] | * [[Matching packet header fields]] | ||
* [[Matching packet metainformation]] | * [[Matching packet metainformation]] | ||
| Line 43: | Line 50: | ||
* [[Rate limiting matchings]] | * [[Rate limiting matchings]] | ||
* [[Routing information]] | * [[Routing information]] | ||
= Possible actions on packets = | = Possible actions on packets = | ||
* [[Accepting and dropping packets]] | * [[Accepting and dropping packets]] | ||
* [[Jumping to chain]] | * [[Jumping to chain]] | ||
| Line 61: | Line 68: | ||
* [[Setting packet connection tracking metainformation]] | * [[Setting packet connection tracking metainformation]] | ||
= Advanced data structures for performance packet classification = | = Advanced data structures for performance packet classification = | ||
* [[Sets]] | * [[Sets]] | ||
* [[Intervals]] | * [[Intervals]] | ||
| Line 79: | Line 82: | ||
* [[Flowtable]] (the fastpath network stack bypass) | * [[Flowtable]] (the fastpath network stack bypass) | ||
= Examples = | = Examples = | ||
* [[Simple ruleset for a workstation]] | * [[Simple ruleset for a workstation]] | ||
* [[Simple ruleset for a server]] | * [[Simple ruleset for a server]] | ||
| Line 92: | Line 93: | ||
* [[Using configuration management systems]] (like puppet, ansible, etc) | * [[Using configuration management systems]] (like puppet, ansible, etc) | ||
* [[GeoIP matching]] | * [[GeoIP matching]] | ||
= Development = | = Development = | ||
| Line 103: | Line 105: | ||
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]] | * [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]] | ||
* [[List of available translations via iptables-translate tool]] | * [[List of available translations via iptables-translate tool]] | ||
= External links = | = External links = | ||
| Line 126: | Line 129: | ||
* Article [http://ral-arturo.org/2017/05/05/debian-stretch-stable-nftables.html New in Debian stable Stretch: nftables] | * Article [http://ral-arturo.org/2017/05/05/debian-stretch-stable-nftables.html New in Debian stable Stretch: nftables] | ||
* Article [https://ral-arturo.org/2020/11/22/python-nftables-tutorial.html How to use nftables from python] and git repository [https://github.com/aborrero/python-nftables-tutorial python-nftables-tutorial.git] | * Article [https://ral-arturo.org/2020/11/22/python-nftables-tutorial.html How to use nftables from python] and git repository [https://github.com/aborrero/python-nftables-tutorial python-nftables-tutorial.git] | ||
= Thanks = | = Thanks = | ||
Revision as of 16:10, 2 April 2021
Welcome to the nftables HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.
If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>.
News
Introduction
Reference
- Quick reference, nftables in 10 minutes
- Netfilter hooks and integration with existing Netfilter components.
- Understanding nftables families
- Troubleshooting and FAQ
Installing nftables
Upgrading from xtables to nftables
Basic operation
- Configuring tables
- Configuring chains
- Simple rule management
- Atomic rule replacement
- Error reporting from the command line
- Building rules through expressions
- Operations at ruleset level
- Monitoring ruleset updates
- Scripting
- Ruleset debug/tracing
- Output text modifiers
Supported selectors for packet matching
- Matching packet header fields
- Matching packet metainformation
- Matching connection tracking stateful metainformation
- Rate limiting matchings
- Routing information
Possible actions on packets
- Accepting and dropping packets
- Jumping to chain
- Rejecting traffic
- Logging traffic
- Performing Network Address Translation (NAT)
- Setting packet metainformation
- Queueing to userspace
- Duplicating packets
- Mangle packet header fields (including stateless NAT)
- Mangle TCP options
- Counters
- Load balancing
- Conntrack helpers (Layer 7 ALG)
- Setting packet connection tracking metainformation
Advanced data structures for performance packet classification
- Sets
- Intervals
- Maps
- Verdict maps
- Concatenations
- Metering (formerly known as flow tables before nftables 0.8.1 release)
- Updating sets from the packet path
- Element timeouts
- Math operations
- Stateful objects
- Flowtable (the fastpath network stack bypass)
Examples
- Simple ruleset for a workstation
- Simple ruleset for a server
- Bridge filtering
- Multiple NATs using nftables maps
- Classic perimetral firewall example
- Port knocking example
- Classification to tc structure example
- Using configuration management systems (like puppet, ansible, etc)
- GeoIP matching
Development
Check Portal:DeveloperDocs - documentation for netfilter developers.
Some hints on the general development progress:
- List of updates since Linux kernel 3.13
- List of updates in the nft command line tool
- Supported features compared to {ip,ip6,eb,arp}tables
- List of available translations via iptables-translate tool
External links
Watch some videos:
- Watch Getting a grasp of nftables, thanks to NLUUG association for recording this.
- Watch The ultimate packet classifier for GNU/Linux, thanks to the FSFE for paying my trip to Barcelona and for recommending me as speaker to the KDE Spanish branch.
- Florian Westphal - Why nftables?
- Watch NLUUG - Goodbye iptables, Hello nftables
- Watch LCA2018 - nftables from a user perspective
Watch videos to track updates:
- Watch Netdev 2.1 - Netfilter mini-workshop (2017)
- Watch Netdev 2.2 - Netfilter mini-workshop (2018)
- Watch Netdev 0x12 - Netfilter mini-workshop (2019)
- Watch Netdev 0x14 - Netfilter mini-Workshop (2020)
Additional documentations and articles:
- Tutorial Extending nftables by Xiang Gao
- Article New in Debian stable Stretch: nftables
- Article How to use nftables from python and git repository python-nftables-tutorial.git
Thanks
To the NLnet foundation for initial sponsorship of this HOWTO:
To Eric Leblond, for boostrapping the Nftables quick howto in 2013.