Supported features compared to xtables: Difference between revisions

From nftables wiki
Edit summaries (older revision, then this revision): (→CHECKSUM: add more info); No edit summary

Changes in this revision, by wiki source line (unchanged context lines omitted; the older text is shown first, then the newer text):

Line 12:
  connlimit
    old: * consider native interface
    new: * consider native interface. Refer to [[Meters]].
  ipvs
    old: * consider native interface
    new: * consider native interface. Refer to [[Load balancing]].
  nfacct
    old: * consider native interface
    new: * consider native interface. Refer to [[Stateful objects]].
  policy
    old: * consider native interface
    new: * consider native interface. Refer to [[Configuring_chains#Base_chain_policy]].
  recent
    old: * consider native interface
    new: * consider native interface. Refer to [[Sets]].

Line 47:
  CT
    old: * nft_meta_target
    new: * nft_meta_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
  DSCP
    old: * add nft_mangle
    new: * add nft_mangle. Refer to [[Quick_reference-nftables_in_10_minutes#Ip]].
  HL
    old: * add nft_mangle
    new: * add nft_mangle. Refer to [[Quick_reference-nftables_in_10_minutes#Ip6]].

Line 132:
  hashlimit
    old: * flow statement
    new: * meter statement. Refer to [[Meters]].

Line 145:
  limit
    old: * nft_limit.
    new: * nft_limit. Refer to [[Stateful objects]].

Line 209:
  section heading "matches: ipv6" (a stray placeholder link was removed)
    old: [http://www.example.com link title]=== matches: ipv6 ===
    new: === matches: ipv6 ===


Revision as of 22:18, 16 August 2018

Last update: 2016/Jan/11

This page tracks the list of supported and unsupported extensions with comments and suggestions.

Unsupported extensions

matches: xt

bpf

  • consider native interface

cluster

  • consider native interface

connlimit

  • consider native interface. Refer to Meters.

ipvs

  • consider native interface. Refer to Load balancing.

nfacct

  • consider native interface. Refer to Stateful objects.

osf

  • consider native interface

policy

  • consider native interface. Refer to Configuring chains#Base chain policy.

rateest

  • consider native interface

recent

  • consider native interface. Refer to Sets.

socket

  • consider native interface

string

  • consider native interface

time

  • consider native interface

u32

  • raw expressions?

targets: xt

AUDIT

  • add nft_audit.

CHECKSUM

CONNSECMARK

  • nft_meta.

CT

  • nft_meta_target. Refer to Matching connection tracking stateful metainformation.

DSCP

  • add nft_mangle. Refer to Quick reference-nftables in 10 minutes#Ip.

HL

  • add nft_mangle. Refer to Quick reference-nftables in 10 minutes#Ip6.

HMARK

  • consider native interface

IDLETIMER

  • consider native interface

LED

  • consider native (need this?)

NETMAP

  • nft_nat.

RATEEST

  • consider native interface

SECMARK

  • nft_meta_target

SET

  • consider native interface

SYNPROXY

  • consider native interface

TCPOPTSTRIP

  • consider native interface

TPROXY

  • consider native interface

targets: ipv4

TTL

targets: ipv6

NPT

  • consider native interface

targets: bridge

arpreply

  • consider native interface

watchers: bridge

log

  • nft_log

nflog

  • nft_log

targets: arp

TODO

Supported extensions

matches: xt

addrtype

  • nft_fib, starting with 4.10 kernel

cgroup

  • nft_meta.

[Awaits support for cgroup2]

comment

  • Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira).

connbytes

  • nft_ct, 4.5 kernel

connlabel

  • nft_meta, since 3.16 (Florian Westphal).

connmark

  • nft_meta.

conntrack

  • nft_ct.

cpu

  • nft_meta, since 3.18 (Valentina Giusti/Ana Rey).

dccp

  • nft_payload.

[Unsupported option: dccp-option]

devgroup

  • nft_meta, since 3.18 (Ana Rey).

dscp

  • nft_payload.

ecn

  • nft_payload.

esp

  • nft_payload.

hashlimit

  • meter statement. Refer to Meters.

helper

  • nft_ct.

ipcomp

  • nft_payload.

[Unsupported option: compres]

iprange

  • nft_payload, through native range support. To emulate iptables --ports you need two rules.

length

  • nft_meta.

limit

  • nft_limit. Refer to Stateful objects.

mac

  • nft_payload.

mark

  • nft_meta.

multiport

  • nft_payload.

[Unsupported option: ports]

owner

  • nft_meta.

[Unsupported option : socket-exists]

pkttype

  • nft_meta

statistic

  • nft_numgen

sctp

  • nft_payload.

[Unsupported option: --chunk-types]

set

  • Use native nf_tables set infrastructure.

state

  • nft_ct

tcp

  • nft_payload

tcpmss

  • nft_exthdr, since 4.14

udp

  • nft_payload

targets: xt

CLASSIFY

  • nft_meta, since 3.14 (Tomasz Bursztyka).

CONNMARK

MARK

  • nft_meta, since 3.14 (Tomasz Bursztyka).

NFLOG

  • nft_log, since 3.17 (Pablo Neira).

NFQUEUE

  • nft_queue, since 3.14 (Eric Leblond). Bridge support still missing.

TEE

  • nft_dup, since 4.3 (Pablo Neira)

TRACE

  • nft_meta, since 3.14 (Tomasz Bursztyka).

TCPMSS

  • nft_exthdr, since 4.14

matches: ipv4

ah

  • nft_payload + nft_cmp

icmp

  • nft_payload + nft_cmp.

[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]

realm

  • nft_meta, through NFT_META_RTCLASSID.

rp_filter

  • nft_fib, starting with 4.10 kernel

ttl

matches: ipv6

rp_filter

  • nft_fib, starting with 4.10 kernel

ah

  • nft_payload + nft_cmp.

eui64

  • nft_payload + nft_cmp.

frag

  • nft_exthdr + nft_cmp.

hbh

  • nft_exthdr + nft_cmp.

HBH options are not supported yet. [Unsupported option: --hbh-opts]

hl

  • nft_payload.

icmp6

  • nft_payload + nft_cmp.

[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]

ipv6header

  • nft_exthdr + nft_cmp.

mh

  • nft_exthdr + nft_cmp.

[Needs a bug fix for option mh-type with range]

rt

  • nft_exthdr + nft_cmp

[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

targets: ipv4

ECN

  • nft_payload

DNAT

  • nft_nat, since 3.13 (Tomasz Bursztyka).

LOG

  • nft_log, since 3.17 (Pablo Neira).

[Unsupported options: log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]

MASQUERADE

  • nft_masq, since 3.18 (Arturo Borrero).

REDIRECT

  • nft_redirect, since 3.19 (Arturo Borrero).

REJECT

  • nft_reject_ipv4, since 3.13 (Patrick McHardy/Eric Leblond).
  • nft_reject_inet, since 3.14 (Patrick McHardy).
  • nft_reject_bridge, since 3.18 (Pablo Neira)

SNAT

  • nft_nat, since 3.13 (Tomasz Bursztyka).

targets: ipv6

DNAT

  • nft_nat, since 3.13 (Tomasz Bursztyka).

LOG

  • nft_log, since 3.17 (Pablo Neira).

[Unsupported options: log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]

MASQUERADE

  • nft_masq, since 3.18 (Arturo Borrero).

REDIRECT

  • nft_redirect, since 3.19 (Arturo Borrero).

REJECT

  • nft_reject_ipv6, since 3.14 (Patrick McHardy/Eric Leblond)
  • nft_reject_inet, since 3.14 (Patrick McHardy).
  • nft_reject_bridge, since 3.18 (Pablo Neira)

SNAT

  • nft_nat, since 3.13 (Tomasz Bursztyka).

matches: bridge

802.3

  • nft_payload

among

  • sets

arp

  • nft_payload

ip

  • nft_payload

ip6

  • nft_payload

limit

  • nft_limit

mark

  • nft_mark

pkttype

  • nft_meta

stp

  • nft_payload

vlan

  • nft_payload


targets: bridge

dnat

  • nft_payload

snat

  • nft_payload

redirect

  • nft_payload + nft_meta (pkttype set unicast)

mark

  • nft_mark

Deprecated extensions

matches

physdev

  • nftables aims to deprecate br_netfilter.

quota

  • nfacct already provides quota support.

tos

  • deprecated by dscp

targets

CLUSTERIP

  • deprecated by cluster match.

TOS

  • deprecated by DSCP

targets: ipv4

ULOG

  • Removed from tree since 3.17.