Supported features compared to xtables: Difference between revisions
Edit summary: (update some supported matches)
Revision as of 22:37, 18 August 2018
Last update: 2016/Jan/11
This page tracks the list of supported and unsupported extensions with comments and suggestions.
Unsupported extensions
matches: xt
bpf
- consider native interface
cluster
- consider native interface
rateest
- consider native interface
string
- consider native interface
time
- consider native interface
u32
- raw expressions?
targets: xt
AUDIT
- add nft_audit.
CHECKSUM
- add nft_payload.
- To date, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
- See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
- See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090
CONNSECMARK
- nft_meta.
CT
- nft_meta_target. Refer to Matching_connection_tracking_stateful_metainformation.
DSCP
- add nft_mangle. Refer to Quick_reference-nftables_in_10_minutes#Ip.
HL
- add nft_mangle. Refer to Quick_reference-nftables_in_10_minutes#Ip6.
HMARK
- consider native interface
IDLETIMER
- consider native interface
LED
- consider native interface (is this needed?)
NETMAP
- nft_nat.
RATEEST
- consider native interface
SECMARK
- nft_meta_target
SET
- consider native interface
SYNPROXY
- consider native interface
TCPOPTSTRIP
- consider native interface
TPROXY
- consider native interface
targets: ipv4
TTL
targets: ipv6
NPT
- consider native interface
targets: bridge
arpreply
- consider native interface
watchers: bridge
log
- nft_log
nflog
- nft_log
targets: arp
TODO
Supported extensions
matches: xt
addrtype
- nft_fib, starting with 4.10 kernel
cgroup
- nft_meta.
[Awaits support for cgroup2]
comment
- Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira).
connbytes
- nft_ct, 4.5 kernel
connlabel
- nft_meta, since 3.16 (Florian Westphal).
connlimit
- consider native interface. Refer to Meters.
connmark
- nft_meta.
conntrack
- nft_ct.
cpu
- nft_meta, since 3.18 (Valentina Giusti/Ana Rey).
dccp
- nft_payload.
[Unsupported option: dccp-option]
devgroup
- nft_meta, since 3.18 (Ana Rey).
dscp
- nft_payload.
ecn
- nft_payload.
esp
- nft_payload.
hashlimit
- meter statement. Refer to Meters.
helper
- nft_ct.
ipcomp
- nft_payload.
[Unsupported option: compres]
iprange
- nft_payload, through native range support. To emulate iptables --ports you need two rules.
ipvs
- consider native interface. Refer to Load balancing.
length
- nft_meta.
limit
- nft_limit. Refer to Stateful objects.
mac
- nft_payload.
mark
- nft_meta.
multiport
- nft_payload.
[Unsupported option: ports]
nfacct
- consider native interface. Refer to Stateful objects.
osf
- consider native interface
owner
- nft_meta.
[Unsupported option: socket-exists]
pkttype
- nft_meta
sctp
- nft_payload.
[Unsupported option: --chunk-types]
socket
- consider native interface
statistic
- nft_numgen. Refer to Load balancing.
policy
- consider native interface. Refer to Configuring_chains#Base_chain_policy.
recent
- consider native interface. Refer to Sets.
set
- Use native nf_tables set infrastructure.
state
- nft_ct
tcp
- nft_payload
tcpmss
- nft_exthdr, since 4.14
udp
- nft_payload
targets: xt
CLASSIFY
- nft_meta, since 3.14 (Tomasz Bursztyka).
CONNMARK
MARK
- nft_meta, since 3.14 (Tomasz Bursztyka).
NFLOG
- nft_log, since 3.17 (Pablo Neira).
NFQUEUE
- nft_queue, since 3.14 (Eric Leblond). Bridge support still missing.
TEE
- nft_dup, since 4.3 (Pablo Neira)
TRACE
- nft_meta, since 3.14 (Tomasz Bursztyka).
TCPMSS
- nft_exthdr, since 4.14
matches: ipv4
ah
- nft_payload + nft_cmp
icmp
- nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing]
realm
- nft_meta, through NFT_META_RTCLASSID.
rp_filter
- nft_fib, starting with 4.10 kernel
ttl
matches: ipv6
rp_filter
- nft_fib, starting with 4.10 kernel
ah
- nft_payload + nft_cmp.
eui64
- nft_payload + nft_cmp.
frag
- nft_exthdr + nft_cmp.
hbh
- nft_exthdr + nft_cmp.
HBH options are not supported yet. [Unsupported option: --hbh-opts]
hl
- nft_payload.
icmp6
- nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
ipv6header
- nft_exthdr + nft_cmp.
mh
- nft_exthdr + nft_cmp.
[Needs a bug fix for option mh-type with range]
rt
- nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]
targets: ipv4
ECN
- nft_payload
DNAT
- nft_nat, since 3.13 (Tomasz Bursztyka).
LOG
- nft_log, since 3.17 (Pablo Neira).
[Unsupported options: log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
MASQUERADE
- nft_masq, since 3.18 (Arturo Borrero).
REDIRECT
- nft_redirect, since 3.19 (Arturo Borrero).
REJECT
- nft_reject_ipv4, since 3.13 (Patrick McHardy/Eric Leblond).
- nft_reject_inet, since 3.14 (Patrick McHardy).
- nft_reject_bridge, since 3.18 (Pablo Neira)
SNAT
- nft_nat, since 3.13 (Tomasz Bursztyka).
targets: ipv6
DNAT
- nft_nat, since 3.13 (Tomasz Bursztyka).
LOG
- nft_log, since 3.17 (Pablo Neira).
[Unsupported options: log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
MASQUERADE
- nft_masq, since 3.18 (Arturo Borrero).
REDIRECT
- nft_redirect, since 3.19 (Arturo Borrero).
REJECT
- nft_reject_ipv6, since 3.14 (Patrick McHardy/Eric Leblond)
- nft_reject_inet, since 3.14 (Patrick McHardy).
- nft_reject_bridge, since 3.18 (Pablo Neira)
SNAT
- nft_nat, since 3.13 (Tomasz Bursztyka).
matches: bridge
802.3
- nft_payload
among
- sets
arp
- nft_payload
ip
- nft_payload
ip6
- nft_payload
limit
- nft_limit
mark
- nft_mark
pkttype
- nft_meta
stp
- nft_payload
vlan
- nft_payload
targets: bridge
dnat
- nft_payload
snat
- nft_payload
redirect
- nft_payload + nft_meta (pkttype set unicast)
mark
- nft_mark
Deprecated extensions
matches
physdev
- br_netfilter is meant to be deprecated by nftables.
quota
- nfacct already provides quota support.
tos
- deprecated by dscp
targets
CLUSTERIP
- deprecated by cluster match.
TOS
- deprecated by DSCP
targets: ipv4
ULOG
- Removed from tree since 3.17.