Supported features compared to xtables
Last update: 2016/Jan/11
This page tracks the list of supported and unsupported extensions with comments and suggestions.
Unsupported extensions
matches: xt
bpf
- consider native interface
cluster
- consider native interface
rateest
- consider native interface
string
- consider native interface
time
- consider native interface
u32
- raw expressions?
targets: xt
CHECKSUM
- add nft_payload.
- To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
- See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
- See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090
CONNSECMARK
- nft_ct
CT
- nft_ct_target. Refer to Matching_connection_tracking_stateful_metainformation.
IDLETIMER
- consider native interfac
LED
- consider native (need this?)
NETMAP
- nft_nat.
RATEEST
- consider native interface
SECMARK
- nft_meta_target
SET
- consider native interface
SYNPROXY
- consider native interface
TCPOPTSTRIP
- consider native interface, need to extend nft_exthdr.c
targets: ipv4
TTL
targets: ipv6
NPT
- consider native interface
targets: bridge
arpreply
- consider native interface
watchers: bridge
log
- nft_log
nflog
- nft_log
targets: arp
TODO
Supported extensions
matches: xt
addrtype
- nft_fib, starting with 4.10 kernel
cgroup
- nft_meta.
[Awaits support for cgroup2]
comment
- Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira).
connbytes
- nft_ct, 4.5 kernel
connlabel
- nft_meta, since 3.16 (Florian Westphal).
connlimit
- consider native interface. Refer to Meters.
connmark
- nft_meta.
conntrack
- nft_ct.
cpu
- nft_meta, since 3.18 (Valentina Giusti/Ana Rey).
dccp
- nft_payload.
[Unsupported option : dccp-option]
devgroup
- nft_meta, since 3.18 (Ana Rey).
dscp
- nft_payload.
ecn
- nft_payload.
esp
- nft_payload.
hashlimit
- meter statement. Refer to Meters.
helper
- nft_ct.
ipcomp
- nft_payload.
[Unsupported option : compres]
iprange
- nft_payload, through native range support. To emulate iptables --ports you need two rules.
ipvs
- consider native interface. Refer to Load balancing.
length
- nft_meta.
limit
- nft_limit. Refer to Stateful objects.
mac
- nft_payload.
mark
- nft_meta.
multiport
- nft_payload.
[Unsupported option : ports]
nfacct
- consider native interface. Refer to Stateful objects.
osf
- consider native interface
owner
- nft_meta.
[Unsupported option : socket-exists]
pkttype
- nft_meta
sctp
- nft_payload.
[Unsupported option: --chunk-types]
socket
- consider native interface
statistic
- nft_numgen. Refer to Load balancing.
policy
- consider native interface. Refer to Configuring_chains#Base_chain_policy.
recent
- consider native interface. Refer to Sets.
set
- Use native nf_tables set infrastructure.
state
- nft_ct
tcp
- nft_payload
tcpmss
- nft_exthdr, since 4.14
udp
- nft_payload
targets: xt
CLASSIFY
- nft_meta, since 3.14 (Tomasz Bursztyka).
CONNMARK
MARK
- nft_meta, since 3.14 (Tomasz Bursztyka).
NFLOG
- nft_log, since 3.17 (Pablo Neira).
NFQUEUE
- nft_queue, since 3.14 (Eric Leblond). Bridge support still missing.
TEE
- nft_dup, since 4.3 (Pablo Neira)
TRACE
- nft_meta, since 3.14 (Tomasz Bursztyka).
TCPMSS
- nft_exthdr, since 4.14
matches: ipv4
ah
- nft_payload + nft_cmp
icmp
- nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
realm
- nft_meta, through NFT_META_RTCLASSID.
rp_filter
- nft_fib, starting with 4.10 kernel
ttl
matches: ipv6
rp_filter
- nft_fib, starting with 4.10 kernel
ah
- nft_payload + nft_cmp.
eui64
- nft_payload + nft_cmp.
frag
- nft_exthdr + nft_cmp.
hbh
- nft_exthdr + nft_cmp.
HBH options are not supported yet. [Unsupported option: --hbh-opts]
hl
- nft_payload.
icmp6
- nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
ipv6header
- nft_exthdr + nft_cmp.
mh
- nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
rt
- nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]
targets: ipv4
ECN
- nft_payload
DNAT
- nft_nat, since 3.13 (Tomasz Bursztyka).
LOG
- nft_log, since 3.17 (Pablo Neira).
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
MASQUERADE
- nft_masq, since 3.18 (Arturo Borrero).
REDIRECT
- nft_redirect, since 3.19 (Arturo Borrero).
REJECT
- nft_reject_ipv4, since 3.13 (Patrick McHardy/Eric Leblond).
- nft_reject_inet, since 3.14 (Patrick McHardy).
- nft_reject_bridge, since 3.18 (Pablo Neira)
SNAT
- nft_nat, since 3.13 (Tomasz Bursztyka).
targets: ipv6
DNAT
- nft_nat, since 3.13 (Tomasz Bursztyka).
LOG
- nft_log, since 3.17 (Pablo Neira).
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
MASQUERADE
- nft_masq, since 3.18 (Arturo Borrero).
REDIRECT
- nft_redirect, since 3.19 (Arturo Borrero).
REJECT
- nft_reject_ipv6, since 3.14 (Patrick McHardy/Eric Leblond)
- nft_reject_inet, since 3.14 (Patrick McHardy).
- nft_reject_bridge, since 3.18 (Pablo Neira)
SNAT
- nft_nat, since 3.13 (Tomasz Bursztyka).
matches: bridge
802.3
- nft_payload
among
- sets
arp
- nft_payload
ip
- nft_payload
ip6
- nft_payload
limit
- nft_limit
mark
- nft_mark
pkttype
- nft_meta
stp
- nft_payload
vlan
- nft_payload
targets: bridge
dnat
- nft_payload
snat
- nft_payload
redirect
- nft_payload + nft_meta (pkttype set unicast)
mark
- nft_mark
Deprecated extensions
matches
physdev
- br_netfilter aims to be deprecated by nftables.
quota
- nfacct already provides quota support.
tos
- deprecated by dscp
targets
CLUSTERIP
- deprecated by cluster match.
TOS
- deprecated by DSCP
targets: ipv4
ULOG
- Removed from tree since 3.17.