Since Linux kernel 4.1, nftables supports concatenations.

This new feature allows you to put two or more selectors together to perform very fast lookups by combining them with sets, dictionaries and maps.

Literal sets

% nft add rule ip filter input ip saddr . ip daddr . ip protocol { 1.1.1.1 . 2.2.2.2 . tcp, 1.1.1.1 . 3.3.3.3 . udp} counter accept

So if the packet is source IP address AND destination IP address AND TCP destination port match:

• 1.1.1.1 and 2.2.2.2 and TCP.

or

• 1.1.1.1 and 3.3.3.3 and UDP.

nftables updates the counter for this rule and then accepts the packet.

Dictionary declarations

The following example creates the whitelist dictionary using a concatenation of two selectors:

% nft add map filter whitelist { type ipv4_addr . inet_service : verdict \; }

Once you create the dictionary, you can use it from a rule that creates the following concatenation:

% nft add rule filter input ip saddr . tcp dport vmap @whitelist

Thus, the rule above looks up for a verdict based on the source IP address AND the TCP destination port.

Since the dictionary is initially empty, you can dynamically populate this dictionary with elements through:

% nft add element filter whitelist { 1.2.3.4 . 22 : accept}

Literal maps

The rule below determines the destination IP address that is used to perform DNAT to the packet based on:

• the source IP address

AND

• the destination TCP port

% nft add rule ip nat prerouting dnat ip saddr . tcp dport map { 1.1.1.1 . 80 : 192.168.1.100, 2.2.2.2 . 8888 : 192.168.1.101 }