Nftables families

From nftables wiki
Revision as of 13:35, 9 November 2017 by Arturo (talk | contribs) (Create page with basic content)

nftables families are a concept introduced with this framework that had no counterpart in the iptables world. The nftables framework is designed to work with all the usual address families (IPv4, IPv6, ARP). In the past, each family was handled by a different tool: iptables, ip6tables, arptables, ebtables.

At present, the nftables families are:

  • ip: tables of this family will see IPv4 traffic/packets
  • ip6: tables of this family will see IPv6 traffic/packets
  • inet: tables of this family will see both IPv4/IPv6 traffic/packets, designed to improve dual stack support
  • arp: tables of this family will see ARP-level (i.e., L2) traffic, before any L3 handling is done by the kernel.
  • bridge: tables of this family will see traffic/packets traversing bridges (i.e. switching). No assumptions are made about L3 protocols.
  • netdev: tables of this family will see raw packets at L2 directly from the attached NIC. No assumptions are made about L2/L3 protocols.

Please note that what traffic/packets you see and at which point in the network stack depends on the chain hook you are using.

You can create tables, chains, sets and rules in any family with the nft command line tool, out of the box; there is no need for different tools.

For those who come from the x_tables world, we can draw some parallels:

  • ip family <-> iptables
  • ip6 family <-> ip6tables
  • inet <-> mixing iptables and ip6tables rules in the same box
  • arp <-> arptables
  • bridge <-> ebtables, plus some x_tables modules like physdev
  • netdev <-> no equivalent in x_tables
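
The following script is an added example, not content from the nftables wiki or the nftables project itself. It generates one ruleset that defines a table in each of the inet, arp, bridge and netdev families listed above, so the family/hook combinations and the x_tables parallels can be compared side by side: the inet table replaces a duplicated iptables/ip6tables ruleset, the arp table plays the arptables role, the bridge table the ebtables role, and the netdev table has no x_tables equivalent. The interface name eth0 is an assumed placeholder; the table names, chain names and rules are chosen for illustration. The ruleset is only generated and syntax-checked (nft -c), never loaded into the kernel.

```shell
#!/bin/sh
# Added example (not from the nftables wiki): emit a ruleset with one table per
# family so the hook names each family accepts can be seen together.
# "eth0" is an assumed placeholder NIC name; pass the real interface as $1.
gen_family_ruleset() {
  nic="${1:-eth0}"
  cat <<EOF
flush ruleset

# inet: a single table sees IPv4 and IPv6, replacing a duplicated iptables/ip6tables ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport 22 accept
    }
}

# arp: ARP packets only, before any L3 handling (arptables parallel)
table arp filter {
    chain input {
        type filter hook input priority 0; policy accept;
        arp operation request counter
    }
}

# bridge: frames switched between bridge ports (ebtables parallel)
table bridge filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ether type arp counter
    }
}

# netdev: raw frames at NIC ingress; the chain must be bound to a device
table netdev filter {
    chain ingress {
        type filter hook ingress device $nic priority 0; policy accept;
        ip saddr 127.0.0.0/8 counter drop
    }
}
EOF
}

# Syntax-check the generated ruleset without loading it (nft -c reads stdin via "-f -").
# nft may need CAP_NET_ADMIN even for a check, so run this as root when available.
check_family_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    gen_family_ruleset "$1" | nft -c -f -
  else
    echo "nft not installed; skipping syntax check" >&2
  fi
}

# Number of tables in the generated ruleset (one per family shown above).
count_tables() {
  gen_family_ruleset "$1" | grep -c '^table '
}

# Usage: ./families.sh [interface]
check_family_ruleset "$1"
```

Run it as `sh families.sh eth1` to check the ruleset against your nft build; a successful `nft -c` prints nothing. Note which hooks each family offers: inet and bridge use the familiar prerouting/input/forward/output/postrouting set, arp only input and output, and netdev only ingress, which is why the netdev chain carries a `device` clause.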

Additional families may be added in the future for extended nftables functionalities.