Difference between revisions of "Supported features compared to xtables"

From nftables wiki
(time is now supported)
(Review the list, update details, add links to xlate-test cases for samples)
 
Latest revision as of 18:34, 11 March 2022

Last update: Mar/2022

This page tracks the list of supported and unsupported xtables extensions, with comments and suggestions. For each supported extension the entry names the native nftables expression (kernel module) that replaces it, the kernel version that introduced it where known, and, where available, a link to the iptables-translate test cases (the .txlate files in the iptables tree), which record an iptables rule and its nft equivalent side by side.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== u32 ====
* raw payload expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To date, the only known use case was DHCP clients that could not handle partial checksums; that should be fixed nowadays.
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native interface (is this needed?)
==== RATEEST ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface; nft_exthdr.c needs to be extended

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Matching routing information]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_addrtype.txlate Examples from iptables-translate testsuite]

==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_cgroup.txlate Examples from iptables-translate testsuite]
[Awaits support for cgroup2]

==== cluster ====
* nft_hash
* [https://git.netfilter.org/iptables/tree/extensions/libxt_cluster.txlate Examples from iptables-translate testsuite]

==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_headers#Matching_UDP.2FTCP_headers_in_the_same_rule|matching UDP/TCP headers in the same rule]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_comment.txlate Examples from iptables-translate testsuite]

==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connbytes.txlate Examples from iptables-translate testsuite]
==== connlabel ====
* nft_meta, since 3.16.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connlabel.txlate Examples from iptables-translate testsuite]
==== connlimit ====
* nft_connlimit (ct count), since 4.18. Refer to [[Meters]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connlimit.txlate Examples from iptables-translate testsuite]
==== connmark ====
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connmark.txlate Examples from iptables-translate testsuite]
==== conntrack ====
* nft_ct.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_conntrack.txlate Examples from iptables-translate testsuite]
==== cpu ====
* nft_meta, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_cpu.txlate Examples from iptables-translate testsuite]
==== dccp ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_dccp.txlate Examples from iptables-translate testsuite]
[Unsupported option: --dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_devgroup.txlate Examples from iptables-translate testsuite]
==== dscp ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_dscp.txlate Examples from iptables-translate testsuite]
==== ecn ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_ecn.txlate Examples from iptables-translate testsuite]
==== esp ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_esp.txlate Examples from iptables-translate testsuite]
==== hashlimit ====
* meter statement. Refer to [[Meters]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_hashlimit.txlate Examples from iptables-translate testsuite]
==== helper ====
* nft_ct.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_helper.txlate Examples from iptables-translate testsuite]
==== ipcomp ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_ipcomp.txlate Examples from iptables-translate testsuite]
[Unsupported option: --compres]
==== iprange ====
* nft_payload, through native range support. To emulate the multiport --ports option, which matches either the source or the destination port, you need two rules.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_iprange.txlate Examples from iptables-translate testsuite]
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_length.txlate Examples from iptables-translate testsuite]
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_limit.txlate Examples from iptables-translate testsuite]
==== mac ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_mac.txlate Examples from iptables-translate testsuite]
==== mark ====
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_mark.txlate Examples from iptables-translate testsuite]
==== multiport ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_multiport.txlate Examples from iptables-translate testsuite]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* nft_osf, since 4.19.
==== owner ====
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_owner.txlate Examples from iptables-translate testsuite]
[Unsupported option: --socket-exists]
==== pkttype ====
* nft_meta
* [https://git.netfilter.org/iptables/tree/extensions/libxt_pkttype.txlate Examples from iptables-translate testsuite]
==== policy ====
* nft_xfrm, since 5.0
* [https://git.netfilter.org/iptables/tree/extensions/libxt_policy.txlate Examples from iptables-translate testsuite]
==== recent ====
* consider native interface. Refer to [[Sets]].
==== sctp ====
* nft_payload
* nft_exthdr for --chunk-types
* [https://git.netfilter.org/iptables/tree/extensions/libxt_sctp.txlate Examples from iptables-translate testsuite]
==== socket ====
* nft_socket, since 4.18.
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_statistic.txlate Examples from iptables-translate testsuite]
==== set ====
* Use the native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libxt_tcp.txlate Examples from iptables-translate testsuite]
==== tcpmss ====
* nft_exthdr, since 4.14

==== time ====
* nft_meta, since 5.4
* [https://git.netfilter.org/iptables/tree/extensions/libxt_time.txlate Examples from iptables-translate testsuite]

==== udp ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libxt_udp.txlate Examples from iptables-translate testsuite]

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_AUDIT.txlate Examples from iptables-translate testsuite]
==== CLASSIFY ====
* nft_meta, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_CLASSIFY.txlate Examples from iptables-translate testsuite]
==== CONNMARK ====
* nft_ct
* [https://git.netfilter.org/iptables/tree/extensions/libxt_CONNMARK.txlate Examples from iptables-translate testsuite]
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libxt_DSCP.txlate Examples from iptables-translate testsuite]
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_MARK.txlate Examples from iptables-translate testsuite]
==== NETMAP ====
* nft_nat, since 5.8
==== NFLOG ====
* nft_log, since 3.17.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_NFLOG.txlate Examples from iptables-translate testsuite]
==== NFQUEUE ====
* nft_queue, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_NFQUEUE.txlate Examples from iptables-translate testsuite]
==== SECMARK ====
* nft_meta, since 4.20
==== SYNPROXY ====
* nft_synproxy, since 5.3
* [https://git.netfilter.org/iptables/tree/extensions/libxt_SYNPROXY.txlate Examples from iptables-translate testsuite]
==== TEE ====
* nft_dup, since 4.3.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TEE.txlate Examples from iptables-translate testsuite]
==== TPROXY ====
* nft_tproxy, since 4.19

==== TRACE ====
* nft_meta, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TRACE.txlate Examples from iptables-translate testsuite]

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
* [https://git.netfilter.org/iptables/tree/extensions/libipt_ah.txlate Examples from iptables-translate testsuite]
==== icmp ====
* nft_payload + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_icmp.txlate Examples from iptables-translate testsuite]
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_realm.txlate Examples from iptables-translate testsuite]
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libipt_ttl.txlate Examples from iptables-translate testsuite]

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_ah.txlate Examples from iptables-translate testsuite]
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_frag.txlate Examples from iptables-translate testsuite]
==== hbh ====
* nft_exthdr + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_hbh.txlate Examples from iptables-translate testsuite]
[HBH options are not supported yet. Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_hl.txlate Examples from iptables-translate testsuite]
==== icmp6 ====
* nft_payload + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_icmp6.txlate Examples from iptables-translate testsuite]
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_mh.txlate Examples from iptables-translate testsuite]
[Needs a bug fix for the --mh-type option used with a range]
==== rt ====
* nft_exthdr + nft_cmp
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_rt.txlate Examples from iptables-translate testsuite]
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===

==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_DNAT.txlate Examples from iptables-translate testsuite]
==== LOG ====
* nft_log, since 3.17.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_LOG.txlate Examples from iptables-translate testsuite]
[Unsupported options: --log-tcp-sequence, --log-tcp-options, --log-ip-options, --log-uid, --log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_MASQUERADE.txlate Examples from iptables-translate testsuite]
==== REDIRECT ====
* nft_redirect, since 3.19.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_REDIRECT.txlate Examples from iptables-translate testsuite]

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_REJECT.txlate Examples from iptables-translate testsuite]
==== SNAT ====
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_SNAT.txlate Examples from iptables-translate testsuite]

=== targets: ipv6 ===

==== DNAT ====
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_DNAT.txlate Examples from iptables-translate testsuite]
==== LOG ====
* nft_log, since 3.17.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_LOG.txlate Examples from iptables-translate testsuite]
[Unsupported options: --log-tcp-sequence, --log-tcp-options, --log-ip-options, --log-uid, --log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_MASQUERADE.txlate Examples from iptables-translate testsuite]
==== REDIRECT ====
* nft_redirect, since 3.19.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_REDIRECT.txlate Examples from iptables-translate testsuite]

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_REJECT.txlate Examples from iptables-translate testsuite]
==== SNAT ====
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_SNAT.txlate Examples from iptables-translate testsuite]

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_ip.txlate Examples from iptables-translate testsuite]

==== ip6 ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_ip6.txlate Examples from iptables-translate testsuite]

==== limit ====
* nft_limit
* [https://git.netfilter.org/iptables/tree/extensions/libebt_limit.txlate Examples from iptables-translate testsuite]

==== mark ====
* nft_meta
* [https://git.netfilter.org/iptables/tree/extensions/libebt_mark_m.txlate Examples from iptables-translate testsuite]

==== pkttype ====
* nft_meta
* [https://git.netfilter.org/iptables/tree/extensions/libebt_pkttype.txlate Examples from iptables-translate testsuite]

==== stp ====
* nft_payload

==== vlan ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_vlan.txlate Examples from iptables-translate testsuite]

=== targets: bridge ===

==== dnat ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_dnat.txlate Examples from iptables-translate testsuite]

==== snat ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_snat.txlate Examples from iptables-translate testsuite]

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_meta
* [https://git.netfilter.org/iptables/tree/extensions/libebt_mark.txlate Examples from iptables-translate testsuite]

=== watchers: bridge ===

==== log ====
* nft_log
* [https://git.netfilter.org/iptables/tree/extensions/libebt_log.txlate Examples from iptables-translate testsuite]

==== nflog ====
* nft_log
* [https://git.netfilter.org/iptables/tree/extensions/libebt_nflog.txlate Examples from iptables-translate testsuite]

== Deprecated extensions ==

=== matches ===

==== physdev ====
* nftables aims to make br_netfilter obsolete.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by the cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.
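The following ruleset is an added example and is not part of this wiki page or the nftables project: it puts several of the mappings from the Supported extensions list above into one loadable file, with the iptables rule each nft statement replaces given as a comment (conntrack and comment, addrtype and rpfilter via fib, limit, hashlimit via a meter, the two-rule emulation of multiport --ports, LOG and REJECT, MASQUERADE). The table and chain names, the interface name eth0, the ports and the rate limits are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the wiki page: native nftables counterparts for a
# handful of the xtables extensions listed above, each preceded by the
# iptables rule it replaces. Table/chain names, the interface name, ports and
# rates are assumptions chosen for illustration.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # conntrack/state match -> nft_ct; comment match -> NFTA_RULE_USERDATA
        #   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ct state established,related accept comment "replaces -m conntrack"
        ct state invalid drop

        # addrtype match -> nft_fib (kernel >= 4.10)
        #   -i eth0 -m addrtype --src-type LOCAL -j DROP
        iifname "eth0" fib saddr type local drop

        # rpfilter match -> nft_fib: drop when no route back to the source exists via iif
        #   -m rpfilter --invert -j DROP
        fib saddr . iif oif missing drop

        # limit match -> nft_limit
        #   -p icmp -m limit --limit 10/second -j ACCEPT
        meta l4proto { icmp, icmpv6 } limit rate 10/second accept

        # hashlimit match -> meter statement (per-source-address rate limit)
        #   -p tcp --dport 22 -m hashlimit --hashlimit-name ssh \
        #     --hashlimit-mode srcip --hashlimit-above 10/minute -j DROP
        tcp dport 22 meter ssh { ip saddr limit rate over 10/minute } drop
        tcp dport 22 accept

        # multiport --ports matches source OR destination port, hence two rules
        #   -p tcp -m multiport --ports 80,443 -j ACCEPT
        tcp sport { 80, 443 } accept
        tcp dport { 80, 443 } accept

        # LOG target -> nft_log (rate limited), REJECT target -> nft_reject_inet
        #   -m limit --limit 5/minute -j LOG --log-prefix "input-drop: "
        #   -j REJECT --reject-with icmp-admin-prohibited
        limit rate 5/minute log prefix "input-drop: " level warn
        reject with icmpx type admin-prohibited
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # MASQUERADE target -> nft_masq (kernel >= 3.18)
        #   -o eth0 -j MASQUERADE
        oifname "eth0" masquerade
    }
}
```

Validate the file without loading it with nft -c -f, then load it with nft -f; the named priorities (filter, srcnat) need nft 0.9.1 or later. For a single iptables rule, iptables-translate from the iptables-nft package prints the nft equivalent, which is exactly what the linked .txlate test cases record, so it is the quickest way to check an extension not covered here.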