Supported features compared to xtables
(Edit summary of the shown revision: move secmark/connsecmark target to supported section.)
Revision as of 12:13, 3 January 2019
Last update: Aug/2018
This page tracks the list of supported and unsupported extensions with comments and suggestions.
Unsupported extensions
matches: xt
bpf
- consider native interface
cluster
- consider native interface
rateest
- consider native interface
string
- consider native interface
time
- consider native interface
u32
- raw expressions?
targets: xt
CHECKSUM
- add nft_payload.
- To date, the only use case for this was DHCP clients that could not handle partial checksums. That should be fixed nowadays.
- See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
- See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090
CT
- nft_ct_target. Refer to Matching_connection_tracking_stateful_metainformation.
IDLETIMER
- consider native interface
LED
- consider native interface (is this needed?)
NETMAP
- nft_nat.
RATEEST
- consider native interface
SET
- consider native interface
SYNPROXY
- consider native interface
TCPOPTSTRIP
- consider native interface; nft_exthdr.c would need to be extended
targets: ipv4
TTL
targets: ipv6
NPT
- consider native interface
targets: bridge
arpreply
- consider native interface
watchers: bridge
log
- nft_log
nflog
- nft_log
targets: arp
TODO
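The u32 entry above points at raw expressions. As an added example (not from this wiki page or the nftables project), the ruleset below shows the raw payload syntax nft already offers, which covers the common u32 uses: `@nh,offset,length` and `@th,offset,length` read a bit range out of the network or transport header. Table and chain names are arbitrary, and the counters only exist so the rules can be observed with `nft list ruleset`.

```nft
# Added example: raw payload expressions in place of the u32 match.
# Offsets and lengths are in bits; @ll = link layer, @nh = network header,
# @th = transport header. Table and chain names are placeholders.
table ip u32_example {
    chain input {
        type filter hook input priority 0; policy accept;

        # u32 IHL check: the IPv4 IHL field is 4 bits at bit offset 4 of the
        # network header; a value above 5 (20 bytes) means IP options are present.
        @nh,4,4 > 5 counter comment "ipv4 with options"

        # DNS over UDP: the DNS flags word follows the 8-byte UDP header (64 bits)
        # and the 16-bit DNS ID, so it sits at bit offset 80 of the transport
        # header. QR (bit 15) clear means the packet is a query, not a response.
        udp dport 53 @th,80,16 & 0x8000 == 0 counter comment "dns query"

        # Prefer a named field where nft has one: this is the IHL check again.
        ip hdrlength > 5 counter comment "same check, named field"
    }
}
```

Load with `nft -f <file>`; `nft -c -f <file>` only parses and checks the file without committing it.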
Supported extensions
matches: xt
addrtype
- nft_fib, starting with 4.10 kernel. Refer to Routing_information.
cgroup
- nft_meta. Refer to Quick_reference-nftables_in_10_minutes#Meta.
[Awaits support for cgroup2]
comment
- Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule.
connbytes
- nft_ct, 4.5 kernel. Refer to Meters.
connlabel
- nft_ct (ct label), since 3.16.
connlimit
- consider native interface. Refer to Meters.
connmark
- nft_ct (ct mark).
conntrack
- nft_ct.
cpu
- nft_meta, since 3.18.
dccp
- nft_payload.
[Unsupported option : dccp-option]
devgroup
- nft_meta, since 3.18.
dscp
- nft_payload.
ecn
- nft_payload.
esp
- nft_payload.
hashlimit
- meter statement. Refer to Meters.
helper
- nft_ct.
ipcomp
- nft_payload.
[Unsupported option : compres]
iprange
- nft_payload, through native range support.
ipvs
- consider native interface. Refer to Load balancing.
length
- nft_meta.
limit
- nft_limit. Refer to Stateful objects.
mac
- nft_payload.
mark
- nft_meta.
multiport
- nft_payload.
[Unsupported option : ports. To emulate --ports (match on either source or destination port) you need two rules, one on sport and one on dport.]
nfacct
- consider native interface. Refer to Stateful objects.
osf
- consider native interface
owner
- nft_meta.
[Unsupported option : socket-exists]
pkttype
- nft_meta
policy
- nft_xfrm, since 4.20.
sctp
- nft_payload.
[Unsupported option: --chunk-types]
socket
- consider native interface
statistic
- nft_numgen. Refer to Load balancing.
recent
- consider native interface. Refer to Sets.
set
- Use native nf_tables set infrastructure.
state
- nft_ct
tcp
- nft_payload
tcpmss
- nft_exthdr, since 4.14
udp
- nft_payload
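To make the mapping in the list above concrete, here is an added example (not from this wiki page or the nftables project) that puts the iptables match as a comment next to the nftables expression it maps to. Addresses, ports, the uid and the set contents are placeholders; the rules use nft 0.9.0 syntax and the kernel versions noted in the list.

```nft
# Added example: iptables match (comment) next to its nftables expression.
# Addresses, ports, uids and set members are placeholders.
table ip xt_matches {
    # "-m set --match-set blocklist src" -> a native named set
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ip saddr @blocklist drop

        # "-m conntrack --ctstate ESTABLISHED,RELATED" (also the old "-m state")
        ct state established,related accept

        # "-m addrtype --dst-type LOCAL" -> fib (4.10+)
        fib daddr type local counter

        # "-m rpfilter" -> fib (4.10+): drop if there is no route back via the ingress interface
        fib saddr . iif oif missing drop

        # "-m iprange --src-range 192.168.1.100-192.168.1.200"
        ip saddr 192.168.1.100-192.168.1.200 accept

        # "-m multiport --dports 22,80,443"
        tcp dport { 22, 80, 443 } accept

        # "-m multiport --ports 8080" has no single-rule equivalent: one rule per direction
        tcp sport 8080 accept
        tcp dport 8080 accept

        # "-m hashlimit --hashlimit-above 10/second --hashlimit-mode srcip" -> meter
        meter ssh_ratelimit { ip saddr limit rate over 10/second } drop

        # "-m connbytes --connbytes 1000000: --connbytes-dir original --connbytes-mode bytes" (4.5+)
        ct original bytes > 1000000 counter

        # "-m tcpmss --mss :535" -> nft_exthdr (4.14+)
        tcp flags syn tcp option maxseg size < 536 drop

        # "-m pkttype --pkt-type broadcast" and "-m length --length 1401:"
        meta pkttype broadcast drop
        meta length > 1400 counter

        # "-m statistic --mode random --probability 0.3" -> numgen
        numgen random mod 10 < 3 counter

        # "-m dscp --dscp-class CS1" and "-m mark --mark 0x1"
        ip dscp cs1 counter
        meta mark 0x1 counter
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # "-m owner --uid-owner 1000" (only meaningful on locally generated packets)
        meta skuid 1000 counter
    }
}
```

The `counter` statements without a verdict are there so each translation can be watched with `nft list ruleset`; in a real ruleset they would be followed by `accept` or `drop`.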
targets: xt
AUDIT
- nft_log, since 4.18.
CLASSIFY
- nft_meta, since 3.14.
CONNMARK
- nft_ct
CONNSECMARK
- nft_ct, since 4.20
DSCP
- nft_payload.
HL
- nft_payload
HMARK
- nft_meta + nft_hash.
MARK
- nft_meta, since 3.14.
NFLOG
- nft_log, since 3.17.
NFQUEUE
- nft_queue, since 3.14.
SECMARK
- nft_meta, since 4.20
TEE
- nft_dup, since 4.3.
TPROXY
- nft_tproxy, since 4.19.
TRACE
- nft_meta, since 3.14.
TCPMSS
- nft_exthdr, since 4.14
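The target list above, as an added example (not from this wiki page or the nftables project): each iptables target appears as a comment above the nftables statement it maps to. Interface names, addresses, marks and the 3128 proxy port are placeholders; `rt mtu` in the TCPMSS rule needs a kernel whose nft_rt expression supports tcpmss, and the tproxy rule needs 4.19 or later as the list states.

```nft
# Added example: iptables target (comment) next to its nftables statement.
# Interfaces, addresses, marks and ports are placeholders.
table ip xt_targets {
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;

        # "-j TPROXY --on-port 3128 --tproxy-mark 0x1" -> nft_tproxy (4.19+)
        tcp dport 80 tproxy to :3128 meta mark set 0x1 accept
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # "-j CONNMARK --restore-mark" and "-j CONNMARK --save-mark" -> nft_ct
        ct mark != 0 meta mark set ct mark
        meta mark 0 meta mark set 0x2 ct mark set meta mark

        # "-j HMARK": hash the flow into 8 buckets -> nft_meta + nft_hash
        meta mark set jhash ip saddr . ip daddr mod 8 seed 0xdeadbeef

        # "-j NFLOG --nflog-group 2 --nflog-prefix ssh:" and "-j AUDIT" (4.18+) -> nft_log
        tcp dport 22 log group 2 prefix "ssh: "
        tcp dport 23 log level audit

        # "-j NFQUEUE --queue-num 0 --queue-bypass" -> nft_queue
        udp dport 5060 queue num 0 bypass

        # "-j TEE --gateway 10.0.0.2" -> nft_dup (4.3+)
        tcp dport 443 dup to 10.0.0.2 device "eth1"

        # "-j TRACE" -> nft_meta
        ip saddr 198.51.100.7 meta nftrace set 1
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # "-j TCPMSS --clamp-mss-to-pmtu" -> nft_exthdr (4.14+) with the route MTU
        tcp flags syn tcp option maxseg size set rt mtu

        # "-j CLASSIFY --set-class 1:10" and "-j MARK --set-mark 0x3" -> nft_meta
        oifname "eth0" meta priority set 1:10
        oifname "eth0" meta mark set 0x3
    }
}
```

Statements without a verdict (mark, log, dup, nftrace) let the packet continue to the next rule, which is the same behaviour as the non-terminating iptables targets they replace; `queue` and `tproxy` are terminating unless `bypass` or the following `accept` applies.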
matches: ipv4
ah
- nft_payload + nft_cmp
icmp
- nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing]
realm
- nft_meta, through NFT_META_RTCLASSID.
rp_filter
- nft_fib, starting with 4.10 kernel
ttl
- nft_payload.
matches: ipv6
rp_filter
- nft_fib, starting with 4.10 kernel
ah
- nft_payload + nft_cmp.
eui64
- nft_payload + nft_cmp.
frag
- nft_exthdr + nft_cmp.
hbh
- nft_exthdr + nft_cmp.
HBH options are not supported yet. [Unsupported option: --hbh-opts]
hl
- nft_payload.
icmp6
- nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
ipv6header
- nft_exthdr + nft_cmp.
mh
- nft_exthdr + nft_cmp.
[Needs a bug fix for the mh-type option when used with a range]
rt
- nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]
targets: ipv4
ECN
- nft_payload
DNAT
- nft_nat, since 3.13.
LOG
- nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
MASQUERADE
- nft_masq, since 3.18.
REDIRECT
- nft_redirect, since 3.19.
REJECT
- nft_reject_ipv4, since 3.13.
- nft_reject_inet, since 3.14.
- nft_reject_bridge, since 3.18.
SNAT
- nft_nat, since 3.13.
targets: ipv6
DNAT
- nft_nat, since 3.13.
LOG
- nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
MASQUERADE
- nft_masq, since 3.18.
REDIRECT
- nft_redirect, since 3.19.
REJECT
- nft_reject_ipv6, since 3.14.
- nft_reject_inet, since 3.14.
- nft_reject_bridge, since 3.18.
SNAT
- nft_nat, since 3.13.
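The ipv4 and ipv6 target lists above, as an added example (not from this wiki page or the nftables project). The nat chains are placed in ip and ip6 tables because nat chains in the inet family need kernel 5.2 or later; the inet family is used only for the filtering chain that carries the LOG and REJECT translations. Interface names and addresses are placeholders.

```nft
# Added example: NAT, LOG and REJECT translations. Interfaces and addresses
# are placeholders. nat chains live in ip/ip6 tables (inet nat needs 5.2+).
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # "-j DNAT --to-destination 10.0.0.10:8080" -> nft_nat
        iifname "eth0" tcp dport 80 dnat to 10.0.0.10:8080

        # "-j REDIRECT --to-ports 22" -> nft_redirect
        iifname "eth0" tcp dport 2222 redirect to :22
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # "-j SNAT --to-source 203.0.113.1" -> nft_nat, "-j MASQUERADE" -> nft_masq
        oifname "eth0" ip saddr 10.0.0.0/24 snat to 203.0.113.1
        oifname "ppp0" masquerade
    }
}

table ip6 nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # "-j DNAT --to-destination [2001:db8::10]:8080"
        iifname "eth0" tcp dport 80 dnat to [2001:db8::10]:8080
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # "-j LOG --log-prefix 'drop: ' --log-level warning" -> nft_log
        ip saddr 203.0.113.0/24 tcp dport 22 log prefix "drop: " level warn drop

        # "-j REJECT --reject-with tcp-reset" -> nft_reject_inet
        tcp dport 113 reject with tcp reset

        # "-j REJECT --reject-with icmp-port-unreachable"; icmpx picks the
        # matching ICMP or ICMPv6 type for whichever family the packet belongs to
        udp dport 1024-65535 reject with icmpx type port-unreachable
    }
}
```

The log rule ends in an explicit `drop` because `log` itself does not terminate rule evaluation; without it the packet would fall through to the chain policy, which happens to be drop here but need not be elsewhere.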
matches: bridge
802.3
- nft_payload
among
- sets
arp
- nft_payload
ip
- nft_payload
ip6
- nft_payload
limit
- nft_limit
mark
- nft_meta (meta mark).
pkttype
- nft_meta
stp
- nft_payload
vlan
- nft_payload
targets: bridge
dnat
- nft_payload
snat
- nft_payload
redirect
- nft_payload + nft_meta (pkttype set unicast)
mark
- nft_meta (meta mark).
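The bridge match and target lists above, as an added example (not from this wiki page or the nftables project): ebtables syntax appears as a comment next to the bridge-family rule it maps to. MAC addresses, the VLAN id and the interface names are placeholders; the `redirect` translation follows the list's own note of rewriting the destination MAC with nft_payload and setting pkttype to unicast with nft_meta.

```nft
# Added example: ebtables match/target (comment) next to the bridge-family rule.
# MAC addresses, VLAN id and interface names are placeholders.
table bridge filter {
    # "-m among --among-src 00:11:22:33:44:55,66:77:88:99:aa:bb" -> a set of ether_addr
    set trusted_macs {
        type ether_addr
        elements = { 00:11:22:33:44:55, 66:77:88:99:aa:bb }
    }

    chain prerouting {
        type filter hook prerouting priority 0; policy accept;

        # "-t nat -j redirect": point the frame at the bridge's own MAC and
        # mark it unicast so the local stack accepts it
        iifname "eth1" ether type ip ether daddr set 00:0c:29:aa:bb:cc meta pkttype set unicast

        # "-t nat -j dnat --to-destination 00:0c:29:aa:bb:cc"
        ether daddr 01:00:5e:00:00:fb ether daddr set 00:0c:29:aa:bb:cc
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # "-p ARP --arp-opcode Request" (and Reply)
        arp operation { request, reply } accept

        # "-p 802_1Q --vlan-id 100"
        vlan id 100 accept

        # "-p IPv4 --ip-proto tcp" and "-p IPv6 --ip6-proto tcp", limited to known sources
        ether saddr @trusted_macs ip protocol tcp accept
        ether saddr @trusted_macs ip6 nexthdr tcp accept

        # "--pkttype-type broadcast --limit 10/s"
        meta pkttype broadcast limit rate 10/second accept

        # "-j mark --mark-set 0x1 --mark-target CONTINUE": no verdict, so evaluation continues
        ether type arp meta mark set 0x1
    }

    chain postrouting {
        type filter hook postrouting priority 0; policy accept;

        # "-t nat -j snat --to-source 00:0c:29:aa:bb:cc"
        oifname "br0" ether saddr set 00:0c:29:aa:bb:cc
    }
}
```

Note that `vlan id`, `ip protocol` and `ip6 nexthdr` in a bridge table make nft add the matching `ether type` dependency for you, so the explicit protocol selector of ebtables (`-p 802_1Q`, `-p IPv4`) is not needed.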
Deprecated extensions
matches
physdev
- br_netfilter is expected to be deprecated by nftables (bridge family).
quota
- nfacct already provides quota support.
tos
- deprecated by dscp
targets
CLUSTERIP
- deprecated by cluster match.
TOS
- deprecated by DSCP
targets: ipv4
ULOG
- Removed from tree since 3.17.