User Tools

Site Tools


doc:howto:nftables

Nftables

nftables is the successor of netfilter. Its user space utility nft replaces the entire {ip,eb,arp,ip6}tables user space tool set. It still uses the netfilter architecture for complex extensions and is part of the netfilter project. The command-line user space utility is called nft and there is an API and library interface to it (libnftables). There is also an iptables to nft handle userspace conversion tool which will ease migration. nftables is a major departure in that there is no need for deep protocol awareness in the kernel modules as everything filter related is handled by a basic virtual machine.

The OpenWrt developers are aware of the nftables developments, and will migrate as soon as OpenWrt adopts a 3.13 kernel. Linux kernel version 3.13 was released 2014-01-20, Linux 3.12 released .. and no merge window yet .. and 4.0 plans?.

  • The proper place for documentation of the C-language wrapper firewall is firewall.

Configuration

Like Netfilter, Nftables is part of the Linux kernel. The IP packet filter rules in the Linux kernel are being configured by the user space command line tool of nftbales: nft. Utilize nft as follows:

nft add rule ip filter output ip daddr 1.2.3.4 drop

nft add rule ip filter output ip daddr 1.2.3.4 counter drop

nft add rule ip filter input tcp dport 80 drop

nft add rule ip6 filter output ip6 daddr home.regit.org counter

Further documantation

doc/howto/nftables.txt · Last modified: 2015/05/02 13:14 by markues