Nftables

Nftables is the packet classification framework inside the Linux kernel, available since version 3.13 (released 2014-01-19). Nftables re-uses most parts of the Netfilter framework: its hook infrastructure, Connection Tracking System, NAT engine, logging infrastructure, userspace queueing, etc. Nftables only replaced the packet classification framework, i.e. those parts of the kernel that deal with run-time evaluation of the packet filtering rule set. So technically it does not replace Netfilter per se, but only the existing {ip,ip6,arp,eb}_tables infrastructure. Yet we distinguish between ipfwadm, ipchains, Netfilter/iptables and Nftables/nft.

Re-using Netfilter's hooks

All of Netfilter's hooks are still present (see Netfilter Packet Flow): "tables" serve as containers for "chains", and the "chains" contain individual rules that can perform actions such as dropping a packet, moving on to the next rule, or jumping to another chain. A chain can also contain multiple actions, e.g. log and drop.

Configuration

Nftables is configured with the user space utility nft, whereas Netfilter required four tools (iptables, ip6tables, ebtables and arptables) to do so. The nft syntax differs from that of {ip,ip6,eb,arp}tables; it slightly resembles that of tc/tcpdump.

There is a backward compatibility layer that allows you to run iptables/ip6tables, using the same syntax, over the nftables infrastructure.

Configuration

Like Netfilter, Nftables is part of the Linux kernel. The IP packet filter rules in the Linux kernel are configured with the user space command line tool of nftables: nft. Use nft as follows:

Command        Table        Chain     match and TARGET
iptables       -t filter    -A INPUT  -p tcp --dport 53 -j ACCEPT          # accept all incoming packets on TCP port 53 (DNS)
nft add rule   ip filter    output    ip daddr 1.2.3.4 drop                # drop all outgoing packets to 1.2.3.4
nft add rule   ip filter    output    ip daddr 1.2.3.4 counter drop        # same, but count the matching packets before dropping them
nft add rule   ip filter    input     tcp dport 80 drop                    # drop all incoming packets on TCP port 80
nft add rule   ip6 filter   output    ip6 daddr wiki.openwrt.org counter   # count outgoing IPv6 packets to wiki.openwrt.org (the name is resolved when the rule is added)
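The single-rule commands above only make sense once a table and a base chain attached to a Netfilter hook exist. The following ruleset file, an added example and not part of the OpenWrt wiki page or the OpenWrt firewall code, ties the rules from the table into an input and an output chain, shows the hook/policy header of a base chain, and shows a chain performing both log and drop as mentioned under "Re-using Netfilter's hooks". The choice of the inet family (one table for IPv4 and IPv6 instead of separate ip and ip6 tables) is mine, and the addresses 192.0.2.10 and 2001:db8::10 are constructed placeholders from the documentation ranges.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the OpenWrt wiki). Load with "nft -f <file>" as
# root, or check syntax only with "nft -c -f <file>". Addresses are placeholders.

flush ruleset

# "inet" handles IPv4 and IPv6 in one table; the table above uses "ip" and "ip6".
table inet filter {

    # Base chain attached to Netfilter's input hook. Packets not accepted by any
    # rule fall through to the chain policy (drop).
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept   # replies to connections we started
        ct state invalid drop                 # packets the conntrack engine cannot classify
        iif "lo" accept                       # loopback traffic

        tcp dport 53 counter accept           # DNS, same as the iptables row above
        tcp dport 80 counter drop             # HTTP, same as the "nft ... input" row above

        # One rule with several actions: count, log and drop. The rate limit keeps
        # a packet flood from filling the kernel log. Anything reaching this rule
        # would be dropped by the policy anyway; the rule adds the counter and log.
        limit rate 5/minute counter log prefix "nft input drop: " drop
    }

    # Base chain on the output hook; only the listed destinations are affected.
    chain output {
        type filter hook output priority 0; policy accept;

        ip daddr 192.0.2.10 counter drop      # placeholder for the 1.2.3.4 row above
        ip6 daddr 2001:db8::10 counter        # count only, no verdict: evaluation continues
    }
}
```

Unlike the wiki.openwrt.org row in the table, the example uses literal addresses so that it loads without name resolution; a hostname in a rule is resolved once, when the rule is added, and is not re-resolved later. After loading, `nft list ruleset` shows the chains together with the packet and byte counts of every `counter` statement, which is the quickest way to confirm that traffic is reaching the rule you expect.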

Nftables and OpenWrt

The OpenWrt developers are aware of the nftables developments, and will migrate as soon as OpenWrt adopts Linux kernel 3.13 or newer.

  • The proper place for documentation of the C-language wrapper firewall is firewall.

Further documentation

doc/howto/nftables.txt · Last modified: 2017/04/25 15:02 by lorley