From b2dca0da8efd947f948734183097353f896ba974 Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Tue, 30 Dec 2025 13:58:57 +0100 Subject: [PATCH] chore(kb): revise articles about network traffic filtering --- .vscode/settings.json | 1 + knowledge base/iptables.md | 6 ++- knowledge base/nftables.md | 100 ++++++++++++++++++++++++++++++------- 3 files changed, 89 insertions(+), 18 deletions(-) diff --git a/.vscode/settings.json b/.vscode/settings.json index 7c29c48..f9f69d3 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -240,6 +240,7 @@ "nats", "netcat", "nfsmount", + "nftables", "nindent", "nixos", "nixpkgs", diff --git a/knowledge base/iptables.md b/knowledge base/iptables.md index f525547..954d69a 100644 --- a/knowledge base/iptables.md +++ b/knowledge base/iptables.md @@ -85,6 +85,8 @@ iptables-restore '/etc/iptables/rules.v4' ## Further readings - [`nftables`][nftables] +- [How to set up a stateful firewall with iptables] +- [Simple stateful firewall] ### Sources @@ -103,5 +105,7 @@ iptables-restore '/etc/iptables/rules.v4' -[Iptables basics]: https://www.worldstream.com/nl/article/iptables-basics/ [Archlinux wiki]: https://wiki.archlinux.org/title/Iptables +[How to set up a stateful firewall with iptables]: https://evilshit.wordpress.com/2013/12/17/how-to-set-up-a-stateful-firewall-with-iptables/ +[Iptables basics]: https://www.worldstream.com/nl/article/iptables-basics/ +[Simple stateful firewall]: https://wiki.archlinux.org/title/Simple_stateful_firewall diff --git a/knowledge base/nftables.md b/knowledge base/nftables.md index a455f8c..6779675 100644 --- a/knowledge base/nftables.md +++ b/knowledge base/nftables.md 
@@ -42,57 +42,121 @@ This allows to conveniently manage rules using files. ```sh # List tables. nft list tables -nft list tables inet - -# Add tables for the IPv4 and IPv6 layers. -nft add table inet 'net_table' - -# Add tables for the ARP layer. -nft add table arp 'arp_table' - -# Add a base chain called 'input_filter' to the inet 'base_table' table. -# Register it to the 'input' hook with priority 0 and type 'filter'. -nft add chain inet 'base_table' 'input_filter' "{type filter hook input priority 0;}" +nft list tables 'family_type' # List all rules. +nft --handle list ruleset nft -a list ruleset +# List chains and rules in tables. +nft list table 'family_type' 'table_name' + +# List chains. +nft list chains +nft list chains 'family_type' + # List rules in chains. -nft list chain inet 'base_table' 'input_filter' +nft list chain 'family_type' 'table_name' 'chain_name' + +# Dry run commands. +nft --check … +nft -c … + +# Be verbose. +nft --echo … +nft -e … + +# Add chains. +nft add chain 'family_type' 'table_name' 'chain_name' \ + "{ type 'chain_type' hook 'hook_type' priority 'priority_value' ; policy 'policy' ;}" + +# Edit chains. +nft chain 'family_type' 'table_name' 'chain_name' \ + "{ [ type 'chain_type' hook 'hook_type' device 'device_name' priority 'priority_value' ; policy 'policy_type' ; ] }" # Add rules to chains. -nft add rule inet 'base_table' 'input_filter' tcp dport 80 drop +nft add rule 'family_type' 'table_name' 'chain_name' 'handle' 'handle_value' 'statement' # Delete rules. nft delete rule inet 'base_table' 'input_filter' handle 3 +# Clear rules from chains. +nft flush chain 'family_type' 'table_name' 'chain_name' + +# Clear rules from tables. +nft flush table 'family_type' 'table_name' + # Delete chains. # Chains can *only* be deleted if they contain no rules *and* they are not used as jump targets. -nft delete chain inet base_table input_filter +nft delete chain 'family_type' 'table_name' 'chain_name' # Delete tables. 
-nft delete table inet 'net_table' +nft delete table 'inet' 'net_table' + +# Remove the whole ruleset. +# This leaves the system with no firewall. +nft flush ruleset + +# Dump the current ruleset. +nft --stateless list ruleset > '/path/to/nftables.dump' +nft -s list ruleset > '/path/to/nftables.dump' + +# Read commands from files. +nft --file 'path/to/file' +nft -f 'path/to/file' ``` - ## Further readings - [`iptables`][iptables] +- [How to Create Secure Stateful Firewall Rules with nftables on Linux] ### Sources - [Gentoo wiki] +- [Arch wiki] +[Arch wiki]: https://wiki.archlinux.org/title/Nftables [Gentoo wiki]: https://wiki.gentoo.org/wiki/Nftables +[How to Create Secure Stateful Firewall Rules with nftables on Linux]: https://www.pc-freak.net/blog/mastering-stateful-firewall-rules-nftables-ultimate-guide/
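Review bot: The new `nft --file`/`nft -f` lines carry no hint that loading a file adds to the live ruleset rather than replacing it, so re-applying a dump produced by the `nft -s list ruleset > '/path/to/nftables.dump'` line just above silently duplicates every rule. The practitioner's fix is to make the dumped file start with `flush ruleset`, so `nft -f` replaces the ruleset in a single atomic transaction; running `nft flush ruleset` by hand and then `nft -f` instead leaves the host with no firewall in between, the very exposure the hunk's own comment on `nft flush ruleset` warns about. A comment such as `# Files are applied as one atomic transaction; start them with 'flush ruleset' to replace (not append to) the live ruleset.` above `nft --file 'path/to/file'` would capture that, and `# Also drops rules managed by other tools (firewalld, Docker, libvirt) if they use nftables.` next to `nft flush ruleset` is worth adding as a hedged caveat. Separately, `nft delete rule inet 'base_table' 'input_filter' handle 3` is the one example still using concrete names while every neighbouring command was generalised to `'family_type' 'table_name' 'chain_name'`; `nft delete rule 'family_type' 'table_name' 'chain_name' handle 'handle_value'` keeps the listing consistent.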