nftables

Successor to iptables.
Replaces the existing iptables, ip6tables, arptables and ebtables frameworks.

Leverages the Linux kernel's netfilter subsystem and the newer nft userspace command-line utility.
Provides a compatibility layer for the iptables framework.

  1. TL;DR
  2. Further readings
    1. Sources

TL;DR

Built on rules, which specify actions.
Rules are attached to chains.
Chains hold a collection of rules, are stored inside tables, and are registered in netfilter's hooks.
Tables are specific to one layer 3 protocol family.

Unlike iptables, there are no predefined tables or chains.

nft supports atomic rule replacement via nft -f.
This makes it convenient to manage rules in files.

Warning

When loading rules with nft -f, any failure results in none of the file's rules being loaded.
Calling nft repeatedly (in a shell script or similar) instead fails only on the specific rules that are rejected, so the ruleset can end up partially applied.
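As an added example (not from the original page), a complete ruleset file of the kind nft -f loads atomically, wrapped in a small POSIX shell script that dry-runs it with nft -c -f before applying it, so a rejected file never leaves the host without a firewall. The table name filter, the chain names and the allowed port 22 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: minimal host firewall loaded atomically with `nft -f`.
# Table/chain names and the port list are assumptions for illustration.
set -eu

# Write the ruleset to the file given as $1.
write_ruleset() {
  cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
# Start from an empty ruleset: nftables has no predefined tables or
# chains, and flushing inside the file makes the load an atomic replace.
flush ruleset
table inet filter {
  # Base chain: type filter, netfilter input hook, priority 0, default drop.
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept                                  # loopback
    ct state established,related accept             # replies to our traffic
    ct state invalid drop                            # malformed/untracked
    ip protocol icmp accept                          # IPv4 ping/errors
    ip6 nexthdr icmpv6 accept                        # IPv6 ND needs this
    tcp dport 22 ct state new accept comment "ssh"   # admin access
  }
  # Not a router: refuse to forward anything.
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  # Outbound traffic is allowed by default.
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Validate the whole file before touching the kernel. Because `nft -f`
# is all-or-nothing, a syntax error would otherwise load *nothing*.
load_ruleset() {
  nft -c -f "$1" || { echo "ruleset rejected, nothing loaded" >&2; return 1; }
  nft -f "$1"
}

# Usage: sh this_script.sh apply   (as root)
if [ "${1:-}" = "apply" ]; then
  f=$(mktemp)
  write_ruleset "$f"
  load_ruleset "$f"
  rm -f "$f"
fi
```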

Usage

```sh
# List tables.
nft list tables
nft list tables 'family_type'

# List all rules, with their handles.
nft --handle list ruleset
nft -a list ruleset

# List chains and rules in tables.
nft list table 'family_type' 'table_name'

# List chains.
nft list chains
nft list chains 'family_type'

# List rules in chains.
nft list chain 'family_type' 'table_name' 'chain_name'

# Dry run commands (parse and check, but do not apply).
nft --check …
nft -c …

# Echo the commands as they are applied.
nft --echo …
nft -e …

# Add chains.
nft add chain 'family_type' 'table_name' 'chain_name' \
  "{ type 'chain_type' hook 'hook_type' priority 'priority_value' ; policy 'policy' ; }"

# Edit chains.
nft chain 'family_type' 'table_name' 'chain_name' \
  "{ [ type 'chain_type' hook 'hook_type' device 'device_name' priority 'priority_value' ; policy 'policy_type' ; ] }"

# Add rules to chains.
# The optional 'handle' position appends the rule after the existing rule with that handle.
nft add rule 'family_type' 'table_name' 'chain_name' [handle 'handle_value'] 'statement'

# Delete rules (by handle, see 'nft -a list ruleset').
nft delete rule inet 'base_table' 'input_filter' handle 3

# Clear rules from chains.
nft flush chain 'family_type' 'table_name' 'chain_name'

# Clear rules from tables.
nft flush table 'family_type' 'table_name'

# Delete chains.
# Chains can *only* be deleted if they contain no rules *and* they are not used as jump targets.
nft delete chain 'family_type' 'table_name' 'chain_name'

# Delete tables.
nft delete table 'inet' 'net_table'

# Remove the whole ruleset.
# This leaves the system with no firewall.
nft flush ruleset

# Dump the current ruleset (without counters and other runtime state).
nft --stateless list ruleset > '/path/to/nftables.dump'
nft -s list ruleset > '/path/to/nftables.dump'

# Read commands from files.
nft --file 'path/to/file'
nft -f 'path/to/file'
```
Real world use cases

```sh
# List tables.
nft list tables
nft list tables 'ip'

# List tables' contents.
sudo nft list table 'ip' 'filter'

# Add a table for the IPv4 and IPv6 layers (the 'inet' family covers both).
nft add table 'inet' 'net_table'

# Add a table for the ARP layer.
nft add table 'arp' 'arp_table'

# List chains.
nft list chains
nft list chains 'ip'

# List rules in chains.
nft list chain 'inet' 'base_table' 'input_filter'

# Add a base chain called 'input_filter' to the inet 'base_table' table.
# Register it to the 'input' hook with priority 0 and type 'filter'.
nft add chain 'inet' 'base_table' 'input_filter' "{ type filter hook input priority 0 ; }"

# Edit chains.
nft chain 'inet' 'my_table' 'my_input' '{ policy drop ; }'

# Add rules to chains.
nft add rule 'inet' 'base_table' 'input_filter' tcp dport 80 drop

# Delete chains.
nft delete chain 'inet' 'base_table' 'input_filter'
```

Further readings

Sources