Difference between revisions of "Nftables"

From ArchWiki
Revision as of 23:01, 21 January 2014

nftables is the candidate to replace iptables as the main Linux firewall utility, starting with Linux kernel 3.13.

Currently, nftables is available in the Community repository as nftables and in the AUR as nftables-git.

Note: This article or section needs expansion. Reason: nftables is an entirely new utility and lacks sufficient documentation on this wiki, as well as elsewhere.

Overview

nftables consists of three main components: the kernel implementation, the netlink communication libraries (libmnl and libnftnl) and the nft userspace frontend. The kernel provides a netlink configuration interface as well as runtime ruleset evaluation using a small classification language interpreter, a virtual machine that executes the expressions each rule is compiled into. The libraries contain the low-level functions for talking to the kernel over netlink; the nft frontend is what the user interacts with.

Usage

To get an iptables-like chain setup (a table named filter in the ip family with input, forward and output base chains), first load the IPv4 filter ruleset shipped with the package:

# nft -f /etc/nftables/ipv4-filter

The chains this file creates have no explicit policy, so they accept everything by default; the rules below only drop what they match, and anything unmatched is still allowed.

Drop output to a destination address:

# nft add rule ip filter output ip daddr 1.2.3.4 drop

Drop incoming TCP packets to port 80:

# nft add rule ip filter input tcp dport 80 drop

Delete all rules in a chain (deleting a single rule instead requires its handle, e.g. nft delete rule ip filter output handle N, where N is the handle shown by nft -a list table ip filter):

# nft flush chain ip filter output
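The commands above build the ruleset one rule at a time, and leave the chains with their default accept policy. The file below is an added example (not the package's ipv4-filter file or any other code from this page) of the same setup written as a single ruleset that nft -f can load atomically, with the input chain switched to a default-deny policy so that only what is explicitly accepted gets in. It assumes a current nft and kernel (policy and flush ruleset are not available on the very first 3.13-era releases), and the address 1.2.3.4 is the same placeholder the page uses.

```nft
# Added example ruleset, not the Arch package's /etc/nftables/ipv4-filter.
# Load with:  nft -f <this file>
# "flush ruleset" first makes loading idempotent: re-running the command
# replaces the whole ruleset instead of appending duplicate rules.
flush ruleset

table ip filter {
	chain input {
		# Default-deny: anything not accepted below is dropped.
		type filter hook input priority 0; policy drop;

		# Loopback traffic and replies to connections this host opened
		# are always allowed; packets conntrack cannot classify are not.
		iif lo accept
		ct state established,related accept
		ct state invalid drop

		# The page's example rule. Under a drop policy it is redundant,
		# but the counter shows how often port 80 is being probed.
		tcp dport 80 counter drop
	}

	chain forward {
		# This host does not route for anyone.
		type filter hook forward priority 0; policy drop;
	}

	chain output {
		type filter hook output priority 0; policy accept;

		# The page's example rule: block one destination (placeholder address).
		ip daddr 1.2.3.4 counter drop
	}
}
```

After loading, nft -a list table ip filter prints the active rules with their handles and counters, which is the quickest way to confirm that the drop policy and the two explicit drops are in effect before relying on them.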

Further reading