Difference between revisions of "Nftables"

From ArchWiki
(Expanded on nftables, added information about nft, and added the tables section for manipulating tables)
(fix numerous style guide and grammar issues; reword some parts for clarity; fix typos)

Revision as of 21:49, 27 January 2014

nftables is a netfilter project that aims to replace the existing ip-, ip6-, arp-, and ebtables framework. It provides a new packet filtering framework, a new user-space utility (nft), and a compatibility layer for ip- and ip6tables. It uses the existing hooks, connection tracking system, user-space queueing component, and logging subsystem of netfilter.

The first release is available in Linux 3.13, which is currently in the [testing] repository (linux), and nftables (the user-space components) is available in the [community-testing] repository (nftables), and on the AUR in package nftables-git.

This article or section needs expansion.

Reason: nftables is an entirely new utility, and lacks sufficient documentation on this wiki, as well as elsewhere.

Overview

nftables consists of three main components: a kernel implementation, the libnl netlink communication and the nftables user-space front-end. The kernel provides a netlink configuration interface, as well as run-time rule-set evaluation using a small classification language interpreter. libnl contains the low-level functions for communicating with the kernel; the nftables front-end is what the user interacts with.

nft

nftables' user-space utility nft now performs most of the rule-set evaluation before handing rule-sets to the kernel. Because of this, nftables provides no default tables or chains, although a user can emulate an iptables-like setup.

It works in a fashion similar to ifconfig or iproute2. The commands are a long structured sequence. For example:

nft add rule ip6 filter input ip saddr ::1 accept

add is the command. rule is a subcommand of add. ip6 is an argument of rule, telling it to use the ip6 family. filter and input are arguments of rule specifying the table and chain to use, respectively. The rest that follows is a rule definition, which includes matches (ip), their parameters (saddr), parameter arguments (::1), and jumps (accept).

The following commands are available in nft:

list
  tables [family]
  table [family] <name>

add
  table [family] <name> [chain definitions]
  chain [family] <table> <name>
  rule [family] <table> <chain> <rule definition>

insert
  rule [family] <table> <chain> <rule definition>

delete
  table [family] <name>
  chain [family] <table> <name>
  rule [family] <table> <handle>

table [family] <name> [chain definitions] (shortcut for `add table`)

flush [family] <table> <chain>

family is optional, but it will default to ip.

Tables

The purpose of tables is to hold chains. In nftables, tables can have one of four families specified, which unifies the various iptables utilities into one:

ip     (iptables)
ip6    (ip6tables)
arp    (arptables)
bridge (ebtables)

ip is the default family.

Listing

You can list your current tables in a family with the nft list command.

# nft list tables
# nft list tables ip6

You can list a full table definition by specifying a table name:

# nft list table foo
# nft list table ip6 foo

Creation

Tables can be added via two commands — one just being a shortcut for the other. Here is an example of how to add an ip table called foo and an ip6 table called foo:

# nft add table foo
# nft table ip6 foo

You can have two tables with the same name as long as they are in different families.

Deletion

Tables can only be deleted if there are no chains in them.

# nft delete table foo
# nft delete table ip6 foo

Usage

To get an iptables-like chain set up, you will first need to use the provided IPv4 filter file:

# nft -f /etc/nftables/ipv4-filter

To list the resulting chain:

# nft list table filter

Drop output to a destination:

# nft add rule ip filter output ip daddr 1.2.3.4 drop

Drop packets destined for local port 80:

# nft add rule ip filter input tcp dport 80 drop

Delete all rules in a chain:

# nft delete rule filter output
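The iptables-like setup from this section as one script, an added example that is not from the wiki page or the nftables project: it creates the ip filter table and its hooked chains itself rather than loading /etc/nftables/ipv4-filter (the chain names and hooks are assumed to match that file), adds the two rules above, and tears everything down in the order the Tables section requires. DRY_RUN=1 prints the nft commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: emulate the iptables filter table
# with plain nft commands instead of loading /etc/nftables/ipv4-filter.
# Assumption: that file defines table "ip filter" with base chains
# input/forward/output on the matching netfilter hooks; this script creates
# the same layout itself. DRY_RUN=1 prints the commands instead of running
# them, so the script can be inspected without root.

NFT=${NFT:-nft}

# Run one nft command, or just echo it when DRY_RUN=1.
nft_cmd() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$NFT $*"
    else
        "$NFT" "$@"
    fi
}

# Create the ip-family table and three base chains. A chain only sees traffic
# when it is bound to a hook; the brace block is nft's chain-definition syntax
# and is passed as one argument so the shell leaves the ';' alone.
setup_filter() {
    nft_cmd add table ip filter
    for chain in input forward output; do
        nft_cmd add chain ip filter "$chain" "{ type filter hook $chain priority 0; }"
    done
    # The two rules from the Usage section above.
    nft_cmd add rule ip filter output ip daddr 1.2.3.4 drop
    nft_cmd add rule ip filter input tcp dport 80 drop
}

# Undo everything. Per the Tables section a table is only deleted once it holds
# no chains, and a chain must be emptied before it is deleted, so the order is
# flush rules -> delete chains -> delete table.
teardown_filter() {
    for chain in input forward output; do
        nft_cmd flush chain ip filter "$chain"
        nft_cmd delete chain ip filter "$chain"
    done
    nft_cmd delete table ip filter
}

# Usage: RUN_SETUP=1 DRY_RUN=1 sh nft-filter.sh   (drop DRY_RUN to apply as root)
if [ "${RUN_SETUP:-0}" = 1 ]; then
    setup_filter
fi
```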

See also

* First release of nftables [LWN.net]: http://lwn.net/Articles/324251/
* nftables quick howto: https://home.regit.org/netfilter-en/nftables-quick-howto/
* The return of nftables [LWN.net]: https://lwn.net/Articles/564095/