Difference between revisions of "Nftables"

From ArchWiki
Revision as of 21:50, 27 January 2014


nftables is a netfilter project that aims to replace the existing ip-, ip6-, arp-, and ebtables framework. It provides a new packet filtering framework, a new user-space utility (nft), and a compatibility layer for ip- and ip6tables. It uses the existing hooks, connection tracking system, user-space queueing component, and logging subsystem of netfilter.

The first kernel release with nftables is Linux 3.13, which is currently in the [testing] repository (linux). The user-space components are available as nftables in the [community-testing] repository and as nftables-git in the AUR.

This article or section needs expansion.

Reason: nftables is an entirely new utility, and lacks sufficient documentation on this wiki, as well as elsewhere.

Overview

nftables consists of three main components: a kernel implementation, the libnl netlink communication and the nftables user-space front-end. The kernel provides a netlink configuration interface, as well as run-time rule-set evaluation using a small classification language interpreter. libnl contains the low-level functions for communicating with the kernel; the nftables front-end is what the user interacts with.

nft

nftables' user-space utility nft now performs most of the rule-set evaluation before handing rule-sets to the kernel. Because of this, nftables provides no default tables or chains, although a user can emulate an iptables-like setup.

It works in a fashion similar to ifconfig or iproute2. The commands are a long structured sequence. For example:

nft add rule ip6 filter input ip6 saddr ::1 accept

add is the command. rule is a subcommand of add. ip6 is an argument of rule, telling it to use the ip6 family. filter and input are arguments of rule specifying the table and chain to use, respectively. The rest is the rule definition, which consists of matches (ip6), their parameters (saddr), parameter arguments (::1), and verdicts such as accept.

The following commands are available in nft:

list
  tables [family]
  table [family] <name>

add
  table [family] <name> [chain definitions]
  chain [family] <table> <name>
  rule [family] <table> <chain> <rule definition>

insert
  rule [family] <table> <chain> <rule definition>

delete
  table [family] <name>
  chain [family] <table> <name>
  rule [family] <table> <handle>

table [family] <name> [chain definitions] (shortcut for `add table`)

flush [family] <table> <chain>

family is optional and defaults to ip.

Tables

The purpose of tables is to hold chains. In nftables, tables can have one of four families specified, which unifies the various iptables utilities into one:

ip     (iptables)
ip6    (ip6tables)
arp    (arptables)
bridge (ebtables)

ip is the default family.

Listing

You can list your current tables in a family with the nft list command.

# nft list tables
# nft list tables ip6

You can list a full table definition by specifying a table name:

# nft list table foo
# nft list table ip6 foo

Creation

Tables can be added via two commands — one just being a shortcut for the other. Here is an example of how to add an ip table called foo and an ip6 table called foo:

# nft add table foo
# nft table ip6 foo

You can have two tables with the same name as long as they are in different families.

Deletion

Tables can only be deleted if there are no chains in them.

# nft delete table foo
# nft delete table ip6 foo

Usage

To get an iptables-like chain set up, you will first need to use the provided IPv4 filter file:

# nft -f /etc/nftables/ipv4-filter

To list the resulting chain:

# nft list table filter

Drop output to a destination:

# nft add rule ip filter output ip daddr 1.2.3.4 drop

Drop packets destined for local port 80:

# nft add rule ip filter input tcp dport 80 drop

Delete all rules in a chain:

# nft delete rule filter output
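The same iptables-like setup written as a single ruleset file that nft -f can load, as an added example (it is not the ipv4-filter file shipped with nftables): it defines the filter table with its three base chains attached to the netfilter hooks and adds the two drop rules from above; the loopback and connection-tracking accept rules are assumptions added for a typical host.

```nft
# Constructed example ruleset: load with `nft -f /path/to/this/file`.
# Creates an ip table named "filter" whose chains are base chains, i.e. they
# are attached to the netfilter hooks, so the rules actually see traffic.
table ip filter {
    chain input {
        type filter hook input priority 0;
        iif lo accept                         # assumed: keep loopback traffic working
        ct state established,related accept  # assumed: allow replies to our own connections
        tcp dport 80 drop                     # drop packets destined for local port 80
    }

    chain forward {
        type filter hook forward priority 0;
    }

    chain output {
        type filter hook output priority 0;
        ip daddr 1.2.3.4 drop                 # drop output to a destination
    }
}
```

After loading, `nft list table filter` shows the chains with their rules, and `nft delete rule filter output` empties the output chain again as described above.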
