From ArchWiki
Revision as of 16:22, 21 January 2014 by Demon (talk | contribs)
Jump to: navigation, search

nftables is the candidate for replacing iptables as the main Linux firewall utility from Linux kernel version 3.13 and on.

Currently, nftables is available in the Community repo (nftables) and on the AUR in package nftables-gitAUR.

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: nftables is an entirely new utility, and lacks sufficient documentation on this wiki, as well as elsewhere. (Discuss in Talk:Nftables#)


nftables consists of three main components: a kernel implementation, the libnl netlink communication and the nftables userspace frontend. The kernel provides a netlink configuration interface, as well as runtime ruleset evaluation using a small classification language interpreter. libnl contains the low-level functions for communicating with the kernel, the nftables frontend is what the user interacts with.


Drop output to a destination:

# nft add rule ip filter output ip daddr drop

Drop packet to port 80:

# nft add rule ip filter input tcp dport 80 drop

Delete all rules in a chain:

# nft delete rule filter output

Further reading