From ArchWiki
Revision as of 23:01, 21 January 2014 by Yuvadm (talk | contribs) (Usage)
Jump to: navigation, search

nftables is the candidate for replacing iptables as the main Linux firewall utility from Linux kernel version 3.13 and on.

Currently, nftables is available in the Community repo (nftables) and on the AUR in package nftables-gitAUR.

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: nftables is an entirely new utility, and lacks sufficient documentation on this wiki, as well as elsewhere. (Discuss in Talk:Nftables#)


nftables consists of three main components: a kernel implementation, the libnl netlink communication and the nftables userspace frontend. The kernel provides a netlink configuration interface, as well as runtime ruleset evaluation using a small classification language interpreter. libnl contains the low-level functions for communicating with the kernel, the nftables frontend is what the user interacts with.


To get an iptables-like chain setup, you'll first need to use the ipv4 filter file provided:

# nft -f /etc/nftables/ipv4-filter

To list the resulting chain:

# nft list table filter

Drop output to a destination:

# nft add rule ip filter output ip daddr drop

Drop packet to port 80:

# nft add rule ip filter input tcp dport 80 drop

Delete all rules in a chain:

# nft delete rule filter output

Further reading