From ArchWiki
Revision as of 17:25, 27 January 2014 by Sudokode (Expanded on nftables, added information about nft, and added the tables section for manipulating tables)

nftables is a netfilter project that aims to replace the existing ip-, ip6-, arp-, and ebtables framework. It provides a new packet filtering framework, a new userspace utility (nft), and a compatibility layer for ip- and ip6tables. It uses the existing hooks, connection tracking system, userspace queueing component, and logging subsystem of netfilter.

The first release is available in Linux 3.13, which is currently in the [testing] repo (linux), and nftables (the userspace components) is available in the [community-testing] repo (nftables) and on the AUR as nftables-git.

This article or section needs expansion.

Reason: nftables is an entirely new utility, and lacks sufficient documentation on this wiki, as well as elsewhere.


nftables consists of three main components: a kernel implementation, the libnl netlink communication layer, and the nftables userspace frontend. The kernel provides a netlink configuration interface, as well as runtime ruleset evaluation using a small classification language interpreter. libnl contains the low-level functions for communicating with the kernel, and the nftables frontend is what the user interacts with.


nftables' userspace utility nft now performs most of the ruleset evaluation before handing rulesets to the kernel. Because of this, nftables provides no default tables or chains, though a user can emulate an iptables-like setup.

It works in a fashion similar to ifconfig or ip: each command is a structured sequence of keywords and arguments. For example:

nft add rule ip6 filter input ip6 saddr ::1 accept

add is the command. rule is a subcommand of add. ip6 is an argument of rule, telling it to use the ip6 family. filter and input are arguments of rule specifying the table and chain to use, respectively. The rest that follows is a rule definition, which includes matches (ip6), their parameters (saddr), parameter arguments (::1), and verdicts (accept). Note that the match keyword must agree with the family: in an ip6 table, source addresses are matched with ip6 saddr, not ip saddr, so a rule written as ip saddr ::1 would be rejected.

The following commands are available in nft. Each command is listed first, followed by the subcommands it accepts:

list
   tables [family]
   table [family] <name>

add
   table [family] <name> [chain definitions]
   chain [family] <table> <name>
   rule [family] <table> <chain> <rule definition>

insert
   rule [family] <table> <chain> <rule definition>

delete
   table [family] <name>
   chain [family] <table> <name>
   rule [family] <table> <handle>

table [family] <name> [chain definitions] (shortcut for `add table`)

flush [family] <table> <chain>

family is optional; when omitted it defaults to ip.


The purpose of tables is to hold chains. In nftables, tables can have one of four families specified, which unifies the various iptables utilities into one:

ip     (iptables)
ip6    (ip6tables)
arp    (arptables)
bridge (ebtables)

ip is the default family.


You can list your current tables in a family with the list command.

# nft list tables
# nft list tables ip6

You can list a full table definition by specifying a table name:

# nft list table foo
# nft list table ip6 foo


Tables can be added via two commands, one just a shortcut for the other. Here is an example of how to add an ip table called foo and an ip6 table called foo:

# nft add table foo
# nft table ip6 foo

You can have two tables with the same name so long as they are in different families.


Tables can only be deleted if there are no chains in them.

# nft delete table foo
# nft delete table ip6 foo


To get an iptables-like chain setup, first load the provided IPv4 filter file, which defines a filter table with input, forward and output chains:

# nft -f /etc/nftables/ipv4-filter

To list the resulting table and its chains:

# nft list table filter

Drop output to a destination address:

# nft add rule ip filter output ip daddr <address> drop

Drop packets to TCP port 80:

# nft add rule ip filter input tcp dport 80 drop

Delete all rules in a chain:

# nft delete rule filter output
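As an added example, not from this page or the nftables project, the following is a complete ruleset file in the syntax that nft -f reads. It does the same job as the provided IPv4 filter file (a filter table with input, forward and output base chains) and then fills the chains with a minimal host firewall using the matches shown above plus connection tracking; the file path, port choices and the 192.0.2.1 destination address are assumptions.

```nft
#! nft -f
# Constructed example: an iptables-like ip filter table with the three base
# chains, loaded with "nft -f <path-to-this-file>" (path is an assumption).
table ip filter {
    chain input {
        # Base chain: attached to the netfilter input hook at priority 0,
        # which is where iptables' filter table sits.
        type filter hook input priority 0;
        iif lo accept                          # allow loopback traffic
        ct state established,related accept   # allow replies to our own connections
        ct state invalid drop                  # drop packets conntrack cannot classify
        tcp dport 22 accept                    # allow SSH (port is an assumption)
        tcp dport 80 drop                      # the page's "drop packets to port 80" rule
        counter drop                           # count and drop everything else
    }
    chain forward {
        type filter hook forward priority 0;
        drop                                   # this host does not route traffic
    }
    chain output {
        type filter hook output priority 0;
        ip daddr 192.0.2.1 drop                # the page's "drop output to a destination" rule
        accept                                 # everything else may leave
    }
}
```

After loading, nft list table filter shows the table exactly as written here, which is a quick way to confirm that each rule landed in the chain you intended.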

Further reading