nftables is a netfilter project that aims to replace the existing ip-, ip6-, arp-, and ebtables framework. It provides a new packet filtering framework, a new userspace utility (nft), and a compatibility layer for ip- and ip6tables. It uses the existing hooks, connection tracking system, userspace queueing component, and logging subsystem of netfilter.
The first release is available in Linux 3.13, which is currently in the [testing] repo, and nftables (the userspace components) is available in the [community-testing] repo and in the AUR.
nftables consists of three main components: a kernel implementation, the libnl netlink communication library, and the nftables userspace frontend. The kernel provides a netlink configuration interface, as well as runtime ruleset evaluation using a small classification language interpreter. libnl contains the low-level functions for communicating with the kernel; the nftables frontend is what the user interacts with.
nftables' userspace utility nft now performs most of the ruleset evaluation before handing rulesets to the kernel. Because of this, nftables provides no default tables or chains, though a user can emulate an iptables-like setup.
It works in a fashion similar to ifconfig or ip: each command is a structured sequence of words. For example:
nft add rule ip6 filter input ip saddr ::1 accept
add is the command. rule is a subcommand of add. ip6 is an argument of rule, telling it to use the ip6 family. filter and input are arguments of rule specifying the table and chain to use, respectively. What follows is the rule definition, which includes matches (ip), their parameters (saddr), parameter arguments (::1), and verdicts (accept).
The following commands are available in nft:
list    tables [family]
        table  [family] <name>
add     table  [family] <name> [chain definitions]
        chain  [family] <table> <name>
        rule   [family] <table> <chain> <rule definition>
insert  rule   [family] <table> <chain> <rule definition>
delete  table  [family] <name>
        chain  [family] <table> <name>
        rule   [family] <table> <handle>
table   [family] <name> [chain definitions]   (shortcut for `add table`)
flush   [family] <table> <chain>
family is optional, but it will default to ip.
The purpose of tables is to hold chains. In nftables, tables can have one of four families specified, which unifies the various iptables utilities into one:
    ip     (iptables)
    ip6    (ip6tables)
    arp    (arptables)
    bridge (ebtables)
ip is the default family.
You can list your current tables in a family with the list command.
# nft list tables
# nft list tables ip6
You can list a full table definition by specifying a table name:
# nft list table foo
# nft list table ip6 foo
Tables can be added via two commands, one just a shortcut for the other. Here is an example of how to add an ip table called foo and an ip6 table called foo:
# nft add table foo
# nft table ip6 foo
You can have two tables with the same name so long as they are in different families.
Tables can only be deleted if there are no chains in them.
# nft delete table foo
# nft delete table ip6 foo
To get an iptables-like chain setup, first load the ipv4 filter file provided with nftables, which creates a filter table with input, forward and output base chains:
# nft -f /etc/nftables/ipv4-filter
To list the resulting table and its chains:
# nft list table filter
Drop outgoing packets to a destination address:
# nft add rule ip filter output ip daddr 220.127.116.11 drop
Drop incoming packets to TCP port 80:
# nft add rule ip filter input tcp dport 80 drop
Delete all rules in a chain:
# nft delete rule filter output
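The same setup can be kept in a single file and loaded with nft -f, which is how the ipv4-filter file above works. The following is an added example ruleset for this page, not the file shipped with nftables: it declares the three base chains of an iptables-like filter table and then lists, one per line, the rules that the nft add rule commands above would append (each line inside a chain block is exactly the <rule definition> part of such a command). It also adds a loopback accept, a connection-tracking accept for replies, and a final unconditional drop on input so that anything not explicitly allowed inbound is discarded; the destination address and port are the page's own values.

```nft
#!/usr/sbin/nft -f
# Example ruleset written for this page (not the nftables project's file).
# Load with:  nft -f /path/to/this/file
# The family defaults to ip, so "table filter" would mean the same thing.

table ip filter {
	chain input {
		type filter hook input priority 0;
		iif lo accept
		ct state established,related accept
		tcp dport 80 drop
		drop
	}
	chain forward {
		type filter hook forward priority 0;
	}
	chain output {
		type filter hook output priority 0;
		ip daddr 220.127.116.11 drop
	}
}
```

Because the input chain ends in drop, any inbound service you rely on (for example SSH) needs its own accept rule placed before that final drop, and the loopback and ct state rules come first so that local traffic and replies to connections the host initiated are never matched against the later drops. Changes can be reviewed with nft list table filter before and after loading the file.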