nftables is a netfilter project that aims to replace the existing ip-, ip6-, arp-, and ebtables framework. It provides a new packet filtering framework, a new user-space utility (nft), and a compatibility layer for ip- and ip6tables. It uses the existing hooks, connection tracking system, user-space queueing component, and logging subsystem of netfilter.
The first release is available in Linux 3.13, which is currently in the [testing] repository (AUR in package AUR.), and nftables (the user-space components) is available in the [community-testing] repository ( ), and on the
nftables consists of three main components: a kernel implementation, the libnl netlink communication and the nftables user-space front-end. The kernel provides a netlink configuration interface, as well as run-time rule-set evaluation using a small classification language interpreter. libnl contains the low-level functions for communicating with the kernel; the nftables front-end is what the user interacts with.
nftables' user-space utility nft now performs most of the rule-set evaluation before handing rule-sets to the kernel. Because of this, nftables provides no default tables or chains; although, a user can emulate an iptables-like setup.
It works in a fashion similar to ifconfig or iproute2. The commands are a long structured sequence. For example:
nft add rule ip6 filter input ip saddr ::1 accept
add is the command. rule is a subcommand of add. ip6 is an argument of rule, telling it to use the ip6 family. filter and input are arguments of rule specifying the table and chain to use, respectively. The rest that follows is a rule definition, which includes matches (ip), their parameters (saddr), parameter arguments (::1), and jumps (accept).
The following commands are available in nft:
list tables [family] table [family] <name> add table [family] <name> [chain definitions] chain [family] <table> <name> rule [family] <table> <chain> <rule definition> insert rule [family] <table> <chain> <rule definition> delete table [family] <name> chain [family] <table> <name> rule [family] <table> <handle> table [family] <name> [chain definitions] (shortcut for `add table`) flush [family] <table> <chain>
family is optional, but it will default to ip.
The purpose of tables is to hold chains. In nftables, tables can have one of four families specified, which unifies the various iptables utilities into one:
ip (iptables) ip6 (ip6tables) arp (arptables) bridge (ebtables)
ip is the default family.
You can list your current tables in a family with the
nft list command.
# nft list tables # nft list tables ip6
You can list a full table definition by specifying a table name:
# nft list table foo # nft list table ip6 foo
Tables can be added via two commands — one just being a shortcut for the other. Here is an example of how to add an ip table called foo and an ip6 table called foo:
# nft add table foo # nft table ip6 foo
You can have two tables with the same name as long as they are in different families.
Tables can only be deleted if there are no chains in them.
# nft delete table foo # nft delete table ip6 foo
To get an iptables-like chain set up, you will first need to use the provided IPv4 filter file:
# nft -f /etc/nftables/ipv4-filter
To list the resulting chain:
# nft list table filter
Drop output to a destination:
# nft add rule ip filter output ip daddr 126.96.36.199 drop
Drop packets destined for local port 80:
# nft add rule ip filter input tcp dport 80 drop
Delete all rules in a chain:
# nft delete rule filter output