How to use nftables

Nftables is a new software product that seeks to replace the existing approach to packet filtering. Until now, packet processing in the network was done with separate tools (iptables, ip6tables, arptables, ebtables). The framework is available from Linux kernel 3.13 and can still run commands written in the old iptables syntax, but by default it uses its own new rule syntax. It relies on concepts such as sets, maps and concatenation (gluing of keys).

In today's article we will look at how to use nftables. It lets you filter every packet and data flow, perform NAT translation, and log suspicious activity in traffic. Its rule sets are designed to avoid duplicated settings. Thanks to the new inet family, nftables can filter and log IPv4 and IPv6 traffic at the same time.

The nftables framework

Before we get to configuring nftables, let's deal with the basic concepts.

Set (set) – a set of similar values for a rule key, either given a common name or written inline in braces. Sets also underlie dictionaries and maps. A set lets one rule do the work of a whole chain of rules in iptables. For example:

  • A set of ports: { 22, 23 }
  • A set of protocols: { telnet, http, https }

Map (maps) – a map matches the processed information against key : value pairs given in the rule. Maps are built on the set infrastructure. There are two types of maps: literal maps and verdict maps. We will consider only literal maps.

A literal map is a set of criterion : action pairs. For example:

nft add rule ip nat PREROUTING dnat to tcp dport map { 80 : 192.168.1.100, 8888 : 192.168.1.101 }

Using the map, this rule performs destination NAT (DNAT): TCP packets for port 80 are redirected to the destination address 192.168.1.100, and those for port 8888 to 192.168.1.101.

Intervals (intervals) – written with the syntax value-value, an interval represents a range of values. For example, 192.168.1.0-192.168.1.105 is a range of IP addresses and 1-1023 is a range of ports. Here is an example rule:

nft add rule inet table1 chain_input ip daddr 192.168.0.1-192.168.0.105 drop

This rule, in the inet family, table table1, chain chain_input, drops all packets whose IPv4 destination address lies between 192.168.0.1 and 192.168.0.105.
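The three constructs above (a set, an interval and a literal map) in one ruleset file, written in nft's own file syntax, the same grammar that `nft -f` reads. This is an added example, not code from the original article; the table, set and chain names and all addresses are assumptions.

```shell
# Added example, not from the article: one ruleset file that uses a set, an
# interval and a literal map in nft's file syntax. Table, set and chain names
# and all addresses are assumed sample values.

write_ruleset() {
    cat <<'EOF'
flush ruleset
table inet test_table {
    # Set: one rule matches every listed port instead of one rule per port.
    set allowed_tcp {
        type inet_service
        elements = { 22, 80, 443 }
    }
    # Interval: a whole address range as a single key (needs "flags interval").
    set lan {
        type ipv4_addr
        flags interval
        elements = { 192.168.1.0-192.168.1.105 }
    }
    # Base chain: hooked into the input path, default action drop.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        ip saddr @lan tcp dport @allowed_tcp accept
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Literal map: destination port -> new destination address (DNAT).
        dnat to tcp dport map { 80 : 192.168.1.100, 8888 : 192.168.1.101 }
    }
}
EOF
}

# Write the ruleset to $1 (default /tmp/test_table.nft); nft is not needed for this.
write_ruleset_file() {
    write_ruleset > "${1:-/tmp/test_table.nft}"
}

# Syntax-check with "nft -c -f" (nothing is changed), then load atomically with
# "nft -f": either the whole file applies or nothing does. Needs root and nft.
load_ruleset() {
    file=${1:-/tmp/test_table.nft}
    write_ruleset_file "$file"
    nft -c -f "$file" && nft -f "$file"
}
```

Loading a whole file with `nft -f` replaces the ruleset in one transaction, so a typo in one rule does not leave the firewall half-configured the way a sequence of single `nft add` commands can.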

The main differences with iptables

  • The iptables syntax puts a single or double dash before every rule key. nftables uses a different syntax, borrowed from tcpdump.
  • In iptables you get a predefined number of tables with a fixed set of already configured chains, which costs performance because of chains that are never used. In nftables, tables and chains are fully customizable.
  • In nftables the expression is the basic building block of a rule, so a rule is a sequence of expressions evaluated from left to right.
  • In nftables you can specify several actions in one rule.
  • Chains and rules have no counters by default; you can enable them when you want.
  • Better support for updating rules on the fly.
  • Simultaneous administration of the IPv4 and IPv6 stacks, thanks to the new inet family, whose chains see traffic from both protocol stacks at once.
  • A generic set and map infrastructure. It lets you use additional constructs such as dictionaries, maps and intervals for high-performance packet classification.
  • Concatenation support. Starting with Linux kernel 4.1 you can combine several different keys and use them with dictionaries and maps. The idea is to build compound, hash-based lookup keys that give high performance when rules are executed.
  • Support for new protocols without upgrading the kernel. Updating nftables is almost always just a package update, with no extra steps.

Structure of nftables rule storage

In general it resembles iptables:

  • Table – a container that holds chains.
  • Chain – holds the rules, which are executed in sequence.
  • Rule – a semantic construct that selects the action to be taken on the data matched by the rule's expressions.

nftables families

The whole nftables infrastructure is designed to work with the address families of different protocols (IPv4, IPv6, ARP, MAC). Previously, different tools (iptables, ip6tables, arptables, ebtables) were used to handle the different address families. Now, with the concept of a family, all of them are handled within a single software product. At the moment the following families exist:

  • ip – tables of this family see IPv4 traffic (packets);
  • ip6 – tables of this family see IPv6 traffic (packets);
  • inet – tables of this family handle both IPv4 and IPv6 traffic. Rules written for IPv4 will not affect IPv6 packets; rules that match both protocols will affect packets of both;
  • arp – tables of this family see ARP traffic;
  • bridge – tables of this family see packets switched at layer 2 of the OSI model. This family is the analogue of ebtables;
  • netdev – a family with no analogue in x_tables. It sees all packets as soon as the driver hands them to the protocol stack.

Installing nftables

In some distributions (RedHat 8, CentOS 8) nftables is installed by default. On Debian 10.2 installation is very simple:

sudo apt-get install nftables

Examples of the use of nftables

Now let's look at examples of using nftables. The nft command is the administration utility of the nftables framework; all nftables configuration is done with it, through a command-line interface. It lets you create new rules, delete old ones, and view the already created tables, chains and rules.

1. Create table in nftables

When creating a table (table), the address family (family) must be specified. For example, let's create a table named test_table that handles both IPv4 and IPv6 packets:

sudo nft add table inet test_table

2. Chains in nftables

Chains (chain) are containers for rules. There are two types of chains:

Base chain (base chain) – can be used as an entry point for packets coming from the protocol stack.

Regular chain (regular chain) – can be used as the target of a jump action. It is used to organize a large number of rules better. When creating a chain, keep in mind that the table you want to add it to must already exist.

sudo nft add chain inet [table] [chain] { [chain settings] }

For example:

sudo nft add chain inet test_table test_chain { type filter hook input priority 0 \; policy accept \; }

Note: so that the shell does not interpret ; as the end of the command, escape each semicolon as \; (or put the whole block in braces in single quotes).

This chain filters incoming packets. The priority (priority) sets the order in which nftables processes chains attached to the same hook. The policy parameter sets the default action of the chain, applied when no rule matches. In this case we set accept (accept the packet).

3. Adding a rule

A rule (rule) can be added to the configuration with the following syntax:

sudo nft add rule [family] [table] [chain] [expression] [action]

For example:

sudo nft add rule inet table1 chain_input ip saddr 8.8.8.8 drop

This rule is added to the table table1, chain chain_input, and drops packets whose IPv4 source address is 8.8.8.8.

4. Deleting a rule

To delete a rule, the nft command is used with the following syntax:

sudo nft delete rule [family] [table] [chain] handle [number]

For example:

sudo nft delete rule inet table1 chain_input handle 3

5. Removal of the chain

The chain is removed with the following command:

sudo nft delete chain [family] [table] [chain]

For example:

sudo nft delete chain inet table1 chain_input

6. Deleting a table

A table is removed from the configuration with the following syntax:

sudo nft delete table [family] [table]

For example:

sudo nft delete table inet table1
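The create / add / delete cycle of sections 1 to 6 as one script. Deleting a rule needs its handle, which is only shown by `nft -a list chain ...` (each rule line ends in `# handle N`), so the script extracts it from that listing before deleting. This is an added example, not code from the original article; the table and chain names follow the article, and the sample listing inside the script is constructed.

```shell
# Added example, not from the article: the create / add / delete cycle of
# sections 1 to 6 as one script. "nft delete rule ... handle N" needs the
# rule's handle, which only "nft -a list chain ..." prints, so rule_handle()
# extracts it from that listing. Table and chain names follow the article;
# the sample listing below is constructed, not captured from a real system.

# Print the handle of the first rule whose text contains $1, reading the output
# of "nft -a list chain ..." on stdin. Prints nothing if no rule matches.
rule_handle() {
    awk -v pat="$1" 'index($0, pat) && /# handle [0-9]+$/ { print $NF; exit }'
}

# Constructed sample of "nft -a list chain inet table1 chain_input" output.
SAMPLE_LISTING='table inet table1 {
    chain chain_input { # handle 1
        type filter hook input priority 0; policy accept;
        ip saddr 8.8.8.8 drop # handle 3
        tcp dport 22 accept # handle 4
    }
}'

# Offline check of the parser against the sample (default: the article's rule).
sample_handle() {
    printf '%s\n' "$SAMPLE_LISTING" | rule_handle "${1:-ip saddr 8.8.8.8}"
}

# The full cycle against the kernel. Needs root and nft; otherwise it only
# reports that it was skipped. The semicolons are protected by quoting the
# whole chain specification instead of escaping each one as \;.
nft_cycle() {
    if [ "$(id -u)" -ne 0 ] || ! command -v nft >/dev/null 2>&1; then
        echo "nft_cycle skipped: needs root and nft" >&2
        return 0
    fi
    nft add table inet table1
    nft add chain inet table1 chain_input \
        '{ type filter hook input priority 0 ; policy accept ; }'
    nft add rule inet table1 chain_input ip saddr 8.8.8.8 drop
    h=$(nft -a list chain inet table1 chain_input | rule_handle 'ip saddr 8.8.8.8')
    [ -n "$h" ] || { echo "rule not found" >&2; return 1; }
    nft delete rule inet table1 chain_input handle "$h"
    nft delete chain inet table1 chain_input
    nft delete table inet table1
}

nft_cycle
```

Handles are assigned by the kernel and are not stable across reloads, so always read them from a fresh `nft -a list` rather than from a value remembered earlier.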

Insights

Today we have met a modern tool for editing firewall rules and found out how to configure nftables on Debian 10. nftables introduces many new semantic structures for organizing rules better: set, map, family. The package also contains many improvements over the x_tables toolset. In this article we met the nft tool, which controls the whole set of firewall rules.

Because nftables contains no tables or chains by default, we learned to create our first table and chain for our firewall's rule set. We can now set the priority with which subsets of rules in a chain are processed and the default action of a chain. We also learned how to add rules. And since the structure of tables and chains in nftables is entirely up to us, we learned how to remove a chain and a table.

Source: losst.ru
