nftables

NFtables: The NetFilter Tables Handler

Hierarchy
Tables > Chains > Rules

Tables have a family, and a name. Different families can have different tables. Tables contain
chains that contain a series of rules.

Tables can contain objects, notably sets, maps and counters.

Tables
Command                              Meaning
nft add table <family> <type>        Add a table of that family and name
nft delete table <family> <type>     Delete a table of that family and name
nft flush table <family> <type>      Flush the entire ruleset from a table
nft list table <family> <type> [-a]  List contents (with or without rule handle numbers)

Here <type> stands for the table name (for example filter or nat).

Tables of a given family are only allowed certain chain types.

Family   filter   route   nat
ip       ✅       ✅      ✅
ip6      ✅       ✅      ✅
inet     ✅       ❌      ❌
arp      ✅       ❌      ❌
bridge   ❌       ❌      ❌
netdev   ❌       ❌      ❌

Chains
Command                                                        Meaning
nft add chain <table> <name> { type <type> hook <hook>         Create the chain with that type, hook, priority and policy
    [device <device>] priority <priority>; policy <policy>; }
nft list chain <table> <name> [-a]                             List the contents of a chain [with handle numbers]
nft delete chain <table> <name>                                Delete a chain
nft flush chain <table> <name>                                 Flush the chain
nft rename chain <table> <oldname> <newname>                   Rename a chain

Where <table> is the family and table name (for example ip filter), and the type can be filter, route or nat as shown above. A chain's type must be one allowed for its parent table's family.

Chain Hook
The hook is the point in the packet path that the chain attaches to, the same hook points iptables and ip6tables used:

Family \ Type   filter                                                     route    nat
ip              prerouting, input, forward, output, postrouting            output   prerouting, input, output, postrouting
ip6             prerouting, input, forward, output, postrouting            output   prerouting, input, output, postrouting
inet            ingress, prerouting, input, forward, output, postrouting   output   prerouting, input, output, postrouting
arp             input, output
bridge          prerouting, input, forward, output, postrouting
netdev          ingress

Chain Priority
The priority orders the chains registered on the same hook (lower values run first). The conventional values below mark where a chain sits relative to the other processing stages:

Priority   Meaning (what runs at that point)
-400       Fragment/defragment packets
-300       The raw table is placed, as it is traditionally, before conntrack
-225       Run SELinux policies first
-200       Run conntrack before prerouting and output
-150       Perform mangle operations first
-100       Perform DNAT operations first
0          Filtering chain
50         Security chain (to set secmark, for example)
100        SNAT chain
255        SELinux packet exit
300        Connection tracking performed

Other values exist but are less useful.

Policies
The chain policy defines the final verdict on the packet. By default, we accept packets. The only
other value at the moment is drop .
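
The table, chain, hook, priority and policy steps above fit together into one `nft -f` ruleset. The following is an added example, not code from the original document or from the nftables project: it renders a table block and, before emitting anything, checks each chain's hook against the Chain Hook table above and its policy against the two allowed values. The `host_firewall` policy, its chain names and its rules are a constructed sample.

```python
# Added example (not from the original document or the nftables project):
# render an `nft -f` ruleset for a table, validating every chain's hook and
# policy against the tables above before any text is emitted.

# Valid hooks per (family, chain type), transcribed from the "Chain Hook" table.
ALLOWED_HOOKS = {
    ("ip", "filter"):     {"prerouting", "input", "forward", "output", "postrouting"},
    ("ip", "route"):      {"output"},
    ("ip", "nat"):        {"prerouting", "input", "output", "postrouting"},
    ("ip6", "filter"):    {"prerouting", "input", "forward", "output", "postrouting"},
    ("ip6", "route"):     {"output"},
    ("ip6", "nat"):       {"prerouting", "input", "output", "postrouting"},
    ("inet", "filter"):   {"ingress", "prerouting", "input", "forward", "output", "postrouting"},
    ("inet", "route"):    {"output"},
    ("inet", "nat"):      {"prerouting", "input", "output", "postrouting"},
    ("arp", "filter"):    {"input", "output"},
    ("bridge", "filter"): {"prerouting", "input", "forward", "output", "postrouting"},
    ("netdev", "filter"): {"ingress"},
}


def hook_is_valid(family, ctype, hook):
    """True when a chain of this type may attach to this hook in this family."""
    return hook in ALLOWED_HOOKS.get((family, ctype), set())


def render_chain(family, name, ctype, hook, priority, policy, rules, device=None):
    """Render one base chain; raise instead of producing a ruleset nft would reject."""
    if not hook_is_valid(family, ctype, hook):
        raise ValueError(f"hook {hook!r} is not valid for a {family} {ctype} chain")
    if policy not in ("accept", "drop"):
        raise ValueError("chain policy must be accept or drop")
    if hook == "ingress" and device is None:
        raise ValueError("ingress chains need a device")
    dev = f" device {device}" if device else ""
    lines = [f"    chain {name} {{",
             f"        type {ctype} hook {hook}{dev} priority {priority}; policy {policy};"]
    lines += [f"        {rule}" for rule in rules]
    lines.append("    }")
    return "\n".join(lines)


def render_table(family, name, chains):
    """Wrap the rendered chains in a table block suitable for `nft -f`."""
    body = "\n".join(render_chain(family, **c) for c in chains)
    return f"table {family} {name} {{\n{body}\n}}\n"


def host_firewall():
    """Constructed sample: default-drop input/forward, allow SSH, log what is refused."""
    return render_table("inet", "filter", [
        dict(name="input", ctype="filter", hook="input", priority=0, policy="drop", rules=[
            'iifname "lo" accept',
            "ct state established,related accept",
            "ct state invalid drop",
            "ip protocol icmp accept",
            "tcp dport 22 counter accept",
            'log prefix "input-refused: " level info',
        ]),
        dict(name="forward", ctype="filter", hook="forward", priority=0, policy="drop", rules=[]),
        dict(name="output", ctype="filter", hook="output", priority=0, policy="accept", rules=[]),
    ])


if __name__ == "__main__":
    print(host_firewall())
```

Write the output to a file and load it with `nft -f <file>`; `nft -c -f <file>` parses it without applying it, which is the place to catch mistakes the validator above does not cover.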

Rules
Rules contain matches and statements that are inspected and, when the matches hold, executed in part or completely. A rule whose statement is a terminal verdict stops the inspection of the packet in that chain.

Command                                                   Meaning
nft add rule <table> <chain> <rule>                       Add a rule to a table's chain (appended at the end)
nft insert rule <table> <chain> [position <pos>] <rule>   Insert a rule at a position (by default 0, the start)
nft replace rule <table> <chain> handle <handle> <rule>   Replace the rule with the given handle by a new one
nft delete rule <table> <chain> handle <handle>           Delete the rule with the given handle

Rules are series of matches and statements. Matches may be, among others:

Match                                               Meaning
icmp type echo-reply                                Match ICMP echo-reply packets
icmp sequence <seq>                                 Match a given ICMP sequence number
icmpv6 type nd-router-advert                        Match ICMPv6 router advertisement packets
ether saddr <mac>                                   Match a given source MAC
ether type vlan                                     Ethernet type is VLAN
vlan id 150                                         VLAN ID must be 150
ct state established,related                        Conntrack state is "established" or "related"
ip protocol icmp                                    IP packet carries an ICMP packet
ct mark set 0x11                                    Set the connection tracking mark
meta mark 0x4                                       Compare the metadata (firewall) mark to 4
udp dport 53                                        Match UDP with destination port 53
tcp sport 22                                        Match TCP packets with source port 22
tcp sequence != 33-45                               Match TCP packets whose sequence number is not between 33 and 45 inclusive
ip6 hoplimit 1                                      IPv6 hop limit is equal to 1
ip ttl set 64                                       Set IPv4 TTL to 64
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }  Destination IPv4 belongs to the given set
iifname "eth0.1"                                    Input interface is "eth0.1"
oifname "eth0.150"                                  Output interface is "eth0.150"

Meanwhile, statements can be terminal or non-terminal.

Terminal Statement                  Meaning
reject with icmp host-unreachable   Reject the packet, sending the corresponding ICMP error
dnat to 10.8.1.2                    Perform DNAT to the given host
snat to 172.16.4.2                  Perform SNAT to the given host
accept                              Accept the packet
drop                                Drop the packet
return                              Return from the current chain
jump <chain>                        Jump to another chain

Non-terminal Statement              Meaning
log level crit                      Log at the given level
log prefix aaaaa                    Log with a prefix
counter name "refused_input"        Count the packet in the given named counter
add @collect { ip daddr }           Add the destination IPv4 to the set "collect"
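
To make the terminal/non-terminal distinction concrete, here is an added example that is not part of the original document or of nftables: a small interpreter that walks a packet through chains the way the rule semantics above describe. Non-terminal statements (counter, log) fall through to the next statement and rule, accept/drop end evaluation, return leaves the current chain only, and jump evaluates another chain before continuing. The ruleset, the `ssh_admins` set and the packets are constructed samples; the nft equivalent of each rule is given in the comments.

```python
# Added example (not from the original document or the nftables project):
# a small interpreter for the terminal/non-terminal statement semantics above.
# Chains are lists of (match, statements); a packet walks each rule in order.
from collections import defaultdict


def walk(chains, name, pkt, state):
    """Evaluate chain `name`; return a verdict, or None if the chain ran out of rules."""
    for match, statements in chains[name]:
        if not match(pkt):
            continue
        for stmt in statements:
            kind = stmt[0]
            if kind == "counter":                      # non-terminal: count and go on
                state["counters"][stmt[1]] += 1
            elif kind == "log":                        # non-terminal: record and go on
                state["log"].append(stmt[1] + repr(pkt))
            elif kind in ("accept", "drop"):           # terminal: final verdict
                return kind
            elif kind == "return":                     # ends this chain, caller continues
                return None
            elif kind == "jump":                       # evaluate the target chain first
                verdict = walk(chains, stmt[1], pkt, state)
                if verdict is not None:
                    return verdict
            else:
                raise ValueError(f"unknown statement {kind!r}")
    return None


def evaluate(chains, base, policy, pkt):
    """Run `pkt` through base chain `base`; the chain policy decides if no rule did."""
    state = {"counters": defaultdict(int), "log": []}
    verdict = walk(chains, base, pkt, state)
    return (verdict if verdict is not None else policy), state


# Constructed sample ruleset; the nft rule each entry stands for is in the comment.
SSH_ADMINS = {"192.168.5.1", "192.168.5.2"}            # a named set @ssh_admins
CHAINS = {
    "input": [
        # ct state established,related accept
        (lambda p: p["ct"] in ("established", "related"), [("accept",)]),
        # tcp dport 22 jump ssh_policy
        (lambda p: p["proto"] == "tcp" and p["dport"] == 22, [("jump", "ssh_policy")]),
        # counter name "refused_input" log prefix "refused: "   (then policy drop)
        (lambda p: True, [("counter", "refused_input"), ("log", "refused: ")]),
    ],
    "ssh_policy": [
        # ip saddr @ssh_admins counter name "ssh_ok" accept
        (lambda p: p["saddr"] in SSH_ADMINS, [("counter", "ssh_ok"), ("accept",)]),
        # return
        (lambda p: True, [("return",)]),
    ],
}


def run(pkt):
    """Evaluate one packet against the sample ruleset with an input policy of drop."""
    return evaluate(CHAINS, "input", "drop", pkt)


if __name__ == "__main__":
    for pkt in ({"ct": "new", "proto": "tcp", "dport": 22, "saddr": "192.168.5.1"},
                {"ct": "new", "proto": "tcp", "dport": 22, "saddr": "10.0.0.9"}):
        verdict, state = run(pkt)
        print(verdict, dict(state["counters"]), state["log"])
```

The second sample packet shows the point of `return`: the SSH connection from an address outside the set comes back to the input chain, is counted and logged by the last rule, and is then dropped by the chain policy rather than by any rule.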

Inspecting
Use the list and show commands to inspect elements.

Command                                       Description
nft list tables [<selector>]                  List all tables
nft list chains [<selector>]                  List all chains in the system
nft list ruleset [<selector>]                 List all rules in their chains
nft list sets [<selector>]                    List all existing sets
nft list counters [<selector>]                List all counters
nft list table <family> <type>                Show the entire contents of a single table
nft list chain <family> <type> <chain>        Show the entire contents of a single chain
nft list counter <family> <type> <counter>    Show the values of the counter
nft list set <family> <type> <set>            Show the contents of the set

In the listing commands that print rules, add -a to get the handle numbers needed to delete or replace rules.

A selector can be <family> for all commands. Object commands (sets and counters) can also take table <family> <type>.
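
The handle numbers that `-a` adds are what `nft delete rule ... handle <handle>` needs. The following is an added example, not from the original document or from nftables: it parses a listing in the format `nft -a list ruleset` prints (rules end in `# handle N`) and builds the delete commands for rules whose text contains a given string. `SAMPLE_LISTING` is a constructed sample in that format, not captured output.

```python
# Added example (not from the original document or the nftables project):
# pull rule handles out of `nft -a list ruleset` output so that rules can be
# deleted by handle. SAMPLE_LISTING is a constructed sample in that format.
import re

SAMPLE_LISTING = """\
table inet filter { # handle 1
\tchain input { # handle 2
\t\ttype filter hook input priority 0; policy drop;
\t\tct state established,related accept # handle 4
\t\ttcp dport 22 accept # handle 5
\t\ttcp dport 23 accept # handle 6
\t}
\tchain output { # handle 3
\t\ttype filter hook output priority 0; policy accept;
\t\tudp dport 53 counter accept # handle 7
\t}
}
"""

TABLE_RE = re.compile(r"^table (\S+) (\S+) \{")
CHAIN_RE = re.compile(r"^\s*chain (\S+) \{")
RULE_RE = re.compile(r"^\s*(.+?) # handle (\d+)$")


def rule_handles(listing):
    """Return (family, table, chain, rule_text, handle) for every rule in the listing."""
    out = []
    family = table = chain = None
    for line in listing.splitlines():
        m = TABLE_RE.match(line)
        if m:                                   # new table: remember family and name
            family, table, chain = m.group(1), m.group(2), None
            continue
        m = CHAIN_RE.match(line)
        if m:                                   # new chain inside the current table
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and chain is not None:             # rule lines carry "# handle N"
            out.append((family, table, chain, m.group(1), int(m.group(2))))
    return out


def delete_commands(listing, needle):
    """Build `nft delete rule ... handle N` for every rule whose text contains `needle`."""
    return [f"nft delete rule {fam} {tbl} {ch} handle {h}"
            for fam, tbl, ch, text, h in rule_handles(listing) if needle in text]


if __name__ == "__main__":
    for row in rule_handles(SAMPLE_LISTING):
        print(row)
    print(delete_commands(SAMPLE_LISTING, "tcp dport 23"))
```

On a live system, feed the real output (`nft -a list ruleset`) into `rule_handles` and review the generated commands before running them; handles are only stable until the rule is deleted, so re-list after each change.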

Sets
Sets are very powerful and give fast lookups of many values in a single match. Sets can be anonymous or named.

Anonymous sets are bound to a rule, have no name, and cannot be updated. A set can contain virtually anything.

Example set                                                                    Meaning
{22, 53}                                                                       Ports
{192.168.42.2-192.168.42.102, 192.168.42.104}                                  A set of 102 IPv4 addresses
{http, telnet, https}                                                          Ports, but by service name
{ nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert }    ICMPv6 types

Named sets can be updated, initialized, and have comments.

Command                                                                   Meaning
nft add rule ip6 filter input tcp dport {telnet, http, https} accept      Accept IPv6 TCP destined to telnet, http or https
nft add set ip nat my_new_set { type ipv4_addr; comment "Some IPv4"; }    Create a named set of IPv4 addresses in the ip nat table
nft delete set ip nat collect                                             Delete the set "collect" from ip nat
nft add rule ip filter input ip saddr @blackhole drop                     Add a rule to drop IPs in a set
nft add rule ip nat postrouting add @collect { ip daddr }                 Add the destination address to a set

Counters
Counters can also be anonymous or named, with the same restrictions. They count packets and bytes.

Command                                                          Meaning
nft add counter ip nat out_of_route                              Add a named counter called out_of_route to the table ip nat
nft add rule ip filter input tcp dport 22 counter accept         Add a rule that filters incoming SSH, counts it anonymously, and accepts it
nft add rule ip filter input counter tcp dport 22 accept         Add a rule that counts all packets, then filters on SSH and accepts
nft list counter inet filter refused_input                       Show the contents of the counter "refused_input" of table "inet filter"
nft add rule inet filter input counter name "refused_input"      Add a rule that just counts into a named counter
nft reset counter inet filter refused_input                      Reset the values of the given counter
nft reset counters table inet filter                             Reset all counters in table "inet filter"

Maps
Maps are objects like counters and sets, but with key-value storage.

Command                                                                  Meaning
nft list maps                                                            List all maps in the ruleset
nft add map inet nat gate_marks { type ether_addr: mark\; }              Add a map of MACs to marks in "inet nat" (the \; keeps the shell from treating ; as a command separator)
nft list map inet nat gate_marks                                         List the contents of the map
nft delete map inet nat gate_marks                                       Delete a map
nft add rule ip nat PREROUTING add @post_map { ether saddr: ip saddr }   Add a rule that adds a source MAC, source IPv4 pair to a map called "post_map"
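
Sets, counters and maps share one failure mode: an element whose type does not match the object's declared type is rejected by nft at load time. The following is an added example, not from the original document or from nftables, covering the Sets and Maps sections above: it checks elements against the key type (ipv4_addr, ether_addr, inet_service) before building the `nft add element` commands, and counts the addresses a set of IPv4 ranges covers (the 102-address set above is the worked case). The set and map names and the elements are constructed samples; `SERVICE_NAMES` is a hypothetical subset of the names nft resolves through /etc/services.

```python
# Added example (not from the original document or the nftables project):
# validate set and map elements against the declared key type before building
# `nft add element` commands, so a typo fails here rather than in nft.
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)
SERVICE_NAMES = {"ssh", "telnet", "domain", "http", "https"}   # hypothetical subset of /etc/services


def check_element(elem_type, value):
    """Return the element as it should appear in the command, or raise ValueError."""
    if elem_type == "ipv4_addr":
        lo, _, hi = str(value).partition("-")          # single address or a-b range
        a, b = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo)
        if b < a:
            raise ValueError(f"reversed range {value}")
        return str(value)
    if elem_type == "ether_addr":
        if not MAC_RE.match(value):
            raise ValueError(f"bad MAC {value}")
        return value.lower()
    if elem_type == "inet_service":
        if value in SERVICE_NAMES or (isinstance(value, int) and 0 <= value <= 65535):
            return str(value)
        raise ValueError(f"bad port {value}")
    raise ValueError(f"unsupported element type {elem_type}")


def ipv4_set_size(elements):
    """Number of addresses covered by a set of IPv4 addresses and a-b ranges."""
    total = 0
    for e in elements:
        lo, _, hi = e.partition("-")
        a, b = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo)
        total += int(b) - int(a) + 1
    return total


def add_set_elements(family, table, name, elem_type, elements):
    """Command adding validated elements to a named set."""
    elems = ", ".join(check_element(elem_type, e) for e in elements)
    return f"nft add element {family} {table} {name} {{ {elems} }}"


def add_map_elements(family, table, name, key_type, mapping):
    """Command adding key : mark pairs to a map; keys are validated, marks printed in hex."""
    pairs = ", ".join(f"{check_element(key_type, k)} : {v:#x}" for k, v in mapping.items())
    return f"nft add element {family} {table} {name} {{ {pairs} }}"


if __name__ == "__main__":
    print(ipv4_set_size(["192.168.42.2-192.168.42.102", "192.168.42.104"]))
    print(add_set_elements("ip", "filter", "blackhole", "ipv4_addr", ["10.0.0.5", "10.0.1.0-10.0.1.9"]))
    print(add_map_elements("inet", "nat", "gate_marks", "ether_addr", {"AA:BB:CC:00:11:22": 0x11}))
```

The commands it produces are meant for a set or map that already exists with the matching type, created with the `nft add set` / `nft add map` forms shown above.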

Revision #5
Created 9 August 2022 09:54:31 by Amelia
Updated 16 September 2022 23:08:22 by Amelia
