nftables wiki - User contributions [en]

What is nftables?

2024-12-03T15:49:34Z

Nevola: zevenet repository is obsolete

= What is nftables? =

'''nftables''' is the modern Linux kernel packet classification framework. New code should use it instead of the legacy
{ip,ip6,arp,eb}_tables (xtables) infrastructure. For existing codebases that have not yet converted, the legacy xtables infrastructure is still maintained as of 2021. Automated tools assist the xtables to nftables conversion process.

'''nftables''' in a nutshell:

* It is available in Linux kernels >= 3.13.

* It comes with a new command line utility ''nft'' whose syntax is different to iptables.

* It also comes with a compatibility layer that allows you to run iptables commands over the new nftables kernel framework.

* It provides a generic set infrastructure that allows you to construct maps and concatenations. You can use these new structures to arrange your ruleset in a multidimensional tree which '''drastically''' reduces the number of rules that need to be inspected until reaching the final action on a packet.

= Why nftables? =

We like iptables after all, this tool has been serving us (and will likely keep serving still for a while in many deployments) to filter out traffic on both per-packet and per-flow basis, log suspicious traffic activity, perform NAT and many other things. It comes with more than a hundred of extensions that have been contributed along the last 15 years!.

Nevertheless, the iptables framework suffers from limitations that cannot be easily worked around:

* Avoid code duplication and inconsistencies: Many of the iptables extensions are protocol specific, so there is no a consolidated way to match packet fields, instead we have one extension for each protocol that it supports. This bloats the codebase with very similar code to perform a similar task: payload matching.

* Faster packet classification through enhanced generic set and map infrastructure.

* Simplified dual stack IPv4/IPv6 administration, through the new inet family that allows you to register base chains that see both IPv4 and IPv6 traffic.

* Better dynamic ruleset updates support.

* Provide a Netlink API for third party applications, just as other Linux Networking and Netfilter subsystem do.

* Address syntax inconsistencies and provide nicer and more compact syntax.

These, among other things not listed here, triggered the nftables development which was originally presented to the Netfilter community in the 6th Netfilter Workshop in Paris (France).

= Main differences with iptables =

Some key differences between nftables and iptables from the user point of view are:

* '''nftables uses a new syntax'''. The ''iptables'' command line tool uses a getopt_long()-based parser where keys are always preceded by double minus, eg. ''--key'' or one single minus, eg. ''-p tcp''. In contrast, nftables uses a compact syntax inspired by ''tcpdump''.

* '''Tables and chains are fully configurable.''' ''iptables'' has multiple pre-defined tables and base chains, all of which are registered even if you only need one of them. There have been reports of even unused base chains harming performance. With nftables there are no pre-defined tables or chains. Each table is explicitly defined, and contains only the objects (chains, sets, maps, flowtables and stateful objects) that you explicitly add to it. Now you register only the base chains that you need. You choose table and chain names and netfilter hook priorities that efficiently implement your specific packet processing pipeline.

* '''A single nftables rule can take multiple actions.''' Instead of the matches and single target action used in iptables, an nftables rule consists of zero or more expressions followed by one or more statements. Each expression tests whether a packet matches a specific payload field or packet/flow metadata. Multiple expressions are linearly evaluated from left to right: if the first expression matches, then the next expression is evaluated and so on. If we reach the final expression, then the packet matches all of the expressions in the rule, and the rule's statements are executed. Each statement takes an action, such as setting the netfilter mark, counting the packet, logging the packet, or rendering a verdict such as accepting or dropping the packet or jumping to another chain. As with expressions, multiple statements are linearly evaluated from left to right: a single rule can take multiple actions by using multiple statements. Do note that a verdict statement by its nature ends the rule.

* '''No built-in counter per chain and rule.''' In nftables counters are optional, you can enable them as needed.

* '''Better support for dynamic ruleset updates.''' In contrast to the monolithic blob used by iptables, nftables rulesets are represented internally in a linked list. Now adding or deleting a rule leaves the rest of the ruleset untouched, simplifying maintenance of internal state information.

* '''Simplified dual stack IPv4/IPv6 administration.''' The nftables ''inet'' family allows you to register base chains that see both IPv4 and IPv6 traffic. It is no longer necessary to rely on scripts to duplicate your ruleset.

* '''New generic [[sets|set]] infrastructure'''. This infrastructure integrates tightly into the nftables core and allows advanced configurations such as [[maps]], [[Verdict_Maps_(vmaps) | verdict maps]] and [[intervals]] to achieve performance-oriented packet classification. The most important thing is that you can use ''any'' supported selector to classify traffic.

* '''Support for [[concatenations]].''' Since Linux kernel 4.1, you can concatenate several keys and combine them with [[maps]] and [[Verdict_Maps_(vmaps) | verdict maps]]. The idea is to build a tuple whose values are hashed to obtain the action to be performed nearly O(1).

* '''Support new protocols without a kernel upgrade'''. Kernel upgrades can be a time-consuming and daunting task, especially if you have to maintain more than a single firewall in your network. Distribution kernels usually lag the newest release. With the new nftables virtual machine approach, supporting a new protocol will often not require a new kernel, just a relatively simple [[List_of_updates_in_the_nft_command_line_tool|''nft'' userspace software update]].

= Adoption =

The Netfilter project and community is focused on replacing the iptables framework with nftables, adding new features and refreshing some workflows along the way.

Many upstream projects use iptables to handle filtering, NAT, mangling and other networking tasks. This page tracks '''nftables adoption''' in the wider community.

== Cases ==

Known cases and examples we could heard of. '''TODO: extend with more current data'''.

All major Linux distributions contains the nftables framework ready to use. Check [[Nftables from distributions]].

=== system / firewalling / management ===

==== Supporting nftables ====

The following projects are known to either directly support nftables or have authors actively working on nftables integration.

* https://www.fail2ban.org/ -- the fail2ban tool already includes native support for nftables.
* https://firewalld.org/ -- firewalld by RedHat is currently developing a native integration with nftables.
* https://suricata-ids.org/ -- suricata can work natively with nftables ([https://home.regit.org/2014/02/suricata-and-nftables/ link])
* https://keepalived.org/ -- keepalived works natively with nftables ([https://github.com/acassen/keepalived/issues/924])

==== Supporting iptables only ====

The following projects are known to only support iptables/iptables-nft, with no plans to support nftables in the future.

* http://ferm.foo-projects.org/ -- [https://github.com/MaxKellermann/ferm/issues/35#issuecomment-386091563 citation]
* https://shorewall.org/ -- [https://sourceforge.net/p/shorewall/mailman/message/35458915/ citation]

=== virtualization / cloud / infrastructure ===

* https://github.com/relianoid/nftlb -- nftlb by [https://www.relianoid.com Relianoid ADC] is a nftables-based loadbalancer which can outperform LVS by 10x
* https://www.docker.com/ -- Some discussion happened in the Docker community regarding a native integration with nftables, which could ease some of their use cases ([https://github.com/moby/moby/issues/26824 link]) ([https://github.com/robbertkl/docker-ipv6nat/issues/17 link]) ([https://stephank.nl/p/2017-06-05-ipv6-on-production-docker.html running docker with IPv6 using nftables])
* https://kubernetes.io/ -- Kubernetes does not support nftables yes, but some discussion happened already ([https://github.com/kubernetes/kubernetes/issues/45385 link]). Compat tools may be used to trick kubernetes into using nftables transparently.
* http://openstack.org/ -- Openstack does not support nftables yet. Compat tools may be used to trick neutron and other components into using nftables transparently.
* https://libvirt.org/ -- there are reports of people running libvirt with nftables for bridge filtering for virtual machines
* https://saltstack.com/ -- SaltStack includes native support for nftables ([https://docs.saltstack.com/en/latest/ref/states/all/salt.states.nftables.html link]).
* https://coreos.com/ -- the CoreOS ecosystem includes native support for nftables ([https://github.com/coreos/coreos-overlay/pull/2662 link])

=== others ===

* https://openwrt.org/ -- there are reports of people running nftables rather than iptables in openwrt systems
* https://www.cica.es/ -- this regional [https://en.wikipedia.org/wiki/National_research_and_education_network NREN] uses nftables in the datacenter for their perimetral firewalls ([http://workshop.netfilter.org/2017/wiki/index.php/Developer_days.html#nftables_at_CICA.2C_our_experience slides])
* [[Nftables from distributions]] -- all major Linux distribution already include nftables ready to use
* https://www.nano-editor.org/ -- The nano editor includes syntax highlighting for nftables in files with .nft name extension or nft shebang
* https://github.com/nfnty/vim-nftables -- the VIM editor includes syntax highlighting for nftables
* [https://github.com/ipr-cnrs Institut de Physique de Rennes] -- this french research entity seems to be using nftables with ansible ([https://github.com/ipr-cnrs/nftables link])
* VPN -- nftables can be combined with other software packages like OpenVPN to build great VPN solutions ([http://ral-arturo.org/2017/04/07/openvpn-debian-stretch.html link])
* [https://github.com/mdlayher/netlink netlink golang package] -- the Golang Netlink package got batching support to be able to work with nftables ([https://github.com/mdlayher/netlink/issues/81 link])
* [https://github.com/google/nftables nftables golang library] -- This nftables golang integration library was made by Google

= See also =

* [[Moving from iptables to nftables]]
* [[Moving from ipset to nftables]]
* [[List of updates since Linux kernel 3.13]]
* [[Supported features compared to xtables]]
* [[List of available translations via iptables-translate tool]]

Adoption

2024-12-03T15:47:29Z

Nevola: zevenet repository is obsolete

The Netfilter project and community is focused on replacing the iptables framework with nftables, adding new features and refreshing some workflows along the way.

Many upstream projects use iptables to handle filtering, NAT, mangling and other networking tasks. This page tracks '''nftables adoption''' in the wider community.

= Cases =

Known cases and examples we could heard of. '''TODO: extend with more current data'''.

All major Linux distributions contains the nftables framework ready to use. Check [[Nftables from distributions]].

== system / firewalling / management ==

=== Supporting nftables ===

The following projects are known to either directly support nftables or have authors actively working on nftables integration.

* https://www.fail2ban.org/ -- the fail2ban tool already includes native support for nftables.
* https://firewalld.org/ -- firewalld by RedHat is currently developing a native integration with nftables.
* https://suricata-ids.org/ -- suricata can work natively with nftables ([https://home.regit.org/2014/02/suricata-and-nftables/ link])
* https://keepalived.org/ -- keepalived works natively with nftables ([https://github.com/acassen/keepalived/issues/924])

=== Supporting iptables only ===

The following projects are known to only support iptables/iptables-nft, with no plans to support nftables in the future.

* http://ferm.foo-projects.org/ -- [https://github.com/MaxKellermann/ferm/issues/35#issuecomment-386091563 citation]
* https://shorewall.org/ -- [https://sourceforge.net/p/shorewall/mailman/message/35458915/ citation]

== virtualization / cloud / infrastructure ==

* https://github.com/relianoid/nftlb -- nftlb by [https://www.relianoid.com Relianoid ADC] is a nftables-based loadbalancer
* https://www.docker.com/ -- Some discussion happened in the Docker community regarding a native integration with nftables, which could ease some of their use cases ([https://github.com/moby/moby/issues/26824 link]) ([https://github.com/robbertkl/docker-ipv6nat/issues/17 link]) ([https://stephank.nl/p/2017-06-05-ipv6-on-production-docker.html running docker with IPv6 using nftables])
* https://kubernetes.io/ -- Kubernetes does not support nftables yes, but some discussion happened already ([https://github.com/kubernetes/kubernetes/issues/45385 link]). Compat tools may be used to trick kubernetes into using nftables transparently.
* http://openstack.org/ -- Openstack does not support nftables yet. Compat tools may be used to trick neutron and other components into using nftables transparently.
* https://libvirt.org/ -- there are reports of people running libvirt with nftables for bridge filtering for virtual machines
* https://saltstack.com/ -- SaltStack includes native support for nftables ([https://docs.saltstack.com/en/latest/ref/states/all/salt.states.nftables.html link]).
* https://coreos.com/ -- the CoreOS ecosystem includes native support for nftables ([https://github.com/coreos/coreos-overlay/pull/2662 link])

== others ==

* https://openwrt.org/ -- there are reports of people running nftables rather than iptables in openwrt systems
* https://www.cica.es/ -- this regional [https://en.wikipedia.org/wiki/National_research_and_education_network NREN] uses nftables in the datacenter for their perimetral firewalls ([http://workshop.netfilter.org/2017/wiki/index.php/Developer_days.html#nftables_at_CICA.2C_our_experience slides])
* [[Nftables from distributions]] -- all major Linux distribution already include nftables ready to use
* https://www.nano-editor.org/ -- The nano editor includes syntax highlighting for nftables in files with .nft name extension or nft shebang
* https://github.com/nfnty/vim-nftables -- the VIM editor includes syntax highlighting for nftables
* [https://github.com/ipr-cnrs Institut de Physique de Rennes] -- this french research entity seems to be using nftables with ansible ([https://github.com/ipr-cnrs/nftables link])
* VPN -- nftables can be combined with other software packages like OpenVPN to build great VPN solutions ([http://ral-arturo.org/2017/04/07/openvpn-debian-stretch.html link])
* [https://github.com/mdlayher/netlink netlink golang package] -- the Golang Netlink package got batching support to be able to work with nftables ([https://github.com/mdlayher/netlink/issues/81 link])
* [https://github.com/google/nftables nftables golang library] -- This nftables golang integration library was made by Google

= See also =

* [[Moving from iptables to nftables]]
* [[Moving from ipset to nftables]]
* [[List of updates since Linux kernel 3.13]]
* [[Supported features compared to xtables]]
* [[List of available translations via iptables-translate tool]]

Scripting

2021-02-19T18:47:12Z

Nevola: /* Including files */ According to the comment, it was expected a directory not a file

Many people like to maintain their ruleset in shell scripts, this allows them to add comments and arrange rules in more human-friendly way. This is problematic though since shell scripts break atomicity when applying the ruleset, thus, the filtering policy is applied in an inconsistent way during the ruleset loading time.

Fortunately, nftables provides a native scripting environment to address these concerns which basically allows you to include other ruleset files, define variables and add comments. You have to restore the content of this native script through the ''nft -f my-ruleset.file'' command.

To create a nftables script, you have to add the following header to your script file:

<source lang="bash">
#!/usr/sbin/nft -f
</source>

= Adding comments =

You can add comments to your file using the '#' character. Everything after the '#' will be ignored.

<source lang="bash">
#!/usr/sbin/nft -f

#
# table declaration
#
add table filter

#
# chain declaration
#
add chain filter input { type filter hook input priority 0; policy drop; }

#
# rule declaration
#
add rule filter input ct state established,related counter accept
</source>

= Including files =

Other files can be included by using the include statement. The directories to be searched for include files can be specified using the '''-I/--includepath''' option. You can override this behavior either by prepending ‘./’ to your path to force inclusion of
files located in the current working directory (i.e. relative path) or / for file location expressed as an absolute path.

If '''-I/--includepath''' is not specified, then nft relies on the default directory that is specified at compile time. You can retrieve this default directory via '''-h/--help''' option.

Include statements support the usual shell wildcard symbols (\*,?,[]). Having no matches for an include statement is not an error, if wildcard symbols are used in the include statement.

This allows having potentially empty include directories for statements like include "/etc/firewall/rules/".
The wildcard matches are loaded in alphabetical order.

'''NOTE:''' Files beginning with dot (.) are not matched by include statements.

<source lang="bash">
#!/usr/sbin/nft -f

# include a single file using the default search path
include "ipv4-nat.ruleset"

# include all files ending in *.nft in the default search path
include "*.nft"

# include all files in a given directory using an absolute path
include "/etc/nftables/"
</source>

= Defining variables =

You can use the ''define'' keyword to define variables, the following example shows a very simple ruleset to account the traffic that comes from 8.8.8.8 (the popular Google DNS server):

<source lang="bash">
#!/usr/sbin/nft -f

define google_dns = 8.8.8.8

add table filter
add chain filter input { type filter hook input priority 0; }
add rule filter input ip saddr $google_dns counter
</source>

You can also define a variable for sets:

<source lang="bash">
#!/usr/sbin/nft -f

define ntp_servers = { 84.77.40.132, 176.31.53.99, 81.19.96.148, 138.100.62.8 }

add table filter
add chain filter input { type filter hook input priority 0; }
add rule filter input ip saddr $ntp_servers counter
</source>

Don't forget that brackets have special semantics when used from rules, since they indicate that this variable represents a set. Therefore, avoid things like:

<source lang="bash">
define google_dns = { 8.8.8.8 }
</source>

It is simply overkill to define a set that only stores one single element, instead use the singleton definition:

<source lang="bash">
define google_dns = 8.8.8.8
</source>

= File formats =

''nft -f <filename>'' accepts 2 formats, the first is the format seen in the output of ''nft list table''. The second is using the same syntax of calling the ''nft'' binary several times, but in an atomic fashion.

Example of nftables output format:

<source lang="bash">
#!/usr/sbin/nft -f

define ntp_servers = { 84.77.40.132, 176.31.53.99, 81.19.96.148, 138.100.62.8 }

#flush table nat
table ip nat {
chain prerouting {
type filter hook prerouting priority 0; policy accept;
ip saddr $ntp_servers counter
}

chain postrouting {
type filter hook postrouting priority 100; policy accept;
}
}
</source>

Example of scripted config format:

<source lang="bash">
#!/usr/sbin/nft -f

define ntp_servers = { 84.77.40.132, 176.31.53.99, 81.19.96.148, 138.100.62.8 }

add table filter
add chain filter input { type filter hook input priority 0; }
add rule filter input ip saddr $ntp_servers counter
</source>

You can freely translate between the two formats, as the syntax is mostly the same (only the organization differs).
Depending on your use case, you may want to use one format or other when building your firewall.

= See also =

This related information is very useful when dealing with nftables scripts:

* [[Atomic rule replacement]]
* [[Operations at ruleset level]]

Nftables from distributions

2021-02-09T19:29:44Z

Nevola: /* ubuntu */ fix typo

Most major Linux distributions have support for nftables:
* they include a kernel with nf_tables support
* they include userspace support

Normally, you can get nftables working just by installing the software using the corresponding package manager.

Be aware that distributions commonly don't use the absolute last version of nftables or the linux kernel.
If you need latest version of the framework, you may need [[Building and installing nftables from sources]].

For reference, here are some links where you can get distribution-specific info about nftables.

== debian ==
Debian includes latests nftables also in 'stable-backports', so you don't need to run 'testing' to get nftables.

* wiki page: https://wiki.debian.org/nftables
* kernel package: https://tracker.debian.org/pkg/linux
* libnftnl: https://tracker.debian.org/pkg/libnftnl
* nft utility: https://tracker.debian.org/pkg/nftables

By the way, nf_tables is the default iptables backend starting with Debian Buster.

== arch linux ==
* wiki page: https://wiki.archlinux.org/index.php/Nftables
* kernel package: https://www.archlinux.org/packages/core/x86_64/linux/
* nft utility: https://www.archlinux.org/packages/extra/x86_64/nftables/
* libnftnl: https://www.archlinux.org/packages/extra/x86_64/libnftnl/

== ubuntu ==
* kernel package: https://launchpad.net/ubuntu/+source/linux
* nft utility: https://launchpad.net/ubuntu/+source/nftables
* libnftnl: https://launchpad.net/ubuntu/+source/libnftnl

== fedora ==
* kernel package: https://src.fedoraproject.org/rpms/kernel
* nft utlity: https://src.fedoraproject.org/rpms/nftables
* libnftnl: https://src.fedoraproject.org/rpms/libnftnl

Building and installing nftables from sources

2021-02-09T18:57:28Z

Nevola: /* Installing from git */ fix git URL

nftables requires several userspace libraries, the 'nft' userspace command line utility and the kernel modules.

If you are using a major linux distribution, you may consider using [[nftables from distributions]].

= Installing userspace libraries =

You have to install the following userspace libraries:

* [http://www.netfilter.org/projects/libmnl libmnl ], this library provides the interfaces to communicate kernel and userspace via Netlink. ''It is very likely that your distribution already provides a package for libmnl that you can use''. If you decide to use your distributor package, make sure you install the development package as well.

* [http://www.netfilter.org/projects/libnftnl libnftnl], this library provides the low-level API to transform netlink messages to objects.

You also need ''libgmp'' and ''libreadline'', most distributions already provide packages for these two libraries, so make sure you install the development extensions of this packages to successfully compile ''nftables''.

If you plan to give a test to ''nftables'', we recommend you to use git snapshots for ''libnftnl'' and ''nft''.

== Installing userspace libraries from git ==

To install ''libnftnl'', to can type these magic spells:

<source lang="bash">
$ git clone git://git.netfilter.org/libnftnl
$ cd libnftnl
$ sh autogen.sh
$ ./configure
$ make
$ sudo make install
</source>
If you are working behind proxy than it might possible that you are not able to clone using git protocol so try to clone using "http/https:" instead "git:"
<br > Reasons:- 1) The git protocol, by default, uses the port 9418. It might possible that your traffic is blocked on that port.
<br > 2) Also take help and can relate from the [http://stackoverflow.com/a/28494985 solution]

If you have any compilation problem, please report them to the [https://www.netfilter.org/mailinglists.html netfilter developer mailing list] providing as much detailed information as possible.

== Installing userspace libraries from snapshots ==

You can retrieve daily snapshots of this library from the [ftp://ftp.netfilter.org/pub/libnftnl/snapshot/ Netfilter FTP]. Then, to install it you have to:

<source lang="bash">
$ wget ftp://ftp.netfilter.org/pub/libnftnl/snapshot/libnftnl-20140217.tar.bz2
$ tar xvjf libnftnl-20140217.tar.bz2
$ ./configure
$ make
$ sudo make install
</source>

= Installing userspace nft command line utility =

This is the command line utility that provides a user interface to configure ''nftables''.

== Installing from git ==

Just type these commands:

<source lang="bash">
% git clone git://git.netfilter.org/nftables
% cd nftables
% sh autogen.sh
% ./configure
% make
% make install
</source>

You should check that ''nft'' is installed in your system by typing:

<source lang="bash">
% nft
nft: no command specified
</source>

That means ''nft'' has been correctly installed.

= Installing Linux kernel with nftables support =

Prerequisites: nftables is available in Linux kernels since version 3.13 but this is software under development, so we encourage you to run the latest stable kernel.

== Validating your installation ==

You can validate that your installation is working by checking if you can install the 'nf_tables' kernel module.

<source lang="bash">
% modprobe nf_tables
</source>

Then, you can check that's actually there via ''lsmod'':

<source lang="bash">
# lsmod | grep nf_tables
nf_tables 42349 0
</source>

Make sure you also have loaded the family support, eg.

<source lang="bash">
% modprobe nf_tables_ipv4
</source>

The ''lsmod'' command should show something like:

<source lang="bash">
# lsmod | grep nf_tables
nf_tables_ipv4 12869 0
nf_tables 42349 1 nf_tables_ipv4
</source>

Other family modules are ''nf_tables_ipv6'', ''nf_tables_bridge'', ''nf_tables_arp'' and (since Linux kernel >= 3.14) ''nf_tables_inet''.

These modules provide the corresponding [[Configuring_tables|table]] and the filter [[Configuring_chains|chain]] support for the given family.

You could also check which modules are supported by your current kernel. How to to do this, depends on your distro:
* on debian, look in /boot/config-XXX-YYY, where XXX is your kernel package version, and YYY is your arch, e.g. /boot/config-4.2.0-1-amd64
* on Arch, look in /proc/config.gz. As this is compressed, use a command such as zcat or zgrep.

In the debian example below, CONFIG_NFT_REDIR_IPV4 and CONFIG_NFT_REDIR_IPV6 are not set, so you can't use [http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Redirect redirect] in the ruleset:

<source lang="bash">
% grep CONFIG_NFT_ /boot/config-4.2.0-1-amd64
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_RBTREE=m
CONFIG_NFT_HASH=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_NFT_REDIR_IPV4 is not set
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m
</source>

== Installing from git ==

This is slower as you will retrieve the Linux kernel git tree for nftables:

<source lang="bash">
$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
</source>

After retrieving the git tree, you have to follow the same steps described in the installation from sources.

But you will get the most recent changes for the ''nftables'' kernel code there.

When configuring the kernel, be sure to enable all the nftables modules (choose 'm' or 'y'). This is an example:

<source lang="bash">
$ make oldconfig

Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES) [M/y/?] m
Netfilter nf_tables support (NF_TABLES) [N/m] (NEW) m
Netfilter nf_tables payload module (NFT_PAYLOAD) [N/m] (NEW) m
Netfilter nf_tables IPv6 exthdr module (NFT_EXTHDR) [N/m] (NEW) m
Netfilter nf_tables meta module (NFT_META) [N/m] (NEW) m
Netfilter nf_tables conntrack module (NFT_CT) [N/m] (NEW) m
Netfilter nf_tables rbtree set module (NFT_RBTREE) [N/m] (NEW) m
Netfilter nf_tables hash set module (NFT_HASH) [N/m] (NEW) m
Netfilter nf_tables counter module (NFT_COUNTER) [N/m] (NEW) m
Netfilter nf_tables log module (NFT_LOG) [N/m] (NEW) m
Netfilter nf_tables limit module (NFT_LIMIT) [N/m] (NEW) m
Netfilter nf_tables nat module (NFT_NAT) [N/m] (NEW) m
Netfilter x_tables over nf_tables module (NFT_COMPAT) [N/m/?] (NEW) m

IPv4 nf_tables support (NF_TABLES_IPV4) [N/m] (NEW) m
nf_tables IPv4 reject support (NFT_REJECT_IPV4) [N/m] (NEW) m
IPv4 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV4) [N/m] (NEW) m
IPv4 nf_tables nat chain support (NFT_CHAIN_NAT_IPV4) [N/m] (NEW) m

IPv6 nf_tables support (NF_TABLES_IPV6) [M/n] m
IPv6 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV6) [M/n] m
IPv6 nf_tables nat chain support (NFT_CHAIN_NAT_IPV6) [M/n] m

Ethernet Bridge nf_tables support (NF_TABLES_BRIDGE) [N/m/y] (NEW) m
</source>

Quick reference-nftables in 10 minutes

2020-05-22T10:01:48Z

Nevola: /* Reject */ Add link to local page.

Find below some basic concepts to know before using nftables.

'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.

'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].

'''rule''' refers to an action to be configured within a ''chain''.

= nft command line =

''nft'' is the command line tool in order to interact with nftables at userspace.

== Tables ==

'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''.

<source lang="bash">
% nft list tables [<family>]
% nft list table [<family>] <name> [-n] [-a]
% nft (add | delete | flush) table [<family>] <name>
</source>

The argument ''-n'' shows the addresses and other information that uses names in numeric format. The ''-a'' argument is used to display the ''handle''.

== Chains ==

'''type''' refers to the kind of chain to be created. Possible types are:

* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.

'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].

* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.
* The hooks for ''arp'' family are: '' input'', ''output''.
* The ''bridge'' family handles ethernet packets traversing bridge devices.
* The hook for ''netdev'' is: ''ingress''.

'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.

'''policy''' is the default verdict statement to control the flow in the chain. Possible values are: ''accept'', ''drop'', ''queue'', ''continue'', ''return''.

<source lang="bash">
% nft (add | create) chain [<family>] <table> <name> [ { type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] } ]
% nft (delete | list | flush) chain [<family>] <table> <name>
% nft rename chain [<family>] <table> <name> <newname>
</source>

== Rules ==

'''handle''' is an internal number that identifies a certain ''rule''.

'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.

<source lang="bash">
% nft add rule [<family>] <table> <chain> <matches> <statements>
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements>
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements>
% nft delete rule [<family>] <table> <chain> [handle <handle>]
</source>

=== Matches ===

'''matches''' are clues used to access to certain packet information and create filters according to them.

==== Ip ====

{| class="wikitable"
!colspan="6"|ip match
|-
| | ''dscp <value>''
|
|<source lang="bash">
ip dscp cs1
ip dscp != cs1
ip dscp 0x38
ip dscp != 0x20
ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21,
af22, af23, af31, af32, af33, af41, af42, af43, ef}
</source>
|-
| ''length <length>''
| Total packet length
|<source lang="bash">
ip length 232
ip length != 233
ip length 333-435
ip length != 333-453
ip length { 333, 553, 673, 838}
</source>
|-
| ''id <id>''
| IP ID
|<source lang="bash">
ip id 22
ip id != 233
ip id 33-45
ip id != 33-45
ip id { 33, 55, 67, 88 }
</source>
|-
| ''frag-off <value>''
| Fragmentation offset
|<source lang="bash">
ip frag-off 222
ip frag-off != 233
ip frag-off 33-45
ip frag-off != 33-45
ip frag-off { 33, 55, 67, 88 }
</source>
|-
| ''ttl <ttl>''
| Time to live
|<source lang="bash">
ip ttl 0
ip ttl 233
ip ttl 33-55
ip ttl != 45-50
ip ttl { 43, 53, 45 }
ip ttl { 33-55 }
</source>
|-
| ''protocol <protocol>''
| Upper layer protocol
|<source lang="bash">
ip protocol tcp
ip protocol 6
ip protocol != tcp
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }
</source>
|-
| ''checksum <checksum>''
| IP header checksum
|<source lang="bash">
ip checksum 13172
ip checksum 22
ip checksum != 233
ip checksum 33-45
ip checksum != 33-45
ip checksum { 33, 55, 67, 88 }
ip checksum { 33-55 }
</source>
|-
| ''saddr <ip source address>''
| Source address
|<source lang="bash">
ip saddr 192.168.2.0/24
ip saddr != 192.168.2.0/24
ip saddr 192.168.3.1 ip daddr 192.168.3.100
ip saddr != 1.1.1.1
ip saddr 1.1.1.1
ip saddr & 0xff == 1
ip saddr & 0.0.0.255 < 0.0.0.127
</source>
|-
| ''daddr <ip destination address>''
| Destination address
|<source lang="bash">
ip daddr 192.168.0.1
ip daddr != 192.168.0.1
ip daddr 192.168.0.1-192.168.0.250
ip daddr 10.0.0.0-10.255.255.255
ip daddr 172.16.0.0-172.31.255.255
ip daddr 192.168.3.1-192.168.4.250
ip daddr != 192.168.0.1-192.168.0.250
ip daddr { 192.168.0.1-192.168.0.250 }
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }
</source>
|-
| ''version <version>''
| Ip Header version
|<source lang="bash">
ip version 4
</source>
|-
| ''hdrlength <header length>''
| IP header length
|<source lang="bash">
ip hdrlength 0
ip hdrlength 15
</source>
|}

==== Ip6 ====

{| class="wikitable"
!colspan="6"|ip6 match
|-
| ''dscp <value>''
|
|<source lang="bash">
ip6 dscp cs1
ip6 dscp != cs1
ip6 dscp 0x38
ip6 dscp != 0x20
ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
</source>
|-
| ''flowlabel <label>''
| Flow label
|<source lang="bash">
ip6 flowlabel 22
ip6 flowlabel != 233
ip6 flowlabel { 33, 55, 67, 88 }
ip6 flowlabel { 33-55 }
</source>
|-
| ''length <length>''
| Payload length
|<source lang="bash">
ip6 length 232
ip6 length != 233
ip6 length 333-435
ip6 length != 333-453
ip6 length { 333, 553, 673, 838}
</source>
|-
| ''nexthdr <header>''
| Next header type (Upper layer protocol number)
|<source lang="bash">
ip6 nexthdr {esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6}
ip6 nexthdr esp
ip6 nexthdr != esp
ip6 nexthdr { 33-44 }
ip6 nexthdr 33-44
ip6 nexthdr != 33-44
</source>
|-
| ''hoplimit <hoplimit>''
| Hop limit
|<source lang="bash">
ip6 hoplimit 1
ip6 hoplimit != 233
ip6 hoplimit 33-45
ip6 hoplimit != 33-45
ip6 hoplimit {33, 55, 67, 88}
ip6 hoplimit {33-55}
</source>
|-
| ''saddr <ip source address>''
| Source Address
|<source lang="bash">
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234
ip6 saddr ::/64
ip6 saddr ::1 ip6 daddr ::2
</source>
|-
| ''daddr <ip destination address>''
| Destination Address
|<source lang="bash">
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234
</source>
|-
| ''version <version>''
| IP header version
|<source lang="bash">
ip6 version 6
</source>
|}

==== Tcp ====

{| class="wikitable"
!colspan="6"|tcp match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
tcp dport 22
tcp dport != 33-45
tcp dport { 33-55 }
tcp dport {telnet, http, https }
tcp dport vmap { 22 : accept, 23 : drop }
tcp dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
tcp sport 22
tcp sport != 33-45
tcp sport { 33, 55, 67, 88}
tcp sport { 33-55}
tcp sport vmap { 25:accept, 28:drop }
tcp sport 1024 tcp dport 22
</source>
|-
| ''sequence <value>''
| Sequence number
|<source lang="bash">
tcp sequence 22
tcp sequence != 33-45
</source>
|-
| ''ackseq <value>''
| Acknowledgement number
|<source lang="bash">
tcp ackseq 22
tcp ackseq != 33-45
tcp ackseq { 33, 55, 67, 88 }
tcp ackseq { 33-55 }
</source>
|-
| ''flags <flags>''
| TCP flags
|<source lang="bash">
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr}
tcp flags cwr
tcp flags != cwr
</source>
|-
| ''window <value>''
| Window
|<source lang="bash">
tcp window 22
tcp window != 33-45
tcp window { 33, 55, 67, 88 }
tcp window { 33-55 }
</source>
|-
| ''checksum <checksum>''
| IP header checksum
|<source lang="bash">
tcp checksum 22
tcp checksum != 33-45
tcp checksum { 33, 55, 67, 88 }
tcp checksum { 33-55 }
</source>
|-
| ''urgptr <pointer>''
| Urgent pointer
|<source lang="bash">
tcp urgptr 22
tcp urgptr != 33-45
tcp urgptr { 33, 55, 67, 88 }
</source>
|-
| ''doff <offset>''
| Data offset
|<source lang="bash">
tcp doff 8
</source>
|}

==== Udp ====

{| class="wikitable"
!colspan="6"|udp match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
udp dport 22
udp dport != 33-45
udp dport { 33-55 }
udp dport {telnet, http, https }
udp dport vmap { 22 : accept, 23 : drop }
udp dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
udp sport 22
udp sport != 33-45
udp sport { 33, 55, 67, 88}
udp sport { 33-55}
udp sport vmap { 25:accept, 28:drop }
udp sport 1024 tcp dport 22
</source>
|-
| ''length <length>''
| Total packet length
|<source lang="bash">
udp length 6666
udp length != 50-65
udp length { 50, 65 }
udp length { 35-50 }
</source>
|-
| ''checksum <checksum>''
| UDP checksum
|<source lang="bash">
udp checksum 22
udp checksum != 33-45
udp checksum { 33, 55, 67, 88 }
udp checksum { 33-55 }
</source>
|}

==== Udplite ====

{| class="wikitable"
!colspan="6"|udplite match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
udplite dport 22
udplite dport != 33-45
udplite dport { 33-55 }
udplite dport {telnet, http, https }
udplite dport vmap { 22 : accept, 23 : drop }
udplite dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
udplite sport 22
udplite sport != 33-45
udplite sport { 33, 55, 67, 88}
udplite sport { 33-55}
udplite sport vmap { 25:accept, 28:drop }
udplite sport 1024 tcp dport 22
</source>
|-
| ''checksum <checksum>''
| Checksum
|<source lang="bash">
udplite checksum 22
udplite checksum != 33-45
udplite checksum { 33, 55, 67, 88 }
udplite checksum { 33-55 }
</source>
|}

==== Sctp ====

{| class="wikitable"
!colspan="6"|sctp match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
sctp dport 22
sctp dport != 33-45
sctp dport { 33-55 }
sctp dport {telnet, http, https }
sctp dport vmap { 22 : accept, 23 : drop }
sctp dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
sctp sport 22
sctp sport != 33-45
sctp sport { 33, 55, 67, 88}
sctp sport { 33-55}
sctp sport vmap { 25:accept, 28:drop }
sctp sport 1024 tcp dport 22
</source>
|-
| ''checksum <checksum>''
| Checksum
|<source lang="bash">
sctp checksum 22
sctp checksum != 33-45
sctp checksum { 33, 55, 67, 88 }
sctp checksum { 33-55 }
</source>
|-
| ''vtag <tag>''
| Verification tag
|<source lang="bash">
sctp vtag 22
sctp vtag != 33-45
sctp vtag { 33, 55, 67, 88 }
sctp vtag { 33-55 }
</source>
|}

==== Dccp ====

{| class="wikitable"
!colspan="6"|dccp match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
dccp dport 22
dccp dport != 33-45
dccp dport { 33-55 }
dccp dport {telnet, http, https }
dccp dport vmap { 22 : accept, 23 : drop }
dccp dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
dccp sport 22
dccp sport != 33-45
dccp sport { 33, 55, 67, 88}
dccp sport { 33-55}
dccp sport vmap { 25:accept, 28:drop }
dccp sport 1024 tcp dport 22
</source>
|-
| ''type <type>''
| Type of packet
|<source lang="bash">
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
dccp type request
dccp type != request
</source>
|}

==== Ah ====

{| class="wikitable"
!colspan="6"|ah match
|-
| ''hdrlength <length>''
| AH header length
|<source lang="bash">
ah hdrlength 11-23
ah hdrlength != 11-23
ah hdrlength {11, 23, 44 }
</source>
|-
| ''reserved <value>''
|
|<source lang="bash">
ah reserved 22
ah reserved != 33-45
ah reserved {23, 100 }
ah reserved { 33-55 }
</source>
|-
| ''spi <value>''
|
|<source lang="bash">
ah spi 111
ah spi != 111-222
ah spi {111, 122 }
</source>
|-
| ''sequence <sequence>''
| Sequence Number
|<source lang="bash">
ah sequence 123
ah sequence {23, 25, 33}
ah sequence != 23-33
</source>
|}

==== Esp ====

{| class="wikitable"
!colspan="6"|esp match
|-
| ''spi <value>''
|
|<source lang="bash">
esp spi 111
esp spi != 111-222
esp spi {111, 122 }
</source>
|-
| ''sequence <sequence>''
| Sequence Number
|<source lang="bash">
esp sequence 123
esp sequence {23, 25, 33}
esp sequence != 23-33
</source>
|}

==== Comp ====

{| class="wikitable"
!colspan="6"|comp match
|-
| ''nexthdr <protocol>''
| Next header protocol (Upper layer protocol)
|<source lang="bash">
comp nexthdr != esp
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}
</source>
|-
| ''flags <flags>''
| Flags
|<source lang="bash">
comp flags 0x0
comp flags != 0x33-0x45
comp flags {0x33, 0x55, 0x67, 0x88}
</source>
|-
| ''cpi <value>''
| Compression Parameter Index
|<source lang="bash">
comp cpi 22
comp cpi != 33-45
comp cpi {33, 55, 67, 88}
</source>
|}

==== Icmp ====

{| class="wikitable"
!colspan="6"|icmp match
|-
| ''type <type>''
| ICMP packet type
|<source lang="bash">
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}
</source>
|-
| ''code <code>''
| ICMP packet code
|<source lang="bash">
icmp code 111
icmp code != 33-55
icmp code { 2, 4, 54, 33, 56}
</source>
|-
| ''checksum <value>''
| ICMP packet checksum
|<source lang="bash">
icmp checksum 12343
icmp checksum != 11-343
icmp checksum { 1111, 222, 343 }
</source>
|-
| ''id <value>''
| ICMP packet id
|<source lang="bash">
icmp id 12343
icmp id != 11-343
icmp id { 1111, 222, 343 }
</source>
|-
| ''sequence <value>''
| ICMP packet sequence
|<source lang="bash">
icmp sequence 12343
icmp sequence != 11-343
icmp sequence { 1111, 222, 343 }
</source>
|-
| ''mtu <value>''
| ICMP packet mtu
|<source lang="bash">
icmp mtu 12343
icmp mtu != 11-343
icmp mtu { 1111, 222, 343 }
</source>
|-
| ''gateway <value>''
| ICMP packet gateway
|<source lang="bash">
icmp gateway 12343
icmp gateway != 11-343
icmp gateway { 1111, 222, 343 }
</source>
|}

==== Icmpv6 ====

{| class="wikitable"
!colspan="6"|icmpv6 match
|-
| ''type <type>''
| ICMPv6 packet type
|<source lang="bash">
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering}
</source>
|-
| ''code <code>''
| ICMPv6 packet code
|<source lang="bash">
icmpv6 code 4
icmpv6 code 3-66
icmpv6 code {5, 6, 7}
</source>
|-
| ''checksum <value>''
| ICMPv6 packet checksum
|<source lang="bash">
icmpv6 checksum 12343
icmpv6 checksum != 11-343
icmpv6 checksum { 1111, 222, 343 }
</source>
|-
| ''id <value>''
| ICMPv6 packet id
|<source lang="bash">
icmpv6 id 12343
icmpv6 id != 11-343
icmpv6 id { 1111, 222, 343 }
</source>
|-
| ''sequence <value>''
| ICMPv6 packet sequence
|<source lang="bash">
icmpv6 sequence 12343
icmpv6 sequence != 11-343
icmpv6 sequence { 1111, 222, 343 }
</source>
|-
| ''mtu <value>''
| ICMPv6 packet mtu
|<source lang="bash">
icmpv6 mtu 12343
icmpv6 mtu != 11-343
icmpv6 mtu { 1111, 222, 343 }
</source>
|-
| ''max-delay <value>''
| ICMPv6 packet max delay
|<source lang="bash">
icmpv6 max-delay 33-45
icmpv6 max-delay != 33-45
icmpv6 max-delay {33, 55, 67, 88}
</source>
|}

==== Ether ====

{| class="wikitable"
!colspan="6"|ether match
|-
| ''saddr <mac address>''
| Source mac address
|<source lang="bash">
ether saddr 00:0f:54:0c:11:04
</source>
|-
| ''type <type>''
|
|<source lang="bash">
ether type vlan
</source>
|}

==== Dst ====

{| class="wikitable"
!colspan="6"|dst match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
dst nexthdr 22
dst nexthdr != 33-45
</source>
|-
| ''hdrlength <length>''
| Header Length
|<source lang="bash">
dst hdrlength 22
dst hdrlength != 33-45
dst hdrlength { 33, 55, 67, 88 }
</source>
|}

==== Frag ====

{| class="wikitable"
!colspan="6"|frag match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}
frag nexthdr 6
frag nexthdr != 50-51
</source>
|-
| ''reserved <value>''
|
|<source lang="bash">
frag reserved 22
frag reserved != 33-45
frag reserved { 33, 55, 67, 88}
</source>
|-
| ''frag-off <value>''
|
|<source lang="bash">
frag frag-off 22
frag frag-off != 33-45
frag frag-off { 33, 55, 67, 88}
</source>
|-
| ''more-fragments <value>''
|
|<source lang="bash">
frag more-fragments 0
frag more-fragments 0
</source>
|-
| ''id <value>''
|
|<source lang="bash">
frag id 1
frag id 33-45
</source>
|}

==== Hbh ====

{| class="wikitable"
!colspan="6"|hbh match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}
hbh nexthdr 22
hbh nexthdr != 33-45
</source>
|-
| ''hdrlength <length>''
| Header Length
|<source lang="bash">
hbh hdrlength 22
hbh hdrlength != 33-45
hbh hdrlength { 33, 55, 67, 88 }
</source>
|}

==== Mh ====

{| class="wikitable"
!colspan="6"|mh match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
mh nexthdr 22
mh nexthdr != 33-45
</source>
|-
| ''hdrlength <length>''
| Header Length
|<source lang="bash">
mh hdrlength 22
mh hdrlength != 33-45
mh hdrlength { 33, 55, 67, 88 }
</source>
|-
| ''type <type>''
|
|<source lang="bash">
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
mh type home-agent-switch-message
mh type != home-agent-switch-message
</source>
|-
| ''reserved <value>''
|
|<source lang="bash">
mh reserved 22
mh reserved != 33-45
mh reserved { 33, 55, 67, 88}
</source>
|-
| ''checksum <value>''
|
|<source lang="bash">
mh checksum 22
mh checksum != 33-45
mh checksum { 33, 55, 67, 88}
</source>
|}

==== Rt ====

{| class="wikitable"
!colspan="6"|rt match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
rt nexthdr 22
rt nexthdr != 33-45
</source>
|-
| ''hdrlength <length>''
| Header Length
|<source lang="bash">
rt hdrlength 22
rt hdrlength != 33-45
rt hdrlength { 33, 55, 67, 88 }
</source>
|-
| ''type <type>''
|
|<source lang="bash">
rt type 22
rt type != 33-45
rt type { 33, 55, 67, 88 }
</source>
|-
| ''seg-left <value>''
|
|<source lang="bash">
rt seg-left 22
rt seg-left != 33-45
rt seg-left { 33, 55, 67, 88}
</source>
|}

==== Vlan ====

{| class="wikitable"
!colspan="6"|vlan match
|-
| ''id <value>''
| Vlan tag ID
|<source lang="bash">
vlan id 4094
vlan id 0
</source>
|-
| ''cfi <value>''
|
|<source lang="bash">
vlan cfi 0
vlan cfi 1
</source>
|-
| ''pcp <value>''
|
|<source lang="bash">
vlan pcp 7
vlan pcp 3
</source>
|}

==== Arp ====

{| class="wikitable"
!colspan="6"|arp match
|-
| ''ptype <value>''
| Payload type
|<source lang="bash">
arp ptype 0x0800
</source>
|-
| ''htype <value>''
| Header type
|<source lang="bash">
arp htype 1
arp htype != 33-45
arp htype { 33, 55, 67, 88}
</source>
|-
| ''hlen <length>''
| Header Length
|<source lang="bash">
arp hlen 1
arp hlen != 33-45
arp hlen { 33, 55, 67, 88}
</source>
|-
| ''plen <length>''
| Payload length
|<source lang="bash">
arp plen 1
arp plen != 33-45
arp plen { 33, 55, 67, 88}
</source>
|-
| ''operation <value>''
|
|<source lang="bash">
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
</source>
|}

==== Ct ====

{| class="wikitable"
!colspan="6"|ct match
|-
| ''state <state>''
| State of the connection
|<source lang="bash">
ct state { new, established, related, untracked }
ct state != related
ct state established
ct state 8
</source>
|-
| ''direction <value>''
| Direction of the packet relative to the connection
|<source lang="bash">
ct direction original
ct direction != original
ct direction {reply, original}
</source>
|-
| ''status <status>''
| Status of the connection
|<source lang="bash">
ct status expected
ct status != expected
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}
</source>
|-
| ''mark [set] <mark>''
| Mark of the connection
|<source lang="bash">
ct mark 0
ct mark or 0x23 == 0x11
ct mark or 0x3 != 0x1
ct mark and 0x23 == 0x11
ct mark and 0x3 != 0x1
ct mark xor 0x23 == 0x11
ct mark xor 0x3 != 0x1
ct mark 0x00000032
ct mark != 0x00000032
ct mark 0x00000032-0x00000045
ct mark != 0x00000032-0x00000045
ct mark {0x32, 0x2222, 0x42de3}
ct mark {0x32-0x2222, 0x4444-0x42de3}
ct mark set 0x11 xor 0x1331
ct mark set 0x11333 and 0x11
ct mark set 0x12 or 0x11
ct mark set 0x11
ct mark set mark
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }
</source>
|-
| ''expiration <time>''
| Connection expiration time
|<source lang="bash">
ct expiration 30
ct expiration 30s
ct expiration != 233
ct expiration != 3m53s
ct expiration 33-45
ct expiration 33s-45s
ct expiration != 33-45
ct expiration != 33s-45s
ct expiration {33, 55, 67, 88}
ct expiration { 1m7s, 33s, 55s, 1m28s}
</source>
|-
| ''helper "<helper>"''
| Helper associated with the connection
|<source lang="bash">
ct helper "ftp"
</source>
|-
| | ''[original | reply] bytes <value>''
|
|<source lang="bash">
ct original bytes > 100000
ct bytes > 100000
</source>
|-
| | ''[original | reply] packets <value>''
|
|<source lang="bash">
ct reply packets < 100
</source>
|-
| | ''[original | reply] saddr <ip source address>''
|
|<source lang="bash">
ct original saddr 192.168.0.1
ct reply saddr 192.168.0.1
ct original saddr 192.168.1.0/24
ct reply saddr 192.168.1.0/24
</source>
|-
| | ''[original | reply] daddr <ip destination address>''
|
|<source lang="bash">
ct original daddr 192.168.0.1
ct reply daddr 192.168.0.1
ct original daddr 192.168.1.0/24
ct reply daddr 192.168.1.0/24
</source>
|-
| | ''[original | reply] l3proto <protocol>''
|
|<source lang="bash">
ct original l3proto ipv4
</source>
|-
| | ''[original | reply] protocol <protocol>''
|
|<source lang="bash">
ct original protocol 6
</source>
|-
| | ''[original | reply] proto-dst <port>''
|
|<source lang="bash">
ct original proto-dst 22
</source>
|-
| | ''[original | reply] proto-src <port>''
|
|<source lang="bash">
ct reply proto-src 53
</source>
|}

==== Meta ====

[[Matching packet metainformation|''meta'']] matches packet by metainformation.

{| class="wikitable"
!colspan="6"|meta match
|-
| ''iifname <input interface name>''
| Input interface name
|<source lang="bash">
meta iifname "eth0"
meta iifname != "eth0"
meta iifname {"eth0", "lo"}
meta iifname "eth*"
</source>
|-
| ''oifname <output interface name>''
| Output interface name
|<source lang="bash">
meta oifname "eth0"
meta oifname != "eth0"
meta oifname {"eth0", "lo"}
meta oifname "eth*"
</source>
|-
| ''iif <input interface index>''
| Input interface index
|<source lang="bash">
meta iif eth0
meta iif != eth0
</source>
|-
| ''oif <output interface index>''
| Output interface index
|<source lang="bash">
meta oif lo
meta oif != lo
meta oif {eth0, lo}
</source>
|-
| ''iiftype <input interface type>''
| Input interface type
|<source lang="bash">
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
meta iiftype != ether
meta iiftype ether
</source>
|-
| ''oiftype <output interface type>''
| Output interface hardware type
|<source lang="bash">
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
meta oiftype != ether
meta oiftype ether
</source>
|-
| ''length <length>''
| Length of the packet in bytes
|<source lang="bash">
meta length 1000
meta length != 1000
meta length > 1000
meta length 33-45
meta length != 33-45
meta length { 33, 55, 67, 88 }
meta length { 33-55, 67-88 }
</source>
|-
| ''protocol <protocol>''
| ethertype protocol
|<source lang="bash">
meta protocol ip
meta protocol != ip
meta protocol { ip, arp, ip6, vlan }
</source>
|-
| ''nfproto <protocol>''
|
|<source lang="bash">
meta nfproto ipv4
meta nfproto != ipv6
meta nfproto { ipv4, ipv6 }
</source>
|-
| ''l4proto <protocol>''
|
|<source lang="bash">
meta l4proto 22
meta l4proto != 233
meta l4proto 33-45
meta l4proto { 33, 55, 67, 88 }
meta l4proto { 33-55 }
</source>
|-
| ''mark [set] <mark>''
| Packet mark
|<source lang="bash">
meta mark 0x4
meta mark 0x00000032
meta mark and 0x03 == 0x01
meta mark and 0x03 != 0x01
meta mark != 0x10
meta mark or 0x03 == 0x01
meta mark or 0x03 != 0x01
meta mark xor 0x03 == 0x01
meta mark xor 0x03 != 0x01
meta mark set 0xffffffc8 xor 0x16
meta mark set 0x16 and 0x16
meta mark set 0xffffffe9 or 0x16
meta mark set 0xffffffde and 0x16
meta mark set 0x32 or 0xfffff
meta mark set 0xfffe xor 0x16
</source>
|-
| ''priority [set] <priority>''
| tc class id
|<source lang="bash">
meta priority none
meta priority 0x1:0x1
meta priority 0x1:0xffff
meta priority 0xffff:0xffff
meta priority set 0x1:0x1
meta priority set 0x1:0xffff
meta priority set 0xffff:0xffff
</source>
|-
| ''skuid <user id>''
| UID associated with originating socket
|<source lang="bash">
meta skuid {bin, root, daemon}
meta skuid root
meta skuid != root
meta skuid lt 3000
meta skuid gt 3000
meta skuid eq 3000
meta skuid 3001-3005
meta skuid != 2001-2005
meta skuid { 2001-2005 }
</source>
|-
| ''skgid <group id>''
| GID associated with originating socket
|<source lang="bash">
meta skgid {bin, root, daemon}
meta skgid root
meta skgid != root
meta skgid lt 3000
meta skgid gt 3000
meta skgid eq 3000
meta skgid 3001-3005
meta skgid != 2001-2005
meta skgid { 2001-2005 }
</source>
|-
| ''rtclassid <class>''
| Routing realm
|<source lang="bash">
meta rtclassid cosmos
</source>
|-
| ''pkttype <type>''
| Packet type
|<source lang="bash">
meta pkttype broadcast
meta pkttype != broadcast
meta pkttype { broadcast, unicast, multicast}
</source>
|-
| ''cpu <cpu index>''
| CPU ID
|<source lang="bash">
meta cpu 1
meta cpu != 1
meta cpu 1-3
meta cpu != 1-2
meta cpu { 2,3 }
meta cpu { 2-3, 5-7 }
</source>
|-
| ''iifgroup <input group>''
| Input interface group
|<source lang="bash">
meta iifgroup 0
meta iifgroup != 0
meta iifgroup default
meta iifgroup != default
meta iifgroup {default}
meta iifgroup { 11,33 }
meta iifgroup {11-33}
</source>
|-
| ''oifgroup <group>''
| Output interface group
|<source lang="bash">
meta oifgroup 0
meta oifgroup != 0
meta oifgroup default
meta oifgroup != default
meta oifgroup {default}
meta oifgroup { 11,33 }
meta oifgroup {11-33}
</source>
|-
| ''cgroup <group>''
|
|<source lang="bash">
meta cgroup 1048577
meta cgroup != 1048577
meta cgroup { 1048577, 1048578 }
meta cgroup 1048577-1048578
meta cgroup != 1048577-1048578
meta cgroup {1048577-1048578}
</source>
|}

=== Statements ===

'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.

==== Verdict statements ====

The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:

* ''accept'': Accept the packet and stop the remain rules evaluation.
* ''drop'': Drop the packet and stop the remain rules evaluation.
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.
* ''continue'': Continue the ruleset evaluation with the next rule.
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement

==== Log ====

{| class="wikitable"
!colspan="6"|log statement
|-
| ''level [over] <value> <unit> [burst <value> <unit>]''
| Log level
|<source lang="bash">
log
log level emerg
log level alert
log level crit
log level err
log level warn
log level notice
log level info
log level debug
</source>
|-
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''
|
|<source lang="bash">
log prefix aaaaa-aaaaaa group 2 snaplen 33
log group 2 queue-threshold 2
log group 2 snaplen 33
</source>
|}

==== Reject ====

The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.

More information on the [[Rejecting_traffic]] page.

{| class="wikitable"
!colspan="6"|reject statement
|-
| ''with <protocol> type <type>''
|
|<source lang="bash">
reject
reject with icmp type host-unreachable
reject with icmp type net-unreachable
reject with icmp type prot-unreachable
reject with icmp type port-unreachable
reject with icmp type net-prohibited
reject with icmp type host-prohibited
reject with icmp type admin-prohibited
reject with icmpv6 type no-route
reject with icmpv6 type admin-prohibited
reject with icmpv6 type addr-unreachable
reject with icmpv6 type port-unreachable
reject with icmpx type host-unreachable
reject with icmpx type no-route
reject with icmpx type admin-prohibited
reject with icmpx type port-unreachable
ip protocol tcp reject with tcp reset
</source>
|}

==== Counter ====

{| class="wikitable"
!colspan="6"|counter statement
|-
| ''packets <packets> bytes <bytes>''
|
|<source lang="bash">
counter
counter packets 0 bytes 0
</source>
|}

==== Limit ====

{| class="wikitable"
!colspan="6"|limit statement
|-
| ''rate [over] <value> <unit> [burst <value> <unit>]''
| Rate limit
|<source lang="bash">
limit rate 400/minute
limit rate 400/hour
limit rate over 40/day
limit rate over 400/week
limit rate over 1023/second burst 10 packets
limit rate 1025 kbytes/second
limit rate 1023000 mbytes/second
limit rate 1025 bytes/second burst 512 bytes
limit rate 1025 kbytes/second burst 1023 kbytes
limit rate 1025 mbytes/second burst 1025 kbytes
limit rate 1025000 mbytes/second burst 1023 mbytes
</source>
|}

==== Nat ====

{| class="wikitable"
!colspan="6"|nat statement
|-
| ''dnat <destination address>''
| Destination address translation
|<source lang="bash">
dnat 192.168.3.2
dnat ct mark map { 0x00000014 : 1.2.3.4}
</source>
|-
| ''snat <ip source address>''
| Source address translation
|<source lang="bash">
snat 192.168.3.2
snat 2001:838:35f:1::-2001:838:35f:2:::100
</source>
|-
| ''masquerade [<type>] [to :<port>]''
| Masquerade
|<source lang="bash">
masquerade
masquerade persistent,fully-random,random
masquerade to :1024
masquerade to :1024-2048
</source>
|}

==== Queue ====

{| class="wikitable"
!colspan="6"|queue statement
|-
| ''num <value> <scheduler>''
|
|<source lang="bash">
queue
queue num 2
queue num 2-3
queue num 4-5 fanout bypass
queue num 4-5 fanout
queue num 4-5 bypass
</source>
|}

== Extras ==

=== Export Configuration ===

<source lang="bash">
% nft export (xml | json)
</source>

=== Monitor Events ===

Monitor events from Netlink creating filters.

<source lang="bash">
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]
</source>

= Nft scripting =

== List ruleset ==

<source lang="bash">
% nft list ruleset
</source>

== Flush ruleset ==

<source lang="bash">
% nft flush ruleset
</source>

== Load ruleset ==

Create a command batch file and load it with the nft interpreter,

<source lang="bash">
% echo "flush ruleset" > /etc/nftables.rules
% echo "add table filter" >> /etc/nftables.rules
% echo "add chain filter input" >> /etc/nftables.rules
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules
% nft -f /etc/nftables.rules
</source>

or create an executable nft script file,

<source lang="bash">
% cat << EOF > /etc/nftables.rules
> #!/usr/local/sbin/nft -f
> flush ruleset
> add table filter
> add chain filter input
> add rule filter input meta iifname lo accept
> EOF
% chmod u+x /etc/nftables.rules
% /etc/nftables.rules
</source>

or create an executable nft script file from an already created ruleset,

<source lang="bash">
% nft list ruleset > /etc/nftables.rules
% nft flush ruleset
% nft -f /etc/nftables.rules
</source>

= Examples =

== Simple IP/IPv6 Firewall ==

<source lang="bash">
flush ruleset

table firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# loopback interface
iifname lo accept

# icmp
icmp type echo-request accept

# open tcp ports: sshd (22), httpd (80)
tcp dport {ssh, http} accept
}
}

table ip6 firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# invalid connections
ct state invalid drop

# loopback interface
iifname lo accept

# icmp
# routers may also want: mld-listener-query, nd-router-solicit
icmpv6 type {echo-request,nd-neighbor-solicit} accept

# open tcp ports: sshd (22), httpd (80)
tcp dport {ssh, http} accept
}
}
</source>

Rejecting traffic

2020-05-22T09:59:24Z

Nevola: fix typo, include default option and improve formatting

'''Note''': Full reject support is available since Linux kernel 3.18.

The following rule shows how to reject any traffic from the network:

<source lang="bash">
% nft add rule filter input reject
</source>

If you don't specify any reason, an ICMP/ICMPv6 port unreachable packet is sent to the origin.

You can narrow down this through the [[matching connection tracking stateful metainformation|ct]] selector, so this only rejects traffic coming to the local machine which was '''not''' originated from us.

<source lang="bash">
% nft add rule filter input ct state new reject
</source>

You can also specify the reject reason. For example:

<source lang="bash">
% nft add rule filter input reject with icmp type host-unreachable
</source>

For ICMP, you can use the following reject reasons:

* '''net-unreachable''': Destination network unreachable
* '''host-unreachable''': Destination host unreachable
* '''prot-unreachable''': Destination protocol unreachable
* '''port-unreachable''': Destination port unreachable (this is the default)
* '''net-prohibited''': Network administratively prohibited
* '''host-prohibited''': Host administratively prohibited
* '''admin-prohibited''': Communication administratively prohibited

You can also reject IPv6 traffic indicating the reject reason, for example:

<source lang="bash">
% nft add rule ip6 filter input reject with icmpv6 type no-route
</source>

For ICMPv6, you can use the following reasons:

* '''no-route''': No route to destination.
* '''admin-prohibited''': Communication with destination administratively prohibited
* '''addr-unreachable''': Address unreachable
* '''port-unreachable''': Port unreachable

From the inet family, you can use an abstraction, the so-called ''icmpx'', to reject the IPv4 and IPv6 traffic
using one single rule. For example:

<source lang="bash">
% nft add rule inet filter input reject with icmpx type no-route
</source>

This rule rejects IPv4 traffic with the reason "net unreachable" and the IPv6 traffic with the reason "no route". The mapping is shown in the following table:

{| border="1"
|'''ICMPX REASON'''
|'''ICMPv6'''
|'''ICMPv4'''
|-
|admin-prohibited
|admin-prohibited
|admin-prohibited
|-
|port-unreachable
|port-unreachable
|port-unreachable
|-
|no-route
|no-route
|net-unreachable
|-
|host-unreachable
|addr-unreachable
|host-unreachable
|}

Quick reference-nftables in 10 minutes

2020-05-22T09:50:42Z

Nevola: /* Reject */

Find below some basic concepts to know before using nftables.

'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.

'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].

'''rule''' refers to an action to be configured within a ''chain''.

= nft command line =

''nft'' is the command line tool in order to interact with nftables at userspace.

== Tables ==

'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''.

<source lang="bash">
% nft list tables [<family>]
% nft list table [<family>] <name> [-n] [-a]
% nft (add | delete | flush) table [<family>] <name>
</source>

The argument ''-n'' shows the addresses and other information that uses names in numeric format. The ''-a'' argument is used to display the ''handle''.

== Chains ==

'''type''' refers to the kind of chain to be created. Possible types are:

* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.

'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].

* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.
* The hooks for ''arp'' family are: '' input'', ''output''.
* The ''bridge'' family handles ethernet packets traversing bridge devices.
* The hook for ''netdev'' is: ''ingress''.

'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.

'''policy''' is the default verdict statement to control the flow in the chain. Possible values are: ''accept'', ''drop'', ''queue'', ''continue'', ''return''.

<source lang="bash">
% nft (add | create) chain [<family>] <table> <name> [ { type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] } ]
% nft (delete | list | flush) chain [<family>] <table> <name>
% nft rename chain [<family>] <table> <name> <newname>
</source>

== Rules ==

'''handle''' is an internal number that identifies a certain ''rule''.

'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.

<source lang="bash">
% nft add rule [<family>] <table> <chain> <matches> <statements>
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements>
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements>
% nft delete rule [<family>] <table> <chain> [handle <handle>]
</source>

=== Matches ===

'''matches''' are clues used to access to certain packet information and create filters according to them.

==== Ip ====

{| class="wikitable"
!colspan="6"|ip match
|-
| | ''dscp <value>''
|
|<source lang="bash">
ip dscp cs1
ip dscp != cs1
ip dscp 0x38
ip dscp != 0x20
ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21,
af22, af23, af31, af32, af33, af41, af42, af43, ef}
</source>
|-
| ''length <length>''
| Total packet length
|<source lang="bash">
ip length 232
ip length != 233
ip length 333-435
ip length != 333-453
ip length { 333, 553, 673, 838}
</source>
|-
| ''id <id>''
| IP ID
|<source lang="bash">
ip id 22
ip id != 233
ip id 33-45
ip id != 33-45
ip id { 33, 55, 67, 88 }
</source>
|-
| ''frag-off <value>''
| Fragmentation offset
|<source lang="bash">
ip frag-off 222
ip frag-off != 233
ip frag-off 33-45
ip frag-off != 33-45
ip frag-off { 33, 55, 67, 88 }
</source>
|-
| ''ttl <ttl>''
| Time to live
|<source lang="bash">
ip ttl 0
ip ttl 233
ip ttl 33-55
ip ttl != 45-50
ip ttl { 43, 53, 45 }
ip ttl { 33-55 }
</source>
|-
| ''protocol <protocol>''
| Upper layer protocol
|<source lang="bash">
ip protocol tcp
ip protocol 6
ip protocol != tcp
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }
</source>
|-
| ''checksum <checksum>''
| IP header checksum
|<source lang="bash">
ip checksum 13172
ip checksum 22
ip checksum != 233
ip checksum 33-45
ip checksum != 33-45
ip checksum { 33, 55, 67, 88 }
ip checksum { 33-55 }
</source>
|-
| ''saddr <ip source address>''
| Source address
|<source lang="bash">
ip saddr 192.168.2.0/24
ip saddr != 192.168.2.0/24
ip saddr 192.168.3.1 ip daddr 192.168.3.100
ip saddr != 1.1.1.1
ip saddr 1.1.1.1
ip saddr & 0xff == 1
ip saddr & 0.0.0.255 < 0.0.0.127
</source>
|-
| ''daddr <ip destination address>''
| Destination address
|<source lang="bash">
ip daddr 192.168.0.1
ip daddr != 192.168.0.1
ip daddr 192.168.0.1-192.168.0.250
ip daddr 10.0.0.0-10.255.255.255
ip daddr 172.16.0.0-172.31.255.255
ip daddr 192.168.3.1-192.168.4.250
ip daddr != 192.168.0.1-192.168.0.250
ip daddr { 192.168.0.1-192.168.0.250 }
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }
</source>
|-
| ''version <version>''
| Ip Header version
|<source lang="bash">
ip version 4
</source>
|-
| ''hdrlength <header length>''
| IP header length
|<source lang="bash">
ip hdrlength 0
ip hdrlength 15
</source>
|}

==== Ip6 ====

{| class="wikitable"
!colspan="6"|ip6 match
|-
| ''dscp <value>''
|
|<source lang="bash">
ip6 dscp cs1
ip6 dscp != cs1
ip6 dscp 0x38
ip6 dscp != 0x20
ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
</source>
|-
| ''flowlabel <label>''
| Flow label
|<source lang="bash">
ip6 flowlabel 22
ip6 flowlabel != 233
ip6 flowlabel { 33, 55, 67, 88 }
ip6 flowlabel { 33-55 }
</source>
|-
| ''length <length>''
| Payload length
|<source lang="bash">
ip6 length 232
ip6 length != 233
ip6 length 333-435
ip6 length != 333-453
ip6 length { 333, 553, 673, 838}
</source>
|-
| ''nexthdr <header>''
| Next header type (Upper layer protocol number)
|<source lang="bash">
ip6 nexthdr {esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6}
ip6 nexthdr esp
ip6 nexthdr != esp
ip6 nexthdr { 33-44 }
ip6 nexthdr 33-44
ip6 nexthdr != 33-44
</source>
|-
| ''hoplimit <hoplimit>''
| Hop limit
|<source lang="bash">
ip6 hoplimit 1
ip6 hoplimit != 233
ip6 hoplimit 33-45
ip6 hoplimit != 33-45
ip6 hoplimit {33, 55, 67, 88}
ip6 hoplimit {33-55}
</source>
|-
| ''saddr <ip source address>''
| Source Address
|<source lang="bash">
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234
ip6 saddr ::/64
ip6 saddr ::1 ip6 daddr ::2
</source>
|-
| ''daddr <ip destination address>''
| Destination Address
|<source lang="bash">
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234
</source>
|-
| ''version <version>''
| IP header version
|<source lang="bash">
ip6 version 6
</source>
|}

==== Tcp ====

{| class="wikitable"
!colspan="6"|tcp match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
tcp dport 22
tcp dport != 33-45
tcp dport { 33-55 }
tcp dport {telnet, http, https }
tcp dport vmap { 22 : accept, 23 : drop }
tcp dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
tcp sport 22
tcp sport != 33-45
tcp sport { 33, 55, 67, 88}
tcp sport { 33-55}
tcp sport vmap { 25:accept, 28:drop }
tcp sport 1024 tcp dport 22
</source>
|-
| ''sequence <value>''
| Sequence number
|<source lang="bash">
tcp sequence 22
tcp sequence != 33-45
</source>
|-
| ''ackseq <value>''
| Acknowledgement number
|<source lang="bash">
tcp ackseq 22
tcp ackseq != 33-45
tcp ackseq { 33, 55, 67, 88 }
tcp ackseq { 33-55 }
</source>
|-
| ''flags <flags>''
| TCP flags
|<source lang="bash">
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr}
tcp flags cwr
tcp flags != cwr
</source>
|-
| ''window <value>''
| Window
|<source lang="bash">
tcp window 22
tcp window != 33-45
tcp window { 33, 55, 67, 88 }
tcp window { 33-55 }
</source>
|-
| ''checksum <checksum>''
| IP header checksum
|<source lang="bash">
tcp checksum 22
tcp checksum != 33-45
tcp checksum { 33, 55, 67, 88 }
tcp checksum { 33-55 }
</source>
|-
| ''urgptr <pointer>''
| Urgent pointer
|<source lang="bash">
tcp urgptr 22
tcp urgptr != 33-45
tcp urgptr { 33, 55, 67, 88 }
</source>
|-
| ''doff <offset>''
| Data offset
|<source lang="bash">
tcp doff 8
</source>
|}

==== Udp ====

{| class="wikitable"
!colspan="6"|udp match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
udp dport 22
udp dport != 33-45
udp dport { 33-55 }
udp dport {telnet, http, https }
udp dport vmap { 22 : accept, 23 : drop }
udp dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
udp sport 22
udp sport != 33-45
udp sport { 33, 55, 67, 88}
udp sport { 33-55}
udp sport vmap { 25:accept, 28:drop }
udp sport 1024 tcp dport 22
</source>
|-
| ''length <length>''
| Total packet length
|<source lang="bash">
udp length 6666
udp length != 50-65
udp length { 50, 65 }
udp length { 35-50 }
</source>
|-
| ''checksum <checksum>''
| UDP checksum
|<source lang="bash">
udp checksum 22
udp checksum != 33-45
udp checksum { 33, 55, 67, 88 }
udp checksum { 33-55 }
</source>
|}

==== Udplite ====

{| class="wikitable"
!colspan="6"|udplite match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
udplite dport 22
udplite dport != 33-45
udplite dport { 33-55 }
udplite dport {telnet, http, https }
udplite dport vmap { 22 : accept, 23 : drop }
udplite dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
udplite sport 22
udplite sport != 33-45
udplite sport { 33, 55, 67, 88}
udplite sport { 33-55}
udplite sport vmap { 25:accept, 28:drop }
udplite sport 1024 tcp dport 22
</source>
|-
| ''checksum <checksum>''
| Checksum
|<source lang="bash">
udplite checksum 22
udplite checksum != 33-45
udplite checksum { 33, 55, 67, 88 }
udplite checksum { 33-55 }
</source>
|}

==== Sctp ====

{| class="wikitable"
!colspan="6"|sctp match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
sctp dport 22
sctp dport != 33-45
sctp dport { 33-55 }
sctp dport {telnet, http, https }
sctp dport vmap { 22 : accept, 23 : drop }
sctp dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
sctp sport 22
sctp sport != 33-45
sctp sport { 33, 55, 67, 88}
sctp sport { 33-55}
sctp sport vmap { 25:accept, 28:drop }
sctp sport 1024 tcp dport 22
</source>
|-
| ''checksum <checksum>''
| Checksum
|<source lang="bash">
sctp checksum 22
sctp checksum != 33-45
sctp checksum { 33, 55, 67, 88 }
sctp checksum { 33-55 }
</source>
|-
| ''vtag <tag>''
| Verification tag
|<source lang="bash">
sctp vtag 22
sctp vtag != 33-45
sctp vtag { 33, 55, 67, 88 }
sctp vtag { 33-55 }
</source>
|}

==== Dccp ====

{| class="wikitable"
!colspan="6"|dccp match
|-
| ''dport <destination port>''
| Destination port
|<source lang="bash">
dccp dport 22
dccp dport != 33-45
dccp dport { 33-55 }
dccp dport {telnet, http, https }
dccp dport vmap { 22 : accept, 23 : drop }
dccp dport vmap { 25:accept, 28:drop }
</source>
|-
| ''sport < source port>''
| Source port
|<source lang="bash">
dccp sport 22
dccp sport != 33-45
dccp sport { 33, 55, 67, 88}
dccp sport { 33-55}
dccp sport vmap { 25:accept, 28:drop }
dccp sport 1024 tcp dport 22
</source>
|-
| ''type <type>''
| Type of packet
|<source lang="bash">
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
dccp type request
dccp type != request
</source>
|}

==== Ah ====

{| class="wikitable"
!colspan="6"|ah match
|-
| ''hdrlength <length>''
| AH header length
|<source lang="bash">
ah hdrlength 11-23
ah hdrlength != 11-23
ah hdrlength {11, 23, 44 }
</source>
|-
| ''reserved <value>''
|
|<source lang="bash">
ah reserved 22
ah reserved != 33-45
ah reserved {23, 100 }
ah reserved { 33-55 }
</source>
|-
| ''spi <value>''
|
|<source lang="bash">
ah spi 111
ah spi != 111-222
ah spi {111, 122 }
</source>
|-
| ''sequence <sequence>''
| Sequence Number
|<source lang="bash">
ah sequence 123
ah sequence {23, 25, 33}
ah sequence != 23-33
</source>
|}

==== Esp ====

{| class="wikitable"
!colspan="6"|esp match
|-
| ''spi <value>''
|
|<source lang="bash">
esp spi 111
esp spi != 111-222
esp spi {111, 122 }
</source>
|-
| ''sequence <sequence>''
| Sequence Number
|<source lang="bash">
esp sequence 123
esp sequence {23, 25, 33}
esp sequence != 23-33
</source>
|}

==== Comp ====

{| class="wikitable"
!colspan="6"|comp match
|-
| ''nexthdr <protocol>''
| Next header protocol (Upper layer protocol)
|<source lang="bash">
comp nexthdr != esp
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}
</source>
|-
| ''flags <flags>''
| Flags
|<source lang="bash">
comp flags 0x0
comp flags != 0x33-0x45
comp flags {0x33, 0x55, 0x67, 0x88}
</source>
|-
| ''cpi <value>''
| Compression Parameter Index
|<source lang="bash">
comp cpi 22
comp cpi != 33-45
comp cpi {33, 55, 67, 88}
</source>
|}

==== Icmp ====

{| class="wikitable"
!colspan="6"|icmp match
|-
| ''type <type>''
| ICMP packet type
|<source lang="bash">
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}
</source>
|-
| ''code <code>''
| ICMP packet code
|<source lang="bash">
icmp code 111
icmp code != 33-55
icmp code { 2, 4, 54, 33, 56}
</source>
|-
| ''checksum <value>''
| ICMP packet checksum
|<source lang="bash">
icmp checksum 12343
icmp checksum != 11-343
icmp checksum { 1111, 222, 343 }
</source>
|-
| ''id <value>''
| ICMP packet id
|<source lang="bash">
icmp id 12343
icmp id != 11-343
icmp id { 1111, 222, 343 }
</source>
|-
| ''sequence <value>''
| ICMP packet sequence
|<source lang="bash">
icmp sequence 12343
icmp sequence != 11-343
icmp sequence { 1111, 222, 343 }
</source>
|-
| ''mtu <value>''
| ICMP packet mtu
|<source lang="bash">
icmp mtu 12343
icmp mtu != 11-343
icmp mtu { 1111, 222, 343 }
</source>
|-
| ''gateway <value>''
| ICMP packet gateway
|<source lang="bash">
icmp gateway 12343
icmp gateway != 11-343
icmp gateway { 1111, 222, 343 }
</source>
|}

==== Icmpv6 ====

{| class="wikitable"
!colspan="6"|icmpv6 match
|-
| ''type <type>''
| ICMPv6 packet type
|<source lang="bash">
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering}
</source>
|-
| ''code <code>''
| ICMPv6 packet code
|<source lang="bash">
icmpv6 code 4
icmpv6 code 3-66
icmpv6 code {5, 6, 7}
</source>
|-
| ''checksum <value>''
| ICMPv6 packet checksum
|<source lang="bash">
icmpv6 checksum 12343
icmpv6 checksum != 11-343
icmpv6 checksum { 1111, 222, 343 }
</source>
|-
| ''id <value>''
| ICMPv6 packet id
|<source lang="bash">
icmpv6 id 12343
icmpv6 id != 11-343
icmpv6 id { 1111, 222, 343 }
</source>
|-
| ''sequence <value>''
| ICMPv6 packet sequence
|<source lang="bash">
icmpv6 sequence 12343
icmpv6 sequence != 11-343
icmpv6 sequence { 1111, 222, 343 }
</source>
|-
| ''mtu <value>''
| ICMPv6 packet mtu
|<source lang="bash">
icmpv6 mtu 12343
icmpv6 mtu != 11-343
icmpv6 mtu { 1111, 222, 343 }
</source>
|-
| ''max-delay <value>''
| ICMPv6 packet max delay
|<source lang="bash">
icmpv6 max-delay 33-45
icmpv6 max-delay != 33-45
icmpv6 max-delay {33, 55, 67, 88}
</source>
|}

==== Ether ====

{| class="wikitable"
!colspan="6"|ether match
|-
| ''saddr <mac address>''
| Source mac address
|<source lang="bash">
ether saddr 00:0f:54:0c:11:04
</source>
|-
| ''type <type>''
|
|<source lang="bash">
ether type vlan
</source>
|}

==== Dst ====

{| class="wikitable"
!colspan="6"|dst match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
dst nexthdr 22
dst nexthdr != 33-45
</source>
|-
| ''hdrlength <length>''
| Header Length
|<source lang="bash">
dst hdrlength 22
dst hdrlength != 33-45
dst hdrlength { 33, 55, 67, 88 }
</source>
|}

==== Frag ====

{| class="wikitable"
!colspan="6"|frag match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}
frag nexthdr 6
frag nexthdr != 50-51
</source>
|-
| ''reserved <value>''
|
|<source lang="bash">
frag reserved 22
frag reserved != 33-45
frag reserved { 33, 55, 67, 88}
</source>
|-
| ''frag-off <value>''
|
|<source lang="bash">
frag frag-off 22
frag frag-off != 33-45
frag frag-off { 33, 55, 67, 88}
</source>
|-
| ''more-fragments <value>''
|
|<source lang="bash">
frag more-fragments 0
frag more-fragments 0
</source>
|-
| ''id <value>''
|
|<source lang="bash">
frag id 1
frag id 33-45
</source>
|}

==== Hbh ====

{| class="wikitable"
!colspan="6"|hbh match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}
hbh nexthdr 22
hbh nexthdr != 33-45
</source>
|-
| ''hdrlength <length>''
| Header Length
|<source lang="bash">
hbh hdrlength 22
hbh hdrlength != 33-45
hbh hdrlength { 33, 55, 67, 88 }
</source>
|}

==== Mh ====

{| class="wikitable"
!colspan="6"|mh match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
mh nexthdr 22
mh nexthdr != 33-45
</source>
|-
| ''hdrlength <length>''
| Header Length
|<source lang="bash">
mh hdrlength 22
mh hdrlength != 33-45
mh hdrlength { 33, 55, 67, 88 }
</source>
|-
| ''type <type>''
|
|<source lang="bash">
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
mh type home-agent-switch-message
mh type != home-agent-switch-message
</source>
|-
| ''reserved <value>''
|
|<source lang="bash">
mh reserved 22
mh reserved != 33-45
mh reserved { 33, 55, 67, 88}
</source>
|-
| ''checksum <value>''
|
|<source lang="bash">
mh checksum 22
mh checksum != 33-45
mh checksum { 33, 55, 67, 88}
</source>
|}

==== Rt ====

{| class="wikitable"
!colspan="6"|rt match
|-
| ''nexthdr <proto>''
| Next protocol header
|<source lang="bash">
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
rt nexthdr 22
rt nexthdr != 33-45
</source>
|-
| ''hdrlength <length>''
| Header Length
|<source lang="bash">
rt hdrlength 22
rt hdrlength != 33-45
rt hdrlength { 33, 55, 67, 88 }
</source>
|-
| ''type <type>''
|
|<source lang="bash">
rt type 22
rt type != 33-45
rt type { 33, 55, 67, 88 }
</source>
|-
| ''seg-left <value>''
|
|<source lang="bash">
rt seg-left 22
rt seg-left != 33-45
rt seg-left { 33, 55, 67, 88}
</source>
|}

==== Vlan ====

{| class="wikitable"
!colspan="6"|vlan match
|-
| ''id <value>''
| Vlan tag ID
|<source lang="bash">
vlan id 4094
vlan id 0
</source>
|-
| ''cfi <value>''
|
|<source lang="bash">
vlan cfi 0
vlan cfi 1
</source>
|-
| ''pcp <value>''
|
|<source lang="bash">
vlan pcp 7
vlan pcp 3
</source>
|}

==== Arp ====

{| class="wikitable"
!colspan="6"|arp match
|-
| ''ptype <value>''
| Payload type
|<source lang="bash">
arp ptype 0x0800
</source>
|-
| ''htype <value>''
| Header type
|<source lang="bash">
arp htype 1
arp htype != 33-45
arp htype { 33, 55, 67, 88}
</source>
|-
| ''hlen <length>''
| Header Length
|<source lang="bash">
arp hlen 1
arp hlen != 33-45
arp hlen { 33, 55, 67, 88}
</source>
|-
| ''plen <length>''
| Payload length
|<source lang="bash">
arp plen 1
arp plen != 33-45
arp plen { 33, 55, 67, 88}
</source>
|-
| ''operation <value>''
|
|<source lang="bash">
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
</source>
|}

==== Ct ====

{| class="wikitable"
!colspan="6"|ct match
|-
| ''state <state>''
| State of the connection
|<source lang="bash">
ct state { new, established, related, untracked }
ct state != related
ct state established
ct state 8
</source>
|-
| ''direction <value>''
| Direction of the packet relative to the connection
|<source lang="bash">
ct direction original
ct direction != original
ct direction {reply, original}
</source>
|-
| ''status <status>''
| Status of the connection
|<source lang="bash">
ct status expected
ct status != expected
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}
</source>
|-
| ''mark [set] <mark>''
| Mark of the connection
|<source lang="bash">
ct mark 0
ct mark or 0x23 == 0x11
ct mark or 0x3 != 0x1
ct mark and 0x23 == 0x11
ct mark and 0x3 != 0x1
ct mark xor 0x23 == 0x11
ct mark xor 0x3 != 0x1
ct mark 0x00000032
ct mark != 0x00000032
ct mark 0x00000032-0x00000045
ct mark != 0x00000032-0x00000045
ct mark {0x32, 0x2222, 0x42de3}
ct mark {0x32-0x2222, 0x4444-0x42de3}
ct mark set 0x11 xor 0x1331
ct mark set 0x11333 and 0x11
ct mark set 0x12 or 0x11
ct mark set 0x11
ct mark set mark
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }
</source>
|-
| ''expiration <time>''
| Connection expiration time
|<source lang="bash">
ct expiration 30
ct expiration 30s
ct expiration != 233
ct expiration != 3m53s
ct expiration 33-45
ct expiration 33s-45s
ct expiration != 33-45
ct expiration != 33s-45s
ct expiration {33, 55, 67, 88}
ct expiration { 1m7s, 33s, 55s, 1m28s}
</source>
|-
| ''helper "<helper>"''
| Helper associated with the connection
|<source lang="bash">
ct helper "ftp"
</source>
|-
| | ''[original | reply] bytes <value>''
|
|<source lang="bash">
ct original bytes > 100000
ct bytes > 100000
</source>
|-
| | ''[original | reply] packets <value>''
|
|<source lang="bash">
ct reply packets < 100
</source>
|-
| | ''[original | reply] saddr <ip source address>''
|
|<source lang="bash">
ct original saddr 192.168.0.1
ct reply saddr 192.168.0.1
ct original saddr 192.168.1.0/24
ct reply saddr 192.168.1.0/24
</source>
|-
| | ''[original | reply] daddr <ip destination address>''
|
|<source lang="bash">
ct original daddr 192.168.0.1
ct reply daddr 192.168.0.1
ct original daddr 192.168.1.0/24
ct reply daddr 192.168.1.0/24
</source>
|-
| | ''[original | reply] l3proto <protocol>''
|
|<source lang="bash">
ct original l3proto ipv4
</source>
|-
| | ''[original | reply] protocol <protocol>''
|
|<source lang="bash">
ct original protocol 6
</source>
|-
| | ''[original | reply] proto-dst <port>''
|
|<source lang="bash">
ct original proto-dst 22
</source>
|-
| | ''[original | reply] proto-src <port>''
|
|<source lang="bash">
ct reply proto-src 53
</source>
|}

==== Meta ====

[[Matching packet metainformation|''meta'']] matches packet by metainformation.

{| class="wikitable"
!colspan="6"|meta match
|-
| ''iifname <input interface name>''
| Input interface name
|<source lang="bash">
meta iifname "eth0"
meta iifname != "eth0"
meta iifname {"eth0", "lo"}
meta iifname "eth*"
</source>
|-
| ''oifname <output interface name>''
| Output interface name
|<source lang="bash">
meta oifname "eth0"
meta oifname != "eth0"
meta oifname {"eth0", "lo"}
meta oifname "eth*"
</source>
|-
| ''iif <input interface index>''
| Input interface index
|<source lang="bash">
meta iif eth0
meta iif != eth0
</source>
|-
| ''oif <output interface index>''
| Output interface index
|<source lang="bash">
meta oif lo
meta oif != lo
meta oif {eth0, lo}
</source>
|-
| ''iiftype <input interface type>''
| Input interface type
|<source lang="bash">
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
meta iiftype != ether
meta iiftype ether
</source>
|-
| ''oiftype <output interface type>''
| Output interface hardware type
|<source lang="bash">
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
meta oiftype != ether
meta oiftype ether
</source>
|-
| ''length <length>''
| Length of the packet in bytes
|<source lang="bash">
meta length 1000
meta length != 1000
meta length > 1000
meta length 33-45
meta length != 33-45
meta length { 33, 55, 67, 88 }
meta length { 33-55, 67-88 }
</source>
|-
| ''protocol <protocol>''
| ethertype protocol
|<source lang="bash">
meta protocol ip
meta protocol != ip
meta protocol { ip, arp, ip6, vlan }
</source>
|-
| ''nfproto <protocol>''
|
|<source lang="bash">
meta nfproto ipv4
meta nfproto != ipv6
meta nfproto { ipv4, ipv6 }
</source>
|-
| ''l4proto <protocol>''
|
|<source lang="bash">
meta l4proto 22
meta l4proto != 233
meta l4proto 33-45
meta l4proto { 33, 55, 67, 88 }
meta l4proto { 33-55 }
</source>
|-
| ''mark [set] <mark>''
| Packet mark
|<source lang="bash">
meta mark 0x4
meta mark 0x00000032
meta mark and 0x03 == 0x01
meta mark and 0x03 != 0x01
meta mark != 0x10
meta mark or 0x03 == 0x01
meta mark or 0x03 != 0x01
meta mark xor 0x03 == 0x01
meta mark xor 0x03 != 0x01
meta mark set 0xffffffc8 xor 0x16
meta mark set 0x16 and 0x16
meta mark set 0xffffffe9 or 0x16
meta mark set 0xffffffde and 0x16
meta mark set 0x32 or 0xfffff
meta mark set 0xfffe xor 0x16
</source>
|-
| ''priority [set] <priority>''
| tc class id
|<source lang="bash">
meta priority none
meta priority 0x1:0x1
meta priority 0x1:0xffff
meta priority 0xffff:0xffff
meta priority set 0x1:0x1
meta priority set 0x1:0xffff
meta priority set 0xffff:0xffff
</source>
|-
| ''skuid <user id>''
| UID associated with originating socket
|<source lang="bash">
meta skuid {bin, root, daemon}
meta skuid root
meta skuid != root
meta skuid lt 3000
meta skuid gt 3000
meta skuid eq 3000
meta skuid 3001-3005
meta skuid != 2001-2005
meta skuid { 2001-2005 }
</source>
|-
| ''skgid <group id>''
| GID associated with originating socket
|<source lang="bash">
meta skgid {bin, root, daemon}
meta skgid root
meta skgid != root
meta skgid lt 3000
meta skgid gt 3000
meta skgid eq 3000
meta skgid 3001-3005
meta skgid != 2001-2005
meta skgid { 2001-2005 }
</source>
|-
| ''rtclassid <class>''
| Routing realm
|<source lang="bash">
meta rtclassid cosmos
</source>
|-
| ''pkttype <type>''
| Packet type
|<source lang="bash">
meta pkttype broadcast
meta pkttype != broadcast
meta pkttype { broadcast, unicast, multicast}
</source>
|-
| ''cpu <cpu index>''
| CPU ID
|<source lang="bash">
meta cpu 1
meta cpu != 1
meta cpu 1-3
meta cpu != 1-2
meta cpu { 2,3 }
meta cpu { 2-3, 5-7 }
</source>
|-
| ''iifgroup <input group>''
| Input interface group
|<source lang="bash">
meta iifgroup 0
meta iifgroup != 0
meta iifgroup default
meta iifgroup != default
meta iifgroup {default}
meta iifgroup { 11,33 }
meta iifgroup {11-33}
</source>
|-
| ''oifgroup <group>''
| Output interface group
|<source lang="bash">
meta oifgroup 0
meta oifgroup != 0
meta oifgroup default
meta oifgroup != default
meta oifgroup {default}
meta oifgroup { 11,33 }
meta oifgroup {11-33}
</source>
|-
| ''cgroup <group>''
|
|<source lang="bash">
meta cgroup 1048577
meta cgroup != 1048577
meta cgroup { 1048577, 1048578 }
meta cgroup 1048577-1048578
meta cgroup != 1048577-1048578
meta cgroup {1048577-1048578}
</source>
|}

=== Statements ===

'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.

==== Verdict statements ====

The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:

* ''accept'': Accept the packet and stop the remain rules evaluation.
* ''drop'': Drop the packet and stop the remain rules evaluation.
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.
* ''continue'': Continue the ruleset evaluation with the next rule.
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement

==== Log ====

{| class="wikitable"
!colspan="6"|log statement
|-
| ''level [over] <value> <unit> [burst <value> <unit>]''
| Log level
|<source lang="bash">
log
log level emerg
log level alert
log level crit
log level err
log level warn
log level notice
log level info
log level debug
</source>
|-
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''
|
|<source lang="bash">
log prefix aaaaa-aaaaaa group 2 snaplen 33
log group 2 queue-threshold 2
log group 2 snaplen 33
</source>
|}

==== Reject ====

The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.

{| class="wikitable"
!colspan="6"|reject statement
|-
| ''with <protocol> type <type>''
|
|<source lang="bash">
reject
reject with icmp type host-unreachable
reject with icmp type net-unreachable
reject with icmp type prot-unreachable
reject with icmp type port-unreachable
reject with icmp type net-prohibited
reject with icmp type host-prohibited
reject with icmp type admin-prohibited
reject with icmpv6 type no-route
reject with icmpv6 type admin-prohibited
reject with icmpv6 type addr-unreachable
reject with icmpv6 type port-unreachable
reject with icmpx type host-unreachable
reject with icmpx type no-route
reject with icmpx type admin-prohibited
reject with icmpx type port-unreachable
ip protocol tcp reject with tcp reset
</source>
|}

==== Counter ====

{| class="wikitable"
!colspan="6"|counter statement
|-
| ''packets <packets> bytes <bytes>''
|
|<source lang="bash">
counter
counter packets 0 bytes 0
</source>
|}

==== Limit ====

{| class="wikitable"
!colspan="6"|limit statement
|-
| ''rate [over] <value> <unit> [burst <value> <unit>]''
| Rate limit
|<source lang="bash">
limit rate 400/minute
limit rate 400/hour
limit rate over 40/day
limit rate over 400/week
limit rate over 1023/second burst 10 packets
limit rate 1025 kbytes/second
limit rate 1023000 mbytes/second
limit rate 1025 bytes/second burst 512 bytes
limit rate 1025 kbytes/second burst 1023 kbytes
limit rate 1025 mbytes/second burst 1025 kbytes
limit rate 1025000 mbytes/second burst 1023 mbytes
</source>
|}

==== Nat ====

{| class="wikitable"
!colspan="6"|nat statement
|-
| ''dnat <destination address>''
| Destination address translation
|<source lang="bash">
dnat 192.168.3.2
dnat ct mark map { 0x00000014 : 1.2.3.4}
</source>
|-
| ''snat <ip source address>''
| Source address translation
|<source lang="bash">
snat 192.168.3.2
snat 2001:838:35f:1::-2001:838:35f:2:::100
</source>
|-
| ''masquerade [<type>] [to :<port>]''
| Masquerade
|<source lang="bash">
masquerade
masquerade persistent,fully-random,random
masquerade to :1024
masquerade to :1024-2048
</source>
|}

==== Queue ====

{| class="wikitable"
!colspan="6"|queue statement
|-
| ''num <value> <scheduler>''
|
|<source lang="bash">
queue
queue num 2
queue num 2-3
queue num 4-5 fanout bypass
queue num 4-5 fanout
queue num 4-5 bypass
</source>
|}

== Extras ==

=== Export Configuration ===

<source lang="bash">
% nft export (xml | json)
</source>

=== Monitor Events ===

Monitor events from Netlink creating filters.

<source lang="bash">
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]
</source>

= Nft scripting =

== List ruleset ==

<source lang="bash">
% nft list ruleset
</source>

== Flush ruleset ==

<source lang="bash">
% nft flush ruleset
</source>

== Load ruleset ==

Create a command batch file and load it with the nft interpreter,

<source lang="bash">
% echo "flush ruleset" > /etc/nftables.rules
% echo "add table filter" >> /etc/nftables.rules
% echo "add chain filter input" >> /etc/nftables.rules
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules
% nft -f /etc/nftables.rules
</source>

or create an executable nft script file,

<source lang="bash">
% cat << EOF > /etc/nftables.rules
> #!/usr/local/sbin/nft -f
> flush ruleset
> add table filter
> add chain filter input
> add rule filter input meta iifname lo accept
> EOF
% chmod u+x /etc/nftables.rules
% /etc/nftables.rules
</source>

or create an executable nft script file from an already created ruleset,

<source lang="bash">
% nft list ruleset > /etc/nftables.rules
% nft flush ruleset
% nft -f /etc/nftables.rules
</source>

= Examples =

== Simple IP/IPv6 Firewall ==

<source lang="bash">
flush ruleset

table firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# loopback interface
iifname lo accept

# icmp
icmp type echo-request accept

# open tcp ports: sshd (22), httpd (80)
tcp dport {ssh, http} accept
}
}

table ip6 firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# invalid connections
ct state invalid drop

# loopback interface
iifname lo accept

# icmp
# routers may also want: mld-listener-query, nd-router-solicit
icmpv6 type {echo-request,nd-neighbor-solicit} accept

# open tcp ports: sshd (22), httpd (80)
tcp dport {ssh, http} accept
}
}
</source>

Element timeouts

2020-04-06T08:06:29Z

Nevola: complete description of timeout and expires in a set

The '''set''' infrastructure support establishing timeouts. A given timed '''set element''' has 2 attributes:

* '''timeout''': This time value, in seconds (10s), in minutes (12m), in hours (2h) or combination of all of them (2h12m10s), does not change and will be used to reset the '''expires''' value when required.
* '''expires''': This value is a countdown time counter which starts with the '''timeout''' value, and could be reset from the packet path or the element will be deleted when it reaches the 0 value.

Example, with per-element timeout:

<source lang="bash">
% nft add table inet myfilter
% nft add set inet myfilter myset {type ipv4_addr\; flags timeout\; }
% nft add element inet myfilter myset {10.0.0.1 timeout 10s }
% nft list ruleset
table inet myfilter {
set myset {
type ipv4_addr
flags timeout
elements = { 10.0.0.1 timeout 10s expires 8s}
}
}
</source>

'''timeout''' and '''expires''' parameters cannot be modified in this case. The element should be recreated again if you need to reset them.

<source lang="bash">
% nft delete element inet myfilter myset { 10.0.0.1 }
% nft add element inet myfilter myset { 10.0.0.1 timeout 7s expires 5s }
</source>

In order to be able to reset it from packet path among other things you can use this feature by [[Updating sets from the packet path]].

Element timeouts

2020-04-05T17:52:38Z

Nevola:

The '''set''' infrastructure support establishing timeouts. A given '''set element''' which is given a '''timeout''' will be deleted from the '''set''' after the timeout expires.

Example, with per-element timeout:

<source lang="bash">
% nft add table inet myfilter
% nft add set inet myfilter myset {type ipv4_addr\; flags timeout\; }
% nft add element inet myfilter myset {10.0.0.1 timeout 10s }
% nft list ruleset
table inet myfilter {
set myset {
type ipv4_addr
flags timeout
elements = { 10.0.0.1 timeout 10s expires 8s}
}
}
</source>

'''timeout''' and '''expires''' parameters cannot be modified in this case. The element should be recreated again if you need to reset them. In order to be able to reset it from packet path among other things you can use this feature by [[Updating sets from the packet path]].

Meters

2019-08-06T14:09:05Z

Nevola: /* Doing connlimit with nft */ fix small typo

== Meters ==

Meters used to be known as ''flow tables'' before nft v0.8.1 and Linux kernel 4.3, and are a way to use maps with stateful objects.

Among other things, they provide a native replacement for the ''hashlimit'' match in iptables. However, meters are a lot more flexible since you can use any selector, one or many through [[concatenations]].

'''Note that the ''meter'' keyword is obsolete, the dynamic set and map syntax is now preferred for consistency.'''

== Using meters ==

The following commands create a table named ''my_filter_table'', a chain named ''my_input_chain'' which hooks incoming traffic and a rule that uses a meter:

<source lang="bash">
% nft add table my_filter_table
% nft add chain my_filter_table my_input_chain {type filter hook input priority 0\;}
% nft add set my_filter_table my_ssh_meter { type ipv4_addr\; flags dynamic \;}
% nft add rule my_filter_table my_input_chain tcp dport 22 ct state new add @my_ssh_meter { ip saddr limit rate 10/second } accept
</source>

In this example we create a rule to match ''new'' TCP ''ssh'' (port 22) connections, which uses a dynamic set named ''my_ssh_meter'' to limit the traffic rate to 10 connections per second for each source IP address. The available time units on limits are: ''second'', ''minute'', ''hour'', ''day'' and ''week''.

You can also use [[concatenations]] to build selectors:

<source lang="bash">
% nft add set my_filter_table my_ssh_meter { type ipv4_addr . inet_service\; flags timeout, dynamic \;}
% nft add rule my_filter_table my_input_chain tcp dport 22 ct state new add @my_ssh_meter { ip saddr . tcp dport timeout 60s limit rate 10/second } accept
</source>

This rule counts incoming connections (packets with state ''new'') based on the tuple ''(IP source address, TCP destination port)'', the counters are dropped after 60 seconds without update.

== Listing meters ==

To list the content matched by the meter use:

<source lang="bash">
% nft list map my_filter_table my_ssh_meter
table ip my_filter_table {
map my_ssh_meter {
type ipv4_addr . inet_service
size 65535
flags dynamic,timeout
elements = { 64.62.190.36 . 55000 expires 38s : counter packets 2 bytes 220, 83.98.201.47 . 35460 expires 39s : counter packets 10 bytes 5988, 172.217.7.142 . 43254 expires 46s : counter packets 1 bytes 98}
}
}
</source>

== Doing connlimit with nft ==

Since 4.18, there is a new ''ct count'' selector that allows you to count the number of existing connections. This extension uses the information available in the Connection Tracking System table, therefore, the counting of connection is based on the existing entries in the table.

The following example shows how to do ''connlimit'' from nftables:

table ip my_filter_table {
set my_connlimit {
type ipv4_addr
size 65535
flags dynamic
}

chain my_output_chain {
type filter hook output priority filter; policy accept;
ct state new add @my_connlimit { ip daddr ct count over 20 } counter packets 0 bytes 0 drop
}
}

The example above dynamically populates the set ''connlimit'' from the packet path. For the first packet of each connection (ie. packets matching ''ct state new''), this adds an entry into ''connlimit'' set, this entry uses the IPv4 destination address as a key. If the number of connections goes over 20, then packets are dropped.

Since ''connlimit'' is a set, you can perform any operation on it, such as listing and flushing its content.

== Doing iptables hashlimit with nft ==

Meters replace iptables hashlimit in nft. From iptables v1.6.2 onward, you can use the tool '''iptables-translate''' to see how to translate hashlimit rules.

Almost all hashlimit options are available in nft, starting with --hashlimit-mode, it is replaced by the selector in a meter. All modes are available except no mode, a meter demands a selector, an iptables rule without hashlimit-mode isn't supported in nft. A simple rule translation is:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200/sec --hashlimit-mode srcip,dstport --hashlimit-name http1 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http1 { tcp dport . ip saddr limit rate over 200/second } counter drop
</source>

Notice that a meter is named, like hashlimit, and using multiple hashlimit-modes is similar to using a concatenation of selectors. Also, --hashlimit-above is translated to ''limit rate over'', to simulate --hashlimit-upto just omit or replace ''over'' with ''until'' in the rule.

The options --hashlimit-burst and --hashlimit-htable-expire are translated to ''burst'' and ''timeout'' in a meter:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes} counter drop
</source>

This rule shows how ''timeout'' and ''burst'' are used in a meter, also notice that meters, similarly to hashlimit, accepts limiting rates by bytes frequency instead of packets.

Another hashlimit option is to limit the traffic rate on subnets, of IP source or destination addresses, using the options --hashlimit-srcmask and --hashlimit-dstmask. This feature is available in nft by attaching a subnet mask to a meter selector, attach to ''ip saddr'' for source address and to ''ip daddr'' for destination adress:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-upto 200 --hashlimit-mode srcip --hashlimit-name http3 --hashlimit-srcmask 24 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http3 { ip saddr and 255.255.255.0 limit rate 200/second } counter drop
</source>

This rule will limit packets rate, grouping subnets determined by the first 24 bits of the IP source address, from the incoming packets on port 80.

The remaining options, --hashlimit-htable-max, --hashlimit-htable-size and --hashlimit-htable-gcinterval don't apply to meters.

Meters

2019-08-06T14:07:44Z

Nevola: /* Doing connlimit with nft */ use "my"

== Meters ==

Meters used to be known as ''flow tables'' before nft v0.8.1 and Linux kernel 4.3, and are a way to use maps with stateful objects.

Among other things, they provide a native replacement for the ''hashlimit'' match in iptables. However, meters are a lot more flexible since you can use any selector, one or many through [[concatenations]].

'''Note that the ''meter'' keyword is obsolete, the dynamic set and map syntax is now preferred for consistency.'''

== Using meters ==

The following commands create a table named ''my_filter_table'', a chain named ''my_input_chain'' which hooks incoming traffic and a rule that uses a meter:

<source lang="bash">
% nft add table my_filter_table
% nft add chain my_filter_table my_input_chain {type filter hook input priority 0\;}
% nft add set my_filter_table my_ssh_meter { type ipv4_addr\; flags dynamic \;}
% nft add rule my_filter_table my_input_chain tcp dport 22 ct state new add @my_ssh_meter { ip saddr limit rate 10/second } accept
</source>

In this example we create a rule to match ''new'' TCP ''ssh'' (port 22) connections, which uses a dynamic set named ''my_ssh_meter'' to limit the traffic rate to 10 connections per second for each source IP address. The available time units on limits are: ''second'', ''minute'', ''hour'', ''day'' and ''week''.

You can also use [[concatenations]] to build selectors:

<source lang="bash">
% nft add set my_filter_table my_ssh_meter { type ipv4_addr . inet_service\; flags timeout, dynamic \;}
% nft add rule my_filter_table my_input_chain tcp dport 22 ct state new add @my_ssh_meter { ip saddr . tcp dport timeout 60s limit rate 10/second } accept
</source>

This rule counts incoming connections (packets with state ''new'') based on the tuple ''(IP source address, TCP destination port)'', the counters are dropped after 60 seconds without update.

== Listing meters ==

To list the content matched by the meter use:

<source lang="bash">
% nft list map my_filter_table my_ssh_meter
table ip my_filter_table {
map my_ssh_meter {
type ipv4_addr . inet_service
size 65535
flags dynamic,timeout
elements = { 64.62.190.36 . 55000 expires 38s : counter packets 2 bytes 220, 83.98.201.47 . 35460 expires 39s : counter packets 10 bytes 5988, 172.217.7.142 . 43254 expires 46s : counter packets 1 bytes 98}
}
}
</source>

== Doing connlimit with nft ==

Since 4.18, there is a new ''ct count'' selector that allows you to count the number of existing connections. This extension uses the information available in the Connection Tracking System table, therefore, the counting of connection is based on the existing entries in the table.

The following example shows how to do ''connlimit'' from nftables:

table ip my_filter_table {
set my_connlimit {
type ipv4_addr
size 65535
flags dynamic
}

chain my_output_chain {
type filter hook output priority filter; policy accept;
ct state new add @my_connlimit { ip daddr ct count over 20 } counter packets 0 bytes 0 drop
}
}

The example above dynamically populates the set ''connlimit'' from the packet path. For the first packet of each connection (ie. packets matching ''ct state new''), this adds an entry into ''connlimit'' set, this entry uses the IPv4 destination address as a key. If the number of connection goes over 20, then packets are dropped.

Since ''connlimit'' is a set, you can perform any operation on it, such as listing and flushing its content.

== Doing iptables hashlimit with nft ==

Meters replace iptables hashlimit in nft. From iptables v1.6.2 onward, you can use the tool '''iptables-translate''' to see how to translate hashlimit rules.

Almost all hashlimit options are available in nft, starting with --hashlimit-mode, it is replaced by the selector in a meter. All modes are available except no mode, a meter demands a selector, an iptables rule without hashlimit-mode isn't supported in nft. A simple rule translation is:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200/sec --hashlimit-mode srcip,dstport --hashlimit-name http1 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http1 { tcp dport . ip saddr limit rate over 200/second } counter drop
</source>

Notice that a meter is named, like hashlimit, and using multiple hashlimit-modes is similar to using a concatenation of selectors. Also, --hashlimit-above is translated to ''limit rate over'', to simulate --hashlimit-upto just omit or replace ''over'' with ''until'' in the rule.

The options --hashlimit-burst and --hashlimit-htable-expire are translated to ''burst'' and ''timeout'' in a meter:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes} counter drop
</source>

This rule shows how ''timeout'' and ''burst'' are used in a meter, also notice that meters, similarly to hashlimit, accepts limiting rates by bytes frequency instead of packets.

Another hashlimit option is to limit the traffic rate on subnets, of IP source or destination addresses, using the options --hashlimit-srcmask and --hashlimit-dstmask. This feature is available in nft by attaching a subnet mask to a meter selector, attach to ''ip saddr'' for source address and to ''ip daddr'' for destination adress:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-upto 200 --hashlimit-mode srcip --hashlimit-name http3 --hashlimit-srcmask 24 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http3 { ip saddr and 255.255.255.0 limit rate 200/second } counter drop
</source>

This rule will limit packets rate, grouping subnets determined by the first 24 bits of the IP source address, from the incoming packets on port 80.

The remaining options, --hashlimit-htable-max, --hashlimit-htable-size and --hashlimit-htable-gcinterval don't apply to meters.

Meters

2019-08-06T14:03:06Z

Nevola: /* Listing meters */ update with "my" and update new syntax

== Meters ==

Meters used to be known as ''flow tables'' before nft v0.8.1 and Linux kernel 4.3, and are a way to use maps with stateful objects.

Among other things, they provide a native replacement for the ''hashlimit'' match in iptables. However, meters are a lot more flexible since you can use any selector, one or many through [[concatenations]].

'''Note that the ''meter'' keyword is obsolete, the dynamic set and map syntax is now preferred for consistency.'''

== Using meters ==

The following commands create a table named ''my_filter_table'', a chain named ''my_input_chain'' which hooks incoming traffic and a rule that uses a meter:

<source lang="bash">
% nft add table my_filter_table
% nft add chain my_filter_table my_input_chain {type filter hook input priority 0\;}
% nft add set my_filter_table my_ssh_meter { type ipv4_addr\; flags dynamic \;}
% nft add rule my_filter_table my_input_chain tcp dport 22 ct state new add @my_ssh_meter { ip saddr limit rate 10/second } accept
</source>

In this example we create a rule to match ''new'' TCP ''ssh'' (port 22) connections, which uses a dynamic set named ''my_ssh_meter'' to limit the traffic rate to 10 connections per second for each source IP address. The available time units on limits are: ''second'', ''minute'', ''hour'', ''day'' and ''week''.

You can also use [[concatenations]] to build selectors:

<source lang="bash">
% nft add set my_filter_table my_ssh_meter { type ipv4_addr . inet_service\; flags timeout, dynamic \;}
% nft add rule my_filter_table my_input_chain tcp dport 22 ct state new add @my_ssh_meter { ip saddr . tcp dport timeout 60s limit rate 10/second } accept
</source>

This rule counts incoming connections (packets with state ''new'') based on the tuple ''(IP source address, TCP destination port)'', the counters are dropped after 60 seconds without update.

== Listing meters ==

To list the content matched by the meter use:

<source lang="bash">
% nft list map my_filter_table my_ssh_meter
table ip my_filter_table {
map my_ssh_meter {
type ipv4_addr . inet_service
size 65535
flags dynamic,timeout
elements = { 64.62.190.36 . 55000 expires 38s : counter packets 2 bytes 220, 83.98.201.47 . 35460 expires 39s : counter packets 10 bytes 5988, 172.217.7.142 . 43254 expires 46s : counter packets 1 bytes 98}
}
}
</source>

== Doing connlimit with nft ==

Since 4.18, there is a new ''ct count'' selector that allows you to count the number of existing connections. This extension uses the information available in the Connection Tracking System table, therefore, the counting of connection is based on the existing entries in the table.

The following example shows how to do ''connlimit'' from nftables:

table ip filter {
set connlimit {
type ipv4_addr
size 65535
flags dynamic
}

chain y {
type filter hook output priority filter; policy accept;
ct state new add @connlimit { ip daddr ct count over 20 } counter packets 0 bytes 0 drop
}
}

The example above dynamically populates the set ''connlimit'' from the packet path. For the first packet of each connection (ie. packets matching ''ct state new''), this adds an entry into ''connlimit'' set, this entry uses the IPv4 destination address as a key. If the number of connection goes over 20, then packets are dropped.

Since ''connlimit'' is a set, you can perform any operation on it, such as listing and flushing its content.

== Doing iptables hashlimit with nft ==

Meters replace iptables hashlimit in nft. From iptables v1.6.2 onward, you can use the tool '''iptables-translate''' to see how to translate hashlimit rules.

Almost all hashlimit options are available in nft, starting with --hashlimit-mode, it is replaced by the selector in a meter. All modes are available except no mode, a meter demands a selector, an iptables rule without hashlimit-mode isn't supported in nft. A simple rule translation is:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200/sec --hashlimit-mode srcip,dstport --hashlimit-name http1 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http1 { tcp dport . ip saddr limit rate over 200/second } counter drop
</source>

Notice that a meter is named, like hashlimit, and using multiple hashlimit-modes is similar to using a concatenation of selectors. Also, --hashlimit-above is translated to ''limit rate over'', to simulate --hashlimit-upto just omit or replace ''over'' with ''until'' in the rule.

The options --hashlimit-burst and --hashlimit-htable-expire are translated to ''burst'' and ''timeout'' in a meter:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes} counter drop
</source>

This rule shows how ''timeout'' and ''burst'' are used in a meter, also notice that meters, similarly to hashlimit, accepts limiting rates by bytes frequency instead of packets.

Another hashlimit option is to limit the traffic rate on subnets, of IP source or destination addresses, using the options --hashlimit-srcmask and --hashlimit-dstmask. This feature is available in nft by attaching a subnet mask to a meter selector, attach to ''ip saddr'' for source address and to ''ip daddr'' for destination adress:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-upto 200 --hashlimit-mode srcip --hashlimit-name http3 --hashlimit-srcmask 24 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http3 { ip saddr and 255.255.255.0 limit rate 200/second } counter drop
</source>

This rule will limit packets rate, grouping subnets determined by the first 24 bits of the IP source address, from the incoming packets on port 80.

The remaining options, --hashlimit-htable-max, --hashlimit-htable-size and --hashlimit-htable-gcinterval don't apply to meters.

Meters

2019-08-06T14:00:33Z

Nevola: /* Using meters */ use "my" and fix some incorrect syntax

== Meters ==

Meters used to be known as ''flow tables'' before nft v0.8.1 and Linux kernel 4.3, and are a way to use maps with stateful objects.

Among other things, they provide a native replacement for the ''hashlimit'' match in iptables. However, meters are a lot more flexible since you can use any selector, one or many through [[concatenations]].

'''Note that the ''meter'' keyword is obsolete, the dynamic set and map syntax is now preferred for consistency.'''

== Using meters ==

The following commands create a table named ''my_filter_table'', a chain named ''my_input_chain'' which hooks incoming traffic and a rule that uses a meter:

<source lang="bash">
% nft add table my_filter_table
% nft add chain my_filter_table my_input_chain {type filter hook input priority 0\;}
% nft add set my_filter_table my_ssh_meter { type ipv4_addr\; flags dynamic \;}
% nft add rule my_filter_table my_input_chain tcp dport 22 ct state new add @my_ssh_meter { ip saddr limit rate 10/second } accept
</source>

In this example we create a rule to match ''new'' TCP ''ssh'' (port 22) connections, which uses a dynamic set named ''my_ssh_meter'' to limit the traffic rate to 10 connections per second for each source IP address. The available time units on limits are: ''second'', ''minute'', ''hour'', ''day'' and ''week''.

You can also use [[concatenations]] to build selectors:

<source lang="bash">
% nft add set my_filter_table my_ssh_meter { type ipv4_addr . inet_service\; flags timeout, dynamic \;}
% nft add rule my_filter_table my_input_chain tcp dport 22 ct state new add @my_ssh_meter { ip saddr . tcp dport timeout 60s limit rate 10/second } accept
</source>

This rule counts incoming connections (packets with state ''new'') based on the tuple ''(IP source address, TCP destination port)'', the counters are dropped after 60 seconds without update.

== Listing meters ==

To list the content matched by the meter use:

<source lang="bash">
% nft list map filter ssh-meter
table ip filter {
map ssh-meter {
type iface_index . ipv4_addr . inet_service
flags timeout
elements = { "wlan1" . 64.62.190.36 . 55000 expires 38s : counter packets 2 bytes 220, "wlan1" . 83.98.201.47 . 35460 expires 39s : counter packets 10 bytes 5988, "wlan1" . 172.217.7.142 . 43254 expires 46s : counter packets 1 bytes 98}
}
}
</source>

== Doing connlimit with nft ==

Since 4.18, there is a new ''ct count'' selector that allows you to count the number of existing connections. This extension uses the information available in the Connection Tracking System table, therefore, the counting of connection is based on the existing entries in the table.

The following example shows how to do ''connlimit'' from nftables:

table ip filter {
set connlimit {
type ipv4_addr
size 65535
flags dynamic
}

chain y {
type filter hook output priority filter; policy accept;
ct state new add @connlimit { ip daddr ct count over 20 } counter packets 0 bytes 0 drop
}
}

The example above dynamically populates the set ''connlimit'' from the packet path. For the first packet of each connection (ie. packets matching ''ct state new''), this adds an entry into ''connlimit'' set, this entry uses the IPv4 destination address as a key. If the number of connection goes over 20, then packets are dropped.

Since ''connlimit'' is a set, you can perform any operation on it, such as listing and flushing its content.

== Doing iptables hashlimit with nft ==

Meters replace iptables hashlimit in nft. From iptables v1.6.2 onward, you can use the tool '''iptables-translate''' to see how to translate hashlimit rules.

Almost all hashlimit options are available in nft, starting with --hashlimit-mode, it is replaced by the selector in a meter. All modes are available except no mode, a meter demands a selector, an iptables rule without hashlimit-mode isn't supported in nft. A simple rule translation is:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200/sec --hashlimit-mode srcip,dstport --hashlimit-name http1 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http1 { tcp dport . ip saddr limit rate over 200/second } counter drop
</source>

Notice that a meter is named, like hashlimit, and using multiple hashlimit-modes is similar to using a concatenation of selectors. Also, --hashlimit-above is translated to ''limit rate over'', to simulate --hashlimit-upto just omit or replace ''over'' with ''until'' in the rule.

The options --hashlimit-burst and --hashlimit-htable-expire are translated to ''burst'' and ''timeout'' in a meter:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes} counter drop
</source>

This rule shows how ''timeout'' and ''burst'' are used in a meter, also notice that meters, similarly to hashlimit, accepts limiting rates by bytes frequency instead of packets.

Another hashlimit option is to limit the traffic rate on subnets, of IP source or destination addresses, using the options --hashlimit-srcmask and --hashlimit-dstmask. This feature is available in nft by attaching a subnet mask to a meter selector, attach to ''ip saddr'' for source address and to ''ip daddr'' for destination adress:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-upto 200 --hashlimit-mode srcip --hashlimit-name http3 --hashlimit-srcmask 24 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http3 { ip saddr and 255.255.255.0 limit rate 200/second } counter drop
</source>

This rule will limit packets rate, grouping subnets determined by the first 24 bits of the IP source address, from the incoming packets on port 80.

The remaining options, --hashlimit-htable-max, --hashlimit-htable-size and --hashlimit-htable-gcinterval don't apply to meters.

Meters

2019-08-06T13:21:55Z

Nevola: /* Meters */, make it more readable

== Meters ==

Meters used to be known as ''flow tables'' before nft v0.8.1 and Linux kernel 4.3, and are a way to use maps with stateful objects.

Among other things, they provide a native replacement for the ''hashlimit'' match in iptables. However, meters are a lot more flexible since you can use any selector, one or many through [[concatenations]].

'''Note that the ''meter'' keyword is obsolete, the dynamic set and map syntax is now preferred for consistency.'''

== Using meters ==

The following commands create a table named ''filter'', a chain named ''input'' which hooks incoming traffic and a rule that uses a meter:

<source lang="bash">
% nft add table filter
% nft add chain filter input {type filter hook input priority 0\;}
% nft add map filter ssh-meter { type ipv4_addr : limit; }
% nft add rule filter input tcp dport 22 ct state new update @ssh-meter { ip saddr limit rate 10/second } accept
</source>

In this example we create a rule to match ''new'' ''ssh'' (port 22) connections, which uses a meter named ''ssh-meter'' to limit the traffic rate to 10 packets per second for each source IP address. The available time units on limits are: ''second'', ''minute'', ''hour'', ''day'' and ''week''.

You can also use [[concatenations]] to build selectors:

<source lang="bash">
% nft add rule filter input tcp dport 22 ct state new update @ssh-meter { ip saddr . tcp dport timeout 60s limit rate 10/second } accept
</source>

This rule counts incoming packets based on the tuple ''(input interface index, IP source address, TCP destination port)'', the counters are dropped after 60 seconds without update.

== Listing meters ==

To list the content matched by the meter use:

<source lang="bash">
% nft list map filter ssh-meter
table ip filter {
map ssh-meter {
type iface_index . ipv4_addr . inet_service
flags timeout
elements = { "wlan1" . 64.62.190.36 . 55000 expires 38s : counter packets 2 bytes 220, "wlan1" . 83.98.201.47 . 35460 expires 39s : counter packets 10 bytes 5988, "wlan1" . 172.217.7.142 . 43254 expires 46s : counter packets 1 bytes 98}
}
}
</source>

== Doing connlimit with nft ==

Since 4.18, there is a new ''ct count'' selector that allows you to count the number of existing connections. This extension uses the information available in the Connection Tracking System table, therefore, the counting of connection is based on the existing entries in the table.

The following example shows how to do ''connlimit'' from nftables:

table ip filter {
set connlimit {
type ipv4_addr
size 65535
flags dynamic
}

chain y {
type filter hook output priority filter; policy accept;
ct state new add @connlimit { ip daddr ct count over 20 } counter packets 0 bytes 0 drop
}
}

The example above dynamically populates the set ''connlimit'' from the packet path. For the first packet of each connection (ie. packets matching ''ct state new''), this adds an entry into ''connlimit'' set, this entry uses the IPv4 destination address as a key. If the number of connection goes over 20, then packets are dropped.

Since ''connlimit'' is a set, you can perform any operation on it, such as listing and flushing its content.

== Doing iptables hashlimit with nft ==

Meters replace iptables hashlimit in nft. From iptables v1.6.2 onward, you can use the tool '''iptables-translate''' to see how to translate hashlimit rules.

Almost all hashlimit options are available in nft, starting with --hashlimit-mode, it is replaced by the selector in a meter. All modes are available except no mode, a meter demands a selector, an iptables rule without hashlimit-mode isn't supported in nft. A simple rule translation is:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200/sec --hashlimit-mode srcip,dstport --hashlimit-name http1 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http1 { tcp dport . ip saddr limit rate over 200/second } counter drop
</source>

Notice that a meter is named, like hashlimit, and using multiple hashlimit-modes is similar to using a concatenation of selectors. Also, --hashlimit-above is translated to ''limit rate over'', to simulate --hashlimit-upto just omit or replace ''over'' with ''until'' in the rule.

The options --hashlimit-burst and --hashlimit-htable-expire are translated to ''burst'' and ''timeout'' in a meter:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes} counter drop
</source>

This rule shows how ''timeout'' and ''burst'' are used in a meter, also notice that meters, similarly to hashlimit, accepts limiting rates by bytes frequency instead of packets.

Another hashlimit option is to limit the traffic rate on subnets, of IP source or destination addresses, using the options --hashlimit-srcmask and --hashlimit-dstmask. This feature is available in nft by attaching a subnet mask to a meter selector, attach to ''ip saddr'' for source address and to ''ip daddr'' for destination adress:

<source lang="bash">
$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-upto 200 --hashlimit-mode srcip --hashlimit-name http3 --hashlimit-srcmask 24 -j DROP
nft add rule ip filter INPUT tcp dport 80 meter http3 { ip saddr and 255.255.255.0 limit rate 200/second } counter drop
</source>

This rule will limit packets rate, grouping subnets determined by the first 24 bits of the IP source address, from the incoming packets on port 80.

The remaining options, --hashlimit-htable-max, --hashlimit-htable-size and --hashlimit-htable-gcinterval don't apply to meters.

Supported features compared to xtables

2018-08-19T17:03:06Z

Nevola: fix typo

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== time ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CONNSECMARK ====
* nft_ct
==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== SECMARK ====
* nft_meta_target
==== SET ====
* consider native interface
==== SYNPROXY ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== policy ====
* consider native interface. Refer to [[Configuring_chains#Base_chain_policy]].
==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14
==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, upcoming release (4.19)
==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2018-08-19T17:01:46Z

Nevola: remove authors, agreed with pablo.

Last update: Aug/2018

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== time ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CONNSECMARK ====
* nft_ct
==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interfac
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== SECMARK ====
* nft_meta_target
==== SET ====
* consider native interface
==== SYNPROXY ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16.
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18.
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18.
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== policy ====
* consider native interface. Refer to [[Configuring_chains#Base_chain_policy]].
==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14
==== udp ====
* nft_payload

=== targets: xt ===

==== AUDIT ====
* nft_log, since 4.18.
==== CLASSIFY ====
* nft_meta, since 3.14.
==== CONNMARK ====
* nft_ct
==== DSCP ====
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
==== NFLOG ====
* nft_log, since 3.17.
==== NFQUEUE ====
* nft_queue, since 3.14.
==== TEE ====
* nft_dup, since 4.3.
==== TPROXY ====
* nft_tproxy, upcoming release (4.19)
==== TRACE ====
* nft_meta, since 3.14.

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13.
==== LOG ====
* nft_log, since 3.17.
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18.
==== REDIRECT ====
* nft_redirect, since 3.19.

==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
==== SNAT ====
* nft_nat, since 3.13.

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2018-08-18T22:10:43Z

Nevola: link some documents referrals

Last update: 2016/Jan/11

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== time ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CONNSECMARK ====
* nft_ct
==== CT ====
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interfac
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== SECMARK ====
* nft_meta_target
==== SET ====
* consider native interface
==== SYNPROXY ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Routing_information]].
==== cgroup ====
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_header_fields#Matching_UDP.2FTCP_headers_in_the_same_rule]].
==== connbytes ====
* nft_ct, 4.5 kernel. Refer to [[Meters]].
==== connlabel ====
* nft_meta, since 3.16 (Florian Westphal).
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18 (Valentina Giusti/Ana Rey).
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18 (Ana Rey).
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== policy ====
* consider native interface. Refer to [[Configuring_chains#Base_chain_policy]].
==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14
==== udp ====
* nft_payload

=== targets: xt ===

==== CLASSIFY ====
* nft_meta, since 3.14 (Tomasz Bursztyka).
==== CONNMARK ====
==== MARK ====
* nft_meta, since 3.14 (Tomasz Bursztyka).
==== NFLOG ====
* nft_log, since 3.17 (Pablo Neira).
==== NFQUEUE ====
* nft_queue, since 3.14 (Eric Leblond). '''Bridge support still missing'''.
==== TEE ====
* nft_dup, since 4.3 (Pablo Neira)
==== TRACE ====
* nft_meta, since 3.14 (Tomasz Bursztyka).

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).
==== LOG ====
* nft_log, since 3.17 (Pablo Neira).
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18 (Arturo Borrero).
==== REDIRECT ====
* nft_redirect, since 3.19 (Arturo Borrero).

==== REJECT ====
* nft_reject_ipv4, since 3.13 (Patrick McHardy/Eric Leblond).
* nft_reject_inet, since 3.14 (Patrick McHardy).
* nft_reject_bridge, since 3.18 (Pablo Neira)
==== SNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).
==== LOG ====
* nft_log, since 3.17 (Pablo Neira).
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18 (Arturo Borrero).
==== REDIRECT ====
* nft_redirect, since 3.19 (Arturo Borrero).

==== REJECT ====
* nft_reject_ipv6, since 3.14 (Patrick McHardy/Eric Leblond)
* nft_reject_inet, since 3.14 (Patrick McHardy).
* nft_reject_bridge, since 3.18 (Pablo Neira)
==== SNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2018-08-18T21:37:45Z

Nevola: update some supported matches

Last update: 2016/Jan/11

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== rateest ====
* consider native interface
==== string ====
* consider native interface
==== time ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== AUDIT ====
* add nft_audit.
==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CONNSECMARK ====
* nft_meta.
==== CT ====
* nft_meta_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== DSCP ====
* add nft_mangle. Refer to [[Quick_reference-nftables_in_10_minutes#Ip]].
==== HL ====
* add nft_mangle. Refer to [[Quick_reference-nftables_in_10_minutes#Ip6]].
==== HMARK ====
* consider native interface
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== SECMARK ====
* nft_meta_target
==== SET ====
* consider native interface
==== SYNPROXY ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface
==== TPROXY ====
* consider native interface

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel
==== cgroup ====
* nft_meta.
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira).
==== connbytes ====
* nft_ct, 4.5 kernel
==== connlabel ====
* nft_meta, since 3.16 (Florian Westphal).
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18 (Valentina Giusti/Ana Rey).
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18 (Ana Rey).
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].
==== helper ====
* nft_ct.
==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]
==== socket ====
* consider native interface
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
==== policy ====
* consider native interface. Refer to [[Configuring_chains#Base_chain_policy]].
==== recent ====
* consider native interface. Refer to [[Sets]].
==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload
==== tcpmss ====
* nft_exthdr, since 4.14
==== udp ====
* nft_payload

=== targets: xt ===

==== CLASSIFY ====
* nft_meta, since 3.14 (Tomasz Bursztyka).
==== CONNMARK ====
==== MARK ====
* nft_meta, since 3.14 (Tomasz Bursztyka).
==== NFLOG ====
* nft_log, since 3.17 (Pablo Neira).
==== NFQUEUE ====
* nft_queue, since 3.14 (Eric Leblond). '''Bridge support still missing'''.
==== TEE ====
* nft_dup, since 4.3 (Pablo Neira)
==== TRACE ====
* nft_meta, since 3.14 (Tomasz Bursztyka).

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).
==== LOG ====
* nft_log, since 3.17 (Pablo Neira).
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18 (Arturo Borrero).
==== REDIRECT ====
* nft_redirect, since 3.19 (Arturo Borrero).

==== REJECT ====
* nft_reject_ipv4, since 3.13 (Patrick McHardy/Eric Leblond).
* nft_reject_inet, since 3.14 (Patrick McHardy).
* nft_reject_bridge, since 3.18 (Pablo Neira)
==== SNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).
==== LOG ====
* nft_log, since 3.17 (Pablo Neira).
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18 (Arturo Borrero).
==== REDIRECT ====
* nft_redirect, since 3.19 (Arturo Borrero).

==== REJECT ====
* nft_reject_ipv6, since 3.14 (Patrick McHardy/Eric Leblond)
* nft_reject_inet, since 3.14 (Patrick McHardy).
* nft_reject_bridge, since 3.18 (Pablo Neira)
==== SNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Supported features compared to xtables

2018-08-16T21:18:12Z

Nevola:

Last update: 2016/Jan/11

This page tracks the list of supported and unsupported extensions with comments and suggestions.

== Unsupported extensions ==

=== matches: xt ===

==== bpf ====
* consider native interface
==== cluster ====
* consider native interface
==== connlimit ====
* consider native interface. Refer to [[Meters]].
==== ipvs ====
* consider native interface. Refer to [[Load balancing]].
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== policy ====
* consider native interface. Refer to [[Configuring_chains#Base_chain_policy]].
==== rateest ====
* consider native interface
==== recent ====
* consider native interface. Refer to [[Sets]].
==== socket ====
* consider native interface
==== string ====
* consider native interface
==== time ====
* consider native interface
==== u32 ====
* raw expressions?

=== targets: xt ===

==== AUDIT ====
* add nft_audit.
==== CHECKSUM ====
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090

==== CONNSECMARK ====
* nft_meta.
==== CT ====
* nft_meta_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== DSCP ====
* add nft_mangle. Refer to [[Quick_reference-nftables_in_10_minutes#Ip]].
==== HL ====
* add nft_mangle. Refer to [[Quick_reference-nftables_in_10_minutes#Ip6]].
==== HMARK ====
* consider native interface
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== NETMAP ====
* nft_nat.
==== RATEEST ====
* consider native interface
==== SECMARK ====
* nft_meta_target
==== SET ====
* consider native interface
==== SYNPROXY ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface
==== TPROXY ====
* consider native interface

=== targets: ipv4 ===

==== TTL ====

=== targets: ipv6 ===

==== NPT ====
* consider native interface

=== targets: bridge ===

==== arpreply ====
* consider native interface

=== watchers: bridge ===

==== log ====
* nft_log

==== nflog ====
* nft_log

=== targets: arp ===

TODO

== Supported extensions ==

=== matches: xt ===

==== addrtype ====
* nft_fib, starting with 4.10 kernel
==== cgroup ====
* nft_meta.
[Awaits support for cgroup2]
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira).
==== connbytes ====
* nft_ct, 4.5 kernel
==== connlabel ====
* nft_meta, since 3.16 (Florian Westphal).
==== connmark ====
* nft_meta.
==== conntrack ====
* nft_ct.
==== cpu ====
* nft_meta, since 3.18 (Valentina Giusti/Ana Rey).
==== dccp ====
* nft_payload.
[Unsupported option : dccp-option]
==== devgroup ====
* nft_meta, since 3.18 (Ana Rey).
==== dscp ====
* nft_payload.
==== ecn ====
* nft_payload.
==== esp ====
* nft_payload.
==== hashlimit ====
* meter statement. Refer to [[Meters]].

==== helper ====
* nft_ct.

==== ipcomp ====
* nft_payload.
[Unsupported option : compres]
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== length ====
* nft_meta.
==== limit ====
* nft_limit. Refer to [[Stateful objects]].
==== mac ====
* nft_payload.
==== mark ====
* nft_meta.
==== multiport ====
* nft_payload.
[Unsupported option : ports]
==== owner ====
* nft_meta.
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
==== statistic ====
* nft_numgen
==== sctp ====
* nft_payload.
[Unsupported option: --chunk-types]

==== set ====
* Use native nf_tables set infrastructure.
==== state ====
* nft_ct
==== tcp ====
* nft_payload

==== tcpmss ====
* nft_exthdr, since 4.14

==== udp ====
* nft_payload

=== targets: xt ===

==== CLASSIFY ====
* nft_meta, since 3.14 (Tomasz Bursztyka).
==== CONNMARK ====
==== MARK ====
* nft_meta, since 3.14 (Tomasz Bursztyka).
==== NFLOG ====
* nft_log, since 3.17 (Pablo Neira).
==== NFQUEUE ====
* nft_queue, since 3.14 (Eric Leblond). '''Bridge support still missing'''.
==== TEE ====
* nft_dup, since 4.3 (Pablo Neira)
==== TRACE ====
* nft_meta, since 3.14 (Tomasz Bursztyka).

==== TCPMSS ====
* nft_exthdr, since 4.14

=== matches: ipv4 ===

==== ah ====
* nft_payload + nft_cmp
==== icmp ====
* nft_payload + nft_cmp.
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ttl ====

=== matches: ipv6 ===

==== rp_filter ====
* nft_fib, starting with 4.10 kernel
==== ah ====
* nft_payload + nft_cmp.
==== eui64 ====
* nft_payload + nft_cmp.
==== frag ====
* nft_exthdr + nft_cmp.
==== hbh ====
* nft_exthdr + nft_cmp.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
==== hl ====
* nft_payload.
==== icmp6 ====
* nft_payload + nft_cmp.
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
* nft_exthdr + nft_cmp.
==== mh ====
* nft_exthdr + nft_cmp.
[Needs bug fixation for option mh-type with range]
==== rt ====
* nft_exthdr + nft_cmp
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

=== targets: ipv4 ===
==== ECN ====
* nft_payload

==== DNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).
==== LOG ====
* nft_log, since 3.17 (Pablo Neira).
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18 (Arturo Borrero).
==== REDIRECT ====
* nft_redirect, since 3.19 (Arturo Borrero).

==== REJECT ====
* nft_reject_ipv4, since 3.13 (Patrick McHardy/Eric Leblond).
* nft_reject_inet, since 3.14 (Patrick McHardy).
* nft_reject_bridge, since 3.18 (Pablo Neira)
==== SNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).

=== targets: ipv6 ===
==== DNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).
==== LOG ====
* nft_log, since 3.17 (Pablo Neira).
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
* nft_masq, since 3.18 (Arturo Borrero).
==== REDIRECT ====
* nft_redirect, since 3.19 (Arturo Borrero).

==== REJECT ====
* nft_reject_ipv6, since 3.14 (Patrick McHardy/Eric Leblond)
* nft_reject_inet, since 3.14 (Patrick McHardy).
* nft_reject_bridge, since 3.18 (Pablo Neira)
==== SNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).

=== matches: bridge ===

==== 802.3 ====
* nft_payload

==== among ====
* sets

==== arp ====
* nft_payload

==== ip ====
* nft_payload

==== ip6 ====
* nft_payload

==== limit ====
* nft_limit

==== mark ====
* nft_mark

==== pkttype ====
* nft_meta

==== stp ====
* nft_payload

==== vlan ====
* nft_payload

=== targets: bridge ===

==== dnat ====
* nft_payload

==== snat ====
* nft_payload

==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)

==== mark ====
* nft_mark

== Deprecated extensions ==

=== matches ===

==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
* deprecated by dscp

=== targets ===

==== CLUSTERIP ====
* deprecated by cluster match.
==== TOS ====
* deprecated by DSCP

=== targets: ipv4 ===

==== ULOG ====
* Removed from tree since 3.17.

Load balancing

2017-06-19T22:33:34Z

Nevola: /* Using Direct Server Return (DSR) */

Since nftables v0.7, there is support in place to perform [[Performing Network Address Translation (NAT) | NAT]] load balancing.

Don't forget the special NAT chain semantics: Only the first packet evaluates the rule, follow up packets rely on conntrack to apply the NAT information.

== Round Robin ==

This method uses the nftables [[Math operations | number generator]].

The example below is distributing new connections in a round-robin fashion between 192.168.10.100 and 192.168.20.200.

<source>
% nft add rule nat prerouting dnat to numgen inc mod 2 map { \
0 : 192.168.10.100, \
1 : 192.168.20.200 }
</source>

You can also emulate flow distribution with different backend weights using intervals:

<source>
% nft add rule nat prerouting dnat to numgen inc mod 10 map { \
0-5 : 192.168.10.100, \
6-9 : 192.168.20.200 }
</source>

The distribution can be based on ports as well:

<source>
% nft add rule nat prerouting ip protocol tcp dnat to 192.168.1.100 : numgen inc mod 2 map {\
0 : 4040 ,\
1 : 4050 }
</source>

== Consistent Hash-based Distribution ==

Using the nftables internal [[Math operations | hashing mechanisms]].

<source>
% nft add rule x y dnat to jhash ip saddr . tcp dport mod 2 map { \
0 : 192.168.20.100, \
1 : 192.168.30.100 }
</source>

This relies on the Jenkins hash.

== Using stateless NAT ==

You can perform load balancing through stateless NAT approach as well. You can combine this either with the round robin and consistent hash-based distribution approaches.

The example below uses Round Robin flow distribution:

<source>
% nft add rule t c tcp dport 80 ip daddr set numgen inc mod 2 map { 0 : 192.168.1.100, 1 : 192.168.1.101 }
</source>

This is more lightweight that stateful NAT given there is no flow tracking in place.

== Using Direct Server Return (DSR) ==

This example performs a DSR topology for non connection oriented flows from ingress:

<source>
% nft add rule t c udp dport 53 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set numgen inc mod 2 map { 0 : xx:xx:xx:xx:xx:xx, 1: yy:yy:yy:yy:yy:yy } fwd to eth0
</source>

An approach for connection oriented flows can be performed as shown below.

<source>
% nft add rule t c tcp dport 80 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set jhash ip saddr . tcp sport mod 2 map { 0 : xx:xx:xx:xx:xx:xx, 1: yy:yy:yy:yy:yy:yy } fwd to eth0
</source>