Supported features compared to xtables: Difference between revisions

From nftables wiki
Jump to navigation Jump to search
(linked to my ad-hoc script updating the xlate sample links)
 
(41 intermediate revisions by 6 users not shown)
Line 1: Line 1:
Last update: 2016/Jan/11                                                       
Last update: Mar/2022
                                                                               
 
This page tracks the list of supported and unsupported extensions with comments and suggestions.
This page tracks the list of supported and unsupported extensions with comments and suggestions.
                                                                               
== Unsupported extensions ==                                                   
                                                                               
=== matches: xt ===                                                             
                                                                               
==== bpf ====                                                                   
* consider native interface                                                     
==== cluster ====                                                               
* consider native interface                                                     
==== connlimit ====                                                             
* consider native interface                                                                                               
==== ipvs ====                                                                 
* consider native interface                                                     
==== nfacct ====                                                               
* consider native interface                                                     
==== osf ====                                                                   
* consider native interface                                                     
==== policy ====                                                               
* consider native interface                                                     
==== rateest ====                                                               
* consider native interface                                                     
==== recent ====                                                               
* consider native interface                                                     
==== socket ====                                                               
* consider native interface                                                     
==== string ====                                                               
* consider native interface                                                     
==== tcpmss ====                                                               
* consider native interface 
==== time ====
* consider native interface                                                   
==== u32 ====                                                                   
* raw expressions?                                                             


=== targets: xt ===                                                            
== Unsupported extensions ==
 
=== matches: xt ===


==== AUDIT ====                                                                
==== bpf ====
* add nft_audit.                                                               
* consider native interface
==== CHECKSUM ====                                                             
==== rateest ====
* add nft_payload.                                                             
* consider native interface
==== CONNSECMARK ====
==== string ====
* nft_meta.                                                                     
==== CT ====                                                                   
* nft_meta_target
==== DSCP ====
* add nft_mangle
==== HL ====
* add nft_mangle                                                               
==== HMARK ====                                                                 
* consider native interface                                                     
==== IDLETIMER ====                                                             
* consider native interface                                                     
==== LED ====                                                                   
* consider native (need this?)                                                 
==== NETMAP ====                                                               
* nft_nat.                                                                     
==== RATEEST ====                                                               
* consider native interface                                                     
==== SECMARK ====                                                               
* nft_meta_target
==== SET ====                                                               
* consider native interface
==== SYNPROXY ====                                                               
* consider native interface                                                               
==== TCPMSS ====                                                               
* consider native interface                                                    
==== TCPOPTSTRIP ====                                                          
* consider native interface                                                                                                  
==== TPROXY ====                                                               
* consider native interface                                                             
                                                                     
=== targets: ipv4 ===                                                           
                                                                               
==== TTL ====
                                                                               
=== targets: ipv6 ===                                                           
                                                                               
==== NPT ====                                                                  
* consider native interface
* consider native interface
==== u32 ====
* raw expressions?


=== matches: bridge ===
=== targets: xt ===


==== 802.3 ====
==== CHECKSUM ====
* nft_payload
* add nft_payload.
* To the day, the only use case for this was DHCP clients not working with partial checksums. That should be fixed nowadays.
* See https://lwn.net/Articles/396466/ and https://www.spinics.net/lists/kvm/msg37660.html
* See https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/930962 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832090


==== among ====
==== CT ====
* sets
* nft_ct_target. Refer to [[Matching_connection_tracking_stateful_metainformation]].
==== IDLETIMER ====
* consider native interface
==== LED ====
* consider native (need this?)
==== RATEEST ====
* consider native interface
==== TCPOPTSTRIP ====
* consider native interface, need to extend nft_exthdr.c


==== arp ====
=== targets: ipv4 ===
* nft_payload


==== ip ====
==== TTL ====
* nft_payload


==== ip6 ====
=== targets: ipv6 ===
* nft_payload


==== limit ====
==== NPT ====
* nft_limit
* consider native interface
 
==== mark ====
* nft_mark
 
==== pkttype ====
* nft_meta
 
==== stp ====
* nft_payload
 
==== vlan ====
* nft_payload


=== targets: bridge ===
=== targets: bridge ===
Line 119: Line 49:
* consider native interface
* consider native interface


==== dnat ====
=== targets: arp ===
* nft_payload


==== snat ====
TODO
* nft_payload


==== redirect ====
== Supported extensions ==
* nft_payload + nft_meta (pkttype set unicast)
(Links updated via [http://nwl.cc/~n0-1/update_nftables_wiki_xlate_links.sh script].)


==== mark ====
=== matches: xt ===
* nft_mark


=== watchers: bridge ===
==== addrtype ====
* nft_fib, starting with 4.10 kernel. Refer to [[Matching routing information]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_addrtype.txlate Examples from iptables-translate testsuite]


==== log ====
==== cgroup ====
* nft_log
* nft_meta. Refer to [[Quick_reference-nftables_in_10_minutes#Meta]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_cgroup.txlate Examples from iptables-translate testsuite]
[Awaits support for cgroup2]


==== nflog ====
==== cluster ====
* nft_log
* nft_hash
* [https://git.netfilter.org/iptables/tree/extensions/libxt_cluster.txlate Examples from iptables-translate testsuite]


=== targets: arp ===
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira). Refer to [[Matching_packet_headers#Matching_UDP.2FTCP_headers_in_the_same_rule|matching UDP/TCP headers in the same rule]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_comment.txlate Examples from iptables-translate testsuite]


TODO
==== connbytes ====
 
* nft_ct, 4.5 kernel. Refer to [[Meters]].
== Supported extensions ==                                                      
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connbytes.txlate Examples from iptables-translate testsuite]
                                                                               
==== connlabel ====
=== matches: xt ===                                                             
* nft_meta, since 3.16.
   
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connlabel.txlate Examples from iptables-translate testsuite]
==== addrtype ====
==== connlimit ====
* nft_fib, starting with 4.10 kernel
* consider native interface. Refer to [[Meters]].
==== cgroup ====
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connlimit.txlate Examples from iptables-translate testsuite]
* nft_meta.
[Awaits support for cgroup2]                                                                            
==== comment ====
* Built-in support via NFTA_RULE_USERDATA, since 3.15 (Pablo Neira).            
==== connbytes ====                                                            
* nft_ct, 4.5 kernel
==== connlabel ====                                                             
* nft_meta, since 3.16 (Florian Westphal).
==== connmark ====
==== connmark ====
* nft_meta.
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_connmark.txlate Examples from iptables-translate testsuite]
==== conntrack ====
==== conntrack ====
* nft_ct.
* nft_ct.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_conntrack.txlate Examples from iptables-translate testsuite]
==== cpu ====
==== cpu ====
* nft_meta, since 3.18 (Valentina Giusti/Ana Rey).
* nft_meta, since 3.18.
==== dccp ====                                                                  
* [https://git.netfilter.org/iptables/tree/extensions/libxt_cpu.txlate Examples from iptables-translate testsuite]
* nft_payload.  
==== dccp ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_dccp.txlate Examples from iptables-translate testsuite]
[Unsupported option : dccp-option]
[Unsupported option : dccp-option]
==== devgroup ====                                                              
==== devgroup ====
* nft_meta, since 3.18 (Ana Rey).
* nft_meta, since 3.18.
==== dscp ====                                            
* [https://git.netfilter.org/iptables/tree/extensions/libxt_devgroup.txlate Examples from iptables-translate testsuite]
==== dscp ====
* nft_payload.
* nft_payload.
==== ecn ====                                                                  
* [https://git.netfilter.org/iptables/tree/extensions/libxt_dscp.txlate Examples from iptables-translate testsuite]
* nft_payload.                                                                  
==== ecn ====
==== esp ====                                                                  
* nft_payload.
* nft_payload.                                                                  
* [https://git.netfilter.org/iptables/tree/extensions/libxt_ecn.txlate Examples from iptables-translate testsuite]
==== hashlimit ====                                                            
==== esp ====
* flow statement
* nft_payload.
 
* [https://git.netfilter.org/iptables/tree/extensions/libxt_esp.txlate Examples from iptables-translate testsuite]
==== helper ====                                                                
==== hashlimit ====
* meter statement. Refer to [[Meters]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_hashlimit.txlate Examples from iptables-translate testsuite]
==== helper ====
* nft_ct.
* nft_ct.
 
* [https://git.netfilter.org/iptables/tree/extensions/libxt_helper.txlate Examples from iptables-translate testsuite]
==== ipcomp ====
==== ipcomp ====
* nft_payload.
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_ipcomp.txlate Examples from iptables-translate testsuite]
[Unsupported option : compres]
[Unsupported option : compres]
==== iprange ====                                                              
==== iprange ====
* nft_payload, through native range support. To emulate iptables --ports you need two rules.                                                  
* nft_payload, through native range support. To emulate iptables --ports you need two rules.
==== length ====                                                               
* [https://git.netfilter.org/iptables/tree/extensions/libxt_iprange.txlate Examples from iptables-translate testsuite]
* nft_meta.                                                                    
==== ipvs ====
==== limit ====                                                                
* consider native interface. Refer to [[Load balancing]].
* nft_limit.                                                                    
==== length ====
==== mac ====                                                                   
* nft_meta.
* nft_payload.                                                                  
* [https://git.netfilter.org/iptables/tree/extensions/libxt_length.txlate Examples from iptables-translate testsuite]
==== mark ====                                                                  
==== limit ====
* nft_meta.                                                                    
* nft_limit. Refer to [[Stateful objects]].
==== multiport ====                                                             
* [https://git.netfilter.org/iptables/tree/extensions/libxt_limit.txlate Examples from iptables-translate testsuite]
* nft_payload.
==== mac ====
[Unsupported option : ports]                                                                                        
==== owner ====                                                                
* nft_meta.  
[Unsupported option : socket-exists]                                                                    
==== pkttype ====                                                               
* nft_meta                                                                                                               
==== sctp ====                                                                  
* nft_payload.
* nft_payload.
[Unsupported option: --chunk-types]
* [https://git.netfilter.org/iptables/tree/extensions/libxt_mac.txlate Examples from iptables-translate testsuite]
==== mark ====
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_mark.txlate Examples from iptables-translate testsuite]
==== multiport ====
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_multiport.txlate Examples from iptables-translate testsuite]
==== nfacct ====
* consider native interface. Refer to [[Stateful objects]].
==== osf ====
* consider native interface
==== owner ====
* nft_meta.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_owner.txlate Examples from iptables-translate testsuite]
[Unsupported option : socket-exists]
==== pkttype ====
* nft_meta
* [https://git.netfilter.org/iptables/tree/extensions/libxt_pkttype.txlate Examples from iptables-translate testsuite]
==== policy ====
* nft_xfrm, since 5.0
* [https://git.netfilter.org/iptables/tree/extensions/libxt_policy.txlate Examples from iptables-translate testsuite]
==== recent ====
* consider native interface. Refer to [[Sets]].
==== sctp ====
* nft_payload
* nft_exthdr for --chunk-types
* [https://git.netfilter.org/iptables/tree/extensions/libxt_sctp.txlate Examples from iptables-translate testsuite]
==== socket ====
* consider native interface
* [https://git.netfilter.org/iptables/tree/extensions/libxt_socket.txlate Examples from iptables-translate testsuite]
==== statistic ====
* nft_numgen. Refer to [[Load balancing]].
* [https://git.netfilter.org/iptables/tree/extensions/libxt_statistic.txlate Examples from iptables-translate testsuite]
==== set ====
==== set ====
* Use native nf_tables set infrastructure.                                      
* Use native nf_tables set infrastructure.
==== state ====                                                                
==== state ====
* nft_ct                                                                        
* nft_ct
==== tcp ====
==== tcp ====
* nft_payload
* nft_payload
==== udp ====                                                                
* [https://git.netfilter.org/iptables/tree/extensions/libxt_tcp.txlate Examples from iptables-translate testsuite]
==== tcpmss ====
* nft_exthdr, since 4.14
* [https://git.netfilter.org/iptables/tree/extensions/libxt_tcpmss.txlate Examples from iptables-translate testsuite]
 
==== time ====
* nft_meta, since 5.4
* [https://git.netfilter.org/iptables/tree/extensions/libxt_time.txlate Examples from iptables-translate testsuite]
 
==== udp ====
* nft_payload
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libxt_udp.txlate Examples from iptables-translate testsuite]
=== targets: xt ===
==== AUDIT ====
* nft_log, since 4.18.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_AUDIT.txlate Examples from iptables-translate testsuite]
==== CLASSIFY ====
* nft_meta, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_CLASSIFY.txlate Examples from iptables-translate testsuite]
==== CONNMARK ====
* nft_ct
* [https://git.netfilter.org/iptables/tree/extensions/libxt_CONNMARK.txlate Examples from iptables-translate testsuite]
==== CONNSECMARK ====
* nft_ct, since 4.20
==== DSCP ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libxt_DSCP.txlate Examples from iptables-translate testsuite]
==== HL ====
* nft_payload
==== HMARK ====
* nft_meta + nft_hash.
==== MARK ====
* nft_meta, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_MARK.txlate Examples from iptables-translate testsuite]
==== NETMAP ====
* nft_nat, upcoming 5.8
==== NFLOG ====
* nft_log, since 3.17.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_NFLOG.txlate Examples from iptables-translate testsuite]
==== NFQUEUE ====
* nft_queue, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_NFQUEUE.txlate Examples from iptables-translate testsuite]
==== SECMARK ====
* nft_meta, since 4.20
==== SYNPROXY ====
* nft_synproxy, since 5.3
* [https://git.netfilter.org/iptables/tree/extensions/libxt_SYNPROXY.txlate Examples from iptables-translate testsuite]


=== targets: xt ===                                                             
                                                                               
==== CLASSIFY ====                                                             
* nft_meta, since 3.14 (Tomasz Bursztyka).   
==== CONNMARK ====                                                                                                                   
==== MARK ====                                                                 
* nft_meta, since 3.14 (Tomasz Bursztyka).                                     
==== NFLOG ====                                                                 
* nft_log, since 3.17 (Pablo Neira).                                           
==== NFQUEUE ====                                                               
* nft_queue, since 3.14 (Eric Leblond). '''Bridge support still missing'''.
==== TEE ====
==== TEE ====
* nft_dup, since 4.3 (Pablo Neira)
* nft_dup, since 4.3.
==== TRACE ====                                                                
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TEE.txlate Examples from iptables-translate testsuite]
* nft_meta, since 3.14 (Tomasz Bursztyka).                                      
==== TPROXY ====
=== matches: ipv4 ===                                                          
* nft_tproxy, since 4.19
                                                                               
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TPROXY.txlate Examples from iptables-translate testsuite]
==== ah ====                                                                    
 
==== TRACE ====
* nft_meta, since 3.14.
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TRACE.txlate Examples from iptables-translate testsuite]
 
==== TCPMSS ====
* nft_exthdr, since 4.14
* [https://git.netfilter.org/iptables/tree/extensions/libxt_TCPMSS.txlate Examples from iptables-translate testsuite]
 
=== matches: ipv4 ===
 
==== ah ====
* nft_payload + nft_cmp
* nft_payload + nft_cmp
* [https://git.netfilter.org/iptables/tree/extensions/libipt_ah.txlate Examples from iptables-translate testsuite]
==== icmp ====
==== icmp ====
* nft_payload + nft_cmp.
* nft_payload + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_icmp.txlate Examples from iptables-translate testsuite]
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]
==== realm ====                                                                
==== realm ====
* nft_meta, through NFT_META_RTCLASSID.  
* nft_meta, through NFT_META_RTCLASSID.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_realm.txlate Examples from iptables-translate testsuite]
==== rp_filter ====
==== rp_filter ====
* nft_fib, starting with 4.10 kernel
* nft_fib, starting with 4.10 kernel
==== ttl ====
==== ttl ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libipt_ttl.txlate Examples from iptables-translate testsuite]
=== matches: ipv6 ===


[http://www.example.com link title]=== matches: ipv6 ===                                                           
           
==== rp_filter ====
==== rp_filter ====
* nft_fib, starting with 4.10 kernel                                                                  
* nft_fib, starting with 4.10 kernel
==== ah  ====                                                                  
==== ah  ====
* nft_payload + nft_cmp.
* nft_payload + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_ah.txlate Examples from iptables-translate testsuite]
==== eui64 ====
==== eui64 ====
* nft_payload + nft_cmp.
* nft_payload + nft_cmp.
==== frag ====
==== frag ====
* nft_exthdr + nft_cmp.
* nft_exthdr + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_frag.txlate Examples from iptables-translate testsuite]
==== hbh ====
==== hbh ====
* nft_exthdr + nft_cmp.
* nft_exthdr + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_hbh.txlate Examples from iptables-translate testsuite]
HBH options are not supported yet.
HBH options are not supported yet.
[Unsupported option: --hbh-opts]
[Unsupported option: --hbh-opts]
==== hl ====  
==== hl ====
* nft_payload.  
* nft_payload.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_hl.txlate Examples from iptables-translate testsuite]
==== icmp6 ====
==== icmp6 ====
* nft_payload + nft_cmp.
* nft_payload + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_icmp6.txlate Examples from iptables-translate testsuite]
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]
==== ipv6header ====
==== ipv6header ====
Line 265: Line 283:
==== mh ====
==== mh ====
* nft_exthdr + nft_cmp.
* nft_exthdr + nft_cmp.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_mh.txlate Examples from iptables-translate testsuite]
[Needs bug fixation for option mh-type with range]
[Needs bug fixation for option mh-type with range]
==== rt ====
==== rt ====
* nft_exthdr + nft_cmp
* nft_exthdr + nft_cmp
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_rt.txlate Examples from iptables-translate testsuite]
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]
[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]


=== targets: ipv4 ===
=== targets: ipv4 ===
==== ECN ====                                                                  
==== ECN ====
* nft_payload
* nft_payload


==== DNAT ====  
==== DNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).  
* nft_nat, since 3.13.
==== LOG ====                                                                  
* [https://git.netfilter.org/iptables/tree/extensions/libipt_DNAT.txlate Examples from iptables-translate testsuite]
* nft_log, since 3.17 (Pablo Neira).
==== LOG ====
* nft_log, since 3.17.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_LOG.txlate Examples from iptables-translate testsuite]
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====
==== MASQUERADE ====
* nft_masq, since 3.18 (Arturo Borrero).
* nft_masq, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_MASQUERADE.txlate Examples from iptables-translate testsuite]
==== REDIRECT ====
==== REDIRECT ====
* nft_redirect, since 3.19 (Arturo Borrero).
* nft_redirect, since 3.19.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_REDIRECT.txlate Examples from iptables-translate testsuite]


==== REJECT ====                                                                
==== REJECT ====
* nft_reject_ipv4, since 3.13 (Patrick McHardy/Eric Leblond).                                        
* nft_reject_ipv4, since 3.13.
* nft_reject_inet, since 3.14 (Patrick McHardy).
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18 (Pablo Neira)   
* nft_reject_bridge, since 3.18.
==== SNAT ====                                                          
* [https://git.netfilter.org/iptables/tree/extensions/libipt_REJECT.txlate Examples from iptables-translate testsuite]
* nft_nat, since 3.13 (Tomasz Bursztyka).
==== SNAT ====
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libipt_SNAT.txlate Examples from iptables-translate testsuite]


=== targets: ipv6 ===
=== targets: ipv6 ===
==== DNAT ====
==== DNAT ====
* nft_nat, since 3.13 (Tomasz Bursztyka).  
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_DNAT.txlate Examples from iptables-translate testsuite]
==== LOG ====
==== LOG ====
* nft_log, since 3.17 (Pablo Neira).
* nft_log, since 3.17.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_LOG.txlate Examples from iptables-translate testsuite]
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]
==== MASQUERADE ====                                                            
==== MASQUERADE ====
* nft_masq, since 3.18 (Arturo Borrero).
* nft_masq, since 3.18.
==== REDIRECT ====                                                              
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_MASQUERADE.txlate Examples from iptables-translate testsuite]
* nft_redirect, since 3.19 (Arturo Borrero).
==== REDIRECT ====
* nft_redirect, since 3.19.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_REDIRECT.txlate Examples from iptables-translate testsuite]
 
==== REJECT ====
* nft_reject_ipv6, since 3.14.
* nft_reject_inet, since 3.14.
* nft_reject_bridge, since 3.18.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_REJECT.txlate Examples from iptables-translate testsuite]
==== SNAT ====
* nft_nat, since 3.13.
* [https://git.netfilter.org/iptables/tree/extensions/libip6t_SNAT.txlate Examples from iptables-translate testsuite]
 
=== matches: bridge ===


==== REJECT ====                                                                                 
==== 802.3 ====
* nft_reject_ipv6, since 3.14 (Patrick McHardy/Eric Leblond)                   
* nft_payload
* nft_reject_inet, since 3.14 (Patrick McHardy).
* nft_reject_bridge, since 3.18 (Pablo Neira)   
==== SNAT ====                                                                                                                         
* nft_nat, since 3.13 (Tomasz Bursztyka).


== Deprecated extensions ==                                                    
==== among ====
                                                                               
* sets
=== matches ===                                                                
 
==== arp ====
==== physdev ====                                                              
* nft_payload
* br_netfilter aims to be deprecated by nftables.                                                                              
 
==== quota ====                                                                
==== ip ====
* nfacct already provides quota support.
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_ip.txlate Examples from iptables-translate testsuite]
 
==== ip6 ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_ip6.txlate Examples from iptables-translate testsuite]
 
==== limit ====
* nft_limit
* [https://git.netfilter.org/iptables/tree/extensions/libebt_limit.txlate Examples from iptables-translate testsuite]
 
==== mark ====
* nft_mark
* [https://git.netfilter.org/iptables/tree/extensions/libebt_mark_m.txlate Examples from iptables-translate testsuite]
 
==== pkttype ====
* nft_meta
* [https://git.netfilter.org/iptables/tree/extensions/libebt_pkttype.txlate Examples from iptables-translate testsuite]
 
==== stp ====
* nft_payload
 
==== vlan ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_vlan.txlate Examples from iptables-translate testsuite]
 
 
=== targets: bridge ===
 
==== dnat ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_dnat.txlate Examples from iptables-translate testsuite]
 
==== snat ====
* nft_payload
* [https://git.netfilter.org/iptables/tree/extensions/libebt_snat.txlate Examples from iptables-translate testsuite]
 
==== redirect ====
* nft_payload + nft_meta (pkttype set unicast)
 
==== mark ====
* nft_mark
* [https://git.netfilter.org/iptables/tree/extensions/libebt_mark.txlate Examples from iptables-translate testsuite]
 
 
=== watchers: bridge ===
 
==== log ====
* nft_log
* [https://git.netfilter.org/iptables/tree/extensions/libebt_log.txlate Examples from iptables-translate testsuite]
 
==== nflog ====
* nft_log
* [https://git.netfilter.org/iptables/tree/extensions/libebt_nflog.txlate Examples from iptables-translate testsuite]
 
== Deprecated extensions ==
 
=== matches ===
 
==== physdev ====
* br_netfilter aims to be deprecated by nftables.
==== quota ====
* nfacct already provides quota support.
==== tos ====
==== tos ====
* deprecated by dscp                                      
* deprecated by dscp
                                                                               
 
=== targets ===                                                                
=== targets ===
                                                                               
 
==== CLUSTERIP ====                                                            
==== CLUSTERIP ====
* deprecated by cluster match.                                                  
* deprecated by cluster match.
==== TOS ====                                                                
==== TOS ====
* deprecated by DSCP
* deprecated by DSCP


=== targets: ipv4 ===                                                          
=== targets: ipv4 ===
                                                                               
 
==== ULOG ====                                                                  
==== ULOG ====
* Removed from tree since 3.17.
* Removed from tree since 3.17.

Latest revision as of 11:38, 14 September 2024

Last update: Mar/2022

This page tracks the list of supported and unsupported extensions with comments and suggestions.

Unsupported extensions

matches: xt

bpf

  • consider native interface

rateest

  • consider native interface

string

  • consider native interface

u32

  • raw expressions?

targets: xt

CHECKSUM

CT

IDLETIMER

  • consider native interface

LED

  • consider native (need this?)

RATEEST

  • consider native interface

TCPOPTSTRIP

  • consider native interface, need to extend nft_exthdr.c

targets: ipv4

TTL

targets: ipv6

NPT

  • consider native interface

targets: bridge

arpreply

  • consider native interface

targets: arp

TODO

Supported extensions

(Links updated via script.)

matches: xt

addrtype

cgroup

[Awaits support for cgroup2]

cluster

comment

connbytes

connlabel

connlimit

connmark

conntrack

cpu

dccp

[Unsupported option : dccp-option]

devgroup

dscp

ecn

esp

hashlimit

helper

ipcomp

[Unsupported option : compres]

iprange

ipvs

length

limit

mac

mark

multiport

nfacct

osf

  • consider native interface

owner

[Unsupported option : socket-exists]

pkttype

policy

recent

  • consider native interface. Refer to Sets.

sctp

socket

statistic

set

  • Use native nf_tables set infrastructure.

state

  • nft_ct

tcp

tcpmss

time

udp

targets: xt

AUDIT

CLASSIFY

CONNMARK

CONNSECMARK

  • nft_ct, since 4.20

DSCP

HL

  • nft_payload

HMARK

  • nft_meta + nft_hash.

MARK

NETMAP

  • nft_nat, upcoming 5.8

NFLOG

NFQUEUE

SECMARK

  • nft_meta, since 4.20

SYNPROXY

TEE

TPROXY

TRACE

TCPMSS

matches: ipv4

ah

icmp

[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]

realm

rp_filter

  • nft_fib, starting with 4.10 kernel

ttl

matches: ipv6

rp_filter

  • nft_fib, starting with 4.10 kernel

ah

eui64

  • nft_payload + nft_cmp.

frag

hbh

HBH options are not supported yet. [Unsupported option: --hbh-opts]

hl

icmp6

[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]

ipv6header

  • nft_exthdr + nft_cmp.

mh

[Needs bug fixation for option mh-type with range]

rt

[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

targets: ipv4

ECN

  • nft_payload

DNAT

LOG

[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]

MASQUERADE

REDIRECT

REJECT

SNAT

targets: ipv6

DNAT

LOG

[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]

MASQUERADE

REDIRECT

REJECT

SNAT

matches: bridge

802.3

  • nft_payload

among

  • sets

arp

  • nft_payload

ip

ip6

limit

mark

pkttype

stp

  • nft_payload

vlan


targets: bridge

dnat

snat

redirect

  • nft_payload + nft_meta (pkttype set unicast)

mark


watchers: bridge

log

nflog

Deprecated extensions

matches

physdev

  • br_netfilter aims to be deprecated by nftables.

quota

  • nfacct already provides quota support.

tos

  • deprecated by dscp

targets

CLUSTERIP

  • deprecated by cluster match.

TOS

  • deprecated by DSCP

targets: ipv4

ULOG

  • Removed from tree since 3.17.