4. nftablesnftables
➢ Replacement of iptables, ip6tables,
arptables & ebtables
➢ including ipset
➢ Remove the duplicated code from all
modules
➢ Simplify the dual stack(IPv4/6) handling
➢ ip, ip6, inet, arp & bridge address families
5. nftablesnftables
➢ Merged mainstream in October 2013,
available since January 2014 in Linux kernel
3.13.
➢ It reuses the existing Netfilter building
blocks: hooks, conntrack, NAT, logging and
userspace queueing.
➢ It also reuses existing xtables extensions
through nft compat.
10. nftables vs. iptablesnftables vs. iptables
➢ Tables and chains are fully configurable
list
tables [family]
table [family] <name>
chain [family] <table> <name>
add
table [family] <name>
chain [family] <table> <name> [chain definitions]
rule [family] <table> <chain> <rule definition>
table [family] <name> (shortcut for `add table`)
Families:
ip - IPv4
ip6 - IPv6
inet - IPv4 or v6
arp - arp
bridge - linux bridge
11. nftables vs. iptablesnftables vs. iptables
➢ Tables and chains are fully configurable
➢ Tables are without any predefined purpose
➢ there are no raw, filter, nat & mangle tables
12. nftables vs. iptablesnftables vs. iptables
➢ Tables and chains are fully configurable
➢ Tables are without any predefined purpose
➢ there are no raw, filter, nat & mangle tables
➢ By default there are no chains
➢ if there is no chain that would match the packet
it will not be touched by netfilter code
➢ Every chain has a type:
➢ filter
➢ nat (only the first packet of a flow hits this chain)
➢ route (mangle)
13. HooksHooks
➢ Base chains are the ones that are attached
to hooks
➢ Non-base chains are used for ordering
➢ All available hooks:
➢ ingress
➢ input
➢ output
➢ forward
➢ prerouting
➢ postrouting
14. nftables vs. iptablesnftables vs. iptables
➢ No distinction between matches and targets
anymore
➢ no difference between ACCEPT and -s
# nft insert rule filter input ct state established accept
VS.
# iptables -I INPUT -j ACCEPT -m conntrack --ctstate
ESTABLISHED
15. nftables vs. iptablesnftables vs. iptables
➢ You can specify several actions in one
single rule
# nft add rule filter forward tcp dport 22 log drop
VS.
# iptables -A FORWARD -p tcp --dport 22 -j LOG
# iptables -A FORWARD -p tcp --dport 22 -j DROP
16. nftables vs. iptablesnftables vs. iptables
➢ No built-in counter per chain and rules
➢ counters introduce delays in packet processing
➢ counters can be added to any chain using the
'counter' keyword
# nft add rule ip filter output ip daddr 1.2.3.4
counter drop
17. nftables vs. iptablesnftables vs. iptables
➢ New supported protocols without kernel
upgrades
➢ most of the logic in nftables is inside its
userspace
➢ it compiles the rules to VM bytecode in netlink
format and then it pushes this into the kernel via
the nftables Netlink API
➢ it provides generic set and map infrastructure
18. nftables vs. iptablesnftables vs. iptables
➢ Better support for dynamic ruleset updates
➢ iptables always replaces all rules
➢ even if you only delete one rule
➢ even if you only add one rule
➢ nftables uses linked-list to solve this issue
19. flush rulesetflush ruleset
table inet filter {table inet filter {
chain input {chain input {
type filter hook input priority 0; policy drop;type filter hook input priority 0; policy drop;
# established/related connections# established/related connections
ct state established,related acceptct state established,related accept
# invalid connections# invalid connections
ct state invalid dropct state invalid drop
# loopback interface# loopback interface
iif lo acceptiif lo accept
23. JumpsJumps
➢accept (accept a packet)
➢reject (reject a packet)
➢drop (drop a packet)
➢snat (perform source NAT on a packet)
➢dnat (perform destination NAT on a packet)
➢log (log a packet)
➢counter (keep a counter on a packet; counters are
optional in nftables)
➢return (stop traversing the chain)
➢jump <chain> (jump to another chain)
➢goto <chain> (jump to another chain, but do not return)
24. Match argumentsMatch arguments
meta:
oif <output interface INDEX>
iif <input interface INDEX>
oifname <output interface NAME>
iifname <input interface NAME>
(oif and iif accept string arguments and are
converted to interface indexes)
(oifname and iifname are more dynamic, but
slower because of string matching)
25. Match argumentsMatch arguments
icmp:
type <icmp type>
icmpv6:
type <icmpv6 type>
ip:
protocol <protocol>
daddr <destination address>
saddr <source address>
ip6:
daddr <destination address>
saddr <source address>
26. Match argumentsMatch arguments
tcp:
dport <destination port>
sport <source port>
udp:
dport <destination port>
sport <source port>
ct:
state <new | established | related | invalid>