1XTABLES-NFT(8) System Manager's Manual XTABLES-NFT(8)
2
6 xtables-nft — iptables using nftables kernel api
7
10 xtables-nft are versions of iptables that use the nftables API. This
11 is a set of tools to help the system administrator migrate the ruleset
12 from iptables(8), ip6tables(8), arptables(8), and ebtables(8) to nfta‐
13 bles(8).
14 The xtables-nft set is composed of several commands:
16 · iptables-nft
18 · iptables-nft-save
20 · iptables-nft-restore
22 · ip6tables-nft
24 · ip6tables-nft-save
26 · ip6tables-nft-restore
28 · arptables-nft
30 · ebtables-nft
32 These tools use the libxtables framework extensions and hook to the
34 nf_tables kernel subsystem using the nft_compat module.
35
38 The xtables-nft tools allow you to manage the nf_tables backend using
39 the native syntax of iptables(8), ip6tables(8), arptables(8), and ebta‐
40 bles(8).
41 You should use the xtables-nft tools exactly the same way as you would
43 use the corresponding original tools.
44 Adding a rule will result in that rule being added to the nf_tables
46 kernel subsystem instead. Listing the ruleset will use the nf_tables
47 backend as well.
48 When these tools were designed, the main idea was to replace each
50 legacy binary with a symlink to the xtables-nft program, for example:
51 /sbin/iptables -> /usr/sbin/iptables-nft-multi
53 /sbin/ip6tables -> /usr/sbin/ip6tables-nft-multi
54 /sbin/arptables -> /usr/sbin/arptables-nft-multi
55 /sbin/ebtables -> /usr/sbin/ebtables-nft-multi
56 The iptables version string will indicate whether the legacy API
58 (get/setsockopt) or the new nf_tables api is used:
59 iptables -V
60 iptables v1.7 (nf_tables)
61
64 Because the xtables-nft tools use the nf_tables kernel API, rule addi‐
65 tions and deletions are always atomic. Unlike iptables-legacy, ipta‐
66 bles-nft -A .. will NOT need to retrieve the current ruleset from the
67 kernel, change it, and re-load the altered ruleset. Instead, iptables-
68 nft will tell the kernel to add one rule. For this reason, the ipta‐
69 bles-legacy --wait option is a no-op in iptables-nft.
70 Use of the xtables-nft tools allow monitoring ruleset changes using the
72 xtables-monitor(8) command.
73 When using -j TRACE to debug packet traversal to the ruleset, note that
75 you will need to use xtables-monitor(8) in --trace mode to obtain moni‐
76 toring trace events.
77
80 One basic example is creating the skeleton ruleset in nf_tables from
81 the xtables-nft tools, in a fresh machine:
82 root@machine:~# iptables-nft -L
84 [...]
85 root@machine:~# ip6tables-nft -L
86 [...]
87 root@machine:~# arptables-nft -L
88 [...]
89 root@machine:~# ebtables-nft -L
90 [...]
91 root@machine:~# nft list ruleset
92 table ip filter {
93 chain INPUT {
94 type filter hook input priority 0; policy accept;
95 }
96 chain FORWARD {
98 type filter hook forward priority 0; policy accept;
99 }
100 chain OUTPUT {
102 type filter hook output priority 0; policy accept;
103 }
104 }
105 table ip6 filter {
106 chain INPUT {
107 type filter hook input priority 0; policy accept;
108 }
109 chain FORWARD {
111 type filter hook forward priority 0; policy accept;
112 }
113 chain OUTPUT {
115 type filter hook output priority 0; policy accept;
116 }
117 }
118 table bridge filter {
119 chain INPUT {
120 type filter hook input priority -200; policy accept;
121 }
122 chain FORWARD {
124 type filter hook forward priority -200; policy accept;
125 }
126 chain OUTPUT {
128 type filter hook output priority -200; policy accept;
129 }
130 }
131 table arp filter {
132 chain INPUT {
133 type filter hook input priority 0; policy accept;
134 }
135 chain FORWARD {
137 type filter hook forward priority 0; policy accept;
138 }
139 chain OUTPUT {
141 type filter hook output priority 0; policy accept;
142 }
143 }
144 (please note that in fresh machines, listing the ruleset for the first
146 time results in all tables an chain being created).
147 To migrate your complete filter ruleset, in the case of iptables(8),
149 you would use:
150 root@machine:~# iptables-legacy-save > myruleset # reads from x_tables
152 root@machine:~# iptables-nft-restore myruleset # writes to nf_tables
153 or
154 root@machine:~# iptables-legacy-save | iptables-translate-restore | less
155 to see how rules would look like in the nft nft(8) syntax.
157
160 You should use Linux kernel >= 4.17.
161 The CLUSTERIP target is not supported.
163 To get up-to-date information about this, please head to
165 http://wiki.nftables.org/.
166
169 nft(8), xtables-translate(8), xtables-monitor(8)
170
173 The nftables framework is written by the Netfilter project
174 (https://www.netfilter.org).
175 This manual page was written by Arturo Borrero Gonzalez
177 <arturo@debian.org> for the Debian project, but may be used by others.
178 This documentation is free/libre under the terms of the GPLv2+.
180 June 2018 XTABLES-NFT(8)