author | Florian Westphal <fw@strlen.de> | 2018-06-18 09:18:28 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2018-06-27 23:44:04 +0200 |
commit | be70918eab26e0c5fe219fefab325056144976d9 (patch) | |
tree | ab256347ade0a13ccc8f91da83282436a18c8957 /iptables/xtables-nft.8 | |
parent | d49ba500efd4dc50eef10324f3c0b4f7ce5d6e3e (diff) |
xtables: rename xt-multi binaries to -nft, -legacy
This adds a clear distinction between old iptables (formerly
xtables-multi, now xtables-legacy-multi) and new iptables
(formerly xtables-compat-multi, now xtables-nft-multi).
Users will get the ip/ip6tables names via symbolic links; having
a distinct name postfix for the legacy/nft variants helps to
make a clear distinction, as iptables-nft will always use
nf_tables and iptables-legacy always uses get/setsockopt, whereas
"iptables" could be symlinked to either -nft or -legacy.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/xtables-nft.8')
-rw-r--r-- | iptables/xtables-nft.8 | 201 |
1 files changed, 201 insertions, 0 deletions
diff --git a/iptables/xtables-nft.8 b/iptables/xtables-nft.8 new file mode 100644 index 00000000..91d5b54e --- /dev/null +++ b/iptables/xtables-nft.8 
@@ -0,0 +1,201 @@ +.\" +.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez <arturo@netfilter.org> +.\" +.\" %%%LICENSE_START(GPLv2+_DOC_FULL) +.\" This is free documentation; you can redistribute it and/or +.\" modify it under the terms of the GNU General Public License as +.\" published by the Free Software Foundation; either version 2 of +.\" the License, or (at your option) any later version. +.\" +.\" The GNU General Public License's references to "object code" +.\" and "executables" are to be interpreted as the output of any +.\" document formatting or typesetting system, including +.\" intermediate and printed output. +.\" +.\" This manual is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public +.\" License along with this manual; if not, see +.\" <http://www.gnu.org/licenses/>. +.\" %%%LICENSE_END +.\" +.TH XTABLES-NFT 8 "June 2018" + +.SH NAME +xtables-nft \- iptables using nftables kernel api + +.SH DESCRIPTION +\fBxtables-nft\fP are versions of iptables that use the nftables api. + is set of tools to help the system administrator migrate the +ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and +\fBebtables(8)\fP to \fBnftables(8)\fP. + +The \fBxtables-nft\fP set is composed of several commands: +.IP \[bu] 2 +iptables-nft +.IP \[bu] +iptables-nft-save +.IP \[bu] +iptables-nft-restore +.IP \[bu] +ip6tables-nft +.IP \[bu] +ip6tables-nft-save +.IP \[bu] +ip6tables-nft-restore +.IP \[bu] +arptables-nft +.IP \[bu] +ebtables-nft + +These tools use the libxtables framework extensions and hook to the nf_tables +kernel subsystem using the \fBnft_compat\fP module. 
+ +.SH USAGE +The xtables-nft tools allow you to manage the nf_tables backend using the +native syntax of \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and +\fBebtables(8)\fP. + +You should use the xtables-nft tools exactly the same way as you would use the +corresponding original tool. + +Adding a rule will result in that rule being added to the nf_tables kernel +subsystem instead. +Listing the ruleset will use the nf_tables backend as well. + +When these tools were designed, the main idea was to replace each legacy binary +with a symlink to the xtables-nft program, for example: + +.nf + /sbin/iptables \-> /usr/sbin/iptables-nft-multi + /sbin/ip6tables \-> /usr/sbin/ip6tables-nft-mulit + /sbin/arptables \-> /usr/sbin/arptables-nft-multi + /sbin/ebtables \-> /usr/sbin/ebtables-nft-multi +.fi + +The iptables version string will indicate if the legacy API (get/setsockopt) or +the new nf_tables api is used: +.nf + iptables \-V + iptables v1.7 (nf_tables) +.fi + +.SH DIFFERENCES TO LEGACY IPTABLES + +Because the xtables-nft tools use the nf_tables kernel api, rule additions +are deletions are always atomic. Unlike iptables-legacy, iptables-nft \-A .. +will NOT need to retrieve the current ruleset from the kernel, change it, and +re-load the altered ruleset. Instead, iptables-nft will tell the kernel to add +one rule. For this reason, the iptables-legacy \-\-wait option is a no-op in +iptables-nft. + +Use of the xtables-nft tools allow monitoring ruleset changes using the +.B xtables-monitor(8) +command. + +When using \-j TRACE to debug packet traversal to the ruleset, note that you will need to use +.B xtables-monitor(8) +in \-\-trace mode to obtain monitoring trace events. + +.SH EXAMPLES +One basic example is creating the skeleton ruleset in nf_tables from the +xtables-nft tools, in a fresh machine: + +.nf + root@machine:~# iptables-nft -L + [...] + root@machine:~# ip6tables-nft -L + [...] + root@machine:~# arptables-nft -L + [...] 
+ root@machine:~# ebtables-nft -L + [...] + root@machine:~# nft list ruleset + table ip filter { + chain INPUT { + type filter hook input priority 0; policy accept; + } + + chain FORWARD { + type filter hook forward priority 0; policy accept; + } + + chain OUTPUT { + type filter hook output priority 0; policy accept; + } + } + table ip6 filter { + chain INPUT { + type filter hook input priority 0; policy accept; + } + + chain FORWARD { + type filter hook forward priority 0; policy accept; + } + + chain OUTPUT { + type filter hook output priority 0; policy accept; + } + } + table bridge filter { + chain INPUT { + type filter hook input priority -200; policy accept; + } + + chain FORWARD { + type filter hook forward priority -200; policy accept; + } + + chain OUTPUT { + type filter hook output priority -200; policy accept; + } + } + table arp filter { + chain INPUT { + type filter hook input priority 0; policy accept; + } + + chain FORWARD { + type filter hook forward priority 0; policy accept; + } + + chain OUTPUT { + type filter hook output priority 0; policy accept; + } + } +.fi + +(please note that in fresh machines, listing the ruleset for the first time +results in all tables an chain being created). + +To migrate your complete filter ruleset, in the case of \fBiptables(8)\fP, +you would use: + +.nf + root@machine:~# iptables-legacy-save > myruleset # reads from x_tables + root@machine:~# iptables-nft-restore myruleset # writes to nf_tables +.fi + + +.SH LIMITATIONS +You should use \fBLinux kernel >= 4.17\fP. + +The CLUSTERIP target is not supported. + +To get up-to-date information about this, please head to +\fBhttp://wiki.nftables.org/\fP. + +.SH SEE ALSO +\fBnft(8)\fP, \fBxtables\-translate(8)\fP, \fBxtables\-monitor(8)\fP + +.SH AUTHORS +The nftables framework is written by the Netfilter project +(https://www.netfilter.org). + +This manual page was written by Arturo Borrero Gonzalez +<arturo@debian.org> for the Debian project, but may be used by others. 
+ +This documentation is free/libre under the terms of the GPLv2+. |
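Review bot: the symlink example in the USAGE section points the per-tool names at binaries this commit does not create (`/sbin/iptables \-> /usr/sbin/iptables-nft-multi`, `/sbin/arptables \-> /usr/sbin/arptables-nft-multi`, `/sbin/ebtables \-> /usr/sbin/ebtables-nft-multi`); per the commit message the single multi-call binary is now xtables-nft-multi, so all four targets should be /usr/sbin/xtables-nft-multi, and the ip6tables line additionally misspells its target as `ip6tables-nft-mulit`. In the same file, the first DESCRIPTION paragraph carries a dangling fragment ("is set of tools to help the system administrator migrate...") that lost its subject and should be joined to the preceding sentence; "rule additions are deletions are always atomic" should read "additions and deletions"; and "all tables an chain being created" should read "all tables and chains". The migration example (`iptables-legacy-save > myruleset` followed by `iptables-nft-restore myruleset`) deserves one more sentence: the x_tables ruleset that was saved stays loaded in the kernel and is still evaluated alongside the new nf_tables one, so the administrator has to flush the legacy tables afterwards (for example `iptables-legacy -t filter -F`, repeated per table) or unload the ip_tables modules, otherwise two rulesets filter the same traffic. Likewise the EXAMPLES note that the first listing creates every table and base chain means that a bare `iptables-nft -L` on a production host registers new nf_tables hooks as a side effect, which is worth stating explicitly rather than in parentheses.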