path: root/iptables/xtables-nft.8
author: Florian Westphal <fw@strlen.de> 2018-06-18 09:18:28 +0200
committer: Florian Westphal <fw@strlen.de> 2018-06-27 23:44:04 +0200
commit: be70918eab26e0c5fe219fefab325056144976d9 (patch)
tree: ab256347ade0a13ccc8f91da83282436a18c8957 /iptables/xtables-nft.8
parent: d49ba500efd4dc50eef10324f3c0b4f7ce5d6e3e (diff)
xtables: rename xt-multi binaries to -nft, -legacy
This adds a clear distinction between old iptables (formerly xtables-multi, now xtables-legacy-multi) and new iptables (formerly xtables-compat-multi, now xtables-nft-multi).

Users will get the ip/ip6tables names via symbolic links; having a distinct name postfix for the legacy/nft variants helps to make a clear distinction, as iptables-nft will always use nf_tables and iptables-legacy always uses get/setsockopt, whereas "iptables" could be symlinked to either -nft or -legacy.

Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/xtables-nft.8')
-rw-r--r-- iptables/xtables-nft.8 201
1 files changed, 201 insertions, 0 deletions
diff --git a/iptables/xtables-nft.8 b/iptables/xtables-nft.8
new file mode 100644
index 00000000..91d5b54e
--- /dev/null
+++ b/iptables/xtables-nft.8
@@ -0,0 +1,201 @@
+.\"
+.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez <arturo@netfilter.org>
+.\"
+.\" %%%LICENSE_START(GPLv2+_DOC_FULL)
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, see
+.\" <http://www.gnu.org/licenses/>.
+.\" %%%LICENSE_END
+.\"
+.TH XTABLES-NFT 8 "June 2018"
+
+.SH NAME
+xtables-nft \- iptables using nftables kernel api
+
+.SH DESCRIPTION
+\fBxtables-nft\fP are versions of iptables that use the nftables api.
+ is set of tools to help the system administrator migrate the
+ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and
+\fBebtables(8)\fP to \fBnftables(8)\fP.
+
+The \fBxtables-nft\fP set is composed of several commands:
+.IP \[bu] 2
+iptables-nft
+.IP \[bu]
+iptables-nft-save
+.IP \[bu]
+iptables-nft-restore
+.IP \[bu]
+ip6tables-nft
+.IP \[bu]
+ip6tables-nft-save
+.IP \[bu]
+ip6tables-nft-restore
+.IP \[bu]
+arptables-nft
+.IP \[bu]
+ebtables-nft
+
+These tools use the libxtables framework extensions and hook to the nf_tables
+kernel subsystem using the \fBnft_compat\fP module.
+
+.SH USAGE
+The xtables-nft tools allow you to manage the nf_tables backend using the
+native syntax of \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and
+\fBebtables(8)\fP.
+
+You should use the xtables-nft tools exactly the same way as you would use the
+corresponding original tool.
+
+Adding a rule will result in that rule being added to the nf_tables kernel
+subsystem instead.
+Listing the ruleset will use the nf_tables backend as well.
+
+When these tools were designed, the main idea was to replace each legacy binary
+with a symlink to the xtables-nft program, for example:
+
+.nf
+ /sbin/iptables \-> /usr/sbin/iptables-nft-multi
+ /sbin/ip6tables \-> /usr/sbin/ip6tables-nft-mulit
+ /sbin/arptables \-> /usr/sbin/arptables-nft-multi
+ /sbin/ebtables \-> /usr/sbin/ebtables-nft-multi
+.fi
+
+The iptables version string will indicate if the legacy API (get/setsockopt) or
+the new nf_tables api is used:
+.nf
+ iptables \-V
+ iptables v1.7 (nf_tables)
+.fi
+
+.SH DIFFERENCES TO LEGACY IPTABLES
+
+Because the xtables-nft tools use the nf_tables kernel api, rule additions
+are deletions are always atomic. Unlike iptables-legacy, iptables-nft \-A ..
+will NOT need to retrieve the current ruleset from the kernel, change it, and
+re-load the altered ruleset. Instead, iptables-nft will tell the kernel to add
+one rule. For this reason, the iptables-legacy \-\-wait option is a no-op in
+iptables-nft.
+
+Use of the xtables-nft tools allow monitoring ruleset changes using the
+.B xtables-monitor(8)
+command.
+
+When using \-j TRACE to debug packet traversal to the ruleset, note that you will need to use
+.B xtables-monitor(8)
+in \-\-trace mode to obtain monitoring trace events.
+
+.SH EXAMPLES
+One basic example is creating the skeleton ruleset in nf_tables from the
+xtables-nft tools, in a fresh machine:
+
+.nf
+ root@machine:~# iptables-nft -L
+ [...]
+ root@machine:~# ip6tables-nft -L
+ [...]
+ root@machine:~# arptables-nft -L
+ [...]
+ root@machine:~# ebtables-nft -L
+ [...]
+ root@machine:~# nft list ruleset
+ table ip filter {
+ chain INPUT {
+ type filter hook input priority 0; policy accept;
+ }
+
+ chain FORWARD {
+ type filter hook forward priority 0; policy accept;
+ }
+
+ chain OUTPUT {
+ type filter hook output priority 0; policy accept;
+ }
+ }
+ table ip6 filter {
+ chain INPUT {
+ type filter hook input priority 0; policy accept;
+ }
+
+ chain FORWARD {
+ type filter hook forward priority 0; policy accept;
+ }
+
+ chain OUTPUT {
+ type filter hook output priority 0; policy accept;
+ }
+ }
+ table bridge filter {
+ chain INPUT {
+ type filter hook input priority -200; policy accept;
+ }
+
+ chain FORWARD {
+ type filter hook forward priority -200; policy accept;
+ }
+
+ chain OUTPUT {
+ type filter hook output priority -200; policy accept;
+ }
+ }
+ table arp filter {
+ chain INPUT {
+ type filter hook input priority 0; policy accept;
+ }
+
+ chain FORWARD {
+ type filter hook forward priority 0; policy accept;
+ }
+
+ chain OUTPUT {
+ type filter hook output priority 0; policy accept;
+ }
+ }
+.fi
+
+(please note that in fresh machines, listing the ruleset for the first time
+results in all tables an chain being created).
+
+To migrate your complete filter ruleset, in the case of \fBiptables(8)\fP,
+you would use:
+
+.nf
+ root@machine:~# iptables-legacy-save > myruleset # reads from x_tables
+ root@machine:~# iptables-nft-restore myruleset # writes to nf_tables
+.fi
+
+
+.SH LIMITATIONS
+You should use \fBLinux kernel >= 4.17\fP.
+
+The CLUSTERIP target is not supported.
+
+To get up-to-date information about this, please head to
+\fBhttp://wiki.nftables.org/\fP.
+
+.SH SEE ALSO
+\fBnft(8)\fP, \fBxtables\-translate(8)\fP, \fBxtables\-monitor(8)\fP
+
+.SH AUTHORS
+The nftables framework is written by the Netfilter project
+(https://www.netfilter.org).
+
+This manual page was written by Arturo Borrero Gonzalez
+<arturo@debian.org> for the Debian project, but may be used by others.
+
+This documentation is free/libre under the terms of the GPLv2+.
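Review bot: the symlink example under USAGE points /sbin/iptables, /sbin/ip6tables, /sbin/arptables and /sbin/ebtables at `iptables-nft-multi`, `ip6tables-nft-mulit` (misspelled), `arptables-nft-multi` and `ebtables-nft-multi`, but the multi-call binary this commit introduces is `xtables-nft-multi` (the commit message says "formerly xtables-compat-multi, now xtables-nft-multi") and the per-tool names listed in DESCRIPTION are iptables-nft, ip6tables-nft, arptables-nft and ebtables-nft; the example should use names that actually get installed, e.g. `/sbin/iptables \-> /usr/sbin/iptables-nft`, and the `mulit` typo should go. Since the whole point of the rename is that a bare `iptables` may resolve to either backend, it would also help to show next to the `iptables \-V` example what the legacy variant prints, so an admin can tell from the version string which API their symlink ends up on. Smaller wording fixes in the same hunk: the DESCRIPTION opens with a dangling fragment (" is set of tools to help..." has lost its subject, and "are versions of iptables" reads better as "are versions of the iptables tools"); "rule additions are deletions are always atomic" should be "rule additions and deletions are always atomic"; "Use of the xtables-nft tools allow monitoring" needs "allows" to agree with its subject; and "all tables an chain being created" should be "all tables and chains being created".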