Patrick McHardy kaber@trash.net 2008 Patrick McHardy nftables 8 nftables Administration tool for packet filtering and classification nftables -n/--numeric -I/--includepath directory -f/--file filename -i/--interactive cmd nftables -h/--help -v/--version nftables is used to set up, maintain and inspect packet filtering and classification rules in the Linux kernel. For a full summary of options, run nftables --help. -h/--help Show help message and all options. -v/--version Show version. -n/--numeric Numeric output: IP addresses and other information that might need network traffic to resolve to symbolic names are shown numerically. -I/--includepath directory Add the directory directory to the list of directories to by searched for included files. -f/--file filename Read input from filename. -i/--interactive Read input from an interactive readline CLI. Input is parsed line-wise. When the last character of a line just before the newline character is a non-quoted backslash (\), the newline is treated as a line continuation. A # begins a comment. All following characters on the same line are ignored. Other files can be included by using include "filename". table add delete list flush family table Tables are containers for chains. They are identified by their family and their name. The family must be one of ip ip6 arp bridge . When no family is specified, ip is used by default. add Add a new table for the given family with the given name. delete Delete the specified table. list List all chains and rules of the specified table. flush Flush all chains and rules of the specified table. chain add family table chain hook priority chain add delete list flush family table chain Chains are containers for rules. They exist in two kinds, basechains and regular chains. A basecase is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization. add Add a new chain in the specified table. When a hook and priority value are specified, the chain is created as a base chain and hooked up to the networking stack. delete Delete the specified chain. list List all rules of the specified chain. flush Flush all rules of the specified chain. rule add delete family table chain handle handle statement Rules are constructed from two kinds of components according to a set of rules: expressions and statements. The lowest order expression is a primary expression, representing either a constant or a single datum from a packets payload, meta data or a stateful module. Primary expressions can be used as arguments to relational expressions (equality, set membership, ...) to construct match expressions. A meta expression refers to meta data associated with a packet. Keyword Description Type length Length of the packet in bytes Numeric (32 bit) protocol Ethertype protocol value ethertype priority TC packet priority Numeric (32 bit) mark Packet mark packetmark iif Input interface index ifindex iifname Input interface name ifname iiftype Input interface hardware type hwtype oif Output interface index ifindex oifname Output interface name ifname oiftype Output interface hardware type hwtype skuid UID associated with originating socket uid skgid GID associated with originating socket gid rtclassid Routing realm realm Type Description ifindex Interface index (32 bit number). Can be specified numerically or as name of an existing interface. ifname Interface name (16 byte string). Does not have to exist. uid User ID (32 bit number). Can be specified numerically or as user name. gid Group ID (32 bit number). Can be specified numerically or as group name. realm Routing Realm (32 bit number). Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms. Keyword Description daddr Destination address saddr Source address type EtherType Keyword Description id VLAN ID (VID) cfi Canonical Format Indicator pcp Priority code point type EtherType Keyword Description htype ARP hardware type ptype EtherType hlen Hardware address len plen Protocol address len op Operation Keyword Description version IP header version (4) hdrlength IP header length including options tos Type Of Service length Total packet length id IP ID frag-off Fragment offset ttl Time to live protocol Upper layer protocol checksum IP header checksum saddr Source address daddr Destination address Keyword Description version IP header version (6) priority flowlabel length nexthdr Nexthdr protocol hoplimit saddr Source address daddr Destination address Keyword Description sport Source port dport Destination port vtag Verfication Tag checksum Checksum Keyword Description sport Source port dport Destination port Keyword Description sport Source port dport Destination port sequence Sequence number ackseq Acknowledgement number doff Data offset reserved Reserved area flags TCP flags window Window checksum Checksum urgptr Urgent pointer Keyword Description sport Source port dport Destination port length Total packet length checksum Checksum Keyword Description sport Source port dport Destination port cscov Checksum coverage checksum Checksum Keyword Description nexthdr Next header protocol hdrlength AH Header length reserved Reserved area spi Security Parameter Index sequence Sequence number Keyword Description spi Security Parameter Index sequence Sequence number Keyword Description nexthdr Next header protocol flags Flags cfi Compression Parameter Index On success, nftables exits with a status of 0. Unspecified errors cause it to exit with a status of 1, memory allocation errors with a status of 2. iptables(8) ip6tables(8) arptables(8) ebtables(8) ip(8) tc(8) nftables was written by Patrick McHardy. Copyright © 2008 Patrick McHardy kaber@trash.net This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation.