Quick reference-nftables in 10 minutes
Source: https://wiki.nftables.org/wiki-nftables ... 10_minutes
Find below some basic concepts to know before using nftables.
table refers to a container of chains; a table belongs to one address family and has no semantics of its own.
chain within a table refers to a container of rules. A base chain is registered with a Netfilter hook and sees traffic; a regular chain has no hook and is only reached through jump or goto.
rule refers to a set of matches plus the statements (actions) to execute within a chain when all matches succeed.
nft command line
nft is the userspace command line tool for interacting with nftables. It needs CAP_NET_ADMIN (normally root) for anything that reads or changes the ruleset.
Tables
family refers to one of the following table types: ip, arp, ip6, bridge, inet, netdev. If the family is omitted, ip is assumed; inet covers both IPv4 and IPv6 in a single table.
% nft list tables [<family>]
% nft list table [<family>] <name> [-n] [-a]
% nft (add | delete | flush) table [<family>] <name>
The -n argument prints addresses, ports and similar values numerically instead of resolving them to names. The -a argument displays the handle of every object, which is needed to address individual rules (see Rules below).
Chains
type refers to the kind of chain to be created. Possible types are:
filter: Supported by the arp, bridge, ip, ip6 and inet table families.
route: Re-routes packets whose IP header fields or packet mark the chain has changed (the role of the mangle table for OUTPUT in iptables). Only valid for the output hook; for other hooks use type filter instead. Supported by ip and ip6.
nat: Performs Network Address Translation. Supported by ip and ip6. Only the first packet of each connection traverses a nat chain; connection tracking applies the resulting mapping to the rest of the flow.
hook refers to a specific stage of the packet while it is being processed through the kernel. More info in Netfilter hooks.
The hooks for the ip, ip6 and inet families are: prerouting, input, forward, output, postrouting.
The hooks for the arp family are: input, output.
The bridge family handles Ethernet frames traversing bridge devices and offers the same hooks as ip: prerouting, input, forward, output, postrouting.
The hook for netdev is: ingress. A netdev chain is bound to a single interface with the device keyword and sees every frame that interface receives, before any IP processing.
priority is a number that orders the chains registered on the same hook, lower values first, and places them relative to the built-in Netfilter operations. Commonly used values are: NF_IP_PRI_CONNTRACK_DEFRAG (-400), NF_IP_PRI_RAW (-300), NF_IP_PRI_SELINUX_FIRST (-225), NF_IP_PRI_CONNTRACK (-200), NF_IP_PRI_MANGLE (-150), NF_IP_PRI_NAT_DST (-100), NF_IP_PRI_FILTER (0), NF_IP_PRI_SECURITY (50), NF_IP_PRI_NAT_SRC (100), NF_IP_PRI_SELINUX_LAST (225), NF_IP_PRI_CONNTRACK_HELPER (300). For example, a chain at -300 (raw) runs before connection tracking, so conntrack matches have no result there yet and this is where notrack belongs; a nat chain on prerouting uses -100 so that DNAT happens before the routing decision.
policy is the default verdict for packets that reach the end of a base chain without hitting a terminal verdict. Possible values are: accept (default) and drop. Warning: setting the policy to drop discards every packet that has not been explicitly accepted by the ruleset, which on a remote machine includes the session you are configuring it from; accept established/related traffic and your management access before switching the policy.
% nft (add | create) chain [<family>] <table> <name> [ { type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] } ]
% nft (delete | list | flush) chain [<family>] <table> <name>
% nft rename chain [<family>] <table> <name> <newname>
The braces and semicolons are part of the nft syntax; the backslashes only protect the semicolons from the shell. In a file loaded with nft -f they are written as plain semicolons. create differs from add in that it fails if the chain already exists.
Rules
handle is an internal number that identifies a certain rule. Handles are assigned by the kernel when a rule is committed and are shown by nft -a list chain ...; they are the only stable way to address one rule for replace or delete.
position is the handle of an existing rule that the new rule is placed next to: insert rule ... position <handle> puts it before that rule, add rule ... position <handle> puts it after. Recent nft versions spell this handle <handle> and also accept index <n>, a zero-based position within the chain. Without either, add appends to the end of the chain and insert prepends to its beginning.
% nft add rule [<family>] <table> <chain> <matches> <statements>
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements>
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements>
% nft delete rule [<family>] <table> <chain> [handle <handle>]
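The table, chain and rule commands above can also be written to a file and loaded with nft -f, which applies the whole file as one atomic transaction. The following script is an added example, not taken from the wiki page: the table name demo, the chain names, the shebang path and the 192.0.2.0/24 prefix (RFC 5737 documentation space standing in for a management network) are all placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: load with "nft -f <file>". All names below are arbitrary.
flush ruleset

# One inet table serves IPv4 and IPv6 at once.
add table inet demo

# Base chain: type + hook + priority + policy. Registered on the input hook.
add chain inet demo inbound { type filter hook input priority 0; policy drop; }

# Second base chain on the same hook: priority -10 runs before priority 0.
add chain inet demo early { type filter hook input priority -10; policy accept; }

# Regular chain: no hook, only reachable through jump/goto from another chain.
add chain inet demo admin_ssh

# Rules are appended in order; the first terminal verdict decides the packet.
add rule inet demo inbound ct state established,related accept
add rule inet demo inbound ct state invalid drop
add rule inet demo inbound iifname "lo" accept
add rule inet demo inbound tcp dport 22 jump admin_ssh

# Body of the regular chain: accept from the management prefix, otherwise
# return to the caller, where no rule follows and the policy (drop) applies.
add rule inet demo admin_ssh ip saddr 192.0.2.0/24 accept
add rule inet demo admin_ssh counter return

# "insert" prepends: this becomes the first rule of inbound.
insert rule inet demo inbound meta nfproto ipv4 icmp type echo-request accept

# "early" sees every input packet before "inbound" does; here it only counts.
add rule inet demo early counter
```

Handles do not exist until the transaction is committed, so replace rule ... handle and delete rule ... handle cannot appear in a script that creates the rules it refers to. Read them afterwards with nft -a list chain inet demo inbound, or load the file with nft -e -f <file> to have nft echo each rule together with its handle.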
Matches
matches are expressions that read a packet header field or a piece of packet metadata and compare it with a value, a range or a set. A rule's statements run only when all of its matches succeed.
IP match
Match | Description | Example
dscp <value> | Differentiated Services Code Point | ip dscp cs1
length <length> | Total packet length | ip length 232
id <id> | IP ID | ip id 22
frag-off <value> | Fragmentation offset | ip frag-off & 0x1fff != 0 # match fragments
ttl <ttl> | Time to live | ip ttl 0
protocol <protocol> | Upper layer protocol | ip protocol tcp
checksum <checksum> | IP header checksum | ip checksum 13172
saddr <ip source address> | Source address | ip saddr 192.168.2.0/24
daddr <ip destination address> | Destination address | ip daddr 192.168.0.1
version <version> | IP header version | ip version 4
hdrlength <header length> | IP header length, in 32-bit words (the IHL field) | ip hdrlength 0
IP6 match
Match | Description | Example
dscp <value> | Differentiated Services Code Point | ip6 dscp cs1
flowlabel <label> | Flow label | ip6 flowlabel 22
length <length> | Payload length | ip6 length 232
nexthdr <header> | Next header type of the fixed IPv6 header; with extension headers present this is the first extension header, not the transport protocol (use meta l4proto for that) | ip6 nexthdr {esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6}
hoplimit <hoplimit> | Hop limit | ip6 hoplimit 1
saddr <ip source address> | Source address | ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
daddr <ip destination address> | Destination address | ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234
version <version> | IP header version | ip6 version 6
TCP match
Match | Description | Example
dport <destination port> | Destination port | tcp dport 22
sport <source port> | Source port | tcp sport 22
sequence <value> | Sequence number | tcp sequence 22
ackseq <value> | Acknowledgement number | tcp ackseq 22
flags <flags> | TCP flags | tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr }
window <value> | Window | tcp window 22
checksum <checksum> | TCP checksum | tcp checksum 22
urgptr <pointer> | Urgent pointer | tcp urgptr 22
doff <offset> | Data offset (header length in 32-bit words) | tcp doff 8
UDP match
Match | Description | Example
dport <destination port> | Destination port | udp dport 22
sport <source port> | Source port | udp sport 22
length <length> | UDP length field (header plus payload) | udp length 6666
checksum <checksum> | UDP checksum | udp checksum 22
UDPlite match
Match | Description | Example
dport <destination port> | Destination port | udplite dport 22
sport <source port> | Source port | udplite sport 22
checksum <checksum> | Checksum | udplite checksum 22
SCTP match
Match | Description | Example
dport <destination port> | Destination port | sctp dport 22
sport <source port> | Source port | sctp sport 22
checksum <checksum> | Checksum | sctp checksum 22
vtag <tag> | Verification tag | sctp vtag 22
chunk <type> | Existence of a chunk with the given type in the packet | sctp chunk init exists
chunk <type> <field> | A chunk's field value (implies chunk existence) |
DCCP match
Match | Description | Example
dport <destination port> | Destination port | dccp dport 22
sport <source port> | Source port | dccp sport 22
type <type> | Type of packet | dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
AH match
Match | Description | Example
hdrlength <length> | AH header length | ah hdrlength 11-23
reserved <value> | Reserved field | ah reserved 22
spi <value> | Security Parameters Index | ah spi 111
sequence <sequence> | Sequence number | ah sequence 123
ESP match
Match | Description | Example
spi <value> | Security Parameters Index | esp spi 111
sequence <sequence> | Sequence number | esp sequence 123
COMP match
Match | Description | Example
nexthdr <protocol> | Next header protocol (upper layer protocol) | comp nexthdr != esp
flags <flags> | Flags | comp flags 0x0
cpi <value> | Compression Parameter Index | comp cpi 22
ICMP match
Match | Description | Example
type <type> | ICMP packet type | icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}
code <code> | ICMP packet code | icmp code 111
checksum <value> | ICMP packet checksum | icmp checksum 12343
id <value> | ICMP packet id | icmp id 12343
sequence <value> | ICMP packet sequence | icmp sequence 12343
mtu <value> | ICMP packet mtu | icmp mtu 12343
gateway <value> | ICMP packet gateway | icmp gateway 12343
ICMPv6 match
Match | Description | Example
type <type> | ICMPv6 packet type | icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report}
code <code> | ICMPv6 packet code | icmpv6 code 4
checksum <value> | ICMPv6 packet checksum | icmpv6 checksum 12343
id <value> | ICMPv6 packet id | icmpv6 id 12343
sequence <value> | ICMPv6 packet sequence | icmpv6 sequence 12343
mtu <value> | ICMPv6 packet mtu | icmpv6 mtu 12343
max-delay <value> | ICMPv6 packet max delay | icmpv6 max-delay 33-45
ETHER match
Match | Description | Example
saddr <mac address> | Source MAC address | ether saddr 00:0f:54:0c:11:04
type <type> | EtherType | ether type vlan
DST match (IPv6 destination options extension header)
Match | Description | Example
nexthdr <proto> | Next protocol header | dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
hdrlength <length> | Header length | dst hdrlength 22
FRAG match (IPv6 fragment extension header)
Match | Description | Example
nexthdr <proto> | Next protocol header | frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp }
reserved <value> | Reserved field | frag reserved 22
frag-off <value> | Fragment offset | frag frag-off 22
more-fragments <value> | More fragments flag | frag more-fragments 0
id <value> | Identification | frag id 1
HBH match (IPv6 hop-by-hop options extension header)
Match | Description | Example
nexthdr <proto> | Next protocol header | hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6 }
hdrlength <length> | Header length | hbh hdrlength 22
MH match (IPv6 mobility header)
Match | Description | Example
nexthdr <proto> | Next protocol header | mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
hdrlength <length> | Header length | mh hdrlength 22
type <type> | Mobility header type | mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
reserved <value> | Reserved field | mh reserved 22
checksum <value> | Checksum | mh checksum 22
RT match (IPv6 routing extension header)
Match | Description | Example
nexthdr <proto> | Next protocol header | rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
hdrlength <length> | Header length | rt hdrlength 22
type <type> | Routing type | rt type 22
seg-left <value> | Segments left | rt seg-left 22
VLAN match
Match | Description | Example
id <value> | VLAN tag ID | vlan id 4094
cfi <value> | Canonical Format Indicator | vlan cfi 0
pcp <value> | Priority Code Point | vlan pcp 7
ARP match
Match | Description | Example
ptype <value> | Protocol type (EtherType of the addresses carried, 0x0800 for IPv4) | arp ptype 0x0800
htype <value> | Hardware type (1 for Ethernet) | arp htype 1
hlen <length> | Hardware address length | arp hlen 1
plen <length> | Protocol address length | arp plen 1
operation <value> | ARP operation | arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
CT match
Match | Description | Example
state <state> | State of the connection (invalid, established, related, new, untracked) | ct state { new, established, related, untracked }
direction <value> | Direction of the packet relative to the connection (original or reply) | ct direction original
status <status> | Status of the connection | ct status expected
mark [set] <mark> | Mark of the connection | ct mark 0
expiration <time> | Connection expiration time | ct expiration 30
helper "<helper>" | Helper associated with the connection | ct helper "ftp"
[original | reply] bytes <value> | Bytes seen in the given direction (needs conntrack accounting) | ct original bytes gt 100000
[original | reply] packets <value> | Packets seen in the given direction | ct reply packets < 100
[original | reply] ip saddr <ip source address> | Source address of the connection tuple in the given direction | ct original ip saddr 192.168.0.1
[original | reply] ip daddr <ip destination address> | Destination address of the connection tuple in the given direction | ct original ip daddr 192.168.0.1
[original | reply] l3proto <protocol> | Layer 3 protocol of the connection tuple | ct original l3proto ipv4
[original | reply] protocol <protocol> | Layer 4 protocol number of the connection tuple | ct original protocol 6
[original | reply] proto-dst <port> | Destination port of the connection tuple | ct original proto-dst 22
[original | reply] proto-src <port> | Source port of the connection tuple | ct reply proto-src 53
count [over] <number of connections> | Number of tracked connections sharing the key of a set update (connection limit); only usable inside add @set { ... } on a dynamic set | tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject
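The ct count row above cannot show the part that makes it work: the set it updates has to exist and be declared dynamic. The ruleset below is an added example, not from the wiki page, that declares the sets and combines the connection limit with a per-source rate limit on new SSH connections; the table and set names, the limits and the port are placeholders. ct count needs a kernel with the nft_connlimit module (Linux 4.18 or newer).

```nft
# Added example: per-source connection limit and rate limit for SSH.
# Names, thresholds and the port are placeholders.
flush ruleset
table inet demo {
    # key -> live connection count; "dynamic" lets rules add elements at run time
    set ssh_conns {
        type ipv4_addr
        size 65535
        flags dynamic
    }
    # key -> token bucket; entries expire 1 minute after their last update
    set ssh_new {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        timeout 1m
    }
    chain inbound {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Connection limit: on each new SSH connection the source address is added
        # to (or looked up in) ssh_conns; the rule matches when that source already
        # holds more than 3 tracked SSH connections, and the SYN gets a RST back.
        tcp dport 22 ct state new add @ssh_new { ip saddr limit rate over 10/minute } counter drop
        tcp dport 22 ct state new add @ssh_conns { ip saddr ct count over 3 } counter reject with tcp reset
        tcp dport 22 ct state new accept
    }
}
```

The rate-limit rule comes first so that a flood is dropped before it is counted. Both keys are ip saddr, so these rules only act on IPv4; IPv6 needs a second pair of sets of type ipv6_addr keyed on ip6 saddr. Watch the element counters with nft list set inet demo ssh_conns.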
Meta match
meta matches on packet metadata rather than on header fields.
Match | Description | Example
iifname <input interface name> | Input interface name; compared as a string at run time, so the interface need not exist when the rule is loaded | meta iifname "eth0"
oifname <output interface name> | Output interface name | meta oifname "eth0"
iif <input interface index> | Input interface index; the name is resolved to an index when the rule is loaded, so the interface must already exist and the rule stops matching if the interface is deleted and re-created | meta iif eth0
oif <output interface index> | Output interface index | meta oif lo
iiftype <input interface type> | Input interface hardware type | meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
oiftype <output interface type> | Output interface hardware type | meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
length <length> | Length of the packet in bytes | meta length 1000
protocol <protocol> | EtherType protocol | meta protocol ip
nfproto <protocol> | Netfilter protocol family of the packet (ipv4 or ipv6); the way to tell the two apart in an inet chain | meta nfproto ipv4
l4proto <protocol> | Layer 4 protocol number; unlike ip protocol or ip6 nexthdr it looks past IPv6 extension headers | meta l4proto 22
mark [set] <mark> | Packet mark | meta mark 0x4
priority [set] <priority> | tc class id | meta priority none
skuid <user id> | UID associated with the originating socket (locally generated packets only) | meta skuid {bin, root, daemon}
skgid <group id> | GID associated with the originating socket | meta skgid {bin, root, daemon}
rtclassid <class> | Routing realm | meta rtclassid cosmos
pkttype <type> | Packet type (host, broadcast, multicast, other) | meta pkttype broadcast
cpu <cpu index> | CPU ID | meta cpu 1
iifgroup <input group> | Input interface group | meta iifgroup 0
oifgroup <group> | Output interface group | meta oifgroup 0
cgroup <group> | Control group classid (cgroup v1 net_cls) of the originating socket | meta cgroup 1048577
Statements
statement is the action performed when the packet matches the rule. A statement is either terminal (it ends evaluation of the rule, as every verdict and reject do) or non-terminal (counter, log, limit, mark updates). A rule may contain several non-terminal statements but only one terminal statement, and the terminal one has to come last.
Verdict statements
The verdict statement alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:
accept: Accept the packet and stop evaluating the remaining rules. accept is final only for this chain: other base chains registered on the same hook with a higher priority value still see the packet and may drop it.
drop: Drop the packet silently and stop evaluating the remaining rules; no later chain sees it.
queue: Queue the packet to userspace (nfnetlink_queue) and stop evaluating the remaining rules; the userspace program issues the final verdict.
continue: Continue ruleset evaluation with the next rule. This is what happens anyway when a rule has no verdict.
return: Return from the current chain and continue at the next rule of the calling chain. In a base chain it ends evaluation, so the chain's policy applies.
jump <chain>: Continue at the first rule of <chain>. When <chain> ends or issues return, evaluation resumes at the rule after the jump.
goto <chain>: Like jump, but the current chain is left for good: when <chain> ends, evaluation resumes in the chain that called the current one, and for a base chain that means its policy applies.
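The difference between jump, return and goto is easiest to see with counters in place. The ruleset below is an added example and not part of the wiki page; the table and chain names and the 192.0.2.0/24 prefix (RFC 5737 documentation space, standing in for a trusted network) are placeholders. It also shows the log, limit and reject statements that are described further down.

```nft
# Added example: jump/return versus goto, plus rate-limited logging and reject.
# Names and the 192.0.2.0/24 prefix are placeholders.
flush ruleset
table inet demo {
    chain inbound {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # jump: when tcp_services ends or issues "return", evaluation resumes at the next rule here
        tcp dport { 22, 443 } jump tcp_services
        # goto: dns_policy replaces inbound on the call stack. If it ends without a verdict,
        # evaluation continues in inbound's caller, and for a base chain that is the policy (drop).
        udp dport 53 goto dns_policy
        # Only reached by falling through from the jump above: log at most 5 lines a minute
        # (burst 20), then reject instead of letting the policy drop silently.
        limit rate 5/minute burst 20 packets log prefix "inbound-reject " level info
        meta l4proto tcp counter reject with tcp reset
        counter reject with icmpx type port-unreachable   # icmpx: same rule for IPv4 and IPv6
    }
    chain tcp_services {
        ip saddr 192.0.2.0/24 counter accept
        tcp dport 443 counter accept
        counter return          # back to inbound, rule after the jump
    }
    chain dns_policy {
        ip saddr 192.0.2.53 counter accept
        # deliberately no final verdict: see the goto comment above
    }
}
```

Outcome for a source outside 192.0.2.0/24: a SYN to port 22 walks tcp_services, returns, is logged and answered with a RST; a DNS query to port 53 is dropped silently, because goto removed inbound from the return path and the log and reject rules are never reached. Compare the counters with nft list table inet demo after sending both kinds of traffic.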
Log statement
log is non-terminal: the packet is recorded and evaluation continues. Pair it with limit rate so that an attacker cannot flood the log.
Statement | Description | Example
log [level <level>] | Log the packet to the kernel log (dmesg/syslog) at the given syslog level: emerg, alert, crit, err, warn (default), notice, info, debug | log level info
log [prefix "<prefix>"] group <value> [queue-threshold <value>] [snaplen <value>] | Send the packet to an nfnetlink_log group instead, for a userspace collector such as ulogd; snaplen limits the copied bytes, queue-threshold batches messages | log prefix "aaaaa-aaaaaa" group 2 snaplen 33
Reject
reject is terminal: the packet is discarded and an error is sent back to the sender, unlike drop, which answers nothing. The default reject is an ICMP (or ICMPv6) port-unreachable message. The icmpx types (port-unreachable, host-unreachable, admin-prohibited, no-route) exist for the inet family, where one rule has to reject both IPv4 and IPv6 traffic; nft emits the matching ICMP or ICMPv6 error for each.
More information on the Rejecting_traffic page.
reject statement
Statement | Description | Example
reject [with (icmp | icmpv6 | icmpx) type <type>] | Reject with the given ICMP error type | reject with icmpx type admin-prohibited
reject with tcp reset | Reject a TCP packet with a RST; only valid for TCP, so restrict the rule with meta l4proto tcp or a tcp match | reject with tcp reset
counter statement
Statement | Description | Example
counter [packets <packets> bytes <bytes>] | Count packets and bytes hitting the rule; the optional values preset the counters (this is how nft list shows them) and are ignored for matching | counter
limit statement
Statement | Description | Example
limit rate [over] <value>/<unit> [burst <value> packets] | Token-bucket rate limit. Without over the statement matches while the rate stays below the limit (use it in front of accept or log); with over it matches once the limit is exceeded (use it in front of drop). Units are per packet; byte rates are written like limit rate 1 mbytes/second | limit rate 400/minute
nat statement
nat statements are only valid in chains of type nat and act on the first packet of a connection; conntrack rewrites the rest of the flow in both directions.
Statement | Description | Example
dnat to <destination address>[:<port>] | Destination address translation, in the prerouting (or output) hook | dnat to 192.168.3.2
snat to <ip source address>[:<port>] | Source address translation, in the postrouting hook | snat to 192.168.3.2
masquerade [random | fully-random | persistent] [to :<port>] | Source NAT to the address of the output interface, for interfaces whose address may change | masquerade
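The ruleset below is an added example, not part of the wiki page, showing the nat statements in their place: a port forward to an internal host and source NAT for a LAN, together with the forward-chain rules the NAT mappings still need. The interface names eth0 and lan0, the 10.0.0.0/24 network and 198.51.100.7 (RFC 5737 documentation space, standing in for a public address) are placeholders.

```nft
# Added example: DNAT port forward plus source NAT for a LAN.
# Interface names and addresses are placeholders.
flush ruleset
table ip nat {
    chain prerouting {
        # priority -100 (dstnat): rewrite the destination before the routing decision
        type nat hook prerouting priority -100; policy accept;
        iifname "eth0" tcp dport 8080 dnat to 10.0.0.10:80
    }
    chain postrouting {
        # priority 100 (srcnat): after routing, once the output interface is known
        type nat hook postrouting priority 100; policy accept;
        # fixed public address for one host; nat statements are terminal, so this wins over
        # the masquerade rule below for 10.0.0.10
        oifname "eth0" ip saddr 10.0.0.10 snat to 198.51.100.7
        # everything else from the LAN borrows eth0's current address
        oifname "eth0" ip saddr 10.0.0.0/24 masquerade
    }
}
table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # the NAT chains only see the first packet; the forwarded flow must still be allowed here.
        # ct status dnat limits the rule to connections that were actually rewritten by prerouting.
        iifname "eth0" oifname "lan0" ct status dnat tcp dport 80 accept
        iifname "lan0" oifname "eth0" accept
    }
}
```

Forwarding itself is a sysctl, not part of the ruleset: net.ipv4.ip_forward=1 has to be set, or the forward chain never sees a packet.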
queue statement
Statement | Description | Example
queue [num <value>[-<value>]] [bypass] [fanout] | Hand the packet to a userspace program bound to the nfnetlink_queue number (default 0). Without bypass a packet is dropped when no program is listening; with bypass it is accepted instead. fanout spreads packets over a range of queues so several worker processes can share the load | queue num 0 bypass
Extras
Export Configuration
% nft export (xml | json)
JSON is the machine-readable format current nftables releases maintain; nft -j list ruleset prints the same JSON and nft -j -f <file> loads it back.
Monitor Events
Watch ruleset changes as they are reported over Netlink, optionally filtered by event type (new or destroy) and object kind. This is also a cheap way to detect unexpected firewall changes on a host.
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]
Nft scripting
List ruleset
% nft list ruleset
Flush ruleset
% nft flush ruleset
Load ruleset
Create a command batch file and load it with the nft interpreter. The whole file is applied as one transaction: either every command succeeds or nothing changes.
% echo "flush ruleset" > /etc/nftables.rules
% echo "add table filter" >> /etc/nftables.rules
% echo "add chain filter input" >> /etc/nftables.rules
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules
% nft -f /etc/nftables.rules
or create an executable nft script file (adjust the shebang to where nft is installed, often /usr/sbin/nft),
% cat << EOF > /etc/nftables.rules
> #!/usr/local/sbin/nft -f
> flush ruleset
> add table filter
> add chain filter input
> add rule filter input meta iifname lo accept
> EOF
% chmod u+x /etc/nftables.rules
% /etc/nftables.rules
or save the running ruleset to a file and load it again later,
% nft list ruleset > /etc/nftables.rules
% nft flush ruleset
% nft -f /etc/nftables.rules
The separate flush leaves the host without a firewall between the second and third command. Putting flush ruleset as the first line of the saved file and loading it with nft -f avoids that window, because the flush and the new rules are committed together.
Examples
Simple IP/IPv6 Firewall
The first table has no family keyword, so it is created in the default ip family; the second one is ip6. A single inet table could carry both sets of rules, but keeping them apart keeps the protocol-specific icmp and icmpv6 matches unambiguous.
flush ruleset
table firewall {
    chain incoming {
        type filter hook input priority 0; policy drop;
        # established/related connections
        ct state established,related accept
        # loopback interface
        iifname lo accept
        # icmp
        icmp type echo-request accept
        # open tcp ports: sshd (22), httpd (80)
        tcp dport {ssh, http} accept
    }
}
table ip6 firewall {
    chain incoming {
        type filter hook input priority 0; policy drop;
        # established/related connections
        ct state established,related accept
        # invalid connections
        ct state invalid drop
        # loopback interface
        iifname lo accept
        # icmp
        # routers may also want: mld-listener-query, nd-router-solicit
        icmpv6 type {echo-request,nd-neighbor-solicit} accept
        # open tcp ports: sshd (22), httpd (80)
        tcp dport {ssh, http} accept
    }
}