{"id":3251,"date":"2022-12-20T16:43:58","date_gmt":"2022-12-20T19:43:58","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/xtables-nft-man8\/"},"modified":"2022-12-20T16:43:58","modified_gmt":"2022-12-20T19:43:58","slug":"xtables-nft-man8","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/xtables-nft-man8\/","title":{"rendered":"XTABLES-NFT (man8)"},"content":{"rendered":"

XTABLES-NFT<\/h1>\n

NAME<\/a>
DESCRIPTION<\/a>
USAGE<\/a>
DIFFERENCES TO LEGACY IPTABLES<\/a>
EXAMPLES<\/a>
LIMITATIONS<\/a>
SEE ALSO<\/a>
AUTHORS<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

xtables-nft \u2014 iptables using nftables kernel api<\/p>\n

DESCRIPTION <\/a> <\/h2>\n

xtables-nft<\/b> are versions of iptables that use the nftables API. This is a set of tools to help the system administrator migrate the ruleset from iptables(8)<\/b>, ip6tables(8)<\/b>, arptables(8)<\/b>, and ebtables(8)<\/b> to nftables(8)<\/b>.<\/p>\n

The xtables-nft<\/b> set is composed of several commands:<\/p>\n\n\n\n\n\n\n\n\n\n
<\/td>\n\n

\u2022<\/p>\n<\/td>\n

<\/td>\n\n

iptables\u2212nft<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

\u2022<\/p>\n<\/td>\n

<\/td>\n\n

iptables\u2212nft\u2212save<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

\u2022<\/p>\n<\/td>\n

<\/td>\n\n

iptables\u2212nft\u2212restore<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

\u2022<\/p>\n<\/td>\n

<\/td>\n\n

ip6tables\u2212nft<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

\u2022<\/p>\n<\/td>\n

<\/td>\n\n

ip6tables\u2212nft\u2212save<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

\u2022<\/p>\n<\/td>\n

<\/td>\n\n

ip6tables\u2212nft\u2212restore<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

\u2022<\/p>\n<\/td>\n

<\/td>\n\n

arptables\u2212nft<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

\u2022<\/p>\n<\/td>\n

<\/td>\n\n

ebtables\u2212nft<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

These tools use the libxtables framework extensions and hook to the nf_tables kernel subsystem using the nft_compat<\/b> module.<\/p>\n

USAGE <\/a> <\/h2>\n

The xtables-nft tools allow you to manage the nf_tables backend using the native syntax of iptables(8)<\/b>, ip6tables(8)<\/b>, arptables(8)<\/b>, and ebtables(8)<\/b>.<\/p>\n

You should use the xtables-nft tools exactly the same way as you would use the corresponding original tools.<\/p>\n

Adding a rule will result in that rule being added to the nf_tables kernel subsystem instead. Listing the ruleset will use the nf_tables backend as well.<\/p>\n

When these tools were designed, the main idea was to replace each legacy binary with a symlink to the xtables-nft program, for example:<\/p>\n

\/sbin\/iptables -> \/usr\/sbin\/iptables\u2212nft\u2212multi<\/p>\n\n\n\n\n
<\/td>\n\n

\/sbin\/ip6tables -> \/usr\/sbin\/ip6tables\u2212nft\u2212multi<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

\/sbin\/arptables -> \/usr\/sbin\/arptables\u2212nft\u2212multi<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

\/sbin\/ebtables -> \/usr\/sbin\/ebtables\u2212nft\u2212multi<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

The iptables version string will indicate whether the legacy API (get\/setsockopt) or the new nf_tables api is used:<\/p>\n\n\n\n
<\/td>\n\n

iptables \u2212V<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

iptables v1.7 (nf_tables)<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

DIFFERENCES TO LEGACY IPTABLES <\/a> <\/h2>\n

Because the xtables-nft tools use the nf_tables kernel API, rule additions and deletions are always atomic. Unlike iptables-legacy, iptables-nft \u2212A .. will NOT need to retrieve the current ruleset from the kernel, change it, and re-load the altered ruleset. Instead, iptables-nft will tell the kernel to add one rule. For this reason, the iptables-legacy \u2212\u2212wait option is a no-op in iptables-nft.<\/p>\n

Use of the xtables-nft tools allow monitoring ruleset changes using the xtables\u2212monitor(8)<\/b> command.<\/p>\n

When using \u2212j TRACE to debug packet traversal to the ruleset, note that you will need to use xtables\u2212monitor(8)<\/b> in \u2212\u2212trace mode to obtain monitoring trace events.<\/p>\n

EXAMPLES <\/a> <\/h2>\n

One basic example is creating the skeleton ruleset in nf_tables from the xtables-nft tools, in a fresh machine:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
<\/td>\n<\/td>\n\n

root@machine:~# iptables\u2212nft \u2212L<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

[…]<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

root@machine:~# ip6tables\u2212nft \u2212L<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

[…]<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

root@machine:~# arptables\u2212nft \u2212L<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

[…]<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

root@machine:~# ebtables\u2212nft \u2212L<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

[…]<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

root@machine:~# nft list ruleset<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

table ip filter {<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n\n

chain INPUT {<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n <\/td>\n\n

type filter hook input priority 0; policy accept;<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n <\/td>\n <\/td>\n\n

}<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n\n

chain FORWARD {<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n <\/td>\n\n

type filter hook forward priority 0; policy accept;<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n <\/td>\n <\/td>\n\n

}<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n\n

chain OUTPUT {<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n <\/td>\n\n

type filter hook output priority 0; policy accept;<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n <\/td>\n <\/td>\n\n

}<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

}<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

table ip6 filter {<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n\n

chain INPUT {<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n <\/td>\n\n

type filter hook input priority 0; policy accept;<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n <\/td>\n <\/td>\n\n

}<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n\n

chain FORWARD {<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n <\/td>\n\n

type filter hook forward priority 0; policy accept;<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n <\/td>\n <\/td>\n\n

}<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n\n

chain OUTPUT {<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n <\/td>\n\n

type filter hook output priority 0; policy accept;<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n <\/td>\n <\/td>\n\n

}<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

}<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

table bridge filter {<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n\n

chain INPUT {<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n <\/td>\n\n

type filter hook input priority \u2212200; policy accept;<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n <\/td>\n <\/td>\n\n

}<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n\n

chain FORWARD {<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n <\/td>\n\n

type filter hook forward priority \u2212200; policy accept;<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n <\/td>\n <\/td>\n\n

}<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n\n

chain OUTPUT {<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n <\/td>\n\n

type filter hook output priority \u2212200; policy accept;<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n <\/td>\n <\/td>\n\n

}<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

}<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

table arp filter {<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n\n

chain INPUT {<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n <\/td>\n\n

type filter hook input priority 0; policy accept;<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n <\/td>\n <\/td>\n\n

}<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n\n

chain FORWARD {<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n <\/td>\n\n

type filter hook forward priority 0; policy accept;<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n <\/td>\n <\/td>\n\n

}<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n\n

chain OUTPUT {<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n <\/td>\n <\/td>\n <\/td>\n\n

type filter hook output priority 0; policy accept;<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n <\/td>\n <\/td>\n\n

}<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n<\/td>\n\n

}<\/p>\n<\/td>\n

<\/td>\n <\/td>\n<\/tr>\n<\/table>\n

(please note that in fresh machines, listing the ruleset for the first time results in all tables an chain being created).<\/p>\n

To migrate your complete filter ruleset, in the case of iptables(8)<\/b>, you would use:<\/p>\n\n\n\n
<\/td>\n\n

root@machine:~# iptables\u2212legacy\u2212save > myruleset # reads from x_tables<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

root@machine:~# iptables\u2212nft\u2212restore myruleset # writes to nf_tables<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

or<\/p>\n\n\n
<\/td>\n\n

root@machine:~# iptables\u2212legacy\u2212save | iptables-translate-restore | less<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

to see how rules would look like in the nft nft(8)<\/b> syntax.<\/p>\n

LIMITATIONS <\/a> <\/h2>\n

You should use Linux kernel >= 4.17<\/b>.<\/p>\n

The CLUSTERIP target is not supported.<\/p>\n

To get up-to-date information about this, please head to http:\/\/wiki.nftables.org\/<\/b>.<\/p>\n

SEE ALSO <\/a> <\/h2>\n

nft(8)<\/b>, xtables\u2212translate(8)<\/b>, xtables\u2212monitor(8)<\/b><\/p>\n

AUTHORS <\/a> <\/h2>\n

The nftables framework is written by the Netfilter project (https:\/\/www.netfilter.org).<\/p>\n

This manual page was written by Arturo Borrero Gonzalez for the Debian project, but may be used by others.<\/p>\n

This documentation is free\/libre under the terms of the GPLv2+.<\/p>\n

\n","protected":false},"excerpt":{"rendered":"

xtables-nft \u2014 iptables using nftables kernel api <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[5,52,4,388],"class_list":["post-3251","post","type-post","status-publish","format-standard","hentry","category-8-administracion-del-sistema","tag-5","tag-administracion","tag-man8","tag-xtables-nft"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=3251"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3251\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=3251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=3251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=3251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}