nftables(8)

Administration tool of the nftables framework for packet filtering and classification

Section 8, package nftables, Debian bookworm

Description

'\" t

nft - Administration tool of the nftables framework for packet filtering and classification

nft [ -nNscaeSupyjtT ] [ -I directory ] [ -f filename | -i | cmd ...]
nft -h
nft -v

nft is the command line tool used to set up, maintain and inspect packet filtering and classification rules in the Linux kernel, in the nftables framework. The Linux kernel subsystem is known as nf_tables, and 'nf' stands for Netfilter.

The command accepts several different options which are documented here in groups for better understanding of their meaning. You can get information about options by running nft --help.

General options:

-h, --help

Show help message and all options.

-v, --version

Show version.

-V

Show long version information, including compile-time configuration.

Ruleset input handling options that specify how to load rulesets:

-f, --file filename

Read input from filename. If filename is -, read from stdin.

-D, --define name=value

Define a variable. You can only combine this option with -f.

-i, --interactive

Read input from an interactive readline CLI. You can use quit to exit, or use the EOF marker, normally this is CTRL-D.

-I, --includepath directory

Add the directory directory to the list of directories to be searched for included files. This option may be specified multiple times.

-c, --check

Check commands validity without actually applying the changes.

-o, --optimize

Optimize your ruleset. You can combine this option with -c to inspect the proposed optimizations.

Ruleset list output formatting options that modify the output of the list ruleset command:

-a, --handle

Show object handles in output.

-s, --stateless

Omit stateful information of rules and stateful objects.

-t, --terse

Omit contents of sets from output.

-S, --service

Translate ports to service names as defined by /etc/services.

-N, --reversedns

Translate IP address to names via reverse DNS lookup. This may slow down your listing since it generates network traffic.

-u, --guid

Translate numeric UID/GID to names as defined by /etc/passwd and /etc/group.

-n, --numeric

Print fully numerical output.

-y, --numeric-priority

Display base chain priority numerically.

-p, --numeric-protocol

Display layer 4 protocol numerically.

-T, --numeric-time

Show time, day and hour values in numeric format.

Command output formatting:

-e, --echo

When inserting items into the ruleset using add, insert or replace commands, print notifications just like nft monitor.

-j, --json

Format output in JSON. See libnftables-json(5) for a schema description.

-d, --debug level

Enable debugging output. The debug level can be any of scanner, parser, eval, netlink, mnl, proto-ctx, segtree, all. You can combine more than one by separating by the , symbol, for example -d eval,mnl.

Input is parsed line-wise. When the last character of a line, just before the newline character, is a non-quoted backslash (\), the next line is treated as a continuation. Multiple commands on the same line can be separated using a semicolon (;).

A hash sign (#) begins a comment. All following characters on the same line are ignored.

Identifiers begin with an alphabetic character (a-z,A-Z), followed by zero or more alphanumeric characters (a-z,A-Z,0-9) and the characters slash (/), backslash (\), underscore (_) and dot (.). Identifiers using different characters or clashing with a keyword need to be enclosed in double quotes (").
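The following ruleset file is an added example, not taken from the manual, that exercises the lexical rules above (line continuation, semicolon separators, comments and quoted identifiers); the table, chain and set names are made up, and the file can be checked without touching the kernel using nft -c -f.

```nft
#!/usr/sbin/nft -f
# Added example, not from the manual: a small ruleset that exercises the
# lexical rules of nft input. Names (table "demo", sets, chains) are made up.
# Validate without loading anything:  nft -c -f lexical.nft

add table inet demo

# A non-quoted backslash at the end of a line continues the command
# on the next line.
add chain inet demo input { type filter hook input priority 0; \
    policy drop; }

# Two commands on one line, separated by a semicolon; everything after
# the hash sign is a comment and is ignored.
add rule inet demo input iif "lo" accept; add rule inet demo input ct state established,related accept  # loopback and replies

# Letters, digits, '/', '\', '_' and '.' may appear in an unquoted identifier.
add set inet demo admins.v4 { type ipv4_addr; }

# Any other character (here a hyphen) or a clash with a keyword
# requires the identifier to be enclosed in double quotes.
add set inet demo "ssh-admins" { type ipv4_addr; }

add rule inet demo input ip saddr @admins.v4 tcp dport 22 accept
add rule inet demo input ip saddr @"ssh-admins" tcp dport 22 accept
```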

include filename

Other files can be included by using the include statement. The directories to be searched for include files can be specified using the -I/--includepath option. You can override this behaviour either by prepending './' to your path to force inclusion of files located in the current working directory (i.e. relative path) or '/' for a file location expressed as an absolute path.

If -I/--includepath is not specified, then nft relies on the default directory that is specified at compile time. You can retrieve this default directory via the -h/--help option.

Include statements support the usual shell wildcard symbols (*,?,[]). Having no matches for an include statement is not an error, if wildcard symbols are used in the include statement. This allows having potentially empty include directories for statements like include "/etc/firewall/rules/*". The wildcard matches are loaded in alphabetical order. Files beginning with dot (.) are not matched by include statements.

define variable = expr
undefine variable
redefine variable = expr
$variable

Symbolic variables can be defined using the define statement. Variable references are expressions and can be used to initialize other variables. The scope of a definition is the current block and all blocks contained within. Symbolic variables can be undefined using the undefine statement, and modified using the redefine statement.

Using symbolic variables.

    define int_if1 = eth0
    define int_if2 = eth1
    define int_ifs = { $int_if1, $int_if2 }
    redefine int_if2 = wlan0
    undefine int_if2

    filter input iif $int_ifs accept

Address families determine the type of packets which are processed. For each address family, the kernel contains so called hooks at specific stages of the packet processing paths, which invoke nftables if rules for these hooks exist.

Family   Description

ip       IPv4 address family.
ip6      IPv6 address family.
inet     Internet (IPv4/IPv6) address family.
arp      ARP address family, handling IPv4 ARP packets.
bridge   Bridge address family, handling packets which traverse a bridge device.
netdev   Netdev address family, handling packets on ingress and egress.

All nftables objects exist in address family specific namespaces, therefore all identifiers include an address family. If an identifier is specified without an address family, the ip family is used by default.

The IPv4/IPv6/Inet address families handle IPv4, IPv6 or both types of packets. They contain five hooks at different packet processing stages in the network stack.

Hook          Description

prerouting    All packets entering the system are processed by the prerouting hook. It is invoked before the routing process and is used for early filtering or changing packet attributes that affect routing.
input         Packets delivered to the local system are processed by the input hook.
forward       Packets forwarded to a different host are processed by the forward hook.
output        Packets sent by local processes are processed by the output hook.
postrouting   All packets leaving the system are processed by the postrouting hook.
ingress       All packets entering the system are processed by this hook. It is invoked before layer 3 protocol handlers, hence before the prerouting hook, and it can be used for filtering and policing. Ingress is only available for the inet family (since Linux kernel 5.10).

The ARP address family handles ARP packets received and sent by the system. It is commonly used to mangle ARP packets for clustering.

Hook     Description

input    Packets delivered to the local system are processed by the input hook.

See Also