LinuxCommandLibrary

nft

Configure Linux packet filtering, firewalling, and NAT

TLDR

View current configuration

$ sudo nft list ruleset

Add a table named filter in the inet family (a single table that sees both IPv4 and IPv6 traffic)
$ sudo nft add table [inet] [filter]

Add a base chain attached to the input hook whose default policy accepts whatever no rule drops (use policy drop for a default-deny firewall)
$ sudo nft add chain [inet] [filter] [input] \{ type [filter] hook [input] priority [0] \; policy [accept] \; \}

Add a rule that accepts several TCP ports at once using an anonymous set
$ sudo nft add rule [inet] [filter] [input] tcp dport \{ telnet, ssh, http, https \} accept

Add a NAT rule that masquerades traffic from the 192.168.0.0/24 subnet, rewriting its source to the address of the outgoing interface (requires a nat table with a postrouting chain of type nat; the family defaults to ip when omitted)
$ sudo nft add rule [nat] [postrouting] ip saddr [192.168.0.0/24] masquerade

Show rule handles
$ sudo nft --handle --numeric list chain [family] [table] [chain]

Delete a rule
$ sudo nft delete rule [inet] [filter] [input] handle [3]

Save the current configuration (add a `flush ruleset` line at the top before reloading the file with nft -f, otherwise the saved rules are installed on top of the running ones)
$ sudo nft list ruleset > [/etc/nftables.conf]

SYNOPSIS

`nft [options] command [arguments...]`

Common commands:
nft list {ruleset | tables | table [family] name | chains | chain [family] table name | sets | maps}
nft add [family] {table | chain | rule | set | map | element} ...
nft delete [family] {table | chain | rule | set | map | element} ...
nft flush {ruleset | table [family] name | chain [family] table name | set [family] table name}
nft monitor [new | destroy] [tables | chains | rules | sets | elements | ruleset | trace]
nft [-c] -f file
nft describe expression
nft -h | -v

PARAMETERS

-f, --file file
    Read and execute commands from file. The whole file is applied as one transaction: either every command succeeds or none of them is applied.

-c, --check
    Check the commands for validity without applying them. Typically combined with -f to dry-run a ruleset file.

-a, --handle
    Show the numeric handle of each object when listing. Handles identify individual rules for delete and replace.

-n, --numeric
    Print addresses, ports and protocols numerically instead of resolving them to names.

-s, --stateless
    Omit stateful information such as counter and quota values when listing.

-t, --terse
    Omit set and map contents when listing.

-j, --json
    Produce output in JSON, useful for tooling that parses the ruleset.

-e, --echo
    Echo what has been added, inserted or replaced, in the same form as nft monitor. Together with --handle it reveals the handle of a rule just added.

-d, --debug level
    Enable debugging output; levels include scanner, parser, eval, netlink, mnl, proto-ctx, segtree and all.

-I, --includepath directory
    Add a directory to the search path for include statements in ruleset files.

-i, --interactive
    Read commands interactively from standard input.

-h, --help
    Show usage and exit.

-v, --version
    Show version information and exit.

list
    Lists existing tables, chains, and rules.

add
    Adds new tables, chains, or rules to the nftables configuration.

delete
    Deletes specified tables, chains, or rules.

flush
    Removes all rules from a chain, everything from a table, or (flush ruleset) the entire ruleset. Sets and maps can be flushed individually without touching the rules that reference them.

monitor
    Monitors nftables events as they occur in real-time.

describe
    Describes an expression or data type, for example `nft describe tcp flags` lists the flag names a rule may use.

DESCRIPTION

`nft` is the command-line utility for nftables, a modern packet filtering framework provided by the Linux kernel's Netfilter project.

It is designed to replace the legacy iptables, ip6tables, arptables, and ebtables tools with a single, unified syntax. nftables offers several advantages, including a simpler, more expressive rule language, atomic rule set updates, enhanced performance due to its bytecode-based engine, and support for complex data structures like sets and maps directly within the kernel.

Users can define tables, chains, and rules to filter, modify, and route network packets based on various criteria, such as source/destination IP addresses, ports, protocols, and interface names. `nft` allows for both interactive command-line operations and script-based configuration via input files.

CAVEATS

`nft` operates on the live kernel ruleset and needs CAP_NET_ADMIN (in practice, root) for anything beyond reading it.

Incorrect or poorly constructed rules can immediately disconnect your system from the network, making it inaccessible. Always test changes carefully, especially on remote hosts: validate scripts with `nft -c -f file` before applying them, keep a second session or an out-of-band console open, and prefer loading a complete file with `nft -f` over long sequences of interactive `nft add` commands. A file loaded with `-f` is applied as a single transaction, so a syntax or semantic error anywhere in it leaves the previous ruleset untouched instead of installing a half-built one.

RULE LANGUAGE SYNTAX

`nftables` rules are written in a single expressive language. Each rule is a sequence of match expressions (for example `ip saddr`, `tcp dport`, `ct state`, `meta l4proto`) followed by statements such as `accept`, `drop`, `reject`, `counter`, `log`, `jump chain` or `masquerade`. Anonymous sets written inline as `{ 80, 443 }` match any of several values in one rule, named sets can be updated at runtime without rewriting the rules that use them, and maps and verdict maps turn a lookup into a value or a jump target, replacing long runs of near-identical rules.

Examples: `add rule filter input ip saddr 192.168.1.1 drop`, `add rule filter output tcp dport { 80, 443 } accept`. Without an explicit family these target the ip (IPv4-only) family; use inet for a table that handles both IPv4 and IPv6.

TABLES AND CHAINS

Rules are organized within chains, and chains within tables. A table is identified by its address family (ip, ip6, inet, arp, bridge or netdev) and a name; the family decides which packets the table can see at all, with inet covering both IPv4 and IPv6. Tables carry no type of their own, so the conventional names filter and nat are just names.

Chains are either base chains or regular chains. A base chain is attached to a Netfilter hook and is declared with a type (filter, nat or route), the hook (prerouting, input, forward, output or postrouting), a priority that orders it relative to other base chains on the same hook, and a default policy (accept or drop) that applies when no rule gives a verdict. A regular chain has no hook and is only entered from another chain via jump or goto, which keeps large rule sets modular.

ATOMIC OPERATIONS

A key feature of `nftables` is that rule set updates are atomic. All commands in one `nft -f` file (or one `nft` invocation) form a single transaction: the kernel either accepts every command and switches to the new ruleset in one step, or rejects the batch and leaves the old ruleset exactly as it was. A partially installed firewall is therefore not possible. For the same reason a ruleset file should begin with `flush ruleset`: the flush and the new rules are committed together, so the host is never briefly unfiltered and reloading the file replaces rules instead of duplicating them.
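The ruleset file below is an added example, not code from this page or from the nftables project. It combines the points of the TABLES AND CHAINS, RULE LANGUAGE SYNTAX and ATOMIC OPERATIONS sections in one file: an inet filter table with default-deny input and forward base chains, a regular chain reached by jump, a named set of allowed ports, and an ip nat table that masquerades the LAN. The interface names eth0 (Internet) and eth1 (LAN), the LAN prefix 192.168.0.0/24 and the management host 192.168.0.10 are assumptions for illustration. Validate it with `nft -c -f /etc/nftables.conf` and load it with `nft -f /etc/nftables.conf`.

```nft
#!/usr/sbin/nft -f
# Added example ruleset. Interface names, the LAN prefix and the
# management host are assumptions chosen for illustration.

# Everything in this file is committed as one transaction: the old
# ruleset is discarded and the new one installed together, or, if any
# line is rejected, nothing changes.
flush ruleset

define wan_if    = "eth0"
define lan_if    = "eth1"
define lan_net   = 192.168.0.0/24
define mgmt_host = 192.168.0.10

table inet filter {
    # Named set: its contents can be changed at runtime with
    #   nft add element inet filter allowed_tcp { 8443 }
    # without reloading the rules that reference it.
    set allowed_tcp {
        type inet_service
        elements = { http, https }
    }

    # Regular chain: no hook, only reached via jump from the input chain.
    # Only the management host may open SSH; everyone else is dropped.
    chain admin_access {
        ip saddr $mgmt_host accept
        counter drop
    }

    # Base chain: type filter on the input hook, default deny.
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMP and ICMPv6 are needed for path MTU and neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # SSH is decided in the regular chain; web ports come from the set.
        tcp dport ssh jump admin_access
        tcp dport @allowed_tcp accept

        # Rate-limited log of whatever falls through to the drop policy.
        limit rate 5/minute log prefix "nft input drop: " counter
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        # LAN hosts may reach the Internet; unsolicited inbound is dropped.
        iifname $lan_if oifname $wan_if ip saddr $lan_net accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

# NAT needs its own base chain of type nat on the postrouting hook.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # masquerade rewrites the source to the address of the outgoing
        # interface, so it keeps working when that address is dynamic.
        oifname $wan_if ip saddr $lan_net masquerade
    }
}
```

Because the file opens with `flush ruleset`, every `nft -f` load replaces the running ruleset in one step, and a mistake anywhere in the file is rejected as a whole while the previous rules stay active. Adding a port to the `allowed_tcp` set at runtime does not require reloading the file.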

HISTORY

`nftables` and its associated `nft` command were developed as the successor to the aging x_tables framework (used by iptables, ip6tables, etc.). The project aimed to address limitations of the older tools, such as scattered utilities for different protocols and a less flexible rule language.

Development began in 2008, and the framework was merged into the mainline kernel in 2014. Many modern Linux distributions now use `nftables` as their default firewall backend, and the iptables-nft compatibility frontend translates iptables syntax into nftables rules to ease migration.

SEE ALSO

nftables(8), iptables(8), ip(8), ss(8), tc(8)
