nft
Configure Linux packet filtering, firewalling, and NAT
TLDR
View current configuration
Add a new table with family "inet" and table "filter"
Add a new chain to accept all inbound traffic
Add a new rule to accept several TCP ports
Add a NAT rule to translate all traffic from the 192.168.0.0/24 subnet to the host's public IP
Show rule handles
Delete a rule
Save current configuration
SYNOPSIS
nft [ options ] command
PARAMETERS
-a, --handle
Show rule handles. A rule's handle is its unique ID.
-c, --numeric
Numeric output. Don't try to resolve addresses, port names or user names to their textual representation.
-d, --debug
Enable debug output.
-e, --echo
Echo command to standard output.
-f, --file
Read input from file.
-g, --gen-update
Generate update command for a ruleset.
-i, --interactive
Interactive mode.
-j, --json
Output in JSON format.
-j=raw, --json=raw
Output in raw JSON format.
-m, --machine
Machine-readable output format.
-n, --nofatal
Don't exit if table/chain does not exist.
-nn, --netns
Apply command to a network namespace.
-N, --nonetns
Do not apply command to network namespace.
-o, --out
Write output to file.
-p, --pretty
Pretty print JSON output.
-r, --rollback
Rollback on error.
-s, --stateless
Stateless mode (skip ruleset activation).
-s, --service
Run in service mode.
-t, --terse
Terse output.
-t=timestamp, --terse=timestamp
Add timestamp to terse output.
-T, --table
Show table names.
-v, --verbose
Verbose output.
-V, --version
Show version.
-w, --wait
Wait for the ruleset to be activated.
-w=seconds, --wait=seconds
Wait for the ruleset to be activated for a maximum of given number of seconds.
-x, --xml
Output in XML format.
DESCRIPTION
nft is the command-line interface to nftables, the packet filtering framework in the Linux kernel. It replaces the legacy iptables, ip6tables, arptables, and ebtables tools, offering a unified and more efficient way to manage network filtering rules. nft allows you to define rulesets that control network traffic based on various criteria, such as source/destination addresses, ports, protocols, and more.
The tool supports transactional rule updates, meaning that changes are applied atomically to the kernel, minimizing the risk of inconsistent states. nft uses a more expressive and flexible syntax compared to its predecessors, enabling the creation of complex filtering policies with improved readability and maintainability. The rule sets are stored in the kernel and executed efficiently. nft can also be used to monitor network traffic by adding counters to rules, which can be helpful when debugging the firewall configuration.
CAVEATS
nft requires appropriate kernel support. Older kernels might not be compatible with all features.
COMMAND STRUCTURE
nft commands typically follow a hierarchical structure:
nft [options] {add | delete | list | flush | ...} object [parameters]
Where 'object' can be a table, chain, rule, set, etc., and 'parameters' specify the details of the operation on that object.
RULE MANAGEMENT
You can add, delete, list, and flush rules within chains. Rules specify matching criteria and actions to be taken on matching packets (e.g., accept, drop, log).
SETS AND MAPS
nft supports sets and maps, which are data structures that allow you to group IP addresses, ports, or other values and use them in rules. This is useful for creating dynamic and scalable filtering policies.
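A complete ruleset that ties together the tasks listed under TLDR (an inet filter table, an input chain, a group of accepted TCP ports, source NAT for 192.168.0.0/24, counters for debugging) and the named set described above, written as a file for `nft -f`. This is an added example, not code from this page or from the nftables project; the table name, the set name and the interface names lan0/wan0 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the page or the nftables project).
# Assumed names: table "filter", set "allowed_tcp", interfaces lan0/wan0.

# Replace the whole ruleset atomically; nothing is left half-applied.
flush ruleset

table inet filter {
    # Named set of permitted TCP services. It can be changed at runtime with
    # `nft add element inet filter allowed_tcp { 8443 }` with no full reload.
    set allowed_tcp {
        type inet_service
        elements = { ssh, http, https }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state invalid counter drop
        ct state { established, related } accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Only new connections to ports in the set; the counter shows hits.
        tcp dport @allowed_tcp ct state new counter accept

        # Rate-limited log of everything else, then the chain's default drop.
        limit rate 5/minute log prefix "nft-input-drop: "
        counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state { established, related } accept
        # Only the LAN subnet may originate traffic toward the WAN side.
        iifname "lan0" oifname "wan0" ip saddr 192.168.0.0/24 accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source-NAT the LAN subnet to the address of the WAN interface.
        oifname "wan0" ip saddr 192.168.0.0/24 masquerade
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; `nft -a list chain inet filter input` then shows the handle needed to delete a single rule.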
HISTORY
nft was introduced as a successor to the legacy iptables tools to address their limitations and provide a more modern and efficient packet filtering solution. Its development aimed at unifying the filtering syntax across different protocols (IPv4, IPv6, ARP, Ethernet bridging), improving performance, and enhancing the extensibility of the packet filtering framework. The first versions of nft were released in the early 2010s, and it has been actively developed since then, gradually replacing the older tools in many Linux distributions.