Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

6.2. Creating and managing nftables tables, chains, and rules

This section explains how to display the nftables rule set, and how to manage it.

6.2.1. Displaying the nftables rule set
Copiar enlace

The rule set of nftables contains tables, chains, and rules. This section explains how to display this rule set.
To display all the rule set, enter: 
# nft list ruleset
table inet example_table {
  chain example_chain {
    type filter hook input priority filter; policy accept;
    tcp dport http accept
    tcp dport ssh accept
  }
}
Copy to Clipboard Toggle word wrap

Note

By default, nftables does not pre-create tables. As a consequence, displaying the rule set on a host without any tables, the nft list ruleset command shows no output.

6.2.2. Creating an nftables table
Copiar enlace

A table in nftables is a name space that contains a collection of chains, rules, sets, and other objects. This section explains how to create a table.
Each table must have an address family defined. The address family of a table defines what address types the table processes. You can set one of the following address families when you create a table:
  • ip: Matches only IPv4 packets. This is the default if you do not specify an address family.
  • ip6: Matches only IPv6 packets.
  • inet: Matches both IPv4 and IPv6 packets.
  • arp: Matches IPv4 address resolution protocol (ARP) packets.
  • bridge: Matches packets that traverse a bridge device.
  • netdev: Matches packets from ingress.

Procedure 6.4. Creating an nftables table

  1. Use the nft add table command to create a new table. For example, to create a table named example_table that processes IPv4 and IPv6 packets: 
    # nft add table inet example_table
    Copy to Clipboard Toggle word wrap
  2. Optionally, list all tables in the rule set: 
    # nft list tables
table inet example_table
    Copy to Clipboard Toggle word wrap

Additional resources

  • For further details about address families, see the Address families section in the nft(8) man page.
  • For details on other actions you can run on tables, see the Tables section in the nft(8) man page.

6.2.3. Creating an nftables chain
Copiar enlace

Chains are containers for rules. The following two rule types exists:
  • Base chain: You can use base chains as an entry point for packets from the networking stack.
  • Regular chain: You can use regular chains as a jump target and to better organize rules.
The procedure describes how to add a base chain to an existing table.

Prerequisites

  • The table to which you want to add the new chain exists.

Procedure 6.5. Creating an nftables chain

  1. Use the nft add chain command to create a new chain. For example, to create a chain named example_chain in example_table: 
    # nft add chain inet example_table example_chain '{ type filter hook input priority 0 ; policy accept ; }'
    Copy to Clipboard Toggle word wrap

    Important

    To avoid that the shell interprets the semicolons as the end of the command, you must escape the semicolons with a backslash. Moreover, some shells interpret the curly braces as well, so quote the curly braces and anything inside them with ticks (').
    This chain filters incoming packets. The priority parameter specifies the order in which nftables processes chains with the same hook value. A lower priority value has precedence over higher ones. The policy parameter sets the default action for rules in this chain. Note that if you are logged in to the server remotely and you set the default policy to drop, you are disconnected immediately if no other rule allows the remote access.
  2. Optionally, display all chains: 
    # nft list chains
table inet example_table {
  chain example_chain {
    type filter hook input priority filter; policy accept;
  }
}
    Copy to Clipboard Toggle word wrap

Additional resources

  • For further details about address families, see the Address families section in the nft(8) man page.
  • For details on other actions you can run on chains, see the Chains section in the nft(8) man page.

6.2.4. Appending a rule to the end of an nftables chain
Copiar enlace

This section explains how to append a rule to the end of an existing nftables chain.

Prerequisites

  • The chain to which you want to add the rule exists.

Procedure 6.6. Appending a rule to the end of an nftables chain

  1. To add a new rule, use the nft add rule command. For example, to add a rule to the example_chain in the example_table that allows TCP traffic on port 22: 
    # nft add rule inet example_table example_chain tcp dport 22 accept
    Copy to Clipboard Toggle word wrap
    You can alternatively specify the name of the service instead of the port number. In the example, you could use ssh instead of the port number 22. Note that a service name is resolved to a port number based on its entry in the /etc/services file.
  2. Optionally, display all chains and their rules in example_table: 
    # nft list table inet example_table
table inet example_table {
  chain example_chain {
    type filter hook input priority filter; policy accept;
    ...
    tcp dport ssh accept
  }
}
    Copy to Clipboard Toggle word wrap

Additional resources

  • For further details about address families, see the Address families section in the nft(8) man page.
  • For details on other actions you can run on chains, see the Rules section in the nft(8) man page.

6.2.5. Inserting a rule at the beginning of an nftables chain
Copiar enlace

This section explains how to insert a rule at the beginning of an existing nftables chain.

Prerequisites

  • The chain to which you want to add the rule exists.

Procedure 6.7. Inserting a rule at the beginning of an nftables chain

  1. To insert a new rule, use the nft insert rule command. For example, to insert a rule to the example_chain in the example_table that allows TCP traffic on port 22: 
    # nft insert rule inet example_table example_chain tcp dport 22 accept
    Copy to Clipboard Toggle word wrap
    You can alternatively specify the name of the service instead of the port number. In the example, you could use ssh instead of the port number 22. Note that a service name is resolved to a port number based on its entry in the /etc/services file.
  2. Optionally, display all chains and their rules in example_table: 
    # nft list table inet example_table
table inet example_table {
  chain example_chain {
    type filter hook input priority filter; policy accept;
    tcp dport ssh accept
    ...
  }
}
    Copy to Clipboard Toggle word wrap

Additional resources

  • For further details about address families, see the Address families section in the nft(8) man page.
  • For details on other actions you can run on chains, see the Rules section in the nft(8) man page.

6.2.6. Inserting a rule at a specific position of an nftables chain
Copiar enlace

This section explains how to insert rules before and after an existing rule in an nftables chain. This way you can place new rules at the right position.

Prerequisites

  • The chain to which you want to add the rule exists.

Procedure 6.8. Inserting a rule at a specific position of an nftables chain

  1. Use the nft -a list ruleset command to display all chains and their rules in the example_table including their handle: 
    # nft -a list table inet example_table
table inet example_table { # handle 1
  chain example_chain { # handle 1
    type filter hook input priority filter; policy accept;
    tcp dport 22 accept # handle 2
    tcp dport 443 accept # handle 3
    tcp dport 389 accept # handle 4
  }
}
    Copy to Clipboard Toggle word wrap
    Using the -a displays the handles. You require this information to position the new rules in the next steps.
  2. Insert the new rules to the example_chain chain in the example_table:
    • To insert a rule that allows TCP traffic on port 636 before handle 3, enter: 
      # nft insert rule inet example_table example_chain position 3 tcp dport 636 accept
      Copy to Clipboard Toggle word wrap
    • To add a rule that allows TCP traffic on port 80 after handle 3, enter: 
      # nft add rule inet example_table example_chain position 3 tcp dport 80 accept
      Copy to Clipboard Toggle word wrap
  3. Optionally, display all chains and their rules in example_table: 
    # nft -a list table inet example_table
table inet example_table { # handle 1
  chain example_chain { # handle 1
    type filter hook input priority filter; policy accept;
    tcp dport 22 accept # handle 2
    tcp dport 636 accept # handle 5
    tcp dport 443 accept # handle 3
    tcp dport 80 accept # handle 6
    tcp dport 389 accept # handle 4
  }
}
    Copy to Clipboard Toggle word wrap

Additional resources

  • For further details about address families, see the Address families section in the nft(8) man page.
  • For details on other actions you can run on chains, see the Rules section in the nft(8) man page.
Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat