Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 6. Getting Started with nftables
nftables
framework provides packet classification facilities and it is the designated successor to the iptables
, ip6tables
, arptables
, ebtables
, and ipset
tools. It offers numerous improvements in convenience, features, and performance over previous packet-filtering tools, most notably:
- built-in lookup tables instead of linear processing
- a single framework for both the
IPv4
andIPv6
protocols - rules all applied atomically instead of fetching, updating, and storing a complete rule set
- support for debugging and tracing in the rule set (
nftrace
) and monitoring trace events (in thenft
tool) - more consistent and compact syntax, no protocol-specific extensions
- a Netlink API for third-party applications
iptables
, nftables
use tables for storing chains. The chains contain individual rules for performing actions. The nft
tool replaces all tools from the previous packet-filtering frameworks. The libnftnl
library can be used for low-level interaction with nftables
Netlink API over the libmnl
library.
nft list ruleset
command. Since these tools add tables, chains, rules, sets, and other objects to the nftables
rule set, be aware that nftables
rule-set operations, such as the nft flush ruleset
command, might affect rule sets installed using the formerly separate legacy commands.
When to use firewalld or nftables
firewalld
: Use thefirewalld
utility for simplefirewall
use cases. The utility is easy to use and covers the typical use cases for these scenarios.nftables
: Use thenftables
utility to set up complex and performance critical firewalls, such as for a whole network.
Important
6.1. Writing and executing nftables scripts
nftables
framework provides a native scripting environment that brings a major benefit over using shell scripts to maintain firewall
rules: the execution of scripts is atomic. This means that the system either applies the whole script or prevents the execution if an error occurs. This guarantees that the firewall is always in a consistent state.
nftables
script environment enables administrators to:
- add comments
- define variables
- include other rule set files
nftables
scripts.
*.nft
scripts in the /etc/nftables/
directory. These scripts contain commands that create tables and empty chains for different purposes.
6.1.1. Supported nftables script formats
nftables
scripting environment supports scripts in the following formats:
- You can write a script in the same format as the
nft list ruleset
command displays the rule set:#!/usr/sbin/nft -f # Flush the rule set flush ruleset table inet example_table { chain example_chain { # Chain for incoming packets that drops all packets that # are not explicitly allowed by any rule in this chain type filter hook input priority 0; policy drop; # Accept connections to port 22 (ssh) tcp dport ssh accept } }
- You can use the same syntax for commands as in
nft
commands:#!/usr/sbin/nft -f # Flush the rule set flush ruleset # Create a table add table inet example_table # Create a chain for incoming packets that drops all packets # that are not explicitly allowed by any rule in this chain add chain inet example_table example_chain { type filter hook input priority 0 ; policy drop ; } # Add a rule that accepts connections to port 22 (ssh) add rule inet example_table example_chain tcp dport ssh accept
6.1.2. Running nftables scripts
nftables
script either by passing it to the nft
utility or execute the script directly.
Prerequisites
- The procedure of this section assumes that you stored an
nftables
script in the/etc/nftables/example_firewall.nft
file.
Procedure 6.1. Running nftables scripts using the nft
utility
- To run an
nftables
script by passing it to thenft
utility, enter:# nft -f /etc/nftables/example_firewall.nft
Procedure 6.2. Running the nftables
script directly:
- Steps that are required only once:
- Ensure that the script starts with the following shebang sequence:
#!/usr/sbin/nft -f
Important
If you omit the-f
parameter, thenft
utility does not read the script and displays: Error: syntax error, unexpected newline, expecting string. - Optional: Set the owner of the script to
root
:# chown root /etc/nftables/example_firewall.nft
- Make the script executable for the owner:
# chmod u+x /etc/nftables/example_firewall.nft
- Run the script:
# /etc/nftables/example_firewall.nft
If no output is displayed, the system executed the script successfully.
Important
nft
executes the script successfully, incorrectly placed rules, missing parameters, or other problems in the script can cause that the firewall behaves not as expected.
Additional resources
- For details about setting the owner of a file, see the
chown(1)
man page. - For details about setting permissions of a file, see the
chmod(1)
man page. - For more information about loading
nftables
rules with system boot, see Section 6.1.6, “Automatically loading nftables rules when the system boots”
6.1.3. Using comments in nftables scripts
nftables
scripting environment interprets everything to the right of a #
character as a comment.
Example 6.1. Comments in an nftables script
... # Flush the rule set flush ruleset add table inet example_table # Create a table ...
6.1.4. Using variables in an nftables script
nftables
script, use the define
keyword. You can store single values and anonymous sets in a variable. For more complex scenarios, use named sets or verdict maps.
Variables with a single value
INET_DEV
with the value enp1s0:
define INET_DEV = enp1s0
$
sign followed by the variable name:
...
add rule inet example_table example_chain iifname $INET_DEV
tcp dport ssh accept
...
Variables that contain an anonymous set
define DNS_SERVERS = { 192.0.2.1, 192.0.2.2 }
$
sign followed by the variable name:
add rule inet example_table example_chain ip daddr $DNS_SERVERS
accept
Note
Additional resources
- For more information about sets, see Section 6.4, “Using sets in nftables commands”.
- For more information about verdict maps, see Section 6.5, “Using verdict maps in nftables commands”.
6.1.5. Including files in an nftables script
nftables
scripting environment enables administrators to include other scripts by using the include
statement.
nftables
includes files from the default search path, which is set to /etc
on Red Hat Enterprise Linux.
Example 6.2. Including files from the default search directory
include "example.nft"
Example 6.3. Including all *.nft
files from a directory
*.nft
that are stored in the /etc/nftables/rulesets/
directory:
include "/etc/nftables/rulesets/*.nft"
include
statement does not match files beginning with a dot.
Additional resources
- For further details, see the
Include files
section in thenft(8)
man page.
6.1.6. Automatically loading nftables rules when the system boots
nftables
systemd service loads firewall scripts that are included in the /etc/sysconfig/nftables.conf
file. This section explains how to load firewall rules when the system boots.
Prerequisites
- The
nftables
scripts are stored in the/etc/nftables/
directory.
Procedure 6.3. Automatically loading nftables rules when the system boots
- Edit the
/etc/sysconfig/nftables.conf
file.- If you enhance
*.nft
scripts created in/etc/nftables/
when you installed the nftables package, uncomment the include statement for these scripts. - If you write scripts from scratch, add include statements to include these scripts. For example, to load the
/etc/nftables/example.nft
script when thenftables
service starts, add:include "/etc/nftables/example.nft"
- Optionally, start the
nftables
service to load the firewall rules without rebooting the system:# systemctl start nftables
- Enable the nftables service.
# systemctl enable nftables
Additional resources
- For more information, see Section 6.1.1, “Supported nftables script formats”