Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 6. Getting Started with nftables

The nftables framework provides packet classification facilities and it is the designated successor to the iptables, ip6tables, arptables, ebtables, and ipset tools. It offers numerous improvements in convenience, features, and performance over previous packet-filtering tools, most notably:
  • built-in lookup tables instead of linear processing
  • a single framework for both the IPv4 and IPv6 protocols
  • rules all applied atomically instead of fetching, updating, and storing a complete rule set
  • support for debugging and tracing in the rule set (nftrace) and monitoring trace events (in the nft tool)
  • more consistent and compact syntax, no protocol-specific extensions
  • a Netlink API for third-party applications
Similarly to iptables, nftables use tables for storing chains. The chains contain individual rules for performing actions. The nft tool replaces all tools from the previous packet-filtering frameworks. The libnftnl library can be used for low-level interaction with nftables Netlink API over the libmnl library.
To display the effect of rule set changes, use the nft list ruleset command. Since these tools add tables, chains, rules, sets, and other objects to the nftables rule set, be aware that nftables rule-set operations, such as the nft flush ruleset command, might affect rule sets installed using the formerly separate legacy commands.

When to use firewalld or nftables

  • firewalld: Use the firewalld utility for simple firewall use cases. The utility is easy to use and covers the typical use cases for these scenarios.
  • nftables: Use the nftables utility to set up complex and performance critical firewalls, such as for a whole network.

Important

To avoid that the different firewall services influence each other, run only one of them on a RHEL host, and disable the other services.

6.1. Writing and executing nftables scripts
Copia collegamento

The nftables framework provides a native scripting environment that brings a major benefit over using shell scripts to maintain firewall rules: the execution of scripts is atomic. This means that the system either applies the whole script or prevents the execution if an error occurs. This guarantees that the firewall is always in a consistent state.
Additionally, the nftables script environment enables administrators to:
  • add comments
  • define variables
  • include other rule set files
This section explains how to use these features, as well as creating and executing nftables scripts.
When you install the nftables package, Red Hat Enterprise Linux automatically creates *.nft scripts in the /etc/nftables/ directory. These scripts contain commands that create tables and empty chains for different purposes.

6.1.1. Supported nftables script formats
Copia collegamento

The nftables scripting environment supports scripts in the following formats:
  • You can write a script in the same format as the nft list ruleset command displays the rule set: 
    #!/usr/sbin/nft -f

# Flush the rule set
flush ruleset

table inet example_table {
  chain example_chain {
    # Chain for incoming packets that drops all packets that
    # are not explicitly allowed by any rule in this chain
    type filter hook input priority 0; policy drop;

    # Accept connections to port 22 (ssh)
    tcp dport ssh accept
  }
}
    Copy to Clipboard Toggle word wrap
  • You can use the same syntax for commands as in nft commands: 
    #!/usr/sbin/nft -f

# Flush the rule set
flush ruleset

# Create a table
add table inet example_table

# Create a chain for incoming packets that drops all packets
# that are not explicitly allowed by any rule in this chain
add chain inet example_table example_chain { type filter hook input priority 0 ; policy drop ; }

# Add a rule that accepts connections to port 22 (ssh)
add rule inet example_table example_chain tcp dport ssh accept
    Copy to Clipboard Toggle word wrap

6.1.2. Running nftables scripts
Copia collegamento

You can run nftables script either by passing it to the nft utility or execute the script directly.

Prerequisites

  • The procedure of this section assumes that you stored an nftables script in the /etc/nftables/example_firewall.nft file.

Procedure 6.1. Running nftables scripts using the nft utility

  • To run an nftables script by passing it to the nft utility, enter: 
    # nft -f /etc/nftables/example_firewall.nft
    Copy to Clipboard Toggle word wrap

Procedure 6.2. Running the nftables script directly:

  1. Steps that are required only once:
    1. Ensure that the script starts with the following shebang sequence: 
      #!/usr/sbin/nft -f
      Copy to Clipboard Toggle word wrap

      Important

      If you omit the -f parameter, the nft utility does not read the script and displays: Error: syntax error, unexpected newline, expecting string.
    2. Optional: Set the owner of the script to root: 
      # chown root /etc/nftables/example_firewall.nft
      Copy to Clipboard Toggle word wrap
    3. Make the script executable for the owner: 
      # chmod u+x /etc/nftables/example_firewall.nft
      Copy to Clipboard Toggle word wrap
  2. Run the script: 
    # /etc/nftables/example_firewall.nft
    Copy to Clipboard Toggle word wrap
    If no output is displayed, the system executed the script successfully.

Important

Even if nft executes the script successfully, incorrectly placed rules, missing parameters, or other problems in the script can cause that the firewall behaves not as expected.

Additional resources

6.1.3. Using comments in nftables scripts
Copia collegamento

The nftables scripting environment interprets everything to the right of a # character as a comment.

Example 6.1. Comments in an nftables script

Comments can start at the beginning of a line, as well as next to a command: 
...
# Flush the rule set
flush ruleset

add table inet example_table  # Create a table
...
Copy to Clipboard Toggle word wrap

6.1.4. Using variables in an nftables script
Copia collegamento

To define a variable in an nftables script, use the define keyword. You can store single values and anonymous sets in a variable. For more complex scenarios, use named sets or verdict maps.

Variables with a single value

The following example defines a variable named INET_DEV with the value enp1s0: 
define INET_DEV = enp1s0
Copy to Clipboard Toggle word wrap
You can use the variable in the script by writing the $ sign followed by the variable name: 
...
add rule inet example_table example_chain iifname $INET_DEV tcp dport ssh accept
...
Copy to Clipboard Toggle word wrap

Variables that contain an anonymous set

The following example defines a variable that contains an anonymous set: 
define DNS_SERVERS = { 192.0.2.1, 192.0.2.2 }
Copy to Clipboard Toggle word wrap
You can use the variable in the script by writing the $ sign followed by the variable name: 
add rule inet example_table example_chain ip daddr $DNS_SERVERS accept
Copy to Clipboard Toggle word wrap

Note

Note that curly braces have special semantics when you use them in a rule because they indicate that the variable represents a set.

Additional resources

6.1.5. Including files in an nftables script
Copia collegamento

The nftables scripting environment enables administrators to include other scripts by using the include statement.
If you specify only a file name without an absolute or relative path, nftables includes files from the default search path, which is set to /etc on Red Hat Enterprise Linux.

Example 6.2. Including files from the default search directory

To include a file from the default search directory: 
include "example.nft"
Copy to Clipboard Toggle word wrap

Example 6.3. Including all *.nft files from a directory

To include all files ending in *.nft that are stored in the /etc/nftables/rulesets/ directory: 
include "/etc/nftables/rulesets/*.nft"
Copy to Clipboard Toggle word wrap
Note that the include statement does not match files beginning with a dot.

Additional resources

  • For further details, see the Include files section in the nft(8) man page.

6.1.6. Automatically loading nftables rules when the system boots
Copia collegamento

The nftables systemd service loads firewall scripts that are included in the /etc/sysconfig/nftables.conf file. This section explains how to load firewall rules when the system boots.

Prerequisites

  • The nftables scripts are stored in the /etc/nftables/ directory.

Procedure 6.3. Automatically loading nftables rules when the system boots

  1. Edit the /etc/sysconfig/nftables.conf file.
    • If you enhance *.nft scripts created in /etc/nftables/ when you installed the nftables package, uncomment the include statement for these scripts.
    • If you write scripts from scratch, add include statements to include these scripts. For example, to load the /etc/nftables/example.nft script when the nftables service starts, add: 
      include "/etc/nftables/example.nft"
      Copy to Clipboard Toggle word wrap
  2. Optionally, start the nftables service to load the firewall rules without rebooting the system: 
    # systemctl start nftables
    Copy to Clipboard Toggle word wrap
  3. Enable the nftables service. 
    # systemctl enable nftables
    Copy to Clipboard Toggle word wrap

Additional resources

Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat