6.2. Creating and managing nftables tables, chains, and rules
This section explains how to display the nftables rule set, and how to manage it.
6.2.1. Displaying the nftables rule set
The nftables rule set contains tables, chains, and rules. This section explains how to display this rule set.
# nft list ruleset
table inet example_table {
    chain example_chain {
        type filter hook input priority filter; policy accept;
        tcp dport http accept
        tcp dport ssh accept
    }
}
Note
nftables does not pre-create tables. As a consequence, when you display the rule set on a host without any tables, the nft list ruleset command shows no output.
6.2.2. Creating an nftables table
A table in nftables is a name space that contains a collection of chains, rules, sets, and other objects. This section explains how to create a table.
The address family of a table determines which packets it processes. The following address families exist:
- ip: Matches only IPv4 packets. This is the default if you do not specify an address family.
- ip6: Matches only IPv6 packets.
- inet: Matches both IPv4 and IPv6 packets.
- arp: Matches IPv4 address resolution protocol (ARP) packets.
- bridge: Matches packets that traverse a bridge device.
- netdev: Matches packets from ingress.
Procedure 6.4. Creating an nftables table
- Use the nft add table command to create a new table. For example, to create a table named example_table that processes IPv4 and IPv6 packets:
  # nft add table inet example_table
- Optionally, list all tables in the rule set:
  # nft list tables
  table inet example_table
Additional resources
- For further details about address families, see the Address families section in the nft(8) man page.
- For details on other actions you can run on tables, see the Tables section in the nft(8) man page.
6.2.3. Creating an nftables chain
- Base chain: You can use base chains as an entry point for packets from the networking stack.
- Regular chain: You can use regular chains as a jump target and to better organize rules.
Prerequisites
- The table to which you want to add the new chain exists.
Procedure 6.5. Creating an nftables chain
- Use the nft add chain command to create a new chain. For example, to create a chain named example_chain in example_table:
  # nft add chain inet example_table example_chain '{ type filter hook input priority 0 ; policy accept ; }'
  Important
  To prevent the shell from interpreting the semicolons as the end of the command, you must escape the semicolons with a backslash or, as in the example, enclose the whole block in single quotes. Moreover, some shells interpret the curly braces as well, so quote the curly braces and anything inside them with single quotes (').
  This chain filters incoming packets. The priority parameter specifies the order in which nftables processes chains with the same hook value. A lower priority value has precedence over higher ones. The policy parameter sets the default action for packets that no rule in this chain matches. Note that if you are logged in to the server remotely and you set the default policy to drop, you are disconnected immediately if no other rule allows the remote access.
- Optionally, display all chains:
  # nft list chains
  table inet example_table {
      chain example_chain {
          type filter hook input priority filter; policy accept;
      }
  }
Additional resources
- For further details about address families, see the Address families section in the nft(8) man page.
- For details on other actions you can run on chains, see the Chains section in the nft(8) man page.
6.2.4. Appending a rule to the end of an nftables chain
Prerequisites
- The chain to which you want to add the rule exists.
Procedure 6.6. Appending a rule to the end of an nftables chain
- To add a new rule, use the nft add rule command. For example, to add a rule to the example_chain in the example_table that allows TCP traffic on port 22:
  # nft add rule inet example_table example_chain tcp dport 22 accept
  You can alternatively specify the name of the service instead of the port number. In the example, you could use ssh instead of the port number 22. Note that a service name is resolved to a port number based on its entry in the /etc/services file.
- Optionally, display all chains and their rules in example_table:
  # nft list table inet example_table
  table inet example_table {
      chain example_chain {
          type filter hook input priority filter; policy accept;
          ...
          tcp dport ssh accept
      }
  }
Additional resources
- For further details about address families, see the Address families section in the nft(8) man page.
- For details on other actions you can run on rules, see the Rules section in the nft(8) man page.
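The table, chain, and rules from sections 6.2.2 to 6.2.4 can also be loaded as one nft script, which applies atomically and is easy to check before use. The following is an added example, not code from the Red Hat documentation: it generates such a script and refuses to emit an input chain with policy drop unless an SSH accept rule is present, the remote lockout the Important note in 6.2.3 warns about. Table and chain names follow the documentation; the port list, the loopback and conntrack rules, and the NFT_APPLY variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the documentation): build the 6.2.2-6.2.4 rule set as an
# nft script for atomic loading with 'nft -f', with a guard against locking out
# remote administrators when the input chain policy is drop.

# build_ruleset POLICY PORT... -> prints an nft script on stdout, returns 1 if refused
build_ruleset() {
    policy=$1; shift
    if [ "$policy" = drop ]; then
        case " $* " in
            *" 22 "*|*" ssh "*) ;;
            *) echo "refusing: policy drop on the input hook without an ssh accept rule" >&2
               return 1 ;;
        esac
    fi
    # 'flush ruleset' replaces every table, so this script is the whole firewall
    printf 'flush ruleset\n'
    printf 'table inet example_table {\n'
    printf '    chain example_chain {\n'
    printf '        type filter hook input priority 0; policy %s;\n' "$policy"
    printf '        iif lo accept\n'                        # keep loopback usable
    printf '        ct state established,related accept\n'  # replies to our own connections
    for port in "$@"; do
        printf '        tcp dport %s accept\n' "$port"
    done
    printf '    }\n'
    printf '}\n'
}

# load_ruleset POLICY PORT... -> syntax-checks the script with 'nft -c' (requires
# nftables installed, normally as root) and applies it only when NFT_APPLY=1 is set,
# so a dry run is the default.
load_ruleset() {
    script=$(build_ruleset "$@") || return 1
    tmp=$(mktemp)
    printf '%s\n' "$script" > "$tmp"
    nft -c -f "$tmp" || { rm -f "$tmp"; return 1; }
    if [ "${NFT_APPLY:-0}" = 1 ]; then
        nft -f "$tmp"
    fi
    rm -f "$tmp"
}
```

Run `build_ruleset accept 22 80` to inspect the generated script, and `NFT_APPLY=1 load_ruleset accept 22 80` as root to apply it.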
6.2.5. Inserting a rule at the beginning of an nftables chain
This section explains how to insert a rule at the beginning of an nftables chain.
Prerequisites
- The chain to which you want to add the rule exists.
Procedure 6.7. Inserting a rule at the beginning of an nftables chain
- To insert a new rule, use the nft insert rule command. For example, to insert a rule into the example_chain in the example_table that allows TCP traffic on port 22:
  # nft insert rule inet example_table example_chain tcp dport 22 accept
  You can alternatively specify the name of the service instead of the port number. In the example, you could use ssh instead of the port number 22. Note that a service name is resolved to a port number based on its entry in the /etc/services file.
- Optionally, display all chains and their rules in example_table:
  # nft list table inet example_table
  table inet example_table {
      chain example_chain {
          type filter hook input priority filter; policy accept;
          tcp dport ssh accept
          ...
      }
  }
Additional resources
- For further details about address families, see the Address families section in the nft(8) man page.
- For details on other actions you can run on rules, see the Rules section in the nft(8) man page.
6.2.6. Inserting a rule at a specific position of an nftables chain
This section explains how to insert a rule at a specific position of an nftables chain. This way you can place new rules at the right position.
Prerequisites
- The chain to which you want to add the rule exists.
Procedure 6.8. Inserting a rule at a specific position of an nftables chain
- Use the nft -a list ruleset command, or nft -a list table for a single table as in this example, to display all chains and their rules in the example_table including their handles:
  # nft -a list table inet example_table
  table inet example_table { # handle 1
      chain example_chain { # handle 1
          type filter hook input priority filter; policy accept;
          tcp dport 22 accept # handle 2
          tcp dport 443 accept # handle 3
          tcp dport 389 accept # handle 4
      }
  }
  The -a option displays the handles. You require this information to position the new rules in the next steps.
- Insert the new rules into the example_chain chain in the example_table:
  - To insert a rule that allows TCP traffic on port 636 before handle 3, enter:
    # nft insert rule inet example_table example_chain position 3 tcp dport 636 accept
  - To add a rule that allows TCP traffic on port 80 after handle 3, enter:
    # nft add rule inet example_table example_chain position 3 tcp dport 80 accept
- Optionally, display all chains and their rules in example_table:
  # nft -a list table inet example_table
  table inet example_table { # handle 1
      chain example_chain { # handle 1
          type filter hook input priority filter; policy accept;
          tcp dport 22 accept # handle 2
          tcp dport 636 accept # handle 5
          tcp dport 443 accept # handle 3
          tcp dport 80 accept # handle 6
          tcp dport 389 accept # handle 4
      }
  }
Additional resources
- For further details about address families, see the Address families section in the nft(8) man page.
- For details on other actions you can run on rules, see the Rules section in the nft(8) man page.
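Handles are assigned by the kernel and are not stable across hosts or reloads, so a script that positions rules as in Procedure 6.8 should look the handle up at run time rather than hard-code it. The following is an added example, not code from the Red Hat documentation: it resolves a rule's handle from nft -a list table output and builds the corresponding insert command. The embedded listing is constructed from the table shown in this section; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the documentation): resolve 'position <handle>' from
# 'nft -a list table' output instead of reading the handle off by hand.
# SAMPLE_LISTING is constructed from the listing in section 6.2.6; on a live host
# replace it with the output of: nft -a list table inet example_table

SAMPLE_LISTING='table inet example_table { # handle 1
    chain example_chain { # handle 1
        type filter hook input priority filter; policy accept;
        tcp dport 22 accept # handle 2
        tcp dport 443 accept # handle 3
        tcp dport 389 accept # handle 4
    }
}'

# rule_handle LISTING RULE -> prints the handle of the first rule whose text equals RULE;
# returns 1 when no such rule exists so callers never insert at a guessed position
rule_handle() {
    printf '%s\n' "$1" | awk -v rule="$2" '
        /# handle [0-9]+$/ {
            text = $0
            sub(/^[ \t]+/, "", text)                  # strip indentation
            sub(/[ \t]*# handle [0-9]+$/, "", text)   # strip the handle comment
            if (text == rule) {
                handle = $0
                sub(/.*# handle /, "", handle)
                print handle
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# insert_before LISTING RULE NEWRULE -> prints the nft command that places NEWRULE
# before RULE (pipe the output into sh to apply it on a live host)
insert_before() {
    handle=$(rule_handle "$1" "$2") || { echo "rule not found: $2" >&2; return 1; }
    printf 'nft insert rule inet example_table example_chain position %s %s\n' "$handle" "$3"
}
```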