JMM’s notes on

nftables

List rules

# nft -a list ruleset
table inet filter { # handle 4
	set ssh-ips { # handle 4
		type ipv4_addr
		size 65535
		flags dynamic
		elements = { 192.168.100.1 }
	}

	chain input { # handle 1
		type filter hook input priority filter; policy drop;
		ct state established,related accept # handle 5
		ct state invalid drop # handle 6
		iif "lo" accept # handle 7
…

Here’s how to dump a table:

# nft list table ip sometable
table ip sometable {
	chain prerouting {
		type nat hook prerouting priority filter; policy accept;
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr ░░░░░░░░░░░░░ counter packets ░░ bytes ░░░░ masquerade
	}
}

To list a chain, do something like: nft -a list chain inet filter input. The -a makes nft print each rule’s handle, which is what you need to insert before, replace or delete a specific rule later.

If you want to save and restore a table, you can do something like the following (adapted from the nftables wiki):

echo "destroy table ip sometable" > ./sometable-backup
nft list table ip sometable >> ./sometable-backup

Then to load it:

nft -f ./sometable-backup

The destroy keyword needs nftables 1.0.7 or newer on a 6.3 or newer kernel: it deletes the table if it exists and is a no-op if it does not. On older versions use delete table (which fails when the table is missing) or prepend flush table instead (which removes the rules but leaves the chain and set definitions in place). nft -f applies the whole file as a single transaction, so there is no window in which the table is absent between the destroy and the re-creation. Run nft -c -f ./sometable-backup first to see any errors without touching the live ruleset.
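As an added example (not from these notes or from the nftables project), here is a small script that builds such a backup file, inspects it and restores it. The function names, the table name and the sample dump are invented for the example; the nft commands and the destroy keyword are the real ones.

```shell
#!/bin/sh
# Added example: snapshot an nftables table into a file that `nft -f` can
# restore atomically, and check the file before loading it.
# Needs nftables >= 1.0.7 on kernel >= 6.3 for the `destroy` keyword.

# Build the backup file: a `destroy table` header, then the dump read from
# stdin. The header makes the file self-contained: loading it replaces the
# table if it exists and simply creates it if it does not.
make_table_backup() {
    family="$1"; table="$2"; out="$3"
    {
        printf 'destroy table %s %s\n' "$family" "$table"
        cat
    } > "$out"
}

# Helpers to inspect a backup file (first line is the header, second the table).
backup_header()     { sed -n '1p' "$1"; }
backup_table_line() { sed -n '2p' "$1"; }
backup_line_count() { grep -c '' "$1"; }

# Restore. nft -f loads the whole file in one transaction, so the table is
# never absent between the destroy and the re-creation. Dry-run first so
# errors show up without touching the live ruleset at all.
restore_table_backup() {
    nft -c -f "$1" && nft -f "$1"
}

# Constructed sample in the format `nft list table` prints (not real output).
SAMPLE_DUMP='table ip sometable {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 192.0.2.0/24 counter masquerade
	}
}'

# Stand-alone use: back up the live table and reload it. Only runs as root
# with nft installed and the table present; otherwise the functions above
# are just defined.
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ] \
   && nft list table ip sometable >/dev/null 2>&1; then
    backup="$(mktemp)"
    nft list table ip sometable | make_table_backup ip sometable "$backup"
    restore_table_backup "$backup"
    echo "restored ip sometable from $backup"
fi
```

The dump is piped into make_table_backup rather than appended with echo so the header and body always end up in one file in the right order; restore_table_backup refuses to load anything that does not pass the dry run.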

Make a chain accept by default

Normally I only do this to test if something is due to a firewall issue. The following example is for the “filter” table and the “input” chain. Using add chain on an existing chain only changes the attributes you list, so the rules stay in place; while the policy is accept, anything the rules do not explicitly drop gets through, so set it back as soon as the test is done.

nft add chain inet filter input '{ policy accept; }'

Then to set it back to drop:

nft add chain inet filter input '{ policy drop; }'

Test a config

Here’s how to check a configuration. The -c/--check flag parses the file and evaluates it against the current ruleset without committing anything, and exits non-zero on error, which is what the && relies on. It only tells you the file is valid, not that the rules do what you intend. I’ve added an echo statement just to be clear.

nft --check --file ./ruleset.cfg && echo "Good"

Sets

Sets are documented on the nftables wiki.

Here’s how you add an element to a set:

nft add element inet filter some-set-of-ips '{ 8.8.8.8 }'

The element has to match the set’s type (ipv4_addr here), and a prefix like 10.0.0.0/8 is only accepted if the set was created with flags interval. Several elements can go in one command, separated by commas, and delete element with the same syntax removes them.
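To show the kinds of sets you end up using, here is an added example (not from these notes or from the nftables project) of a ruleset with a static interval set, a timeout set for temporary bans and a dynamic set filled from the packet path, with shell helpers around the element commands. The set names, addresses and helper names are invented; the nft syntax is the standard one.

```shell
#!/bin/sh
# Added example: three kinds of nftables sets and the element operations
# around them. Set names and addresses are made up for the example.

ruleset_text() {
cat <<'EOF'
table inet filter {
	# Static allow list. "interval" lets elements be prefixes or ranges;
	# "auto-merge" collapses overlapping ones instead of rejecting them.
	set allowed_ssh {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 192.0.2.0/24, 198.51.100.10 }
	}

	# Temporary bans: "timeout" lets each element carry its own expiry,
	# so a ban disappears by itself without a cron job.
	set blocklist {
		type ipv4_addr
		flags timeout
	}

	# Filled from the packet path: a source that opens too many new SSH
	# connections lands here and expires a minute after being added.
	set ssh_meter {
		type ipv4_addr
		size 65535
		flags dynamic,timeout
		timeout 1m
	}

	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
		ct state invalid drop
		iif "lo" accept
		ip saddr @blocklist drop
		tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate over 10/minute } drop
		ip saddr @allowed_ssh tcp dport 22 accept
	}
}
EOF
}

# Dry run: evaluate the ruleset without committing anything.
check_ruleset() { ruleset_text | nft -c -f -; }

# Load it as one transaction. Note: this ADDS to an existing inet filter
# table rather than replacing it; in a real config file put a
# destroy/flush line first, as in the backup section.
load_ruleset() { ruleset_text | nft -f -; }

# Element operations. Prefixes work in allowed_ssh because of "flags interval";
# the per-element timeout works in blocklist because of "flags timeout".
allow_ssh_from() { nft add element inet filter allowed_ssh "{ $1 }"; }          # allow_ssh_from 203.0.113.0/28
ban()            { nft add element inet filter blocklist "{ $1 timeout $2 }"; } # ban 203.0.113.7 30m
unban()          { nft delete element inet filter blocklist "{ $1 }"; }
show_meter()     { nft list set inet filter ssh_meter; }

# Pure-text helper: print the rules in ruleset_text that reference a set.
rules_using_set() {
    ruleset_text | grep "@$1" | sed 's/^[[:space:]]*//'
}

# Stand-alone: dry-run the ruleset if nft is available.
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    check_ruleset && echo "ruleset parses"
fi
```

The rule order matters: the blocklist and the meter are consulted before the allow list, so a banned or flooding host is dropped even if it is in allowed_ssh.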

Rules

Inserting rules

Here’s an example of inserting a rule before handle 45 in the input chain of the inet filter table. Get the handle from nft -a list chain inet filter input; insert puts the new rule before that handle, whereas add rule ... handle 45 puts it after. Handles are only stable until the ruleset is reloaded, so look them up each time rather than hardcoding them:

nft insert rule inet filter input handle 45 "ip saddr { 192.168.10.0/24 } tcp dport { 2222 } counter accept"
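Since handles change whenever the ruleset is reloaded, a script should look them up rather than hardcode them. As an added example (not from these notes), here is a helper that pulls the handle out of nft -a output and uses it for insert, replace and delete. handle_of and the other function names are invented; the listing embedded for testing is constructed to match the format shown at the top of the page.

```shell
#!/bin/sh
# Added example: look up a rule handle from `nft -a` output and use it to
# insert before, replace or delete that rule. The helper names are invented
# for this example; the nft subcommands are the real ones.

# Print the handle of the first line on stdin that contains $1 and ends in
# "# handle N". Chain and table lines carry handles too, so pick a pattern
# that only matches the rule you mean.
handle_of() {
    awk -v pat="$1" '
        index($0, pat) && match($0, /# handle [0-9]+$/) {
            print substr($0, RSTART + 9, RLENGTH - 9)
            exit
        }'
}

# Same, against the live chain: rule_handle inet filter input "ct state invalid drop"
rule_handle() {
    nft -a list chain "$1" "$2" "$3" | handle_of "$4"
}

# Insert a new rule BEFORE the rule matching $4 (add ... handle N would go after).
insert_before() {   # family table chain "match text" "new rule"
    h="$(rule_handle "$1" "$2" "$3" "$4")"
    [ -n "$h" ] || { echo "no rule matching '$4' in $1 $2 $3" >&2; return 1; }
    nft insert rule "$1" "$2" "$3" handle "$h" "$5"
}

# Replace the rule matching $4 in place, keeping its position.
replace_rule() {    # family table chain "match text" "new rule"
    h="$(rule_handle "$1" "$2" "$3" "$4")"
    [ -n "$h" ] || return 1
    nft replace rule "$1" "$2" "$3" handle "$h" "$5"
}

# Delete the rule matching $4.
delete_rule() {     # family table chain "match text"
    h="$(rule_handle "$1" "$2" "$3" "$4")"
    [ -n "$h" ] || return 1
    nft delete rule "$1" "$2" "$3" handle "$h"
}

# Constructed listing in the format `nft -a list chain` prints, so handle_of
# can be exercised without a live ruleset.
SAMPLE_LISTING='table inet filter { # handle 4
	chain input { # handle 1
		type filter hook input priority filter; policy drop;
		ct state established,related accept # handle 5
		ct state invalid drop # handle 6
		iif "lo" accept # handle 7
	}
}'

# Stand-alone use (root with nft installed): allow 192.168.10.0/24 to port
# 2222 just before the invalid-state drop, whatever its handle is today.
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    insert_before inet filter input "ct state invalid drop" \
        "ip saddr { 192.168.10.0/24 } tcp dport { 2222 } counter accept"
fi
```

The match text is a plain substring, so make it specific enough to hit one rule; the helper takes the first match and stops. nft accepts the whole rule as a single argument, which is why "$5" can be passed through unsplit.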