Now it’s time to talk about nftables. Quoting nftables wiki:

“nftables is the new packet classification framework that intends to replace the existing {ip,ip6,arp,eb}_tables infrastructure.”

Using it you can filter network traffic on your machine:

  • Configure firewalls, to accept or drop (among other features) packets based on port numbers and addresses, this is high customizable;
  • Control traffic flow rate;
  • Log traffic;
  • Perform NAT;
  • Many other things.

To organize packets classification, nftables defines many data structures.

Tables are the base of nftables, not surprised, are we? You can have many of them, they determine the family of packets (ip, ip6…) and hold other structures. To create a new table just type on command line:

nft add table ip foo

Where ip is the family of the table and foo is its name.

A table alone has no use, they must be populated with chains, sets or maps. Let’s forget maps and sets for now and look at chains first, they hold rules (the ones in charge of packets classification) and determine the type (filtering, rerouting…) and hook (input, output…) of classification. Try it with:

nft add chain ip foo bar {type filter hook output priority 0 \;}

Again, ip is the family of table foo and bar is the name of this chain. The code within brackets says it’ll filter packets originated in the local system (output), the priority determine the precedence of chains in case of conflicting rules.

Still, nothing happens, we need rules. Rules go inside chains and determine the action which packets will trigger, there are many possible rules, read this reference to create yours, it also has info for chains and tables. Simple rules are:

nft add rule ip foo bar tcp dport http counter
nft add rule ip foo bar tcp dport https counter

These rules counter the packets that leave the local system, using tcp protocol with destination ports http (80) and https (443). To see it working type:

nft list ruleset

If you have a browser sending page requests, you should see the numbers increasing with time to time. Also it displays your tables, chains and rules.

You can save the ruleset in a text file to load it again later:

nft list ruleset > tmp

The file tmp can be loaded with:

nft -f tmp

To destroy the ruleset use flush command:

nft flush ruleset

That’s a quick and simplified view on how nftables is used, I’ll use it as reference for future posts. When talking about chains, I said to forget about sets and maps, this week I worked with them and they shall appear soon, on the following post.
To a better understanding of nftables I recommend this tutorial. And for further reference, including install instructions, refer to wiki-nftables.




One thought on “NFtables

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s