You can optionally create rules that use the set. For example, the following command adds a rule to the example_chain in the example_table that drops all packets from IPv4 addresses in example_set.

The nftables framework provides a native scripting environment that offers a major advantage over using shell scripts to manage firewall rules: script execution is atomic. This means that the system either applies the entire script or, if an error occurs, applies none of it, so the firewall is always in a consistent state.

There are two types of statements. Terminal statements unconditionally stop the evaluation of the current rule; non-terminal statements only conditionally stop, or never stop, the evaluation of the current rule, in other words they are passive from the point of view of rule-set evaluation. A rule can contain any number of non-terminal statements, but only one terminal statement, and it must be the final statement.

This is more convenient, but as with raw payload expression notation, no dependencies are created or checked. It is the user's responsibility to limit matching to header types that have a notion of ports. Otherwise, rules that use raw expressions will incorrectly match unrelated packets, for example ESP packets whose SPI field is misinterpreted as a port.

The nftables framework uses tables to store chains. Chains contain the individual rules that perform actions.
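The points above (a named set used by a rule, atomic loading, terminal versus non-terminal statements, and the missing dependency check of raw port matching) in one script. This is an added example, not code from the original page; the names example_table, example_chain and example_set follow the text, and the addresses are constructed.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original page. Names (example_table,
# example_chain, example_set) follow the text; addresses are constructed.
# Loaded with `nft -f`, the whole file is applied atomically: either every
# command succeeds or the kernel rule set is left unchanged.
flush ruleset

table inet example_table {
    # Named set of IPv4 addresses; `flags interval` allows prefixes as elements.
    set example_set {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.17 }
    }

    chain example_chain {
        type filter hook input priority 0; policy accept;

        # counter and log are non-terminal statements: they never stop rule
        # evaluation. drop is the terminal statement and must come last.
        ip saddr @example_set counter log prefix "example_set drop: " drop

        # tcp dport creates its own dependency (the packet must be TCP).
        tcp dport 22 accept

        # th dport is the raw transport-header shorthand: no dependency is
        # created, so the explicit l4proto match is what keeps a non-TCP/UDP
        # packet (e.g. ESP, whose SPI sits where a port would) from matching.
        meta l4proto { tcp, udp } th dport 53 accept
    }
}
```

Load it with `nft -f example.nft`; a syntax error anywhere in the file leaves the running rule set untouched. Elements can be added to the set afterwards with `nft add element inet example_table example_set { 203.0.113.7 }` without reloading the script.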
The libnftnl library can be used for low-level interaction with the nftables Netlink API via the libmnl library.

Even if nft runs the script successfully, misplaced rules, missing parameters, or other problems in the script can prevent the firewall from behaving as expected.

To include all files with the *.nft extension stored in the /etc/nftables/rulesets/ directory:

Note that if you set the promisc parameter to anything other than zero, you will receive every packet your device sees, whether or not it is addressed to you. Make sure you know the rules of the network you are using before putting your card into promiscuous mode.

A reliable method is to run Docker in a separate network namespace where it can do whatever it wants. It is probably best not to use iptables-nft, to prevent Docker from mixing nftables and iptables rules.

The snat and masquerade statements specify that the source address of the packet is to be changed. While snat is only valid in the postrouting and input chains, masquerade is only useful in postrouting. The dnat and redirect statements are valid only in the prerouting and output chains; they specify that the destination address of the packet is to be changed. You can also use non-base chains that are called from base chains of type nat. All future packets of the same connection are mangled as well, and rule evaluation stops for them.

If your box has more than one network interface and you want to use different rules for different interfaces, you can use a dispatching filter chain followed by interface-specific filter chains. For example, suppose your box acts as a home router and you want to run a web server that is reachable from the LAN (interface enp3s0) but not from the public Internet (interface enp2s0); you can consider a structure like this:

If you have iptables rules that you want to keep, install the iptables-nftables-compat tool.
Then export your iptables rules, translate them, and import them into nftables.
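The home-router layout described above (a dispatching input chain, per-interface regular chains, snat/masquerade in postrouting, dnat in prerouting, and a glob include) as an added example. It is not from the original page; the interface names enp2s0 (Internet) and enp3s0 (LAN) follow the text, the LAN host address and ports are constructed, and the table and chain names are my own.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original page. Interface names enp2s0 (Internet)
# and enp3s0 (LAN) follow the text; the LAN host address is constructed.
flush ruleset

# Every *.nft file in the directory is included, in alphabetical order;
# a glob that matches nothing is not an error, so the directory may be empty.
include "/etc/nftables/rulesets/*.nft"

table inet router {
    # Dispatching chain: the only input base chain. It hands each packet to an
    # interface-specific regular chain with goto; if that chain ends without a
    # verdict, this chain's drop policy applies.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        iifname "enp3s0" goto lan_input
        iifname "enp2s0" goto wan_input
    }

    chain lan_input {
        tcp dport { 80, 443 } accept     # web server reachable from the LAN
        tcp dport 22 accept
        icmp type echo-request accept
    }

    chain wan_input {
        # No web or SSH here: anything else from the Internet falls through to drop.
        icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "enp3s0" oifname "enp2s0" accept                  # LAN may reach the Internet
        iifname "enp2s0" oifname "enp3s0" ct status dnat accept   # only dnat'ed flows come in
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # dnat is valid in prerouting/output: rewrite the destination of the
        # first packet of a connection; conntrack mangles the rest of the flow.
        iifname "enp2s0" tcp dport 8080 dnat to 192.168.1.10:80
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # masquerade is only useful in postrouting: the source address becomes
        # that of the outgoing interface, whatever it currently is.
        oifname "enp2s0" masquerade
    }
}
```

Because goto does not return to the dispatching chain, a packet that reaches the end of wan_input without a verdict is handled by the input chain's drop policy rather than by any rule that follows the goto.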
Note that rules that have already been loaded are not automatically flushed.

nftables retains some of the familiar parts of the Netfilter and iptables infrastructure. As with iptables, nftables continues to use tables, chains, and the rule hierarchy, that is, tables that contain chains and chains that contain rules. Although nftables changes the command-line syntax, it retains a compatibility layer that allows you to run iptables commands on top of the nftables kernel framework.

Optionally, you can view all chains and their rules in example_table:

You can write a script in the same format in which the nft list ruleset command displays the rule set:

This chain filters incoming packets. The priority parameter specifies the order in which nftables processes chains with the same hook value. A chain with a lower priority value is processed before one with a higher value. The policy parameter sets the default action for this chain. If you are connected to the remote server and set the default policy to drop, the connection is disconnected immediately unless another rule allows remote access.

The verdict statement modifies the flow of control in the rule set and issues policy decisions for packets. Valid verdict statements are as follows:

Because regular chains do not have hooks, they do not receive packets automatically.
Instead, they rely on rules that use the jump or goto verdict to route packets to them. In that case, the regular chain processes the packets as a base chain would.

The chain must not contain any rules or be a jump target.

The ruleset keyword refers to all tables, chains, and other objects that currently exist in the kernel. The following ruleset commands exist:

The following rule set is a typical rule set for protecting a laptop, for both IPv4 and IPv6:

If you used a custom script to load iptables rules, make sure that the script no longer starts automatically, and reboot to flush all tables.

The describe command displays information about the type of an expression and its data type. You can also specify a data type, in which case nft displays more information about that type.

The following output-formatting options modify the output of the list ruleset command:

A table in nftables is a namespace that contains a collection of chains, rules, sets, and other objects. This section describes how to create a table.
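The priority and policy parameters, the verdict statements, and the difference between jump and goto into a regular chain, written in the same format that nft list ruleset prints. This is an added example, not code from the original page; the table and chain names and the address ranges are constructed.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original page; table and chain names and the
# address ranges are constructed.
flush ruleset

table inet filter {
    # Two base chains on the same hook: the lower priority value runs first,
    # so pre_input sees each incoming packet before input does.
    chain pre_input {
        type filter hook input priority -10; policy accept;
        ct state invalid drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Admit SSH before relying on the drop policy, otherwise a remote
        # session is cut off the moment this script is loaded.
        tcp dport 22 accept
        # jump: evaluate the regular chain web; if it returns without a
        # verdict, evaluation continues with the next rule here.
        tcp dport { 80, 443 } jump web
        tcp dport { 80, 443 } counter drop
        # goto: hand the packet over for good; if dns falls through, the
        # base chain's policy (drop) applies instead of the rules below.
        udp dport 53 goto dns
        counter reject with icmpx type admin-prohibited
    }

    # Regular chains: no hook, so they only see packets sent here by jump/goto.
    chain web {
        ct state new limit rate 50/second accept
        log prefix "web rate limit: "    # non-terminal, then implicit return
    }

    chain dns {
        ip saddr 192.0.2.0/24 accept
        ip6 saddr 2001:db8::/48 accept
    }
}
```

A new HTTP connection over the rate limit is logged in web, returns to input, and is counted and dropped by the rule after the jump; a DNS query from outside the two constructed prefixes falls out of dns and is dropped by the policy, never reaching the reject rule.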
The -n option displays addresses and other information numerically instead of resolving them to names. The -a option displays rule handles.

Base chains also allow you to set the chain policy, that is, what happens to packets that are not explicitly accepted or rejected by the rules they contain. The supported policy values are accept (the default) and drop.

Chains are containers for rules. There are two types of chains:

All rules must be created or loaded using the nft command-line utility. Chains live under tables and filter packets. You add each nftables rule to a chain, so that packets “caught” by the chain's hook are then passed to the rules in the chain. Individual rules can only be removed by their handles.
Retrieving handles was shown in #Add rule. For example, suppose that handle here is the identifier of the rule you are deleting. You can get the handle of a rule by using the -a option when running the list command, as in:

Using nftables can affect Docker networking (and probably other container runtimes). You can find various workarounds on the internet that involve either fixing up iptables rules and ensuring a fixed service start order, or disabling Docker's iptables management altogether, which makes using Docker very restrictive (think port forwarding or Docker Compose).

Include statements support the usual shell wildcard symbols (*, ?, []). When wildcards are used, an include statement that matches nothing is not an error. This allows potentially empty include directories for statements such as “/etc/firewall/rules/*”. Wildcard matches are loaded in alphabetical order. Files beginning with a dot (.) are not matched by include statements.
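Deleting and inserting rules by handle, as an added example that is not from the original page. Handles are assigned by the kernel at load time, so the listing in the comment, with its handle numbers 1, 4, 5 and 6, is a constructed sample of what `nft -a list chain inet filter input` prints; the table and chain names and the address are also constructed.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original page. Handles are assigned by the
# kernel, so read them first with `nft -a list chain inet filter input`;
# the listing and handle numbers below are constructed:
#
#   chain input { # handle 1
#       type filter hook input priority 0; policy drop;
#       ct state established,related accept # handle 4
#       tcp dport 22 accept # handle 5
#       tcp dport 23 accept # handle 6
#   }

# Remove the telnet rule by its handle; rules have no other identifier.
delete rule inet filter input handle 6

# position names an existing rule's handle: insert places the new rule
# before it (add ... position would place it after).
insert rule inet filter input position 5 ip saddr 203.0.113.0/24 counter drop

# Show the result; run with `nft -a -n -f` so handles and numeric addresses appear.
list chain inet filter input
```

Handles change whenever a rule set is reloaded, so a script like this is only valid against the exact rule set whose listing it was written from; check the listing again before deleting.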
In general, it is a question of organization. You can create a “tree” of base and regular chains that you use to control the layout and flow of your nftables rule set.