Chapter 6. Getting Started with nftables

The nftables framework provides packet classification facilities and it is the designated successor to the iptables, ip6tables, arptables, ebtables, and ipset tools. It offers numerous improvements in convenience, features, and performance over previous packet-filtering tools, most notably:

- built-in lookup tables instead of linear processing
- a single framework for both the IPv4 and IPv6 protocols
- rules all applied atomically instead of fetching, updating, and storing a complete rule set
- support for debugging and tracing in the rule set (nftrace) and monitoring trace events (in the nft tool)
- more consistent and compact syntax, no protocol-specific extensions
- a Netlink API for third-party applications

Similarly to iptables, nftables uses tables for storing chains. The chains contain individual rules for performing actions. The nft tool replaces all tools from the previous packet-filtering frameworks. The libnftnl library can be used for low-level interaction with the nftables Netlink API over the libmnl library.

To display the effect of rule set changes, use the nft list ruleset command. Since these tools add tables, chains, rules, sets, and other objects to the nftables rule set, be aware that nftables rule-set operations, such as the nft flush ruleset command, might affect rule sets installed using the formerly separate legacy commands.

When to use firewalld or nftables

- firewalld: Use the firewalld utility for simple firewall use cases. The utility is easy to use and covers the typical use cases for these scenarios.
- nftables: Use the nftables utility to set up complex and performance-critical firewalls, such as for a whole network.

Important
To prevent the different firewall services from influencing each other, run only one of them on a RHEL host, and disable the other services.
6.1. Writing and executing nftables scripts

The nftables framework provides a native scripting environment that brings a major benefit over using shell scripts to maintain firewall rules: the execution of scripts is atomic. This means that the system either applies the whole script or prevents the execution if an error occurs. This guarantees that the firewall is always in a consistent state.

Additionally, the nftables script environment enables administrators to:

- add comments
- define variables
- include other rule set files

This section explains how to use these features, as well as creating and executing nftables scripts.

When you install the nftables package, Red Hat Enterprise Linux automatically creates *.nft scripts in the /etc/nftables/ directory. These scripts contain commands that create tables and empty chains for different purposes.
6.1.1. Supported nftables script formats

The nftables scripting environment supports scripts in the following formats:

- You can write a script in the same format as the nft list ruleset command displays the rule set:

      #!/usr/sbin/nft -f

      # Flush the rule set
      flush ruleset

      table inet example_table {
        chain example_chain {
          # Chain for incoming packets that drops all packets that
          # are not explicitly allowed by any rule in this chain
          type filter hook input priority 0; policy drop;

          # Accept connections to port 22 (ssh)
          tcp dport ssh accept
        }
      }

- You can use the same syntax for commands as in nft commands:

      #!/usr/sbin/nft -f

      # Flush the rule set
      flush ruleset

      # Create a table
      add table inet example_table

      # Create a chain for incoming packets that drops all packets
      # that are not explicitly allowed by any rule in this chain
      add chain inet example_table example_chain { type filter hook input priority 0 ; policy drop ; }

      # Add a rule that accepts connections to port 22 (ssh)
      add rule inet example_table example_chain tcp dport ssh accept
6.1.2. Running nftables scripts

You can run an nftables script either by passing it to the nft utility or by executing the script directly.

Prerequisites
- The procedure of this section assumes that you stored an nftables script in the /etc/nftables/example_firewall.nft file.

Procedure 6.1. Running nftables scripts using the nft utility
- To run an nftables script by passing it to the nft utility, enter:

      # nft -f /etc/nftables/example_firewall.nft

Procedure 6.2. Running the nftables script directly
- Steps that are required only once:
  - Ensure that the script starts with the following shebang sequence:

        #!/usr/sbin/nft -f

    Important
    If you omit the -f parameter, the nft utility does not read the script and displays: Error: syntax error, unexpected newline, expecting string.

  - Optional: Set the owner of the script to root:

        # chown root /etc/nftables/example_firewall.nft

  - Make the script executable for the owner:

        # chmod u+x /etc/nftables/example_firewall.nft

- Run the script:

      # /etc/nftables/example_firewall.nft

  If no output is displayed, the system executed the script successfully.

Important
Even if nft executes the script successfully, incorrectly placed rules, missing parameters, or other problems in the script can cause the firewall to behave differently from what you expect.

Additional resources
- For details about setting the owner of a file, see the chown(1) man page.
- For details about setting permissions of a file, see the chmod(1) man page.
- For more information about loading nftables rules with system boot, see Section 6.1.6, “Automatically loading nftables rules when the system boots”.
6.1.3. Using comments in nftables scripts

The nftables scripting environment interprets everything to the right of a # character as a comment.

Example 6.1. Comments in an nftables script
Comments can start at the beginning of a line, as well as next to a command:

    ...
    # Flush the rule set
    flush ruleset

    add table inet example_table  # Create a table
    ...
6.1.4. Using variables in an nftables script

To define a variable in an nftables script, use the define keyword. You can store single values and anonymous sets in a variable. For more complex scenarios, use named sets or verdict maps.

Variables with a single value
The following example defines a variable named INET_DEV with the value enp1s0:

    define INET_DEV = enp1s0

You can use the variable in the script by writing the $ sign followed by the variable name:

    ...
    add rule inet example_table example_chain iifname $INET_DEV tcp dport ssh accept
    ...

Variables that contain an anonymous set
The following example defines a variable that contains an anonymous set:

    define DNS_SERVERS = { 192.0.2.1, 192.0.2.2 }

You can use the variable in the script by writing the $ sign followed by the variable name:

    add rule inet example_table example_chain ip daddr $DNS_SERVERS accept

Note
Note that curly braces have special semantics when you use them in a rule because they indicate that the variable represents a set.
Additional resources
- For more information about sets, see Section 6.4, “Using sets in nftables commands”.
- For more information about verdict maps, see Section 6.5, “Using verdict maps in nftables commands”.
6.1.5. Including files in an nftables script

The nftables scripting environment enables administrators to include other scripts by using the include statement.

If you specify only a file name without an absolute or relative path, nftables includes files from the default search path, which is set to /etc on Red Hat Enterprise Linux.

Example 6.2. Including files from the default search directory
To include a file from the default search directory:

    include "example.nft"

Example 6.3. Including all *.nft files from a directory
To include all files ending in *.nft that are stored in the /etc/nftables/rulesets/ directory:

    include "/etc/nftables/rulesets/*.nft"

Note that the include statement does not match files beginning with a dot.
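A complete script that puts comments, single-value variables, an anonymous set, a named set, and an include statement together, as an added example that is not part of the Red Hat page; the interface name, the addresses, and the /etc/nftables/rulesets/ directory are assumed placeholders:

```nft
#!/usr/sbin/nft -f
# Added example, not from the Red Hat page. Interface, addresses and the
# rulesets directory are assumed placeholders.

# Flush the rule set so the script always starts from a known state
flush ruleset

# Single-value variable (section 6.1.4): the Internet-facing interface
define INET_DEV = enp1s0

# Variable holding an anonymous set (section 6.1.4): the curly braces make
# $DNS_SERVERS match any address in the set
define DNS_SERVERS = { 192.0.2.1, 192.0.2.2 }

table inet example_table {
    # Named set (section 6.1.4): elements can be added or removed at run
    # time with "nft add element" / "nft delete element" without reloading
    set mgmt_hosts {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain example_chain {
        # Drop everything that no rule below explicitly accepts
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host opened
        iif lo accept
        ct state established,related accept

        # DNS replies from the servers in the anonymous set only
        iifname $INET_DEV ip saddr $DNS_SERVERS udp sport 53 accept

        # SSH only from hosts in the named set; "@" references a named set
        iifname $INET_DEV ip saddr @mgmt_hosts tcp dport ssh accept
    }
}

# Site-specific additions live in separate files (section 6.1.5). The glob
# skips files whose name starts with a dot; included files may extend
# example_table because it is already defined at this point.
include "/etc/nftables/rulesets/*.nft"
```

Check the script for syntax errors without applying it with nft -c -f /etc/nftables/example_firewall.nft, then apply it with nft -f or by executing it directly.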
Additional resources
- For further details, see the Include files section in the nft(8) man page.
6.1.6. Automatically loading nftables rules when the system boots

The nftables systemd service loads firewall scripts that are included in the /etc/sysconfig/nftables.conf file. This section explains how to load firewall rules when the system boots.

Prerequisites
- The nftables scripts are stored in the /etc/nftables/ directory.

Procedure 6.3. Automatically loading nftables rules when the system boots
- Edit the /etc/sysconfig/nftables.conf file.
  - If you enhance the *.nft scripts created in /etc/nftables/ when you installed the nftables package, uncomment the include statement for these scripts.
  - If you write scripts from scratch, add include statements to include these scripts. For example, to load the /etc/nftables/example.nft script when the nftables service starts, add:

        include "/etc/nftables/example.nft"

- Optionally, start the nftables service to load the firewall rules without rebooting the system:

      # systemctl start nftables

- Enable the nftables service:

      # systemctl enable nftables

Additional resources
- For more information, see Section 6.1.1, “Supported nftables script formats”.