Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

Chapter 6. Getting Started with nftables

The nftables framework provides packet classification facilities and it is the designated successor to the iptables, ip6tables, arptables, ebtables, and ipset tools. It offers numerous improvements in convenience, features, and performance over previous packet-filtering tools, most notably:
  • built-in lookup tables instead of linear processing
  • a single framework for both the IPv4 and IPv6 protocols
  • rules all applied atomically instead of fetching, updating, and storing a complete rule set
  • support for debugging and tracing in the rule set (nftrace) and monitoring trace events (in the nft tool)
  • more consistent and compact syntax, no protocol-specific extensions
  • a Netlink API for third-party applications
Similarly to iptables, nftables use tables for storing chains. The chains contain individual rules for performing actions. The nft tool replaces all tools from the previous packet-filtering frameworks. The libnftnl library can be used for low-level interaction with nftables Netlink API over the libmnl library.
To display the effect of rule set changes, use the nft list ruleset command. Since these tools add tables, chains, rules, sets, and other objects to the nftables rule set, be aware that nftables rule-set operations, such as the nft flush ruleset command, might affect rule sets installed using the formerly separate legacy commands.

When to use firewalld or nftables

  • firewalld: Use the firewalld utility for simple firewall use cases. The utility is easy to use and covers the typical use cases for these scenarios.
  • nftables: Use the nftables utility to set up complex and performance critical firewalls, such as for a whole network.

Important

To avoid that the different firewall services influence each other, run only one of them on a RHEL host, and disable the other services.

6.1. Writing and executing nftables scripts

The nftables framework provides a native scripting environment that brings a major benefit over using shell scripts to maintain firewall rules: the execution of scripts is atomic. This means that the system either applies the whole script or prevents the execution if an error occurs. This guarantees that the firewall is always in a consistent state.
Additionally, the nftables script environment enables administrators to:
  • add comments
  • define variables
  • include other rule set files
This section explains how to use these features, as well as creating and executing nftables scripts.
When you install the nftables package, Red Hat Enterprise Linux automatically creates *.nft scripts in the /etc/nftables/ directory. These scripts contain commands that create tables and empty chains for different purposes.

6.1.1. Supported nftables script formats

The nftables scripting environment supports scripts in the following formats:
  • You can write a script in the same format as the nft list ruleset command displays the rule set:
    #!/usr/sbin/nft -f
    
    # Flush the rule set
    flush ruleset
    
    table inet example_table {
      chain example_chain {
        # Chain for incoming packets that drops all packets that
        # are not explicitly allowed by any rule in this chain
        type filter hook input priority 0; policy drop;
    
        # Accept connections to port 22 (ssh)
        tcp dport ssh accept
      }
    }
    
  • You can use the same syntax for commands as in nft commands:
    #!/usr/sbin/nft -f
    
    # Flush the rule set
    flush ruleset
    
    # Create a table
    add table inet example_table
    
    # Create a chain for incoming packets that drops all packets
    # that are not explicitly allowed by any rule in this chain
    add chain inet example_table example_chain { type filter hook input priority 0 ; policy drop ; }
    
    # Add a rule that accepts connections to port 22 (ssh)
    add rule inet example_table example_chain tcp dport ssh accept
    

6.1.2. Running nftables scripts

You can run nftables script either by passing it to the nft utility or execute the script directly.

Prerequisites

  • The procedure of this section assumes that you stored an nftables script in the /etc/nftables/example_firewall.nft file.

Procedure 6.1. Running nftables scripts using the nft utility

  • To run an nftables script by passing it to the nft utility, enter:
    # nft -f /etc/nftables/example_firewall.nft

Procedure 6.2. Running the nftables script directly:

  1. Steps that are required only once:
    1. Ensure that the script starts with the following shebang sequence:
      #!/usr/sbin/nft -f

      Important

      If you omit the -f parameter, the nft utility does not read the script and displays: Error: syntax error, unexpected newline, expecting string.
    2. Optional: Set the owner of the script to root:
      # chown root /etc/nftables/example_firewall.nft
    3. Make the script executable for the owner:
      # chmod u+x /etc/nftables/example_firewall.nft
  2. Run the script:
    # /etc/nftables/example_firewall.nft
    If no output is displayed, the system executed the script successfully.

Important

Even if nft executes the script successfully, incorrectly placed rules, missing parameters, or other problems in the script can cause that the firewall behaves not as expected.

Additional resources

6.1.3. Using comments in nftables scripts

The nftables scripting environment interprets everything to the right of a # character as a comment.

Example 6.1. Comments in an nftables script

Comments can start at the beginning of a line, as well as next to a command:
...
# Flush the rule set
flush ruleset

add table inet example_table  # Create a table
...

6.1.4. Using variables in an nftables script

To define a variable in an nftables script, use the define keyword. You can store single values and anonymous sets in a variable. For more complex scenarios, use named sets or verdict maps.

Variables with a single value

The following example defines a variable named INET_DEV with the value enp1s0:
define INET_DEV = enp1s0
You can use the variable in the script by writing the $ sign followed by the variable name:
...
add rule inet example_table example_chain iifname $INET_DEV tcp dport ssh accept
...

Variables that contain an anonymous set

The following example defines a variable that contains an anonymous set:
define DNS_SERVERS = { 192.0.2.1, 192.0.2.2 }
You can use the variable in the script by writing the $ sign followed by the variable name:
add rule inet example_table example_chain ip daddr $DNS_SERVERS accept

Note

Note that curly braces have special semantics when you use them in a rule because they indicate that the variable represents a set.

Additional resources

6.1.5. Including files in an nftables script

The nftables scripting environment enables administrators to include other scripts by using the include statement.
If you specify only a file name without an absolute or relative path, nftables includes files from the default search path, which is set to /etc on Red Hat Enterprise Linux.

Example 6.2. Including files from the default search directory

To include a file from the default search directory:
include "example.nft"

Example 6.3. Including all *.nft files from a directory

To include all files ending in *.nft that are stored in the /etc/nftables/rulesets/ directory:
include "/etc/nftables/rulesets/*.nft"
Note that the include statement does not match files beginning with a dot.

Additional resources

  • For further details, see the Include files section in the nft(8) man page.

6.1.6. Automatically loading nftables rules when the system boots

The nftables systemd service loads firewall scripts that are included in the /etc/sysconfig/nftables.conf file. This section explains how to load firewall rules when the system boots.

Prerequisites

  • The nftables scripts are stored in the /etc/nftables/ directory.

Procedure 6.3. Automatically loading nftables rules when the system boots

  1. Edit the /etc/sysconfig/nftables.conf file.
    • If you enhance *.nft scripts created in /etc/nftables/ when you installed the nftables package, uncomment the include statement for these scripts.
    • If you write scripts from scratch, add include statements to include these scripts. For example, to load the /etc/nftables/example.nft script when the nftables service starts, add:
      include "/etc/nftables/example.nft"
  2. Optionally, start the nftables service to load the firewall rules without rebooting the system:
    # systemctl start nftables
  3. Enable the nftables service.
    # systemctl enable nftables

Additional resources