6.2. Creating and managing nftables tables, chains, and rules

This section explains how to display the nftables rule set, and how to manage it.

6.2.1. Displaying the nftables rule set

The rule set of nftables contains tables, chains, and rules. This section explains how to display this rule set.
To display the complete rule set, enter:
# nft list ruleset
table inet example_table {
  chain example_chain {
    type filter hook input priority filter; policy accept;
    tcp dport http accept
    tcp dport ssh accept
  }
}

Note

By default, nftables does not pre-create any tables. As a consequence, on a host without tables the nft list ruleset command prints nothing: empty output means that no rules are loaded, not that the command failed.

6.2.2. Creating an nftables table

A table in nftables is a name space that contains a collection of chains, rules, sets, and other objects. This section explains how to create a table.
Each table must have an address family defined. The address family of a table determines which packets the chains in the table can see. You can set one of the following address families when you create a table:
  • ip: Matches only IPv4 packets. This is the default if you do not specify an address family.
  • ip6: Matches only IPv6 packets.
  • inet: Matches both IPv4 and IPv6 packets. Use this family for dual-stack filtering so that you do not have to maintain the same rules twice.
  • arp: Matches IPv4 address resolution protocol (ARP) packets.
  • bridge: Matches packets that traverse a bridge device.
  • netdev: Matches packets at the ingress hook, that is, as they arrive on a network device and before the IP stack processes them.

Procedure 6.4. Creating an nftables table

  1. Use the nft add table command to create a new table. For example, to create a table named example_table that processes IPv4 and IPv6 packets:
    # nft add table inet example_table
  2. Optionally, list all tables in the rule set:
    # nft list tables
    table inet example_table

Additional resources

  • For further details about address families, see the Address families section in the nft(8) man page.
  • For details on other actions you can run on tables, see the Tables section in the nft(8) man page.

6.2.3. Creating an nftables chain

Chains are containers for rules. The following two chain types exist:
  • Base chain: A chain that is attached to a hook, such as input or forward. Base chains are the entry points through which the networking stack hands packets to nftables.
  • Regular chain: A chain without a hook. Regular chains receive packets only as a jump or goto target from another chain and are useful to organize rules.
The procedure describes how to add a base chain to an existing table.

Prerequisites

  • The table to which you want to add the new chain exists.

Procedure 6.5. Creating an nftables chain

  1. Use the nft add chain command to create a new chain. For example, to create a chain named example_chain in example_table:
    # nft add chain inet example_table example_chain '{ type filter hook input priority 0 ; policy accept ; }'

    Important

    The chain definition contains semicolons, which the shell otherwise interprets as command separators, and curly braces, which some shells interpret as well. Quote the whole definition in single quotes ('), as in the example; if you do not quote it, escape each semicolon with a backslash.
    This chain filters incoming packets (hook input). The priority parameter specifies the order in which nftables processes chains that are attached to the same hook: a lower value runs first. nft displays the numeric value 0 by its name, filter, which is why the listing below shows priority filter. The policy parameter sets the verdict for packets that reach the end of the chain without any rule having accepted or dropped them. Note that if you are logged in to the server remotely and you set the policy to drop, you are disconnected immediately unless a rule in the chain allows the remote access: add the accept rules first and change the policy afterwards.
  2. Optionally, display all chains:
    # nft list chains
    table inet example_table {
      chain example_chain {
        type filter hook input priority filter; policy accept;
      }
    }
    

Additional resources

  • For further details about address families, see the Address families section in the nft(8) man page.
  • For details on other actions you can run on chains, see the Chains section in the nft(8) man page.

6.2.4. Appending a rule to the end of an nftables chain

This section explains how to append a rule to the end of an existing nftables chain.

Prerequisites

  • The chain to which you want to add the rule exists.

Procedure 6.6. Appending a rule to the end of an nftables chain

  1. To add a new rule, use the nft add rule command. For example, to add a rule to the example_chain in the example_table that allows TCP traffic on port 22:
    # nft add rule inet example_table example_chain tcp dport 22 accept
    You can alternatively specify the name of the service instead of the port number. In the example, you could use ssh instead of the port number 22. Note that a service name is resolved to a port number based on its entry in the /etc/services file.
  2. Optionally, display all chains and their rules in example_table:
    # nft list table inet example_table
    table inet example_table {
      chain example_chain {
        type filter hook input priority filter; policy accept;
        ...
        tcp dport ssh accept
      }
    }
    

Additional resources

  • For further details about address families, see the Address families section in the nft(8) man page.
  • For details on other actions you can run on rules, see the Rules section in the nft(8) man page.

6.2.5. Inserting a rule at the beginning of an nftables chain

This section explains how to insert a rule at the beginning of an existing nftables chain.

Prerequisites

  • The chain to which you want to add the rule exists.

Procedure 6.7. Inserting a rule at the beginning of an nftables chain

  1. To insert a new rule, use the nft insert rule command. For example, to insert a rule to the example_chain in the example_table that allows TCP traffic on port 22:
    # nft insert rule inet example_table example_chain tcp dport 22 accept
    You can alternatively specify the name of the service instead of the port number. In the example, you could use ssh instead of the port number 22. Note that a service name is resolved to a port number based on its entry in the /etc/services file.
  2. Optionally, display all chains and their rules in example_table:
    # nft list table inet example_table
    table inet example_table {
      chain example_chain {
        type filter hook input priority filter; policy accept;
        tcp dport ssh accept
        ...
      }
    }
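The following script, added here as an example and not part of the Red Hat page, combines Procedures 6.5 to 6.7 into a single nft script that nft -f loads as one transaction. It uses the page's example_table and example_chain; the regular chain allow_services, the selected services and the log prefix are assumptions chosen for illustration. The rule order shows why append versus insert matters: the rules that keep an existing SSH session alive and accept the management services sit above the point where the drop policy would take effect, and the script is syntax-checked with nft -c before it is applied.

```shell
#!/bin/sh
# Added example (not from the Red Hat page): builds the table, base chain,
# regular chain and rules from Procedures 6.5-6.7 as one nft script and
# applies it atomically. Names other than example_table/example_chain are
# assumptions for this example.
set -eu

# Emit the complete ruleset as nft script text.
# "flush ruleset" first means nft -f replaces the whole ruleset in one
# transaction: if any line fails to parse, nothing is changed.
ruleset_text() {
    cat <<'EOF'
flush ruleset

table inet example_table {
    # Regular chain: no hook, only reachable via jump (name assumed).
    chain allow_services {
        tcp dport { ssh, http, https } accept
    }

    # Base chain on the input hook, priority 0 (listed as "filter").
    # Policy drop applies to packets that reach the end of the chain
    # without matching a verdict, so the accept rules above it matter.
    chain example_chain {
        type filter hook input priority filter; policy drop;

        # Keep established sessions (including the SSH session that runs
        # this script) alive regardless of the rules below.
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # ICMP/ICMPv6 are needed for PMTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, icmpv6 } accept

        jump allow_services

        # Log what the policy is about to drop, rate limited (prefix assumed).
        limit rate 5/minute log prefix "nft-drop: "
    }
}
EOF
}

# Syntax-check the script without touching the kernel (nft -c).
check_ruleset() {
    ruleset_text | nft -c -f -
}

# Replace the live ruleset and show the result (requires root and nft).
apply_ruleset() {
    check_ruleset
    ruleset_text | nft -f -
    nft list table inet example_table
}

# Helpers that inspect the generated text so the layout can be verified
# on a machine without nft installed.
count_chains() {
    ruleset_text | grep -c '^ *chain '
}
count_base_chains() {
    ruleset_text | grep -c 'type filter hook'
}
# Line number of the first line containing the given text.
line_of() {
    ruleset_text | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Run the script as root with the argument apply to load the ruleset; without the argument it only defines the functions. Because the script starts with flush ruleset, re-running it replaces the previous ruleset atomically instead of appending duplicate rules, which is the behaviour you want from a file under /etc/nftables/.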
    

Additional resources

  • For further details about address families, see the Address families section in the nft(8) man page.
  • For details on other actions you can run on rules, see the Rules section in the nft(8) man page.

6.2.6. Inserting a rule at a specific position of an nftables chain

This section explains how to insert rules before and after an existing rule in an nftables chain, so that you can place a new rule exactly where it is needed. Order matters: nftables evaluates the rules of a chain from top to bottom, and the first rule that issues a verdict such as accept or drop decides the fate of the packet.

Prerequisites

  • The chain to which you want to add the rule exists.

Procedure 6.8. Inserting a rule at a specific position of an nftables chain

  1. Use the nft -a list table command to display all chains and their rules in example_table, including their handles:
    # nft -a list table inet example_table
    table inet example_table { # handle 1
      chain example_chain { # handle 1
        type filter hook input priority filter; policy accept;
        tcp dport 22 accept # handle 2
        tcp dport 443 accept # handle 3
        tcp dport 389 accept # handle 4
      }
    }
    
    The -a option displays the handles. The position keyword in the next step refers to a rule by its handle. Handles are assigned when a rule is loaded and are not preserved across a flush of the ruleset or a reboot, so list the rules again immediately before you use a handle rather than reusing one recorded earlier. Recent nft versions also accept the keyword handle in place of position.
  2. Insert the new rules to the example_chain chain in the example_table:
    • To insert a rule that allows TCP traffic on port 636 before handle 3, enter:
      # nft insert rule inet example_table example_chain position 3 tcp dport 636 accept
    • To add a rule that allows TCP traffic on port 80 after handle 3, enter:
      # nft add rule inet example_table example_chain position 3 tcp dport 80 accept
  3. Optionally, display all chains and their rules in example_table:
    # nft -a list table inet example_table
    table inet example_table { # handle 1
      chain example_chain { # handle 1
        type filter hook input priority filter; policy accept;
        tcp dport 22 accept # handle 2
        tcp dport 636 accept # handle 5
        tcp dport 443 accept # handle 3
        tcp dport 80 accept # handle 6
        tcp dport 389 accept # handle 4
      }
    }
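Handles are the only way to address a rule by position, and they change whenever the ruleset is reloaded, so hard-coding position 3 in a script is fragile. The following shell functions, added here as an example and not part of the Red Hat page, look up the handle of a rule by its text in the output of nft -a list table and build the matching nft insert or nft add command. The listing is a constructed copy of the output shown in step 1; the function names and the live_insert_before helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Red Hat page): resolve a rule's handle from
# `nft -a list table` output and insert a new rule relative to it.
# Handles are only valid for the current ruleset, so they are read back
# immediately before use rather than hard-coded.
set -eu

# Constructed sample of `nft -a list table inet example_table` output,
# so the parsing can be exercised without root or nft installed.
SAMPLE_LISTING='table inet example_table { # handle 1
  chain example_chain { # handle 1
    type filter hook input priority filter; policy accept;
    tcp dport 22 accept # handle 2
    tcp dport 443 accept # handle 3
    tcp dport 389 accept # handle 4
  }
}'

# rule_handle LISTING RULE_TEXT
# Prints the handle of the first rule whose text (before "# handle") is
# exactly RULE_TEXT; returns 1 if no such rule exists. Table and chain
# lines also carry handles and are skipped.
rule_handle() {
    listing=$1
    rule=$2
    printf '%s\n' "$listing" | awk -v rule="$rule" '
        /# handle [0-9]+$/ && !/^ *(table|chain) / {
            text = $0
            sub(/^ +/, "", text)
            sub(/ *# handle [0-9]+$/, "", text)
            if (text == rule) { print $NF; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# relative_rule_cmd before|after REF_RULE NEW_RULE LISTING
# Prints the nft command that places NEW_RULE before (insert) or after
# (add) the rule REF_RULE, using the handle found in LISTING. The command
# is printed rather than executed so it can be reviewed first.
relative_rule_cmd() {
    where=$1; ref_rule=$2; new_rule=$3; listing=$4
    h=$(rule_handle "$listing" "$ref_rule")
    case $where in
        before) verb=insert ;;
        after)  verb=add ;;
        *) echo "usage: relative_rule_cmd before|after REF NEW LISTING" >&2; return 2 ;;
    esac
    printf 'nft %s rule inet example_table example_chain position %s %s\n' \
        "$verb" "$h" "$new_rule"
}

# Live variant (requires root and nft): re-read the handles right before use.
live_insert_before() {
    h=$(rule_handle "$(nft -a list table inet example_table)" "$1")
    # The new rule text is intentionally word-split into nft's arguments.
    nft insert rule inet example_table example_chain position "$h" $2
}
```

Matching on the exact rule text as nft prints it is deliberate: nft normalizes rules on output (for example, it prints service names such as ssh for port 22 when that is how the rule was entered), so compare against a fresh listing rather than against the text you originally typed. A rule that is not found makes rule_handle fail, and with set -e the calling script stops instead of inserting at a wrong position.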
    

Additional resources

  • For further details about address families, see the Address families section in the nft(8) man page.
  • For details on other actions you can run on rules, see the Rules section in the nft(8) man page.