Using nftables in Red Hat Enterprise Linux 8

The article was prepared on the eve of the start of the course "Linux Administrator"

Red Hat Enterprise Linux 8 nftables. , nftables. DevOps-. , , nftables — iptables.

, nftables – userland-, nft . netfilter. nft.

, . .

: , .

, nftables -? , .

# nft list ruleset

… . , . ?

nftables , iptables. . , iptables, , , .

nftables . : ip, ip6, inet, arp, bridge netdev. inet , ipv4 ipv6. .

: , iptables, . nftables – , , . , , , .


# nft add table inet my_table
# nft list ruleset
table inet my_table {

, , . .

– , .

, . , , , . filter, input, priority 0 , .

# nft add chain inet my_table my_filter_chain { type filter hook input priority 0 \; }

: () , shell .

. , iptables. jump goto . , , .

# nft add chain inet my_table my_utility_chain

, , , , . SSH.

# nft add rule inet my_table my_filter_chain tcp dport ssh accept

, inet, IPv4, IPv6.

add . insert, .

# nft insert rule inet my_table my_filter_chain tcp dport http accept

, , .

# nft list ruleset
table inet my_table {
    chain my_filter_chain {
    type filter hook input priority 0; policy accept;
    tcp dport http accept
    tcp dport ssh accept

, http ssh, insert.

. .

  1. index, . add . insert, . 0.

# nft insert rule inet my_table my_filter_chain index 1 tcp dport nfs accept
# nft list ruleset
table inet my_table {
    chain my_filter_chain {
    type filter hook input priority 0; policy accept;
    tcp dport http accept
    tcp dport nfs accept
    tcp dport ssh accept

# nft add rule inet my_table my_filter_chain index 0 tcp dport 1234 accept
# nft list ruleset
table inet my_table {
    chain my_filter_chain {
    type filter hook input priority 0; policy accept;
    tcp dport http accept
    tcp dport 1234 accept
    tcp dport nfs accept
    tcp dport ssh accept

: index insert iptables -I . , , , nftables 0. -, . "nft insert rule … index 0" .

  1. handle, , . add. , insert. handle , --handle .

# nft --handle list ruleset
table inet my_table { # handle 21
    chain my_filter_chain { # handle 1
    type filter hook input priority 0; policy accept;
    tcp dport http accept # handle 3
    tcp dport ssh accept # handle 2
# nft add rule inet my_table my_filter_chain handle 3 tcp dport 1234 accept
# nft insert rule inet my_table my_filter_chain handle 2 tcp dport nfs accept
# nft --handle list ruleset
table inet my_table { # handle 21
    chain my_filter_chain { # handle 1
    type filter hook input priority 0; policy accept;
    tcp dport http accept # handle 3
    tcp dport 1234 accept # handle 8
    tcp dport nfs accept # handle 7
    tcp dport ssh accept # handle 2

nftables handle , . , , .

handle , --echo --handle. CLI handle.

# nft --echo --handle add rule inet my_table my_filter_chain udp dport 3333 accept
add rule inet my_table my_filter_chain udp dport 3333 accept # handle 4

: nftables . handle.

handle add insert .

handle , .

# nft --handle list ruleset
table inet my_table { # handle 21
    chain my_filter_chain { # handle 1
    type filter hook input priority 0; policy accept;
    tcp dport http accept # handle 3
    tcp dport 1234 accept # handle 8
    tcp dport nfs accept # handle 7
    tcp dport ssh accept # handle 2

handle .

# nft delete rule inet my_table my_filter_chain handle 8
# nft --handle list ruleset
table inet my_table { # handle 21
    chain my_filter_chain { # handle 1
    type filter hook input priority 0; policy accept;
    tcp dport http accept # handle 3
    tcp dport nfs accept # handle 7
    tcp dport ssh accept # handle 2

. .


# nft list table inet my_table
table inet my_table {
    chain my_filter_chain {
        type filter hook input priority 0; policy accept;
        tcp dport http accept
        tcp dport nfs accept
        tcp dport ssh accept


# nft list chain inet my_table my_other_chain
table inet my_table {
    chain my_other_chain {
        udp dport 12345 log prefix "UDP-12345"

nftables . , , IP-, , .

inline-. , .


# nft add rule inet my_table my_filter_chain ip saddr {, } accept
# nft list ruleset
table inet my_table {
    chain my_filter_chain {
        type filter hook input priority 0; policy accept;
        tcp dport http accept
        tcp dport nfs accept
        tcp dport ssh accept
        ip saddr {, } accept

, , . , .

, .

# nft add rule inet my_table my_filter_chain tcp dport { http, nfs, ssh } accept

: iptables ipset. nftables , ipset .

Nftables . , . , : ipv4_addr, inet_service, ether_addr.


# nft add set inet my_table my_set { type ipv4_addr \; }
# nft list sets
table inet my_table {
    set my_set {
    type ipv4_addr

@ . IP- .

# nft insert rule inet my_table my_filter_chain ip saddr @my_set drop
# nft list chain inet my_table my_filter_chain
table inet my_table {
    chain my_filter_chain {
    type filter hook input priority 0; policy accept;
    ip saddr @my_set drop
    tcp dport http accept
    tcp dport nfs accept
    tcp dport ssh accept
    ip saddr {, } accept

, , . .

# nft add element inet my_table my_set {, }
# nft list set inet my_table my_set
table inet my_table {
    set my_set {
    type ipv4_addr
    elements = {, }


# nft add element inet my_table my_set { }
Error: Set member cannot be range, missing interval flag on declaration
add element inet my_table my_set { }

, . , , , .

. IP- . , .

# nft add set inet my_table my_range_set { type ipv4_addr \; flags interval \; }
# nft add element inet my_table my_range_set  { }
# nft list set inet my_table my_range_set
table inet my_table {
    set my_range_set {
    type ipv4_addr
    flags interval
    elements = { }

: IP-. , .

. , «.» .

IPv4-, IP- .

# nft add set inet my_table my_concat_set  { type ipv4_addr . inet_proto . inet_service \; }
# nft list set inet my_table my_concat_set
table inet my_table {
    set my_concat_set {
    type ipv4_addr . inet_proto . inet_service


# nft add element inet my_table my_concat_set { . tcp . telnet }

, (tcp, telnet) .

, .

# nft add rule inet my_table my_filter_chain ip saddr . meta l4proto . tcp dport @my_concat_set accept
# nft list chain inet my_table my_filter_chain
table inet my_table {
    chain my_filter_chain {
    ip saddr {, } accept
    meta nfproto ipv4 ip saddr . meta l4proto . tcp dport @my_concat_set accept

, inline-. , .

# nft add rule inet my_table my_filter_chain ip saddr . meta l4proto . udp dport { . udp . bootps } accept

, nftables.

: nftables ipset, , hash:ip,port.

Verdict Map

Verdict map – nftables, , . , .

, , TCP UDP . verdict map, .

# nft add chain inet my_table my_tcp_chain
# nft add chain inet my_table my_udp_chain
# nft add rule inet my_table my_filter_chain meta l4proto vmap { tcp : jump my_tcp_chain, udp : jump my_udp_chain }
# nft list chain inet my_table my_filter_chain
table inet my_table {
    chain my_filter_chain {
    meta nfproto ipv4 ip saddr . meta l4proto . udp dport { . udp . bootps } accept
    meta l4proto vmap { tcp : jump my_tcp_chain, udp : jump my_udp_chain }

, verdict map.

# nft add map inet my_table my_vmap { type inet_proto : verdict \; }

. . , verdict map .

verdict map .

# nft add rule inet my_table my_filter_chain meta l4proto vmap @my_vmap

nftables – , . , .

# nft add table inet table_one
# nft add chain inet table_one my_chain
# nft add table inet table_two
# nft add chain inet table_two my_chain
# nft list ruleset
table inet table_one {
    chain my_chain {
table inet table_two {
    chain my_chain {

, , . iptables , .

. . , . table_one , table_two. . . , .

nftables . list nft , . nftables systemd.

# nft list ruleset > /root/nftables.conf

# nft -f /root/nftables.conf

, systemd . /etc/sysconfig/nftables.conf.

# systemctl enable nftables
# nft list ruleset > /etc/sysconfig/nftables.conf

: , RHEL-8, nftables /etc/nftables. iptables. /etc/sysconfig/nftables.conf, .

, nftables. nftables. , . nft . , , nftables.

