.\"
.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez <arturo@netfilter.org>
.\"
.\" %%%LICENSE_START(GPLv2+_DOC_FULL)
.\" This is free documentation; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License as
.\" published by the Free Software Foundation; either version 2 of
.\" the License, or (at your option) any later version.
.\"
.\" The GNU General Public License's references to "object code"
.\" and "executables" are to be interpreted as the output of any
.\" document formatting or typesetting system, including
.\" intermediate and printed output.
.\"
.\" This manual is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public
.\" License along with this manual; if not, see
.\" <http://www.gnu.org/licenses/>.
.\" %%%LICENSE_END
.\"
.TH XTABLES-NFT 8 "June 2018"

.SH NAME
xtables-nft \(em iptables using the nftables kernel API

.SH DESCRIPTION
The \fBxtables-nft\fP tools are versions of iptables that use the nftables API.
This is a set of tools to help the system administrator migrate the
ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and
\fBebtables(8)\fP to \fBnftables(8)\fP.

The \fBxtables-nft\fP set is composed of several commands:
.IP \[bu] 2
iptables\-nft
.IP \[bu]
iptables\-nft\-save
.IP \[bu]
iptables\-nft\-restore
.IP \[bu]
ip6tables\-nft
.IP \[bu]
ip6tables\-nft\-save
.IP \[bu]
ip6tables\-nft\-restore
.IP \[bu]
arptables\-nft
.IP \[bu]
ebtables\-nft

These tools use the libxtables framework extensions and hook into the nf_tables
kernel subsystem using the \fBnft_compat\fP module.

.SH USAGE
The xtables-nft tools allow you to manage the nf_tables backend using the
native syntax of \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and
\fBebtables(8)\fP.

You should use the xtables-nft tools exactly the same way as you would use the
corresponding original tools.

Adding a rule will result in that rule being added to the nf_tables kernel
subsystem instead.
Listing the ruleset will use the nf_tables backend as well.

When these tools were designed, the main idea was to replace each legacy binary
with a symlink to the xtables-nft program, for example:

.nf
/sbin/iptables -> /usr/sbin/iptables\-nft\-multi
/sbin/ip6tables -> /usr/sbin/ip6tables\-nft\-multi
/sbin/arptables -> /usr/sbin/arptables\-nft\-multi
/sbin/ebtables -> /usr/sbin/ebtables\-nft\-multi
.fi

The iptables version string will indicate whether the legacy API (get/setsockopt) or
the new nf_tables API is used:
.nf
iptables \-V
iptables v1.7 (nf_tables)
.fi

.SH DIFFERENCES TO LEGACY IPTABLES

Because the xtables-nft tools use the nf_tables kernel API, rule additions
and deletions are always atomic. Unlike iptables-legacy, iptables-nft \-A ...
will NOT need to retrieve the current ruleset from the kernel, change it, and
re-load the altered ruleset. Instead, iptables-nft will tell the kernel to add
one rule. For this reason, the iptables-legacy \-\-wait option is a no-op in
iptables-nft.

Use of the xtables-nft tools allows monitoring ruleset changes using the
.B xtables\-monitor(8)
command.

When using \-j TRACE to debug packet traversal through the ruleset, note that you will need to use
.B xtables\-monitor(8)
in \-\-trace mode to obtain monitoring trace events.

.SH EXAMPLES
One basic example is creating the skeleton ruleset in nf_tables from the
xtables-nft tools, on a fresh machine:

.nf
root@machine:~# iptables\-nft \-L
[...]
root@machine:~# ip6tables\-nft \-L
[...]
root@machine:~# arptables\-nft \-L
[...]
root@machine:~# ebtables\-nft \-L
[...]
root@machine:~# nft list ruleset
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
table ip6 filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
table bridge filter {
    chain INPUT {
        type filter hook input priority \-200; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority \-200; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority \-200; policy accept;
    }
}
table arp filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
.fi

(Please note that on a fresh machine, listing the ruleset for the first time
results in all tables and chains being created.)

To migrate your complete filter ruleset, in the case of \fBiptables(8)\fP,
you would use:

.nf
root@machine:~# iptables\-legacy\-save > myruleset # reads from x_tables
root@machine:~# iptables\-nft\-restore myruleset # writes to nf_tables
.fi
or
.nf
root@machine:~# iptables\-legacy\-save | iptables\-restore\-translate \-f /dev/stdin | less
.fi

to see how the rules would look in
\fBnft(8)\fP
syntax.
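
The backend check from the USAGE section and the save/restore migration above, as an added example that is not part of this manual page or of the iptables project: a POSIX shell script that classifies the output of iptables \-V and verifies that a legacy dump and the nf_tables dump taken after the restore define the same ruleset once counters and timestamps are ignored. The sample dumps, the rules in them and the helper names (backend_of, normalize_save, rulesets_match) are constructed for this example; the "(legacy)" tag is what iptables-legacy prints in its version string.

```shell
#!/bin/sh
# Added example, not part of the xtables-nft manual page or of iptables:
# text-only helpers for checking a legacy -> nf_tables migration. They only
# parse "iptables -V" and iptables-save output, so no root is required.

# backend_of VERSION_LINE: classify "iptables -V" output as nf_tables,
# legacy or unknown (releases before the split print no backend name).
backend_of() {
    case "$1" in
        *'(nf_tables)'*) echo nf_tables ;;
        *'(legacy)'*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# normalize_save: read iptables-save text on stdin and keep only the lines
# that define policy. Timestamp comments and [pkts:bytes] counters are
# dropped, since counters restart at zero after a restore into nf_tables.
normalize_save() {
    sed -e '/^#/d' -e 's/ *\[[0-9]*:[0-9]*]//g' -e '/^$/d'
}

# rulesets_match DUMP_A DUMP_B: succeed when both dumps declare the same
# tables, chains, policies and rules in the same order.
rulesets_match() {
    [ "$(printf '%s\n' "$1" | normalize_save)" = \
      "$(printf '%s\n' "$2" | normalize_save)" ]
}

# Constructed sample: iptables-legacy-save output before the migration ...
LEGACY_DUMP='# Generated by iptables-save v1.8.7 on Mon Jan  1 00:00:00 2024
*filter
:INPUT DROP [42:3360]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [17:1280]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 00:00:00 2024'
# ... and the nf_tables dump afterwards: same rules, zeroed counters, new time.
NFT_DUMP=$(printf '%s\n' "$LEGACY_DUMP" | sed 's/\[[0-9]*:[0-9]*]/[0:0]/; s/00:00:00/00:05:00/')
# A dump that lost the SSH rule, to show a mismatch being detected.
PARTIAL_DUMP=$(printf '%s\n' "$NFT_DUMP" | grep -v 'dport 22')

# Stand-alone run: report the backend and whether the migration round-tripped.
echo "backend: $(backend_of 'iptables v1.8.7 (nf_tables)')"
rulesets_match "$LEGACY_DUMP" "$NFT_DUMP" && echo "ruleset migrated intact"
rulesets_match "$LEGACY_DUMP" "$PARTIAL_DUMP" || echo "partial dump differs"
```

On a real host, replace the constructed dumps with the output of iptables\-legacy\-save and iptables\-nft\-save taken before and after the restore.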

.SH LIMITATIONS
You should use \fBLinux kernel >= 4.17\fP.

The CLUSTERIP target is not supported.

To get up-to-date information about this, please head to
\fBhttp://wiki.nftables.org/\fP.

.SH SEE ALSO
\fBnft(8)\fP, \fBxtables\-translate(8)\fP, \fBxtables\-monitor(8)\fP

.SH AUTHORS
The nftables framework is written by the Netfilter project
(https://www.netfilter.org).

This manual page was written by Arturo Borrero Gonzalez
<arturo@debian.org> for the Debian project, but may be used by others.

This documentation is free/libre under the terms of the GPLv2+.