| .\" |
| .\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez <arturo@netfilter.org> |
| .\" |
| .\" %%%LICENSE_START(GPLv2+_DOC_FULL) |
| .\" This is free documentation; you can redistribute it and/or |
| .\" modify it under the terms of the GNU General Public License as |
| .\" published by the Free Software Foundation; either version 2 of |
| .\" the License, or (at your option) any later version. |
| .\" |
| .\" The GNU General Public License's references to "object code" |
| .\" and "executables" are to be interpreted as the output of any |
| .\" document formatting or typesetting system, including |
| .\" intermediate and printed output. |
| .\" |
| .\" This manual is distributed in the hope that it will be useful, |
| .\" but WITHOUT ANY WARRANTY; without even the implied warranty of |
| .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| .\" GNU General Public License for more details. |
| .\" |
| .\" You should have received a copy of the GNU General Public |
| .\" License along with this manual; if not, see |
| .\" <http://www.gnu.org/licenses/>. |
| .\" %%%LICENSE_END |
| .\" |
| .TH XTABLES-NFT 8 "June 2018" |
| |
| .SH NAME |
| xtables-nft \(em iptables using nftables kernel api |
| |
| .SH DESCRIPTION |
| \fBxtables-nft\fP are versions of iptables that use the nftables API. |
| This is a set of tools to help the system administrator migrate the |
| ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and |
| \fBebtables(8)\fP to \fBnftables(8)\fP. |
| |
| The \fBxtables-nft\fP set is composed of several commands: |
| .IP \[bu] 2 |
| iptables\-nft |
| .IP \[bu] |
| iptables\-nft\-save |
| .IP \[bu] |
| iptables\-nft\-restore |
| .IP \[bu] |
| ip6tables\-nft |
| .IP \[bu] |
| ip6tables\-nft\-save |
| .IP \[bu] |
| ip6tables\-nft\-restore |
| .IP \[bu] |
| arptables\-nft |
| .IP \[bu] |
| ebtables\-nft |
| |
| These tools use the libxtables framework extensions and hook to the nf_tables |
| kernel subsystem using the \fBnft_compat\fP module. |
| |
| .SH USAGE |
| The xtables-nft tools allow you to manage the nf_tables backend using the |
| native syntax of \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and |
| \fBebtables(8)\fP. |
| |
| You should use the xtables-nft tools exactly the same way as you would use the |
| corresponding original tools. |
| |
| Adding a rule will result in that rule being added to the nf_tables kernel |
| subsystem instead. |
| Listing the ruleset will use the nf_tables backend as well. |
| |
| When these tools were designed, the main idea was to replace each legacy binary |
| with a symlink to the xtables-nft program, for example: |
| |
| .nf |
| /sbin/iptables -> /usr/sbin/iptables\-nft\-multi |
| /sbin/ip6tables -> /usr/sbin/ip6tables\-nft\-multi |
| /sbin/arptables -> /usr/sbin/arptables\-nft\-multi |
| /sbin/ebtables -> /usr/sbin/ebtables\-nft\-multi |
| .fi |
| |
| The iptables version string will indicate whether the legacy API (get/setsockopt) or |
| the new nf_tables api is used: |
| .nf |
| iptables \-V |
| iptables v1.7 (nf_tables) |
| .fi |
| |
| .SH DIFFERENCES TO LEGACY IPTABLES |
| |
| Because the xtables-nft tools use the nf_tables kernel API, rule additions |
| and deletions are always atomic. Unlike iptables-legacy, iptables-nft \-A .. |
| will NOT need to retrieve the current ruleset from the kernel, change it, and |
| re-load the altered ruleset. Instead, iptables-nft will tell the kernel to add |
| one rule. For this reason, the iptables-legacy \-\-wait option is a no-op in |
| iptables-nft. |
| |
| Use of the xtables-nft tools allow monitoring ruleset changes using the |
| .B xtables\-monitor(8) |
| command. |
| |
| When using \-j TRACE to debug packet traversal to the ruleset, note that you will need to use |
| .B xtables\-monitor(8) |
| in \-\-trace mode to obtain monitoring trace events. |
| |
| .SH EXAMPLES |
| One basic example is creating the skeleton ruleset in nf_tables from the |
| xtables-nft tools, in a fresh machine: |
| |
| .nf |
| root@machine:~# iptables\-nft \-L |
| [...] |
| root@machine:~# ip6tables\-nft \-L |
| [...] |
| root@machine:~# arptables\-nft \-L |
| [...] |
| root@machine:~# ebtables\-nft \-L |
| [...] |
| root@machine:~# nft list ruleset |
| table ip filter { |
| chain INPUT { |
| type filter hook input priority 0; policy accept; |
| } |
| |
| chain FORWARD { |
| type filter hook forward priority 0; policy accept; |
| } |
| |
| chain OUTPUT { |
| type filter hook output priority 0; policy accept; |
| } |
| } |
| table ip6 filter { |
| chain INPUT { |
| type filter hook input priority 0; policy accept; |
| } |
| |
| chain FORWARD { |
| type filter hook forward priority 0; policy accept; |
| } |
| |
| chain OUTPUT { |
| type filter hook output priority 0; policy accept; |
| } |
| } |
| table bridge filter { |
| chain INPUT { |
| type filter hook input priority \-200; policy accept; |
| } |
| |
| chain FORWARD { |
| type filter hook forward priority \-200; policy accept; |
| } |
| |
| chain OUTPUT { |
| type filter hook output priority \-200; policy accept; |
| } |
| } |
| table arp filter { |
| chain INPUT { |
| type filter hook input priority 0; policy accept; |
| } |
| |
| chain FORWARD { |
| type filter hook forward priority 0; policy accept; |
| } |
| |
| chain OUTPUT { |
| type filter hook output priority 0; policy accept; |
| } |
| } |
| .fi |
| |
| (please note that in fresh machines, listing the ruleset for the first time |
| results in all tables an chain being created). |
| |
| To migrate your complete filter ruleset, in the case of \fBiptables(8)\fP, |
| you would use: |
| |
| .nf |
| root@machine:~# iptables\-legacy\-save > myruleset # reads from x_tables |
| root@machine:~# iptables\-nft\-restore myruleset # writes to nf_tables |
| .fi |
| or |
| .nf |
| root@machine:~# iptables\-legacy\-save | iptables-translate-restore | less |
| .fi |
| |
| to see how rules would look like in the nft |
| \fBnft(8)\fP |
| syntax. |
| |
| .SH LIMITATIONS |
| You should use \fBLinux kernel >= 4.17\fP. |
| |
| The CLUSTERIP target is not supported. |
| |
| To get up-to-date information about this, please head to |
| \fBhttp://wiki.nftables.org/\fP. |
| |
| .SH SEE ALSO |
| \fBnft(8)\fP, \fBxtables\-translate(8)\fP, \fBxtables\-monitor(8)\fP |
| |
| .SH AUTHORS |
| The nftables framework is written by the Netfilter project |
| (https://www.netfilter.org). |
| |
| This manual page was written by Arturo Borrero Gonzalez |
| <arturo@debian.org> for the Debian project, but may be used by others. |
| |
| This documentation is free/libre under the terms of the GPLv2+. |