nftables is a netfilter project that aims to replace the existing {ip,ip6,arp,eb}tables framework. It provides a new packet filtering framework, a new user-space utility (nft), and a compatibility layer for {ip,ip6}tables. It uses the existing hooks, connection tracking system, user-space queueing component, and logging subsystem of netfilter.

It consists of three main components: a kernel implementation, the libnlnetlink communication and the nftables user-space front-end.The kernel provides a netlink configuration interface, as well as run-time rule-set evaluation, libnl contains the low-level functions for communicating with the kernel, and the nftables front-end is what the user interacts with via nft.

You can also visit theofficial nftables wiki page for more information.

Install the userspace utilities packagenftables.

Alternatively,installingiptables-nft, which includesnftables as a dependency, will automatically uninstalliptables (an indirect dependency of thebasemeta package) and prevent conflicts betweeniptables andnftables when used together. See#Using iptables-nft for details.

• firewalld (firewall-cmd) — Daemon and console interface for configuring network and firewall zones as well as setting up and configuring firewall rules.

https://firewalld.org/ ||firewalld

• nft-blackhole — Script / daemon to blocking IP in nftables by country and black lists.

https://github.com/tomasz-c/nft-blackhole ||nft-blackhole^AUR

• ufw — Ufw stands for Uncomplicated Firewall, and is a program for managing a netfilter firewall.

https://help.ubuntu.com/community/UFW ||ufw

• reaction — A daemon that scans program outputs for repeated patterns, and takes action. A lightweight alternative to fail2ban.

https://framagit.org/ppom/reaction ||reaction^AUR

nftables makesno distinction between temporary rules made in the command line and permanent ones loaded from or saved to a file.

All rules have to be created or loaded usingnft command line utility.

Refer to#Configuration section on how to use.

Current ruleset can be printed with:

# nft list ruleset

Remove all ruleset leaving the system with no firewall:

# nft flush ruleset

Read ruleset from/etc/nftables.conf byrestartingnftables.service.

nftables comes with a simple and secure firewall configuration stored in the/etc/nftables.conf file.

Thenftables.service will load rules from that file whenstarted or enabled.

nftables user-space utilitynft performs most of the rule-set evaluation before handing rule-sets to the kernel. Rules are stored in chains, which in turn are stored in tables. The following sections indicate how to create and modify these constructs.

To read input from a file use the-f/--file option:

# nft --filefilename

Note that any rules already loaded arenot automatically flushed.

Seenft(8) for a complete list of all commands.

Tables hold#Chains. Unlike tables in iptables, there are no built-in tables in nftables. The number of tables and their names is up to the user. However, each table only has one address family and only applies to packets of this family. Tables can have one of five families specified:

ip (i.e. IPv4) is the default family and will be used if family is not specified.

To create one rule that applies to both IPv4 and IPv6, useinet.inet allows for the unification of theip andip6 families to make defining rules for both easier.

Seenft(8) § ADDRESS FAMILIES for a complete description of address families.

In all of the following,family_type is optional, and if not specified is set toip.

The following adds a new table:

# nft add tablefamily_typetable_name

To list all tables:

# nft list tables

To list all chains and rules of a specified table:

# nft list tablefamily_typetable_name

For example, to list all the rules of themy_table table of theinet family:

# nft list table inet my_table

To delete a table:

# nft delete tablefamily_typetable_name

This will destroy all chains in the table.

To flush/clear all rules from a table:

# nft flush tablefamily_typetable_name

The purpose of chains is to hold#Rules. Unlike chains in iptables, there are no built-in chains in nftables. This means that if no chain uses any types or hooks in the netfilter framework, packets that would flow through those chains will not be touched by nftables, unlike iptables.

Chains have two types. Abase chain is an entry point for packets from the networking stack, where a hook value is specified. Aregular chain may be used as a jump target for better organization.

See thetraffic flow diagram showing the ordering between individual hooks. Within a given hook, netfilter performs operations in order of increasing numerical priority.

In all of the followingfamily_type is optional, and if not specified is set toip.

To add a base chain it is mandatory to specify type, hook and priority values:

# nft add chainfamily_typetable_namechain_name '{ typechain_type hookhook_type prioritypriority_value ; policypolicy ;}'

chain_type can befilter,route, ornat.

For IPv4/IPv6/Inet address familieshook_type can beprerouting,input,forward,output, orpostrouting. Seenft(8) § CHAINS for a list of supportedfamily_type,chain_type andhook_type combinations.

priority_value takes either a priority name or an integer value. Seenft(8) § CHAINS for a list of standard priority names and values. Chains with lower numbers are processed first and can be negative.[5]

Optionally base chains can have apolicy (drop or the defaultaccept), to define what happens to packets not explicitly accepted or refused in contained rules.

For example, to add a base chain that filters input packets:

# nft add chain inet my_table my_chain '{ type filter hook input priority 0; }'

Replaceadd withcreate in any of the above to add a new chain but return an error if the chain already exists.

The following adds a regular chain namedchain_name to the table namedtable_name:

# nft add chainfamily_typetable_namechain_name

For example, to add a regular chain namedmy_tcp_chain to themy_table table of theinet address family:

# nft add chain inet my_table my_tcp_chain

The following lists all chains without rules (see#List rules) of afamily_type:

# nft list chainsfamily_type

For example, the following lists the chains of ipv6:

# nft list chains ip6

if you omit the family_type all chains are printed.

To edit a chain, simply call it by its name and define the rules you want to change.

# nft chainfamily_type table_name chain_name '{ [ typechain_type hookhook_type devicedevice_name prioritypriority_value ; policypolicy_type ; ] }'

For example, to change themy_input chain policy of the default table fromaccept todrop

# nft chain inet my_table my_input '{ policy drop ; }'

To delete a chain:

# nft delete chainfamily_typetable_namechain_name

The chain must not contain any rules or be a jump target.

To flush rules from a chain:

# nft flush chainfamily_typetable_namechain_name

Rules are either constructed from expressions or statements and are contained within chains.

To add a rule to a chain:

# nft add rulefamily_typetable_namechain_name handlehandle_valuestatement

The rule is appended athandle_value, which is optional. If not specified, the rule is appended to the end of the chain.

The--handle switch, which can be added to any valid list command, must be used to determine a rule handle. This switch tellsnft to list the handles in its output. The--numeric argument is useful for viewing some numeric output, like unresolved IP addresses.

# nft --handle --numeric list chain inet my_table my_input

table inet my_table {     chain input {          type filter hook input priority 0;          ip saddr 127.0.0.1 accept # handle 10     }}

To prepend the rule to the position:

# nft insert rulefamily_typetable_namechain_name handlehandle_valuestatement

Ifhandle_value is not specified, the rule is prepended to the chain.

Typically astatement includes some expression to be matched and then a verdict statement. Verdict statements includeaccept,drop,queue,continue,return,jumpchain_name, andgotochain_name. Other statements than verdict statements are possible. Seenft(8) for more information.

There are various expressions available in nftables and, for the most part, coincide with their iptables counterparts. The most noticeable difference is that there are no generic or implicit matches. A generic match was one that was always available, such as--protocol or--source. Implicit matches were protocol-specific, such as--sport when a packet was determined to be TCP.

The following is an incomplete list of the matches available:

• meta (meta properties, e.g. interfaces)
• icmp (ICMP protocol)
• icmpv6 (ICMPv6 protocol)
• ip (IP protocol)
• ip6 (IPv6 protocol)
• tcp (TCP protocol)
• udp (UDP protocol)
• sctp (SCTP protocol)
• ct (connection tracking)

The following is an incomplete list of match arguments (for a more complete list, seenft(8)):

meta:  oif <output interface INDEX>  iif <input interface INDEX>  oifname <output interface NAME>  iifname <input interface NAME>  (oif and iif accept string arguments and are converted to interface indexes)  (oifname and iifname are more dynamic, but slower because of string matching)icmp:  type <icmp type>icmpv6:  type <icmpv6 type>ip:  protocol <protocol>  daddr <destination address>  saddr <source address>ip6:  daddr <destination address>  saddr <source address>tcp:  dport <destination port>  sport <source port>udp:  dport <destination port>  sport <source port>sctp:  dport <destination port>  sport <source port>ct:  state <new | established | related | invalid>

The following lists all rules of a chain:

# nft list chainfamily_typetable_namechain_name

For example, the following lists the rules of the chain namedmy_output in theinet table namedmy_table:

# nft list chain inet my_table my_output

Individual rules can only be deleted by their handles. Obtaining the handles was shown at#Add rule. Assuming

# nft --handle --numeric list chain inet my_table my_input

table inet my_table {     chain input {          type filter hook input priority 0;          ip saddr 127.0.0.1 accept # handle 10     }}

# nft delete rule inet my_table my_input handle 10

deletes it.

All the chains in a table can be flushed with thenft flush table command. Individual chains can be flushed using either thenft flush chain ornft delete rule commands.

# nft flush tabletable_name# nft flush chainfamily_typetable_namechain_name# nft delete rulefamily_typetable_namechain_name

The first command flushes all of the chains in the iptable_name table. The second flushes thechain_name chain in thefamily_typetable_name table. The third deletes all of the rules inchain_name chain in thefamily_typetable_name table.

Sets are named or anonymous, and consist of one or more elements, separated by commas, enclosed by curly braces. Anonymous sets are embedded in rules and cannot be updated, you must delete and re-add the rule. E.g., you cannot just remove "http" from the dports set in the following:

# nft add rule ip6 filter input tcp dport {telnet, http, https} accept

Named sets can be updated, and can be typed and flagged.sshguard uses named sets for the IP addresses of blocked hosts.

table ip sshguard {       set attackers {               type ipv4_addr               flags interval               elements = { 1.2.3.4 }       }

Toadd ordelete elements from the set, use:

# nft add element ip sshguard attackers { 5.6.7.8/32 }# nft delete element ip sshguard attackers { 1.2.3.4/32 }

Note the typeipv4_addr can include a CIDR netmask (the/32 here is not necessary, but is included for completeness' sake). Note also, the set defined here byTABLE ip sshguard { SET attackers } is addressed asip sshguard attackers.

Flush the current ruleset:

# echo "flush ruleset" > /tmp/nftables

Dump the current ruleset:

# nft -s list ruleset >> /tmp/nftables

Now you can edit/tmp/nftables and apply your changes with:

# nft -f /tmp/nftables

/etc/nftables.conf

flush rulesettable inet my_table {set LANv4 {type ipv4_addrflags intervalelements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }}set LANv6 {type ipv6_addrflags intervalelements = { fd00::/8, fe80::/10 }}chain my_input_lan {udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies"}chain my_input {type filter hook input priority filter; policy drop;iif lo accept comment "Accept any localhost traffic"ct state invalid drop comment "Drop invalid connections"fib daddr . iif type != { local, broadcast, multicast } drop comment "Drop packets if the destination IP address is not configured on the incoming interface (strong host model)"ct state { established, related } accept comment "Accept traffic originated from us"meta l4proto { icmp, ipv6-icmp } accept comment "Accept ICMP"ip protocol igmp accept comment "Accept IGMP"udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges"ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges"counter comment "Count any other traffic"}chain my_forward {type filter hook forward priority filter; policy drop;# Drop everything forwarded to us. We do not forward. That is routers job.}chain my_output {type filter hook output priority filter; policy accept;# Accept every outbound connection}}

/etc/nftables.conf

flush rulesettable inet my_table {set LANv4 {type ipv4_addrflags intervalelements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }}set LANv6 {type ipv6_addrflags intervalelements = { fd00::/8, fe80::/10 }}chain my_input_lan {meta l4proto { tcp, udp } th dport 2049 accept comment "Accept NFS"udp dport netbios-ns accept comment "Accept NetBIOS Name Service (nmbd)"udp dport netbios-dgm accept comment "Accept NetBIOS Datagram Service (nmbd)"tcp dport netbios-ssn accept comment "Accept NetBIOS Session Service (smbd)"tcp dport microsoft-ds accept comment "Accept Microsoft Directory Service (smbd)"udp sport { bootpc, 4011 } udp dport { bootps, 4011 } accept comment "Accept PXE"udp dport tftp accept comment "Accept TFTP"}chain my_input {type filter hook input priority filter; policy drop;iif lo accept comment "Accept any localhost traffic"ct state invalid drop comment "Drop invalid connections"fib daddr . iif type != { local, broadcast, multicast } drop comment "Drop packets if the destination IP address is not configured on the incoming interface (strong host model)"ct state { established, related } accept comment "Accept traffic originated from us"meta l4proto { icmp, ipv6-icmp } accept comment "Accept ICMP"ip protocol igmp accept comment "Accept IGMP"udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges"ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges"tcp dport ssh accept comment "Accept SSH on port 22"tcp dport ipp accept comment "Accept IPP/IPPS on port 631"meta l4proto { tcp, udp } th dport { http, https, 8008, 8080 } accept comment "Accept HTTP (ports 80, 443, 8008, 8080)"udp sport bootpc udp dport bootps ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept comment "Accept DHCPDISCOVER (for DHCP-Proxy)"}chain my_forward {type filter hook forward priority filter; policy drop;# Drop everything forwarded to us. We do not forward. That is routers job.}chain my_output {type filter hook output priority filter; policy accept;# Accept every outbound connection}}

table inet my_table {chain my_input {type filter hook input priority filter; policy drop;iif lo accept comment "Accept any localhost traffic"ct state invalid drop comment "Drop invalid connections"fib daddr . iif type != { local, broadcast, multicast } drop comment "Drop packets if the destination IP address is not configured on the incoming interface (strong host model)"meta l4proto icmp icmp type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"meta l4proto ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"ct state { established, related } accept comment "Accept traffic originated from us"meta l4proto { icmp, ipv6-icmp } accept comment "Accept ICMP"ip protocol igmp accept comment "Accept IGMP"tcp dport ssh ct state new limit rate 15/minute accept comment "Avoid brute force on SSH"}}

When using jumps in configuration file, it is necessary to define the target chain first. Otherwise one could end up withError: Could not process rule: No such file or directory.

table inet my_table {    chain web {        tcp dport http accept        tcp dport 8080 accept    }    chain my_input {        type filter hook input priority filter;        ip saddr 10.0.2.0/24 jump web        drop    }}

If your box has more than one network interface, and you would like to use different rules for different interfaces, you may want to use a "dispatching" filter chain, and then interface-specific filter chains. For example, let us assume your box acts as a home router, you want to run a web server accessible over the LAN (interfaceenp3s0), but not from the public internet (interfaceenp2s0), you may want to consider a structure like this:

table inet my_table {  chain my_input { # this chain serves as a dispatcher    type filter hook input priority filter; policy drop;    iif lo accept comment "always accept loopback"    iifname enp2s0 jump my_input_public    iifname enp3s0 jump my_input_private  }  chain my_input_public { # rules applicable to public interface interface    ct state {established,related} accept    ct state invalid drop    udp dport bootpc accept    tcp dport bootpc accept  }  chain my_input_private {    ct state {established,related} accept    ct state invalid drop    udp dport bootpc accept    tcp dport bootpc accept    tcp port http accept    tcp port https accept    reject with icmpx port-unreachable comment "all other traffic"  }  chain my_output { # we let everything out    type filter hook output priority filter;    accept  }}

Alternatively you could choose only oneiifname statement, such as for the single upstream interface, and put the default rules for all other interfaces in one place, instead of dispatching for each interface.

nftables has a special keywordmasquerade "where the source address is automagically set to the address of the output interface" (source). This is particularly useful for situations in which the IP address of the interface is unpredictable or unstable, such as the upstream interface of routers connecting to many ISPs. Without it, the Network Address Translation rules would have to be updated every time the IP address of the interface changed.

To use it:

• make sure masquerading is enabled in the kernel (true if you use the default kernel), otherwise during kernel configuration, setCONFIG_NFT_MASQ=m.
• themasquerade keyword can only be used in chains of typenat.
• masquerading is a kind of source NAT, so only works in the output path.

Example for a machine with two interfaces: LAN connected toenp3s0, and public internet connected toenp2s0:

table inet my_nat {  chain my_masquerade {    type nat hook postrouting priority srcnat;    oifname "enp2s0" masquerade  }}

Since the table type isinet both IPv4 and IPv6 packets will be masqueraded. If you want only ipv4 packets to be masqueraded (since extra adress space of IPv6 makes NAT not required)meta nfproto ipv4 expression can be used infront ofoifname "enp2s0" or the table type can be changed toip.

This example will masquerade traffic exiting through a WAN interface called eth0 and forward ports 22 and 80 to10.0.0.2. You will need to setnet.ipv4.ip_forward to1 viasysctl.

table nat {    chain prerouting {        type nat hook prerouting priority dstnat;        iif eth0 tcp dport {22, 80} dnat to 10.0.0.2    }    chain postrouting {        type nat hook postrouting priority srcnat;        oif eth0 masquerade    }}

Use this snippet to count HTTPS connections:

/etc/nftables.conf

table inet filter {    set https {        type ipv4_addr;        flags dynamic;        size 65536;        timeout 60m;    }    chain input {        type filter hook input priority filter;        ct state new meta l4proto { tcp, udp } th dport 443 update @https { ip saddr counter }    }}

To print the counters, runnft list set inet filter https.

Use this snippet to drop all HTTPS connections for 1 minute from a source IP (or /64 IPv6 range) that exceeds the limit of 10/second.

/etc/nftables.conf

table inet dev {    set blackhole_ipv4 {        type ipv4_addr;        flags dynamic, timeout;        size 65536;    }    set blackhole_ipv6 {        type ipv6_addr;        flags dynamic, timeout;        size 65536;    }    chain input {        type filter hook input priority filter; policy accept;        ct state new meta l4proto { tcp, udp } th dport 443 \                meter flood_ipv4 size 128000 { ip saddr timeout 10s limit rate over 10/second } \                add @blackhole_ipv4 { ip saddr timeout 1m }        ct state new meta l4proto { tcp, udp } th dport 443 \                meter flood_ipv6 size 128000 { ip6 saddr and ffff:ffff:ffff:ffff:: timeout 10s limit rate over 10/second } \                add @blackhole_ipv6 { ip6 saddr and ffff:ffff:ffff:ffff:: timeout 1m }        ip saddr @blackhole_ipv4 counter drop        ip6 saddr and ffff:ffff:ffff:ffff:: @blackhole_ipv6 counter drop    }}

To print the blackholed IPs, runnft list set inet dev blackhole_ipvX.

The output ofnft list ruleset command is a valid input file for it as well. Current rule set can be saved to file and later loaded back in.

# nft -s list ruleset | teefilename

SeeSimple stateful firewall for more information.

Flush the current ruleset:

# nft flush ruleset

Add a table:

# nft add table inet my_table

Add the input, forward, and output base chains. The policy for input and forward will be to drop. The policy for output will be to accept.

# nft add chain inet my_table my_input '{ type filter hook input priority 0 ; policy drop ; }'# nft add chain inet my_table my_forward '{ type filter hook forward priority 0 ; policy drop ; }'# nft add chain inet my_table my_output '{ type filter hook output priority 0 ; policy accept ; }'

Add two regular chains that will be associated with tcp and udp:

# nft add chain inet my_table my_tcp_chain# nft add chain inet my_table my_udp_chain

Related and established traffic will be accepted:

# nft add rule inet my_table my_input ct state '{ related, established }' accept

All loopback interface traffic will be accepted:

# nft add rule inet my_table my_input iif lo accept

Drop any invalid traffic:

# nft add rule inet my_table my_input ct state invalid drop

Accept ICMP and IGMP:

# nft add rule inet my_table my_input meta l4proto '{ icmp, ipv6-icmp }' accept# nft add rule inet my_table my_input ip protocol igmp accept

New udp traffic will jump to the UDP chain:

# nft add rule inet my_table my_input meta l4proto udp ct state new jump my_udp_chain

New tcp traffic will jump to the TCP chain:

# nft add rule inet my_table my_input 'meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump my_tcp_chain'

At this point you should decide what ports you want to open to incoming connections, which are handled by the TCP and UDP chains. For example to open connections for a web server add:

# nft add rule inet my_table my_tcp_chain tcp dport 80 accept

To accept HTTPS connections for a webserver on port 443:

# nft add rule inet my_table my_tcp_chain tcp dport 443 accept# nft add rule inet my_table my_udp_chain udp dport 443 accept

To accept SSH traffic on port 22:

# nft add rule inet my_table my_tcp_chain tcp dport 22 accept

To accept incoming DNS requests:

# nft add rule inet my_table my_tcp_chain tcp dport 53 accept# nft add rule inet my_table my_udp_chain udp dport 53 accept

Be sure to make your changes permanent when satisfied.

Sshguard is program that can detect brute-force attacks and modify firewalls based on IP addresses it temporarily blacklists. SeeSshguard#nftables on how to set up nftables to be used with it.

You can log packets using thelog action. The most simple rule to log all incoming traffic is:

# nft add rule inet filter input log

Seenftables wiki for details.

Listen to all events, report in native nft format.

# nft monitor

Seenft(8) § MONITOR

meta nftrace set 1 ruleset packet tracing on/off. Usemonitor trace command to watch traces.

In another shell "include" the file inside the interactive shell:

# nft -inft> include "/root/nftables.trace"

Example, adjust to your needs:

/root/nftables.trace

add table ip temp-trace {comment "Temporary table!!"; flags owner;}add chain ip temp-trace icmp-prerouting { type filter hook prerouting priority raw - 1 ; }add rule ip temp-trace icmp-preroutingip protocol icmpmeta nftrace set 1

This file adds a temporary table (flags owner) so that it gets automatically removed, if the calling (process) interactive nft is closed. The Base Chain needs to be adjusted for your use case. You can create multiple chains and multiple rules with "meta nftrace set 1" "ip protocol icmp" is used just as an example and is not necessary. There are many ways to achieve a similar effect, the advantage is that by closing the interactive shell the previous state is automatically restored, and if an error is inside the file nothing gets executed.

Seenftables wiki and apython tool automating the process and coloring.

The older iptables language remains quite dominant in Linux documentation, and quite a few things still depend on iptables to run (such as Docker's networking). Although it's also perfectly workable to use legacy iptablesand nftables at the same time, using iptables-nft's translation is preferred because:

• It puts everything in the same place, using the newer, more efficient, non-locking framework.
• It checks for conflicts.

There are two ways to use the old iptables language with nftables:

• iptables-translate andiptables-restore-translate (idem forip6tables,ebtables, etc.) take iptable language and output nft language. They donot change running nft settings. Seextables-translate(8).

For configuration you want to maintain later on, it's a good idea to use the-translate tool and integrate the result code into your existing rules. For example, if you find something useful insimple stateful firewall or the wider Internet, you can translate them to put into your nft config.

• iptables andiptables-restore (again idem forip6tables etc.) uses the above translationand put them into the running nft settings. It also offers statistics like regular iptables does. Seextables-nft(8).

Those commands work reasonably well given what they have to work with. They should "just work" with simple usage, but occasionally you will need to step in and debug.

systemd-networkd's connections can use theNFTSet= option to populate predefined named sets with host IP addresses, network prefixes and interface indexes. This allows to avoid hardcoding them in/etc/nftables.conf. TheNFTSet= option is supported in[Address],[DHCPv4],[DHCPv6] and[IPv6AcceptRA] sections. Seesystemd.network(5) § [ADDRESS] SECTION OPTIONS.

For example, to process connections from a local network (where IP addresses are assigned via DHCP or SLAAC) in a separatemy_input_lan chain:

/etc/nftables.conf

...table inet my_table {set eth_ipv4_prefix {type ipv4_addrflags intervalcomment "Populated by systemd-networkd"}set eth_ipv6_prefix {type ipv6_addrflags intervalcomment "Populated by systemd-networkd"elements = { fe80::/10 }}set eth_ifindex {type iface_indexcomment "Populated by systemd-networkd"}...chain my_input {type filter hook input priority filter; policy drop;iif @eth_ifindex ip6 saddr @eth_ipv6_prefix jump my_input_lan comment "Connections from LAN"iif @eth_ifindex ip saddr @eth_ipv4_prefix jump my_input_lan comment "Connections from LAN"}...}

/etc/systemd/network/my-network.network

...[DHCPv4]NFTSet=prefix:inet:my_table:eth_ipv4_prefixNFTSet=ifindex:inet:my_table:eth_ifindex[DHCPv6]NFTSet=prefix:inet:my_table:eth_ipv6_prefixNFTSet=ifindex:inet:my_table:eth_ifindex[IPv6AcceptRA]NFTSet=prefix:inet:my_table:eth_ipv6_prefixNFTSet=ifindex:inet:my_table:eth_ifindex...

Using nftables can interfere withDocker networking (and probably other container runtimes as well). You can find various workarounds on the internet which either involve patching iptables rules and ensuring a defined service start order or disabling dockers iptables management completely which makes using docker very restrictive (think port forwarding or docker-compose).

A reliable method is letting docker run in a separate network namespace where it can do whatever it wants. It is probably best tonot useiptables-nft to prevent docker from mixing nftables and iptables rules.

Use the following docker servicedrop-in file:

/etc/systemd/system/docker.service.d/netns.conf

[Service]PrivateNetwork=yesPrivateMounts=No# cleanupExecStartPre=-nsenter -t 1 -n -- ip link delete docker0# add vethExecStartPre=nsenter -t 1 -n -- ip link add docker0 type veth peer name docker0_nsExecStartPre=sh -c 'nsenter -t 1 -n -- ip link set docker0_ns netns "$$BASHPID" && true'ExecStartPre=ip link set docker0_ns name eth0# bring host onlineExecStartPre=nsenter -t 1 -n -- ip addr add 10.0.0.1/24 dev docker0ExecStartPre=nsenter -t 1 -n -- ip link set docker0 up# bring ns onlineExecStartPre=ip addr add 10.0.0.100/24 dev eth0ExecStartPre=ip link set eth0 upExecStartPre=ip route add default via 10.0.0.1 dev eth0

Adjust the10.0.0.* IP addresses if they are not appropriate for your setup.

Enable IP forwarding and set-up NAT for docker0 with the following postrouting rule:

iifname docker0 oifname eth0 masquerade

Then, ensure thatkernel IP forwarding is enabled.

Now you can setup a firewall and port forwarding for thedocker0 interface using nftables without any interference.

• netfilter nftables wiki
• debian:nftables
• gentoo:nftables
• First release of nftables
• nftables quick howto
• The return of nftables
• What comes after ‘iptables’? Its successor, of course: `nftables`
• Gene's Tech Blog – additional nftables samples for workstation and firewall

• Firewalls

• Pages or sections flagged with Template:Expansion
• Pages or sections flagged with Template:Accuracy