什么是 nftables ? 它与 iptables 的区别是什么?
与 iptables 相比,nftables 的语法更加简单,不过对于 iptables 中的语法,在 nftables 中也能用。
Moving from iptables to nftables
This page gives information on moving/migrating from the old iptables/xtables (legacy) world to the new nftables framework.
A common situation is the need to move from an existing iptables ruleset to nftables. The Netfilter team has created some tools and mechanisms to ease in this move.
Please, make sure to check the links below:
After the migration process, you are encouraged to implement new nftables mechanisms such as sets, maps, verdict maps, concatenations and more.
command translation
You can generate a translation of an iptables/ip6tables command to know the nftables equivalent.
% iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
% ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept
Instead of translating command by command, you can translate your whole ruleset in a single run:
% iptables-save > save.txt
% cat save.txt
# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016
*filter
:INPUT ACCEPT [5166:1752111]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5058:628693]
-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Dec 24 14:26:40 2016
% iptables-restore-translate -f save.txt
# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add rule ip filter FORWARD tcp dport 22 ct state new counter accept
You should be able to directly give this to nftables:
% iptables-restore-translate -f save.txt > ruleset.nft
% nft -f ruleset.nft
% nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
tcp dport ssh ct state new counter packets 0 bytes 0 accept
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
These translate tools are included in the iptables source tarball and works for iptables and ip6tables.
using the nf_tables compat backend
Since June 2018, the old xtables/setsockopt tools are considered legacy.
However, there is support to use the iptables/ip6tables/arptables/ebtables old syntax with the nf_tables kernel backend.
This is described with further details in the Legacy xtables tools wiki page.
% iptables-nft -A FORWARD -p icmp -j ACCEPT
% iptables-nft-save
# Generated by xtables-save v1.6.0 (nf_tables) on Sat Dec 24 14:38:08 2016
*filter
:INPUT ACCEPT [62:3777]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [62:4074]
-A FORWARD -p icmp -j ACCEPT
COMMIT
# Completed on Sat Dec 24 14:38:08 2016
% nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
ip protocol icmp counter packets 0 bytes 0 accept
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
Note that translation to native nftables syntax is done if available.
In the case of some missing translation, you will see a commented rule in nftables:
% ebtables-nft -L
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 2, policy: ACCEPT
--802_3-type 0x0001 -j CONTINUE
--mark 0x1 -j CONTINUE
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
% nft list ruleset
table bridge filter {
chain INPUT {
type filter hook input priority -200; policy accept;
}
chain FORWARD {
type filter hook forward priority -200; policy accept;
#--802_3-type 0x0001 counter packets 0 bytes 0
#--mark 0x1 counter packets 0 bytes 0
}
chain OUTPUT {
type filter hook output priority -200; policy accept;
}
}
With these tools, the workflow could be saving the old iptables-legacy ruleset and then loading it with iptables-nft:
% iptables-save > iptables.txt
% iptables-nft-restore < iptables.txt
% iptables-nft-save
# Generated by xtables-save v1.6.0 (nf_tables) on Sat Dec 24 14:51:41 2016
*filter
:INPUT ACCEPT [19:1283]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18:2487]
-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Dec 24 14:51:41 2016
% nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
ip protocol tcp tcp dport 22 ct state new counter packets 0 bytes 0 accept
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
大家可使用 iptables-translate 工具,该工具接受 iptables 命令并将其转为等效的 nftables 命令,这是了解两种语法差异的一种简单方法。
使用以下命令在 Ubuntu 和基于 Debian 的发行版上安装 iptables-translate:
安装后,你可以将 iptables 语法传递给 iptables-translate 命令,它将返回 nftables 等效命令。
下面我们看一些具体的语法示例。
阻止传入连接
下述命令将阻止来自IP地址192.168.2.1的传入连接:
允许传入SSH连接
放开 ssh 连接权限:
允许来自特定 IP 范围的传入SSH连接
如果只想允许来自192.168.1.0/24的传入SSH连接:
允许MySQL连接到eth0网络接口
允许传入HTTP和HTTPS流量
为了允许特定类型的流量,以下是这两个命令的语法:
从这些例子中可以看出,nftables 语法与 iptables 非常相似,但命令更直观一些。
nftables 日志
上述nft命令示例中的“counter”选项告诉nftables统计规则被触碰的次数,就像默认情况下使用的iptables一样。
在nftables中,需要指定:
nftables内置了用于导出配置的选项。它目前支持XML和JSON。
