Supported features compared to xtables

From nftables wiki
Jump to navigation Jump to search

Last update: Mar/2022

This page tracks the list of supported and unsupported extensions with comments and suggestions.

Unsupported extensions

matches: xt

bpf

  • consider native interface

rateest

  • consider native interface

string

  • consider native interface

u32

  • raw expressions?

targets: xt

CHECKSUM

CT

IDLETIMER

  • consider native interface

LED

  • consider native (need this?)

RATEEST

  • consider native interface

TCPOPTSTRIP

  • consider native interface, need to extend nft_exthdr.c

targets: ipv4

TTL

targets: ipv6

NPT

  • consider native interface

targets: bridge

arpreply

  • consider native interface

targets: arp

TODO

Supported extensions

(Links updated via script.)

matches: xt

addrtype

cgroup

[Awaits support for cgroup2]

cluster

comment

connbytes

connlabel

connlimit

connmark

conntrack

cpu

dccp

[Unsupported option : dccp-option]

devgroup

dscp

ecn

esp

hashlimit

helper

ipcomp

[Unsupported option : compres]

iprange

ipvs

length

limit

mac

mark

multiport

nfacct

osf

  • consider native interface

owner

[Unsupported option : socket-exists]

pkttype

policy

recent

  • consider native interface. Refer to Sets.

sctp

socket

statistic

set

  • Use native nf_tables set infrastructure.

state

  • nft_ct

tcp

tcpmss

time

udp

targets: xt

AUDIT

CLASSIFY

CONNMARK

CONNSECMARK

  • nft_ct, since 4.20

DSCP

HL

  • nft_payload

HMARK

  • nft_meta + nft_hash.

MARK

NETMAP

  • nft_nat, upcoming 5.8

NFLOG

NFQUEUE

SECMARK

  • nft_meta, since 4.20

SYNPROXY

TEE

TPROXY

TRACE

TCPMSS

matches: ipv4

ah

icmp

[Unsupported codes: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing ]

realm

rp_filter

  • nft_fib, starting with 4.10 kernel

ttl

matches: ipv6

rp_filter

  • nft_fib, starting with 4.10 kernel

ah

eui64

  • nft_payload + nft_cmp.

frag

hbh

HBH options are not supported yet. [Unsupported option: --hbh-opts]

hl

icmp6

[Unsupported icmpv6 codes: no-route, communication-prohibited, beyond-scope, address-unreachable, port-unreachable, failed-policy, reject-route, ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header, unknown-header-type and unknown-option]

ipv6header

  • nft_exthdr + nft_cmp.

mh

[Needs bug fixation for option mh-type with range]

rt

[Unsupported options: --rt-0-res, --rt-0-addrs, --rt-0-not-strict]

targets: ipv4

ECN

  • nft_payload

DNAT

LOG

[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]

MASQUERADE

REDIRECT

REJECT

SNAT

targets: ipv6

DNAT

LOG

[Unsupported options : log-tcp-sequence, log-tcp-options, log-ip-options, log-uid, log-macdecode]

MASQUERADE

REDIRECT

REJECT

SNAT

matches: bridge

802.3

  • nft_payload

among

  • sets

arp

  • nft_payload

ip

ip6

limit

mark

pkttype

stp

  • nft_payload

vlan


targets: bridge

dnat

snat

redirect

  • nft_payload + nft_meta (pkttype set unicast)

mark


watchers: bridge

log

nflog

Deprecated extensions

matches

physdev

  • br_netfilter aims to be deprecated by nftables.

quota

  • nfacct already provides quota support.

tos

  • deprecated by dscp

targets

CLUSTERIP

  • deprecated by cluster match.

TOS

  • deprecated by DSCP

targets: ipv4

ULOG

  • Removed from tree since 3.17.
Retrieved from "http://wiki.nftables.org/wiki-nftables/index.php?title=Supported_features_compared_to_xtables&oldid=1138"