User contributions for Pablo
Jump to navigation
Jump to search
13 July 2016
- 21:0521:05, 13 July 2016 diff hist −3 Netfilter hooks No edit summary
- 21:0421:04, 13 July 2016 diff hist −22 Netfilter hooks No edit summary
- 21:0321:03, 13 July 2016 diff hist +7 Configuring chains No edit summary
- 19:1819:18, 13 July 2016 diff hist +41 Main Page →Advanced data structures for performance packet classification
- 19:1619:16, 13 July 2016 diff hist +15 Main Page →Videos
- 19:1419:14, 13 July 2016 diff hist +2,439 N List of available translations via iptables-translate tool Created page with "The following '''matches and targets''' (in alphabetic order) can be fully translated via iptables-translate tool: == Translatable extensions == === Matches === ====xt==== *..."
- 19:0019:00, 13 July 2016 diff hist +201 N Ipset Created page with "[http://ipset.netfilter.org/ IPSet] is an extension to allow packet classification based on sets. It is currently maintained and actively developed by the Netfilter coreteam d..."
- 18:5918:59, 13 July 2016 diff hist +2,942 N Jumping to chain Created page with "Like in ''iptables'', you can structure your rule-set in using a tree of chains. To do so, you first need to create the custom chain via: <source lang=..."
- 18:5818:58, 13 July 2016 diff hist +2,253 N Rejecting traffic Created page with "'''Note''': Full reject support is available since Linux kernel 3.18. The following rule shows how to reject any traffic from the network: <source lang="bash"> % nft add rul..."
- 18:5818:58, 13 July 2016 diff hist +1,673 N Logging traffic Created page with "'''Note''': Full logging support is available starting Linux kernel 3.17. If you run an older kernel, you have to modprobe ipt_LOG to enable logging. You can log packets usin..."
- 18:5818:58, 13 July 2016 diff hist +3,726 N Performing Network Address Translation (NAT) Created page with "The ''nat'' chain type allows you to perform NAT. This chain type comes with special semantics: * The first packet of a flow is used to look up for a matching rule which sets..."
- 18:5818:58, 13 July 2016 diff hist +1,702 N Setting packet metainformation Created page with "You can set some metainformation in a packet: one of mark, priority or nftrace. Please note that you require a Linux kernel >= 3.14 to use these features. == mark == The fol..."
- 18:5718:57, 13 July 2016 diff hist +2,799 N Queueing to userspace Created page with "= Basic operation = '''Important note''': You require a Linux kernel 3.14 to enqueue packets to userspace using nftables. Like in ''iptables'', you can use the nfqueue infra..." current
- 18:5718:57, 13 July 2016 diff hist +1,024 N Duplicating packets Created page with "Since Linux kernel 4.3, you can duplicate packets to another destination from the ''ip'' and ''ip6'' families. You may want to use this feature to address this traffic to anot..."
- 18:5718:57, 13 July 2016 diff hist +644 N Counters Created page with "Counters are optional in ''nftables'', thus, you need to explicitly specify them in the rule if you want them. The following example allows you to account all tcp traffic tha..."
- 18:5618:56, 13 July 2016 diff hist +2,893 N Sets Created page with "''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the represe..."
- 18:5618:56, 13 July 2016 diff hist +2,632 N Verdict Maps (vmaps) Created page with "The ''dictionaries'', also known as ''verdict maps'', are one of the most interesting features available in ''nftables''. Basically, they allow you to attach an action to an e..."
- 18:5618:56, 13 July 2016 diff hist +865 N Intervals Created page with "Intervals are expressed as value-value. The following example show how to drop the traffic coming the range 192.168.0.1 to 192.168.0.250: <source lang="bash"> % nft add rule..."
- 18:5518:55, 13 July 2016 diff hist +1,564 N Maps Created page with "Maps are yet another interesting feature that has been in ''nftables'' since the very beginning. You can use a map to look up for data based on some specific key that is used..."
- 18:5418:54, 13 July 2016 diff hist +1,727 N Concatenations Created page with "Since Linux kernel 4.1, nftables supports concatenations. This new feature allows you to put two or more selectors together to perform very fast lookups by combining them wit..."
- 18:5418:54, 13 July 2016 diff hist +1,845 N Simple ruleset for a workstation Created page with "= fw.basic = <source lang="bash"> table ip filter { chain input { type filter hook input priority 0; # accept traffic originated from us c..."
- 18:5318:53, 13 July 2016 diff hist +350 N Bridge filtering Created page with "== Limitation == There is currently no connection tracking available for bridge filtering. == Examples == Filter on TCP destination port: <source lang="bash"> nft add rule..."
- 18:5318:53, 13 July 2016 diff hist +1,166 N Multiple NATs using nftables maps Created page with "Thanks to nftables Maps, if you have a previous iptables NAT (destination NAT) ruleset like this: <source lang="bash"> % iptables -t nat -A PREROUTING -p tcp --dport 1000..."
- 18:5218:52, 13 July 2016 diff hist +1,147 N List of updates since Linux kernel 3.13 Created page with "A listing of the development progress. == 3.13 == * nf_tables merged mainstream. == 3.14 == * set packet mark support. * nfqueue support (only for ip and ip6 families). *..."
- 18:5218:52, 13 July 2016 diff hist +18,428 N Supported features compared to xtables Created page with "Last update: 2016/Jan/11 This page tr..."
- 18:5118:51, 13 July 2016 diff hist +747 N Configuring tables Created page with "You can also delete tables with the following command: <source lang="bash"> % nft delete table ip foo </source> '''Troubleshooting''': Since Linux kernel 3.18, you can delet..."
- 18:5118:51, 13 July 2016 diff hist +7,032 N Configuring chains Created page with "As in ''iptables'', you attach your rules to chains. However, contrary to the ''iptables'' modus operandi, the ''nftables'' infrastructure comes with no pr..."
- 18:5018:50, 13 July 2016 diff hist +6,657 N Simple rule management Created page with "= Appending new rules = To add new rules, you have to specify the corresponding table and the chain that you want to use, eg. <source lang="bash"> % nft add rule filter outp..."
- 18:5018:50, 13 July 2016 diff hist +1,077 N Atomic rule replacement Created page with "You can use the ''-f'' option to atomically update your rule-set: <source lang="bash"> % nft -f file </source> Where ''file'' contains your rule-set. You can save your rule..."
- 18:4918:49, 13 July 2016 diff hist +713 N Error reporting from the command line Created page with "The ''nft'' command line utility tries to help you when you use a wrong datatype. The following examples shows the error output if you pass an IPv4 address as a TCP port. <s..." current
- 18:4918:49, 13 July 2016 diff hist +970 N Building rules through expressions Created page with "''nftables'' provides the following built-in operations: * '''ne''' which stands for non equal. Alternatively you can use '''!='''. * '''lt''' means ''less than''. Alternativ..."
- 18:4818:48, 13 July 2016 diff hist +1,531 N Operations at ruleset level Created page with "== Using native nft syntax == Linux Kernel 3.18 includes some improvements regarding the available operations to manage your ruleset as a whole. === listing === Listing the..."
- 18:4818:48, 13 July 2016 diff hist +1,307 N Monitoring ruleset updates Created page with "nft can display notifications of ruleset updates through: <source lang="bash"> % nft monitor </source> This subscribes ''nft'' to any kind of ruleset update. You can filte..." current
- 18:4818:48, 13 July 2016 diff hist +2,452 N Scripting Created page with "Many people like to maintain their ruleset in shell scripts, this allows them to add comments and arrange rules in more human-friendly way. This is problematic though since sh..."
- 18:4718:47, 13 July 2016 diff hist +3,479 N Ruleset debug/tracing Created page with "Since nftables v0.6 and linux kernel 4.6, ruleset debug/tracing is supported. This is an equivalent of the old iptables method -J TRACE, but with some great improvements. Th..."
- 18:4718:47, 13 July 2016 diff hist +2,992 N Matching packet headers Created page with "The ''nft'' command line utility supports the following layer 4 protocols: AH, ESP, UDP, UDPlite, TCP, DCCP, SCTP and IPComp. = Matching transport protocol = The following r..."
- 18:4618:46, 13 July 2016 diff hist +2,504 N Matching packet metainformation Created page with "''nftables'' comes with the packet metainformation selectors that you can use to match information that is stored in the network packet. = The meta selectors = The current..."
- 18:4618:46, 13 July 2016 diff hist +1,601 N Matching connection tracking stateful metainformation Created page with "As in ''iptables'', you can match the state tracking information (sometimes refered as ''conntrack'' or ''ct'' information) that Netfilter collects through the ''Connection Tr..."
- 18:4518:45, 13 July 2016 diff hist +818 N Accepting and dropping packets Created page with "= Dropping packets = You can use the ''drop'' option to drop packets. Note that drop is a '''terminating''' action, so you cannot add any other action after it. <source lang..." current
- 18:4418:44, 13 July 2016 diff hist +1,118 N Rate limiting matchings Created page with "You can ratelimit traffic through ''limit''. The following example shows how to accept a maximum of 10 ICMP echo-request packets per second: <source lang="bash"> % nft add r..."
- 18:3818:38, 13 July 2016 diff hist +3,631 N Main differences with iptables Created page with "The main differences between ''nftables'' and ''iptables'' from the user point of view are: * The '''syntax'''. The ''iptables'' command line tool uses a getopt_long()-based..."
- 18:3818:38, 13 July 2016 diff hist +3,021 N Netfilter hooks Created page with "If you are familiar with Netfilter, don't worry, most of the infrastructure remains the same. ''nftables'' reuses the existing hook infrastructure, [http://people.netfilter.or..."
- 18:3718:37, 13 July 2016 diff hist +7,049 N Building and installing nftables from sources Created page with "nftables requires several userspace libraries, the 'nft' userspace command line utility and the kernel modules. If you are using a major linux distribution, you may consider..."
- 18:3718:37, 13 July 2016 diff hist +1,609 N Nftables from distributions Created page with "Most major Linux distributions have support for nftables: * they include a kernel with nf_tables support * they include userspace support Normally, you can get nftables worki..."
- 18:3618:36, 13 July 2016 diff hist +2,148 N Troubleshooting Created page with "In this section, you can find frequently asked questions that has been posted on the [http://www.netfilter.org/mailinglists.html Netfilter mailing list]. == Question 1: Addre..."
- 18:3618:36, 13 July 2016 diff hist +33,565 N Quick reference-nftables in 10 minutes Created page with "Find below some basic concepts to know before using nftables. '''table''' refers to a container of chains with no specific semantics. '''chain''' with..."
- 18:3418:34, 13 July 2016 diff hist −12 Why nftables? No edit summary
- 18:3318:33, 13 July 2016 diff hist +1,453 N Why nftables? Created page with "We like iptables after all, this tool has been serving us (and will likely keep serving still for a while in many deployments) to filter out traffic on both per-packet and per..."
- 18:3118:31, 13 July 2016 diff hist +707 N What is nftables? initial page
- 18:2718:27, 13 July 2016 diff hist +2,278 Main Page initial page