{
    "content": [
        {
            "type": "text",
            "text": "# XTABLES-NFT (info)\n\n## NAME\n\nxtables-nft -- iptables using nftables kernel api\n\n## DESCRIPTION\n\nxtables-nft are versions of iptables that use the nftables API. This is a set of tools to help the system administrator migrate the ruleset from iptables(8), ip6tables(8), arptables(8), and ebtables(8) to nftables(8).\n\n## Sections\n\n- **NAME**\n- **DESCRIPTION**\n- **USAGE**\n- **DIFFERENCES TO LEGACY IPTABLES**\n- **EXAMPLES**\n- **LIMITATIONS**\n- **SEE ALSO**\n- **AUTHORS**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n"
        }
    ],
    "structuredContent": {
        "command": "XTABLES-NFT",
        "section": "",
        "mode": "info",
        "summary": "xtables-nft -- iptables using nftables kernel api",
        "synopsis": null,
        "tldr_summary": null,
        "tldr_examples": [],
        "tldr_source": null,
        "flags": [],
        "examples": [
            "One basic example is creating the skeleton ruleset  in  nftables  from",
            "the xtables-nft tools, on a fresh machine:",
            "root@machine:~# iptables-nft -L",
            "[...]",
            "root@machine:~# ip6tables-nft -L",
            "[...]",
            "root@machine:~# arptables-nft -L",
            "[...]",
            "root@machine:~# ebtables-nft -L",
            "[...]",
            "root@machine:~# nft list ruleset",
            "table ip filter {",
            "chain INPUT {",
            "type filter hook input priority 0; policy accept;",
            "chain FORWARD {",
            "type filter hook forward priority 0; policy accept;",
            "chain OUTPUT {",
            "type filter hook output priority 0; policy accept;",
            "table ip6 filter {",
            "chain INPUT {",
            "type filter hook input priority 0; policy accept;",
            "chain FORWARD {",
            "type filter hook forward priority 0; policy accept;",
            "chain OUTPUT {",
            "type filter hook output priority 0; policy accept;",
            "table bridge filter {",
            "chain INPUT {",
            "type filter hook input priority -200; policy accept;",
            "chain FORWARD {",
            "type filter hook forward priority -200; policy accept;",
            "chain OUTPUT {",
            "type filter hook output priority -200; policy accept;",
            "table arp filter {",
            "chain INPUT {",
            "type filter hook input priority 0; policy accept;",
            "chain FORWARD {",
            "type filter hook forward priority 0; policy accept;",
            "chain OUTPUT {",
            "type filter hook output priority 0; policy accept;",
            "(please note that on fresh machines, listing the ruleset for the first",
            "time results in all tables and chains being created).",
            "To migrate your complete filter ruleset, in the  case  of  iptables(8),",
            "you would use:",
            "root@machine:~# iptables-legacy-save > myruleset # reads from xtables",
            "root@machine:~# iptables-nft-restore myruleset   # writes to nftables",
            "or",
            "root@machine:~# iptables-legacy-save | iptables-translate-restore | less",
            "to see what the rules would look like in nft(8) syntax."
        ],
        "see_also": [
            {
                "name": "nft",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/nft/8/json"
            },
            {
                "name": "xtables-translate",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/xtables-translate/8/json"
            },
            {
                "name": "xtables-monitor",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/xtables-monitor/8/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 26,
                "subsections": []
            },
            {
                "name": "USAGE",
                "lines": 24,
                "subsections": []
            },
            {
                "name": "DIFFERENCES TO LEGACY IPTABLES",
                "lines": 14,
                "subsections": []
            },
            {
                "name": "EXAMPLES",
                "lines": 78,
                "subsections": []
            },
            {
                "name": "LIMITATIONS",
                "lines": 7,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "AUTHORS",
                "lines": 9,
                "subsections": []
            }
        ],
        "sections": {
            "NAME": {
                "content": "xtables-nft -- iptables using nftables kernel api\n",
                "subsections": []
            },
            "DESCRIPTION": {
                "content": "xtables-nft are versions of iptables that use the nftables API. This is a set of tools to help the system administrator migrate the ruleset from iptables(8), ip6tables(8), arptables(8), and ebtables(8) to nftables(8).\n\nThe xtables-nft set is composed of several commands:\n\no iptables-nft\n\no iptables-nft-save\n\no iptables-nft-restore\n\no ip6tables-nft\n\no ip6tables-nft-save\n\no ip6tables-nft-restore\n\no arptables-nft\n\no ebtables-nft\n\nThese tools use the libxtables framework extensions and hook to the nftables kernel subsystem using the nftcompat module.\n",
                "subsections": []
            },
            "USAGE": {
                "content": "The xtables-nft tools allow you to manage the nftables backend using the native syntax of iptables(8), ip6tables(8), arptables(8), and ebtables(8).\n\nYou should use the xtables-nft tools exactly the same way as you would use the corresponding original tools.\n\nAdding a rule will result in that rule being added to the nftables kernel subsystem instead. Listing the ruleset will use the nftables backend as well.\n\nWhen these tools were designed, the main idea was to replace each legacy binary with a symlink to the xtables-nft program, for example:\n\n/sbin/iptables -> /usr/sbin/iptables-nft-multi\n/sbin/ip6tables -> /usr/sbin/ip6tables-nft-multi\n/sbin/arptables -> /usr/sbin/arptables-nft-multi\n/sbin/ebtables -> /usr/sbin/ebtables-nft-multi\n\nThe iptables version string will indicate whether the legacy API (get/setsockopt) or the new nftables API is used:\n\niptables -V\niptables v1.7 (nftables)\n",
                "subsections": []
            },
            "DIFFERENCES TO LEGACY IPTABLES": {
                "content": "Because the xtables-nft tools use the nftables kernel API, rule additions and deletions are always atomic. Unlike iptables-legacy, iptables-nft -A .. will NOT need to retrieve the current ruleset from the kernel, change it, and re-load the altered ruleset. Instead, iptables-nft will tell the kernel to add one rule. For this reason, the iptables-legacy --wait option is a no-op in iptables-nft.\n\nUse of the xtables-nft tools allows monitoring ruleset changes using the xtables-monitor(8) command.\n\nWhen using -j TRACE to debug packet traversal through the ruleset, note that you will need to use xtables-monitor(8) in --trace mode to obtain the trace events.\n",
                "subsections": []
            },
            "EXAMPLES": {
                "content": "One basic example is creating the skeleton ruleset in nftables from the xtables-nft tools, on a fresh machine:\n\nroot@machine:~# iptables-nft -L\n[...]\nroot@machine:~# ip6tables-nft -L\n[...]\nroot@machine:~# arptables-nft -L\n[...]\nroot@machine:~# ebtables-nft -L\n[...]\nroot@machine:~# nft list ruleset\ntable ip filter {\nchain INPUT {\ntype filter hook input priority 0; policy accept;\n}\n\nchain FORWARD {\ntype filter hook forward priority 0; policy accept;\n}\n\nchain OUTPUT {\ntype filter hook output priority 0; policy accept;\n}\n}\ntable ip6 filter {\nchain INPUT {\ntype filter hook input priority 0; policy accept;\n}\n\nchain FORWARD {\ntype filter hook forward priority 0; policy accept;\n}\n\nchain OUTPUT {\ntype filter hook output priority 0; policy accept;\n}\n}\ntable bridge filter {\nchain INPUT {\ntype filter hook input priority -200; policy accept;\n}\n\nchain FORWARD {\ntype filter hook forward priority -200; policy accept;\n}\n\nchain OUTPUT {\ntype filter hook output priority -200; policy accept;\n}\n}\ntable arp filter {\nchain INPUT {\ntype filter hook input priority 0; policy accept;\n}\n\nchain FORWARD {\ntype filter hook forward priority 0; policy accept;\n}\n\nchain OUTPUT {\ntype filter hook output priority 0; policy accept;\n}\n}\n\n(please note that on fresh machines, listing the ruleset for the first time results in all tables and chains being created).\n\nTo migrate your complete filter ruleset, in the case of iptables(8), you would use:\n\nroot@machine:~# iptables-legacy-save > myruleset # reads from xtables\nroot@machine:~# iptables-nft-restore myruleset   # writes to nftables\n\nor\n\nroot@machine:~# iptables-legacy-save | iptables-translate-restore | less\n\nto see what the rules would look like in nft(8) syntax.\n",
                "subsections": []
            },
            "LIMITATIONS": {
                "content": "You should use Linux kernel >= 4.17.\n\nThe CLUSTERIP target is not supported.\n\nTo get up-to-date information about this, please head to http://wiki.nftables.org/.\n",
                "subsections": []
            },
            "SEE ALSO": {
                "content": "nft(8), xtables-translate(8), xtables-monitor(8)\n",
                "subsections": []
            },
            "AUTHORS": {
                "content": "The nftables framework is written by the Netfilter project (https://www.netfilter.org).\n\nThis manual page was written by Arturo Borrero Gonzalez <arturo@debian.org> for the Debian project, but may be used by others.\n\nThis documentation is free/libre under the terms of the GPLv2+.\n\nJune 2018                    XTABLES-NFT(8)",
                "subsections": []
            }
        }
    }
}