{
    "mode": "man",
    "parameter": "xtables-nft",
    "section": "8",
    "url": "https://www.chedong.com/phpMan.php/man/xtables-nft/8/json",
    "generated": "2026-05-30T08:16:21Z",
    "sections": {
        "NAME": {
            "content": "xtables-nft — iptables using nftables kernel api\n\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "xtables-nft are versions of iptables that use the nftables API. This is a set of tools to help the system administrator migrate the ruleset from iptables(8), ip6tables(8), arptables(8), and ebtables(8) to nftables(8).\n\nThe xtables-nft set is composed of several commands:\n\n• iptables-nft\n\n• iptables-nft-save\n\n• iptables-nft-restore\n\n• ip6tables-nft\n\n• ip6tables-nft-save\n\n• ip6tables-nft-restore\n\n• arptables-nft\n\n• ebtables-nft\n\nThese tools use the libxtables framework extensions and hook into the nftables kernel subsystem using the nftcompat module.\n\n",
            "subsections": []
        },
        "USAGE": {
            "content": "The xtables-nft tools allow you to manage the nftables backend using the native syntax of iptables(8), ip6tables(8), arptables(8), and ebtables(8).\n\nYou should use the xtables-nft tools exactly the same way as you would use the corresponding original tools.\n\nAdding a rule will result in that rule being added to the nftables kernel subsystem instead. Listing the ruleset will use the nftables backend as well.\n\nWhen these tools were designed, the main idea was to replace each legacy binary with a symlink to the xtables-nft program, for example:\n\n/sbin/iptables -> /usr/sbin/iptables-nft-multi\n/sbin/ip6tables -> /usr/sbin/ip6tables-nft-multi\n/sbin/arptables -> /usr/sbin/arptables-nft-multi\n/sbin/ebtables -> /usr/sbin/ebtables-nft-multi\n\nThe iptables version string will indicate whether the legacy API (get/setsockopt) or the new nftables API is used:\n\niptables -V\niptables v1.7 (nftables)\n\n",
            "subsections": []
        },
        "DIFFERENCES TO LEGACY IPTABLES": {
            "content": "Because the xtables-nft tools use the nftables kernel API, rule additions and deletions are always atomic. Unlike iptables-legacy, iptables-nft -A ... will NOT need to retrieve the current ruleset from the kernel, change it, and re-load the altered ruleset. Instead, iptables-nft will tell the kernel to add one rule. For this reason, the iptables-legacy --wait option is a no-op in iptables-nft.\n\nUse of the xtables-nft tools allows monitoring ruleset changes using the xtables-monitor(8) command.\n\nWhen using -j TRACE to debug packet traversal through the ruleset, note that you will need to use xtables-monitor(8) in --trace mode to obtain the trace events.\n\n",
            "subsections": []
        },
        "EXAMPLES": {
            "content": "One basic example is creating the skeleton ruleset in nftables from the xtables-nft tools, on a fresh machine:\n\nroot@machine:~# iptables-nft -L\n[...]\nroot@machine:~# ip6tables-nft -L\n[...]\nroot@machine:~# arptables-nft -L\n[...]\nroot@machine:~# ebtables-nft -L\n[...]\nroot@machine:~# nft list ruleset\ntable ip filter {\n    chain INPUT {\n        type filter hook input priority 0; policy accept;\n    }\n\n    chain FORWARD {\n        type filter hook forward priority 0; policy accept;\n    }\n\n    chain OUTPUT {\n        type filter hook output priority 0; policy accept;\n    }\n}\ntable ip6 filter {\n    chain INPUT {\n        type filter hook input priority 0; policy accept;\n    }\n\n    chain FORWARD {\n        type filter hook forward priority 0; policy accept;\n    }\n\n    chain OUTPUT {\n        type filter hook output priority 0; policy accept;\n    }\n}\ntable bridge filter {\n    chain INPUT {\n        type filter hook input priority -200; policy accept;\n    }\n\n    chain FORWARD {\n        type filter hook forward priority -200; policy accept;\n    }\n\n    chain OUTPUT {\n        type filter hook output priority -200; policy accept;\n    }\n}\ntable arp filter {\n    chain INPUT {\n        type filter hook input priority 0; policy accept;\n    }\n\n    chain FORWARD {\n        type filter hook forward priority 0; policy accept;\n    }\n\n    chain OUTPUT {\n        type filter hook output priority 0; policy accept;\n    }\n}\n\n(note that on a fresh machine, listing the ruleset for the first time results in all tables and chains being created).\n\nTo migrate your complete filter ruleset, in the case of iptables(8), you would use:\n\nroot@machine:~# iptables-legacy-save > myruleset # reads from xtables\nroot@machine:~# iptables-nft-restore myruleset   # writes to nftables\n\nor\n\nroot@machine:~# iptables-legacy-save | iptables-translate-restore | less\n\nto see how the rules would look in nft(8) syntax.\n\n",
            "subsections": []
        },
        "LIMITATIONS": {
            "content": "You should use Linux kernel >= 4.17.\n\nThe CLUSTERIP target is not supported.\n\nTo get up-to-date information about this, please head to http://wiki.nftables.org/.\n\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "nft(8), xtables-translate(8), xtables-monitor(8)\n\n",
            "subsections": []
        },
        "AUTHORS": {
            "content": "The nftables framework is written by the Netfilter project (https://www.netfilter.org).\n\nThis manual page was written by Arturo Borrero Gonzalez <arturo@debian.org> for the Debian project, but may be used by others.\n\nThis documentation is free/libre under the terms of the GPLv2+.\n\n\n\nJune 2018                               XTABLES-NFT(8)",
            "subsections": []
        }
    },
    "summary": "xtables-nft — iptables using nftables kernel api",
    "flags": [],
    "examples": [
        "One basic example is creating the skeleton ruleset in nftables from the xtables-nft tools,",
        "on a fresh machine:",
        "root@machine:~# iptables-nft -L",
        "[...]",
        "root@machine:~# ip6tables-nft -L",
        "[...]",
        "root@machine:~# arptables-nft -L",
        "[...]",
        "root@machine:~# ebtables-nft -L",
        "[...]",
        "root@machine:~# nft list ruleset",
        "table ip filter {",
        "chain INPUT {",
        "type filter hook input priority 0; policy accept;",
        "chain FORWARD {",
        "type filter hook forward priority 0; policy accept;",
        "chain OUTPUT {",
        "type filter hook output priority 0; policy accept;",
        "table ip6 filter {",
        "chain INPUT {",
        "type filter hook input priority 0; policy accept;",
        "chain FORWARD {",
        "type filter hook forward priority 0; policy accept;",
        "chain OUTPUT {",
        "type filter hook output priority 0; policy accept;",
        "table bridge filter {",
        "chain INPUT {",
        "type filter hook input priority -200; policy accept;",
        "chain FORWARD {",
        "type filter hook forward priority -200; policy accept;",
        "chain OUTPUT {",
        "type filter hook output priority -200; policy accept;",
        "table arp filter {",
        "chain INPUT {",
        "type filter hook input priority 0; policy accept;",
        "chain FORWARD {",
        "type filter hook forward priority 0; policy accept;",
        "chain OUTPUT {",
        "type filter hook output priority 0; policy accept;",
        "(note that on a fresh machine, listing the ruleset for the first time results in all",
        "tables and chains being created).",
        "To migrate your complete filter ruleset, in the case of iptables(8), you would use:",
        "root@machine:~# iptables-legacy-save > myruleset # reads from xtables",
        "root@machine:~# iptables-nft-restore myruleset   # writes to nftables",
        "or",
        "root@machine:~# iptables-legacy-save | iptables-translate-restore | less",
        "to see how the rules would look in nft(8) syntax."
    ],
    "see_also": [
        {
            "name": "nft",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/nft/8/json"
        },
        {
            "name": "xtables-translate",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/xtables-translate/8/json"
        },
        {
            "name": "xtables-monitor",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/xtables-monitor/8/json"
        }
    ]
}