The NFTables header designation has the following format:
target:: newnftables [nf_address_family] [nf_hook] {default_policy_override} {int: base chain priority} {noverbose} {base-chain-name [chainname]} {table-name [tablename]} {as-regular-chain} {address-family-override [addressfamily]}
Unless otherwise stated, all fields are required unless they're marked optional.
- nf_address_family: defines the IP address family for the policies. (inet, inet6, mixed)
- nf_hook: defines the traffic direction and the nftables hook for the rules. (input, output)
- default_policy_override: OPTIONAL defines the default action (ACCEPT, DROP) for non-matching packets. Default behavior is DROP. (Does not support specifying 'REJECT', only 'ACCEPT'. Case sensitive.)
- priority: OPTIONAL By default, this generator creates base chains with a starting priority of 0. Defining an integer value will override this behavior.
- noverbose: OPTIONAL Disable header and term comments in final ACL output. Default behavior is verbose.
- base-chain-name: OPTIONAL Takes one argument, and changes the name of the base chain from root to the passed argument (for example, root7 becomes my-chain7)
- table-name: OPTIONAL Takes one argument, and changes the name of the table from filtering_policies to the passed argument (for example, table ip6 filtering_policies {} becomes table ip6 my_table {})
- as-regular-chain: OPTIONAL takes no arguments, and removes type filter line from the root chain generated by this header.
- address-family-override: OPTIONAL Takes one argument, and overrides the address family of the table. By default, the generator creates an nftables table with the address family based on nf_address_family header above. Only bridge override is supported at the moment (for example,
address-family-override bridgewill generate the following table:table bridge filtering_policies {...}).
This NFTables ACL generator generates stateful policies via conntrack. Each NFTables base chain will accept valid return packets via (ct state established,related accept).
When a non-deny term is processed for ACL generation, the ct state new is added to the resulting policy to ensure only valid incoming connections for that term is accepted. This means invalid state packets are dropped by default.
An implementation design for this generator is that terms with options 'established', 'tcp-established' will not rendered in the final NFT configuration.
When reporting bugs about this generator ensure to include:
- Example policy (.pol file)
- Observed output (.nft file)
- Expected (correct) output in Nftables syntax (.nft syntax)
- action:: The action to take when matched. Refer to Sub-tokens -> Actions for valid options.
- comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
- destination-address:: One or more destination address tokens.
- destination-port:: One or more service definition tokens.
- expiration:: stop rendering this term after specified date. YYYY-MM-DD
- icmp-type:: Specify icmp-type code to match.
- source-interface:: input direction interface name (renders as: iifname)
- source-address:: One or more source address tokens.
- source-port:: One or more service definition tokens.
- destination-interface:: output direction interface name (renders as: oifname)
- protocol:: The network protocol(s) this term will match.
- logging:: NFTables system logging (host-based).
- counter:: NFTables counter for specific term.
Note: combining source-interface and destination-interface tokens within a term is not supported.
- accept
- deny
- reject
Note, deny maps to drop.
- disable no packets will be logged on syslog.
All of the below values are accepted, but outcome is exactly the same.
- true
- syslog
- local
Any string sub-token in counter is accepted. Do note this generator does not implement NFTables named counters - this is primarily due to original design decisions to keep each Term into its own chain structure, any support of named counters would simply make the configuration .nft file longer without any additional benefit with the possible exception of the ability to use a single counter-name for multiple terms.
This generator normalizes certain capirca policy.py string types to NFTables semantically correct values. The below tables summarize the supported ICMP type codes, the policy.py parent class definition and the NFtables specific value for the same type.
| ICMPv4 type code | Capirca (policy.py) | NFtables manual |
|---|---|---|
| 0 | echo-reply | echo-reply |
| 3 | unreachable | destination-unreachable |
| 4 | source-quench | source-quench |
| 5 | redirect | redirect |
| 6 | alternate-address | |
| 8 | echo-request | echo-request |
| 9 | router-advertisement | router-advertisement |
| 10 | router-solicitation | router-solicitation |
| 11 | time-exceeded | time-exceeded |
| 12 | parameter-problem | parameter-problem |
| 13 | timestamp-request | timestamp-request |
| 14 | timestamp-reply | timestamp-reply |
| 15 | information-request | info-request |
| 16 | information-reply | info-reply |
| 17 | mask-request | address-mask-request |
| 18 | mask-reply | address-mask-reply |
| 31 | conversion-error | |
| 32 | mobile-redirect |
| ICMPv6 type code | Capirca (policy.py) | NFtables manual |
|---|---|---|
| 1 | destination-unreachable | destination-unreachable |
| 2 | packet-too-big | packet-too-big |
| 3 | time-exceeded | time-exceeded |
| 4 | parameter-problem | parameter-problem |
| 128 | echo-request | echo-request |
| 129 | echo-reply | echo-reply |
| 130 | multicast-listener-query | mld-listener-query |
| 131 | multicast-listener-report | mld-listener-report |
| 132 | multicast-listener-done | mld-listener-done OR mld-listener-reduction |
| 133 | router-solicit | nd-router-solicit |
| 134 | router-advertisement | nd-router-advert |
| 135 | neighbor-solicit | nd-neighbor-solicit |
| 136 | neighbor-advertisement | nd-neighbor-advert |
| 137 | redirect-message | nd-redirect |
| 138 | router-renumbering | router-renumbering |
| 139 | icmp-node-information-query | |
| 140 | icmp-node-information-response | |
| 141 | inverse-neighbor-discovery-solicitation | ind-neighbor-solicit |
| 142 | inverse-neighbor-discovery-advertisement | ind-neighbor-advert |
| 143 | version-2-multicast-listener-report | mld2-listener-report |
| 144 | home-agent-address-discovery-request | |
| 145 | home-agent-address-discovery-reply | |
| 146 | mobile-prefix-solicitation | |
| 147 | mobile-prefix-advertisement | |
| 148 | certification-path-solicitation | |
| 149 | certification-path-advertisement | |
| 151 | multicast-router-advertisement | |
| 152 | multicast-router-solicitation | |
| 153 | multicast-router-termination |
source: https://www.netfilter.org/projects/nftables/manpage.html
- tcp-established and established will cause the term to not be rendered in the final NFT configuration. See 'Important' section above.