Network securitySecurityIntermediate36 min read

What Is nftables? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

nftables is a tool for setting up a firewall on Linux computers. It decides which network traffic is allowed in or out of your system. Think of it as a security guard for your computer's internet connection, checking every piece of data that tries to enter or leave.

Common Commands & Configuration

nft add rule inet filter input tcp dport {80, 443} accept

Adds a rule to the 'input' chain in the 'filter' table (family inet) that accepts TCP traffic on ports 80 and 443 using an anonymous set.

Tests understanding of anonymous sets and the inet family, which combines IPv4 and IPv6. Expect questions on how this differs from multiple iptables rules.

nft add map inet filter mymap { type ipv4_addr : verdict; }

Creates a named map called 'mymap' in the 'filter' table that maps IPv4 addresses to verdicts.

Verifies ability to define named maps, which are reusable. Exam questions often ask how to populate the map and use it in a rule.

nft add rule inet filter input ip saddr @mymap

Adds a rule that performs a lookup in the existing map 'mymap' based on the source IP address. The verdict from the map is automatically applied.

Tests the use of a named map within a rule. Common exam scenario: troubleshoot why a map rule is not applying the expected verdict.

nft add chain inet filter input { type filter hook input priority 0; policy drop; }

Creates the input base chain with a default policy of drop, meaning all packets not explicitly accepted will be dropped.

This is a fundamental configuration. The exam tests that you know how to set the chain policy (accept vs drop) and the priority value (0 is typical for filter).

nft add rule inet filter input ct state established,related accept

Accepts all packets belonging to established or related connections, as tracked by conntrack.

Classic stateful firewall rule. Expect questions on order: this rule must come before rules that handle new connections.

nft add rule inet nat prerouting tcp dport 8080 redirect to :80

Adds a DNAT-like rule in the 'prerouting' chain of the 'nat' table that redirects incoming TCP traffic on port 8080 to local port 80.

Tests nftables NAT syntax. The redirect verb is specific to nftables. Exam may compare to iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80.

nft add rule inet filter input meta l4proto {tcp, udp} th dport 53 accept

Accepts DNS traffic (UDP and TCP port 53) using the 'th' expression to match the transport header destination port.

This demonstrates the 'th' expression for port matching on any L4 protocol. Exam might compare with 'tcp dport' or 'udp dport' syntax.

nft add set inet filter blacklist { type ipv4_addr; flags interval; }

Creates a named set called 'blacklist' that can store IPv4 addresses with interval flags, allowing CIDR ranges.

Sets with interval flags are used for efficient range matching. The exam tests understanding of the 'flags' option and its impact on performance.

nftables appears directly in 3exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →

Must Know for Exams

nftables has become increasingly important in IT certification exams, particularly those focused on Linux administration and network security. In the CompTIA Linux+ (XK0-005) exam, nftables is a specific objective under the security domain. Candidates are expected to understand the basic syntax of nft commands, how to create simple rules, manage sets, and configure persistent firewall rules. The exam may present scenario-based questions where a candidate must choose the correct nftables command to allow or block a specific type of traffic. For example, a question might describe a scenario where a web server needs to allow incoming HTTPS traffic while blocking all other incoming connections, and the candidate must select the appropriate nft rule from multiple choices.

In the Red Hat Certified System Administrator (RHCSA) and Red Hat Certified Engineer (RHCE) exams, nftables is central because RHEL 8 and later use nftables as the default firewall service (via firewalld, which uses nftables as its backend). While the RHCSA exam may focus on using firewalld (the high-level tool), an understanding of nftables rules is beneficial for troubleshooting and for when the exam probes deeper into the underlying mechanisms. The RHCE exam, which covers more complex automation and security tasks, may require candidates to write custom nftables rulesets or integrate them with Ansible automation. Questions might involve setting up NAT, creating rate limiting rules, or implementing a deny-by-default policy.

In the Linux Professional Institute (LPI) LPIC-1 and LPIC-2 exams, firewall configuration is a key component. LPIC-1 (Exam 102) includes objectives on managing firewall rules using iptables and the newer nftables. Candidates need to understand the differences between the two and be able to use nftables for basic packet filtering. LPIC-2 (Exam 201) goes deeper into advanced network configuration, including nftables for complex scenarios like bridging, packet mangling, and advanced NAT. Exam questions may ask about the syntax for creating a table, a chain, or adding a rule. They might also test understanding of the different address families (inet, ip, ip6) and the hooks (input, forward, output).

For general IT security certifications like CompTIA Security+, while they do not specifically test nftables, they cover the concepts of firewalls, packet filtering, and network segmentation. Understanding nftables provides a concrete example of how stateful firewalls and access control lists work, which can help answer conceptual questions. For example, a question on Security+ might ask about the difference between a stateful and stateless firewall. Knowledge of nftables' connection tracking feature can help clarify this.

In Cisco's CCNA or other vendor-specific certifications, nftables is not directly tested, but the underlying networking principles-like ACLs, NAT, and port filtering-are universal. The specific implementation in Linux is often a secondary skill. However, for any exam that includes Linux administration, nftables is becoming unavoidable. The typical format includes multiple-choice questions, command-line simulation questions (for CompTIA), and performance-based tasks (for Red Hat). Candidates should be comfortable with the nft command, understanding options like add table, add chain, add rule, list ruleset, delete, and flush. Also, familiarity with the configuration file location (e.g., /etc/nftables.conf) is important. Finally, exam questions often aim to trip up candidates on the nuances, such as the default policy of a chain, the difference between drop and reject, or the use of sets for efficiency.

Simple Meaning

Imagine your computer is a busy office building with many doors. Everyone who enters or leaves must pass through the main gate where a security guard checks their identification. nftables is like that security guard for your computer's network traffic. It looks at every piece of data, called a packet, that tries to go in or out of your computer. The guard has a list of rules: for example, allow employees with a badge, block anyone without an appointment, and allow deliveries only during business hours. In nftables, you write similar rules. You can say, allow web traffic from a specific website, block all traffic from a known malicious IP address, or allow your computer to send emails but not receive them. nftables is designed to be more efficient and easier to manage than the older system called iptables. It uses a simpler rule structure and allows you to combine rules into sets, making your firewall faster and less cluttered. For IT professionals, learning nftables is important because it is the default firewall tool in many modern Linux distributions, such as Red Hat Enterprise Linux 8 and later, Debian 10 and later, and Ubuntu 18.04 and later. It helps in securing networks, preventing unauthorized access, and controlling data flow. While the idea is simple, the actual implementation involves understanding IP addresses, ports, protocols, and how to write rules that process network traffic efficiently. The key takeaway is that nftables is a powerful, flexible, and modern way to protect your computer or network from unwanted traffic.

Let's use an analogy with a library. The library has a door where people enter and leave. The librarian checks each person. nftables is like the librarian's instruction book. One page might say, let in anyone who is a member. Another says, block anyone with a large bag after 5 PM. nftables organizes these instructions in a clear way. It also has a faster way to check multiple similar instructions at once, like a list of banned member numbers. This makes the library's security check faster and more accurate. In the computer world, this speed is crucial because thousands of packets arrive every second.

Another analogy is a city's traffic management system. nftables is like the traffic lights and signs that control which cars (data packets) can go where. You can set up a rule that says, cars from certain neighborhoods (IP addresses) are not allowed on the highway (your server). Or you can allow only buses (certain types of traffic) to use the bus lane (a specific port). nftables gives you very fine-grained control over the flow of data.

In practice, nftables is configured using the nft command-line tool. You can create tables that hold chains, which are ordered lists of rules. Each rule has a set of criteria (like source IP, destination port, protocol) and a verdict (like accept, drop, or reject). This structure is cleaner than iptables, which had multiple separate tables and chains built into the kernel. nftables unifies all these into a single framework, making it easier to understand and debug.

Full Technical Definition

nftables is a netfilter-based packet classification framework that operates within the Linux kernel's network stack. It replaces the legacy iptables, ip6tables, arptables, and ebtables tools, providing a unified, more efficient, and more feature-rich interface for packet filtering, network address translation (NAT), connection tracking, and packet mangling. The architecture of nftables is based on a set of tables, chains, and rules. A table is a container for a specific type of traffic or functionality, such as IPv4 filtering, IPv6 filtering, or ARP handling. Each table has a specific address family (e.g., ip, ip6, inet, arp, bridge) and hooks into the netfilter framework at specific points in the packet traversal path (e.g., prerouting, input, forward, output, postrouting). Chains are ordered lists of rules that are evaluated sequentially. Rules consist of a set of expressions (match criteria) and a verdict (action). Expressions can match on various packet header fields, such as source/destination IP addresses, source/destination ports, protocol type, interface, and connection tracking state. Verdicts include accept (allow the packet), drop (silently discard the packet), reject (discard the packet and send an error message), jump (continue in another chain), and return (go back to the calling chain).

One of the key technical advantages of nftables over iptables is its use of a single common rule structure and the elimination of separate tools for different protocols. In iptables, administrators had to manage iptables (IPv4), ip6tables (IPv6), ebtables (Ethernet bridging), and arptables (ARP) independently. nftables unifies these through the inet family, which can handle both IPv4 and IPv6 traffic in the same table. Another major advancement is the support for dynamic sets, maps, and dictionaries. Sets allow administrators to group multiple IP addresses, ports, or other match criteria into a single named set, which can be updated atomically without reloading the entire ruleset. This is critical for dynamic environments where IP addresses change frequently, such as in cloud or containerized deployments. Maps (e.g., for port translation) and verdict maps allow for efficient rule matching by using key-value lookups.

nftables also introduces a new configuration syntax that is more structured and scriptable. The tool nft provides a human-readable, command-line interface. Configuration files can be written in a declarative format and loaded using nft -f. The design reduces the number of system calls and context switches compared to iptables because rules are compiled into bytecode that is executed in the kernel's virtual machine. This results in faster packet processing, especially when handling large numbers of rules. Nftables supports hooks at multiple points in the network stack, including ingress (at the earliest point on the receive path) and egress (at the latest point on the transmit path), allowing for very early or very late filtering. It also integrates with connection tracking, enabling stateful firewall rules that can track the state of connections (e.g., NEW, ESTABLISHED, RELATED, INVALID).

In terms of standards, nftables implements the netfilter framework's hooks as defined in the Linux kernel. It supports IPv4 (RFC 791), IPv6 (RFC 2460), TCP (RFC 793), UDP (RFC 768), ICMP (RFC 792), and many other protocols. It can also handle more esoteric protocols like SCTP and DCCP. The tool uses the nftables kernel subsystem, which is part of the mainline Linux kernel since version 3.13. Real IT implementation often involves creating a base set of rules for a server, such as allowing SSH (port 22), HTTP (port 80), and HTTPS (port 443) while dropping all other incoming traffic. Administrators might also create a set of IP addresses that are blacklisted, or a set of ports that are allowed for specific services. The flexibility of nftables makes it suitable for both simple desktop firewalls and complex enterprise-grade network security appliances.

Real-Life Example

Imagine you are the manager of a private club. The club has a single entrance door. You want to control who can enter and what they can bring inside. You have a list of VIP members who can come anytime, a list of banned troublemakers who are never allowed, and a policy that no outside food or drinks are allowed. nftables works like the instructions you give to the doorman. The doorman checks every person trying to enter. The instructions might be: If the person is a VIP member (source IP in a whitelist), let them in immediately. If the person is on the banned list (source IP in a blacklist), deny entry. If the person is carrying outside food or drink (packet content analysis, though less common), deny entry. For all other people, check their ID (connection state) and if they look okay, let them in but tell them they can only stay in the lounge area (specific destination port).

Now, let's map this to the IT world. The club is your computer or server. The door is the network interface. The people are data packets. The VIP list is a set of allowed IP addresses. The banned list is a set of blocked IP addresses. The no-outside-food rule is like blocking traffic on certain ports (e.g., blocking BitTorrent on port 6881). The instruction to only stay in the lounge is like forwarding traffic only to a specific web server (port 80).

nftables makes managing these instructions easier than the old system. Instead of having multiple separate instruction books (iptables for IPv4, ip6tables for IPv6), you have one unified instruction book. You can also group the VIP list into a set, so when a new VIP joins, you just add their name to the set without rewriting all the instructions. This is like adding a new name to a paper list that the doorman has. The doorman doesn't need new instructions; he just looks at the updated list. Similarly, in nftables, you can update the set while the firewall is running, without any downtime.

suppose the club has a policy that people can only enter using the main door, not the fire exit. This is like a default drop policy. By default, all traffic is blocked unless there is a specific rule to allow it. This is a common security best practice. nftables allows you to set a default policy for each chain, such as drop or accept. The default policy for the input chain (incoming traffic) is often set to drop, meaning anything not explicitly allowed is blocked. This is like telling the doorman, if you don't have a specific instruction, turn the person away.

Why This Term Matters

In practical IT terms, nftables matters because it is the current standard for Linux firewall management. Many modern distributions, especially Red Hat Enterprise Linux 8 and later, CentOS 8, Fedora, Debian 10 and later, and Ubuntu 18.04 and later, have moved to nftables as their default firewall backend. This shift means that IT professionals who manage Linux servers, workstations, or network appliances must be proficient in nftables to effectively secure systems. Understanding nftables is not just about writing rules; it is about comprehending the underlying packet flow and how to control it efficiently.

For system administrators, the ability to create and manage firewall rules is a core skill. nftables provides a more scalable and performant solution compared to iptables, especially in environments with thousands of rules or dynamic IP updates. For example, in a cloud environment where virtual machines and containers are constantly spun up and down, the ability to update sets atomically without restarting the firewall service is invaluable. This reduces downtime and improves security by allowing immediate blocking of new threats.

For network security engineers, nftables offers a rich set of features for implementing complex security policies. It supports stateful inspection through connection tracking, which is essential for allowing legitimate return traffic while blocking malicious probes. It also supports rate limiting, logging, and the use of user-defined chains for modular rule organization. The ability to use verdict maps allows for very concise and efficient rule sets that can perform different actions based on packet characteristics, such as redirecting traffic to a transparent proxy or performing network address translation.

nftables is not just for servers. It is also used in embedded devices, home routers, and IoT devices that run Linux. As the Internet of Things grows, the security of these devices becomes critical. nftables provides a lightweight yet powerful firewall solution that can be deployed on resource-constrained devices. For IT certification candidates, understanding nftables demonstrates a modern, forward-looking skill set. It shows that you are not stuck on legacy tools. Many certification exams, such as the CompTIA Linux+ and Red Hat Certified System Administrator (RHCSA), now include nftables objectives. Knowing nftables helps in real-world tasks like securing a web server, setting up a VPN, or creating a DMZ. Nftables matters because it is the present and future of Linux firewall management, and proficiency in it is essential for any serious Linux professional.

How It Appears in Exam Questions

Exam questions about nftables typically fall into several patterns: command syntax, scenario-based configuration, troubleshooting, and conceptual understanding. In command syntax questions, the exam might present a specific requirement, such as allowing SSH traffic on port 22 from a particular IP address, and then present five nft commands with subtle variations. The candidate must identify the correct one. For example, which command adds a rule to the input chain of the filter table for IPv4, accepting TCP traffic on port 22 from source 192.168.1.100? The correct answer would be something like: nft add rule ip filter input ip saddr 192.168.1.100 tcp dport 22 accept. Distractors might use incorrect protocols (udp instead of tcp), incorrect chain (forward instead of input), or incorrect syntax (missing saddr or dport keywords).

Scenario-based configuration questions often describe a real-world situation. For example: A server administrator wants to create a firewall that allows only DNS traffic (UDP port 53) from any source, and drops all other incoming traffic. The server has both IPv4 and IPv6 addresses. Which of the following is the best approach? The correct answer would involve creating an inet table (to handle both IPv4 and IPv6) with a base chain for input, setting its policy to drop, and adding a rule to accept UDP on port 53. Distractors might propose ip table only (ignoring IPv6), setting policy to accept (which would defeat the purpose), or using the forward chain instead of input.

Troubleshooting questions often require the candidate to identify why a nftables rule is not working. For instance, a user reports that they cannot access a web server on port 80, but they can ping it. The administrator checks the nftables ruleset and sees a rule that drops all traffic from the user's subnet. The question might ask: what is the likely cause? The candidate must recognize that the drop rule is too broad or that the HTTP rule is placed after the drop rule (since nftables processes rules sequentially in a chain). Another troubleshooting pattern involves checking for module loading or kernel support. A question might ask: after installing nftables, the command nft list ruleset returns an error. What is the most likely cause? The answer could be that the nf_tables kernel module is not loaded.

Conceptual questions may test the understanding of the architecture. For example: Which of the following best describes the difference between nftables and iptables? Options might include that nftables uses a single utility for all address families, while iptables requires separate tools, or that nftables uses a bytecode interpreter for faster rule matching. Another conceptual question could ask: Which chain would you place a rule to filter traffic destined for the local system? The answer is the input chain. Or: Which table family allows filtering both IPv4 and IPv6 traffic? The answer is inet.

Finally, questions about sets and maps are common in advanced exams. For example: An administrator wants to block a changing list of 50 IP addresses. What is the most efficient way to implement this in nftables? The answer is to create a named set and use it in a single rule. The follow-up might be how to add a new IP to that set without reloading the entire ruleset: nft add element ip filter blacklist { 10.0.0.5 }. Understanding these patterns is crucial for scoring well in exams that include nftables.

Practise nftables Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a junior system administrator at a small company. Your manager asks you to set up a basic firewall on the company's Linux web server. The server runs Ubuntu 20.04 and uses nftables. The requirements are simple: all incoming traffic to the server should be blocked by default, except for the following services: SSH (port 22) for remote management from the company's internal network (IP range 10.0.0.0/24), HTTP (port 80) and HTTPS (port 443) for the public website, and ping (ICMP) from anywhere for network troubleshooting. Also, you must ensure that established connections are allowed back in, so that responses to outbound traffic from the server (like software updates) are not blocked.

First, you check if nftables is installed and the kernel supports it. You run nft --version and it works. Then you begin to build the ruleset. You decide to use an inet table to handle both IPv4 and IPv6 traffic, making the rules clean. You create the table: nft add table inet filter. Then you create the base input chain with a default policy of drop: nft add chain inet filter input { type filter hook input priority 0; policy drop; }. This chain will inspect all incoming packets. Next, you need a rule to allow established and related traffic. This is a stateful firewall rule: nft add rule inet filter input ct state established,related accept. This rule must come early because once a packet is matched, it is accepted and the subsequent rules are not evaluated for that packet.

After that, you add the rule for SSH from the internal network: nft add rule inet filter input ip saddr 10.0.0.0/24 tcp dport 22 accept. This rule allows TCP traffic on port 22 only if the source IP address is in the 10.0.0.0/24 subnet. Then you add rules for HTTP and HTTPS from any source: nft add rule inet filter input tcp dport {80, 443} accept. This uses a list of ports. Then you add a rule for ICMP: nft add rule inet filter input icmp type echo-request accept. For IPv6, you would add a similar rule for icmpv6. Finally, you need to make the configuration permanent. You save the current ruleset to a file: nft list ruleset > /etc/nftables.conf. Then you enable the nftables service to load it at boot: systemctl enable nftables. You test the setup by trying to SSH from the internal network, which works. You try to telnet from outside on port 22, which is blocked. The website loads fine from any internet connection. This scenario demonstrates the core workflow of using nftables: creating tables, chains with policies, writing rules with matches and verdicts, and persisting the configuration.

Common Mistakes

Forgetting to add a default policy to a chain, leaving it at the default 'accept'.

If the default policy is accept, then any traffic not explicitly denied will be allowed, which defeats the purpose of a firewall for security. The entire intent is to block all traffic except what is explicitly allowed.

Always set the default policy to 'drop' for input and forward chains, and then add specific rules for allowed traffic. For example: nft add chain inet filter input { type filter hook input priority 0; policy drop; }.

Placing the rule for established/related connection state after other rules that drop traffic.

The rule for established connections must be early in the chain. If a drop rule appears first, it may drop legitimate return traffic that should be allowed. Rules are evaluated sequentially, and the first match wins.

Put the rule 'ct state established,related accept' as the first rule in the input chain, before any other matching rules.

Using the wrong hook or chain. For example, using the 'forward' chain when trying to filter traffic destined for the local system.

The 'forward' chain only processes traffic that is being routed through the system (like a router), not traffic destined for the local system. Incoming traffic to the local system goes through the 'input' chain. Using the forward chain will not filter local traffic at all.

Use the 'input' chain for traffic destined for the local machine. Use the 'forward' chain for traffic being forwarded. Use the 'output' chain for traffic generated by the local machine.

Creating an 'ip' table and ignoring IPv6 traffic, leaving the system exposed over IPv6.

Many modern networks use both IPv4 and IPv6. If a firewall only covers IPv4, an attacker could use IPv6 to bypass the firewall entirely, as the IPv6 traffic would not be filtered.

Use the 'inet' address family when creating tables to automatically apply rules to both IPv4 and IPv6 packets. For example: nft add table inet filter.

Making a typo in the rule syntax, such as using 'dport' in the wrong context or forgetting the protocol (tcp/udp) before the port.

nftables syntax is strict. Omitting the protocol or misspelling a keyword will cause the command to fail with an error, and no rule will be applied. This can leave the system unprotected.

Double-check the syntax. Use 'tcp dport' for TCP ports and 'udp dport' for UDP ports. Always test the commands interactively before loading them permanently. Use 'nft -c -f /etc/nftables.conf' to check configuration file syntax.

Not saving the ruleset after making changes, so the firewall rules are lost after a reboot.

nftables rules are ephemeral unless explicitly saved. After a system restart, only the base empty ruleset is loaded unless the nft save configuration is activated.

After verifying the rules, run 'nft list ruleset > /etc/nftables.conf' to save them to the configuration file, and ensure the nftables service is enabled with 'systemctl enable nftables'.

Exam Trap — Don't Get Fooled

{"trap":"In an exam question, the answer choice might present a rule that uses 'reject' instead of 'drop' for a default policy or in a situation where the intent is to silently block traffic.","why_learners_choose_it":"Learners may see the word 'reject' and think it means 'block'. They are not careful about the difference between dropping and rejecting a packet.

Also, 'reject' might appear to be safer because it sends an error message, but that can reveal information to an attacker.","how_to_avoid_it":"Understand that 'drop' silently discards the packet, while 'reject' discards the packet and sends an error message (like ICMP port unreachable) back to the sender. For security, 'drop' is generally preferred to avoid giving information to an attacker.

In questions asking for a 'stealth' firewall, 'drop' is the correct verdict. Also, remember that only 'accept', 'drop', 'reject', 'jump', 'goto', 'return', 'continue' are valid verdicts, and you cannot set a chain's default policy to 'reject' (the default policy can only be 'accept' or 'drop')."

Commonly Confused With

nftablesvsiptables

iptables is the legacy firewall tool in Linux. nftables is its modern replacement. The main differences are that nftables uses a single tool for all address families, has a more streamlined syntax, supports sets and maps for efficient rule management, and is faster. iptables is still widely used but is considered deprecated in many distributions.

With iptables, you had to use separate commands for IPv4 (iptables), IPv6 (ip6tables), and bridging (ebtables). With nftables, you can use one command with the 'inet' family to cover all IP traffic.

nftablesvsfirewalld

firewalld is a high-level firewall management tool that uses nftables (or iptables) as its backend. It provides a dynamic, zone-based interface, allowing administrators to manage rules by zone (e.g., public, internal, dmz) rather than writing raw nftables rules. firewalld is not a different technology but a frontend.

If you use 'firewall-cmd' to add a service, firewalld translates that command into nftables or iptables rules. Directly editing nftables rules can sometimes conflict with firewalld's management, so it is important to pick one method.

nftablesvsUFW (Uncomplicated Firewall)

UFW is a user-friendly command-line tool for managing iptables or nftables (depending on the distribution). It is a frontend that hides the complexity of iptables/nftables syntax. Useful for beginners, but it lacks the advanced features available in raw nftables.

To allow SSH with UFW, you type 'ufw allow 22'. Under the hood, UFW generates the equivalent nftables or iptables rule. For complex rules, you need to go directly to nftables.

Step-by-Step Breakdown

1

1. Understanding the Packet Flow Path

Before writing nftables rules, you must understand how a packet moves through the Linux network stack. When a packet arrives, it first goes through the ingress hook (for very early filtering), then the prerouting chain (where DNAT occurs). Then the kernel decides if the packet is destined for the local system (goes to input chain) or for forwarding (goes to forward chain). Local system output goes through the output chain, then postrouting (where SNAT occurs). Understanding this path is essential for placing rules in the correct chain.

2

2. Choosing the Right Table and Address Family

A table in nftables is defined with an address family (ip, ip6, inet, arp, bridge, netdev). For most firewall purposes, 'inet' is the best choice as it handles both IPv4 and IPv6. The table is a container. Using a meaningful name like 'filter' or 'mangle' helps with organization. Example: nft add table inet filter. You also need to decide if you need separate tables for different types of processing (filtering, NAT, mangle).

3

3. Creating Chains with Hooks and Base Priorities

A chain is where rules live. Base chains are attached to netfilter hooks (input, forward, output, prerouting, postrouting) and have a priority that determines the order of processing relative to other chains on the same hook. The type must be 'filter' for filtering, 'nat' for NAT, or 'route' for routing. Example: nft add chain inet filter input { type filter hook input priority 0; policy drop; }. The priority 0 is standard. Lower numbers are processed first.

4

4. Writing Rules with Expressions and Verdicts

Rules consist of one or more expressions that match packet characteristics, followed by a verdict. Common expressions include: ip saddr (source IP), ip daddr (destination IP), tcp dport (TCP destination port), udp sport (UDP source port), meta iif (input interface), meta oif (output interface), ct state (connection tracking state). The verdict tells what to do: accept, drop, reject, jump to another chain, etc. Example: nft add rule inet filter input tcp dport 22 accept.

5

5. Using Sets and Maps for Efficiency

When you have many similar rules (e.g., blocking many IP addresses), using a set is efficient. First, create a named set: nft add set inet filter blacklist { type ipv4_addr; }. Then add elements: nft add element inet filter blacklist { 10.0.0.1, 10.0.0.2 }. Then a single rule can match against the set: nft add rule inet filter input ip saddr @blacklist drop. Sets can be updated dynamically without reloading the entire ruleset. Maps (like verdict maps) allow returning a verdict based on a key, making very compact rules.

6

6. Making Rules Persistent

Rules are lost on reboot unless saved. The standard way is to dump the current ruleset to a file and tell the nftables service to load it at boot. The command 'nft list ruleset > /etc/nftables.conf' saves the full ruleset. Then enable the service with systemctl enable nftables. Alternatively, you can write the configuration file manually in the nftables syntax. It is good practice to test the file syntax using 'nft -c -f /etc/nftables.conf' before loading it with 'systemctl restart nftables'.

Practical Mini-Lesson

nftables is a powerful tool, but mastering it requires understanding its structure and common patterns. In practice, a Linux professional will often start with a default deny policy. The first thing to do when setting up a server is to create the base rules.

Let's walk through a comprehensive example. Suppose we have a web server that also runs SSH and DNS. We want to allow incoming SSH from a management network (10.10.10.0/24), HTTP and HTTPS from anywhere, DNS (UDP 53) from anywhere, and allow the server to make outbound connections for updates.

We also want to log dropped packets for troubleshooting. We'll create an inet table called 'filter' with input, forward, and output chains. The default policy for input and forward will be drop, and for output accept (since we trust the output traffic).

We add the rule for established connections first: nft add rule inet filter input ct state related,established accept. Then we add rules for SSH, HTTP, HTTPS, and DNS. For logging, we create a separate chain for logging, and then jump to it before dropping packets.

But for simplicity, we can add a rule at the end of the chain that logs and drops all remaining traffic: nft add rule inet filter input log prefix "Dropped: " drop. This logs every dropped packet to the kernel log (dmesg). This is extremely useful for debugging.

Once the ruleset is tested, we save it. Professionals should also use version control for their nftables.conf file to track changes. What can go wrong? One common issue is forgetting to allow ICMP for path MTU discovery, which can cause connectivity problems.

Another issue is misordering rules: placing the log-drop rule before the allowed ports will cause all traffic to be dropped. Also, if you are using firewalld, directly editing nftables rules can cause conflicts because firewalld manages its own ruleset. It is best to use one or the other.

Another professional tip: use the 'nft monitor' command to see packets being evaluated in real-time, which is excellent for debugging. The command 'nft list ruleset' can be piped to view the entire configuration. In automation contexts, tools like Ansible have modules for nftables, allowing rule deployment across many servers.

Understanding the underlying principles of tables, chains, and rules is essential for creating efficient, secure, and maintainable firewall configurations.

Understanding Verdict Maps and Anonymous Sets in nftables

nftables introduces several powerful data structures that surpass the capabilities of legacy iptables, and two of the most important for performance and efficiency are verdict maps and anonymous sets. A verdict map, also spelled as 'verdict map' or 'vmap', is a way to associate a key with a verdict (such as accept, drop, jump, or return) inside a single rule. Instead of writing multiple rules to check different source IP addresses and apply different actions, you can define a map that directly links each IP address to its corresponding verdict.

This drastically reduces the number of rules the kernel must traverse, which leads to faster packet processing, especially under heavy network load. For example, a verdict map might look like: 'ip saddr vmap { 192.168.

1.1 : accept, 10.0.0.0/8 : drop }'. The kernel performs a hash lookup on the source address, immediately retrieves the pre-defined verdict, and applies it without scanning further rules.

This is particularly beneficial in exam scenarios where you must demonstrate understanding of how nftables scales differently from iptables. Many certification questions now test whether you can differentiate between a simple set (which only stores values for matching) and a verdict map (which stores both keys and verdicts). Another related structure is the anonymous set, which is an inline set definition that exists only within a single rule.

For instance, 'tcp dport { 80, 443 } accept' creates an anonymous set containing ports 80 and 443. The kernel internally uses an optimized set-based lookup (e.g., bitmaps or hash tables) rather than a linear chain of rules.

This is a significant upgrade from iptables, where each port required a separate rule or a match module. In nftables, you never need multiple rules for the same action with different criteria; you simply aggregate them into a set. The performance gain is especially clear when dealing with port ranges or multiple IP addresses.

The exam may ask you to identify the correct syntax for a verdict map or explain the difference between a named set (defined in a separate table and reusable across rules) and an anonymous set. Remember that anonymous sets are defined inline in a rule and are implicitly created when the rule is added. They are destroyed when the rule is removed.

Named sets, on the other hand, must be explicitly created and can be updated dynamically without reloading the entire rule set. This is a crucial operational difference. For the exam, you should also know that verdict maps accept keys of any type that sets can hold.

For example, you can create a verdict map keyed on interface names or even meta expressions like 'meta mark'. The verdict map's value is always a verdict, which must be one of accept, drop, queue, continue, return, jump, or goto. If you use the jump or goto verdict inside a map, the target chain must exist and be reachable.

These structures reflect nftables' design philosophy of moving complexity into data structures rather than rule chains. This makes nftables more suitable for high-performance environments like datacenter firewalls or routers. In your studies, practice writing rules that use verdict maps to reduce the number of chains and rules.

For example, replace a series of rules that check different IP addresses for different actions with a single rule using a verdict map. This will not only improve performance but also simplify maintenance. The exam will reward this kind of efficient design approach.

Understanding verdict maps and anonymous sets is essential for passing any certification that covers nftables, as these are core differentiators from legacy tools and are often tested in case-study questions involving performance optimization.

Stateful Packet Filtering with nftables and the Conntrack Module

One of the foundational concepts in modern firewall design is stateful packet filtering, and nftables handles this through the connection tracking (conntrack) subsystem. Unlike stateless firewalls that inspect each packet in isolation, stateful filtering tracks the state of network connections and allows the return traffic while blocking unsolicited inbound packets. In nftables, you use the 'ct' (connection tracking) expression to match packets based on their connection state.

The commonly used states are 'new', 'established', 'related', and 'invalid'. The typical rule configuration for a stateful rule set is to allow all packets in the 'established' and 'related' states and drop or reject 'invalid' packets. For example, a basic rule might be 'ct state established,related accept'.

This rule is usually placed early in the input chain to allow replies to connections initiated from the local host. The 'new' state is reserved for packets that start a new connection, and you would apply more restrictive rules to those, such as allowing only specific ports or protocols. In the exam, you must understand the difference between the 'related' state and the 'established' state.

'Related' refers to packets that are part of a secondary connection associated with an existing connection, like FTP data connections or ICMP errors. nftables uses the same conntrack infrastructure as iptables, so the concepts carry over, but the syntax is different. For instance, in iptables you would write '-m state --state ESTABLISHED,RELATED -j ACCEPT', while in nftables you write 'ct state established,related accept'.

The key difference is that nftables does not require a separate match module; the 'ct' expression is built into the nftables framework and can be combined with other expressions. You can also match on conntrack labels, mark, or zone using the ct expression. For example, 'ct mark 1 accept' will accept packets that have a conntrack mark set to 1.

This is useful for policy-based routing or advanced filtering scenarios. Another important concept for the exam is the flow table, which is an nftables feature that accelerates forwarding of established connections. A flow table offloads entire flows to hardware or fast-path software, reducing CPU usage.

You enable it with the 'flow offload' action, and it works in tandem with conntrack. The syntax is: 'flow table myflow { type nat; hook forward priority 0; }' and then in a rule: 'ct state established,related flow add @myflow'. This is a high-performance feature that exam questions may test in the context of network optimization.

You should also know that nftables allows you to set conntrack policies per table. For example, you can configure the table to not track certain traffic by using the 'notrack' statement: 'ct state invalid notrack'. This is useful for protocols that do not work well with connection tracking, like certain VPN encapsulations.

In addition to state matching, nftables can modify the conntrack state using the 'ct' set statement. For instance, you can intentionally mark a packet as 'invalid' using 'ct state set invalid'. This is often used for attack mitigation or to bypass tracking for certain traffic.

The exam expects you to understand the order of operations: conntrack must be enabled in the kernel, and you must use the 'ct' expression only in hooks that run after conntrack has processed the packet (typically in the prerouting or input hooks). If you try to use 'ct state' before conntrack runs, it will not match. This is a common pitfall.

Stateful filtering in nftables is powerful and flexible. By mastering the 'ct' expression, flow offloading, and the different state values, you will be well-prepared for exam questions on network security. Remember that the goal is to allow legitimate traffic while blocking unauthorized access, and nftables gives you the tools to do this efficiently with minimal rule overhead.

Practice writing rules that permit only 'established' and 'related' traffic while dropping 'invalid' traffic and restricting 'new' traffic to specific ports. This pattern is the foundation of most firewall configurations evaluated in certification exams.

Memory Tip

Think of nftables as the 'new fire table', a modern, unified replacement for the old iptables. Remember the key hook: 'I am a fire, FIRE it up', Filter table, Inet family, Rule sets, Established connections first.

Learn This Topic Fully

This glossary page explains what nftables means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

XK0-005XK0-006(current version)

Related Glossary Terms

Quick Knowledge Check

1.In nftables, which expression is used to match packets based on connection tracking state?

2.What is the primary advantage of using a verdict map over multiple individual rules in nftables?

3.Which nftables table family filters both IPv4 and IPv6 traffic?

4.What is the default policy of a base chain if not explicitly specified?

5.Which nftables action is used to offload established connections to hardware or fast-path software?

6.In nftables, what is the difference between a named set and an anonymous set?