Rule Syntax(nftables)

Commands

{add | insert} rule [family] table chain [handle handle | index index] statement ... [comment comment]

replace rule [family] table chain handle handle statement ... [comment comment]

delete rule [family] table chain handle handle

Statements and verdicts

  1. accept: Accept the packet and stop processing.
  2. continue: Continue processing the packet.
  3. drop: Stop processing and silently drop the packet.
  4. goto: Send processing to the specified chain but don’t return to the calling chain.
  5. jump: Send processing to the specified chain and return to the calling chain when done or when a return statement is executed.
  6. limit: Process the packet according to the rule if the limit of matching received packets has been reached.
  7. log: Log the packet and continue processing.
  8. queue: Stop processing and send the packet to the user-space process.
  9. reject: Stop processing and reject the packet.
  10. return: Send processing back to the calling chain.
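The replace and delete commands above need a rule handle, which is not in the rule text and has to be read from a listing. The following added example (not part of the original page) shows how a script can find that handle safely and then build the handle-based command; it assumes the listing format of `nft -a list chain ...` (the `# handle N` suffix), uses a constructed sample listing, and prints the resulting commands instead of running them, so it needs no root.

```shell
#!/bin/sh
# Added example: locate a rule's handle in `nft -a` listing output, then
# build the handle-based replace/delete commands from the syntax above.
# The listing is a constructed sample of `nft -a list chain inet filter input`.

SAMPLE_LISTING='table inet filter {
	chain input { # handle 1
		type filter hook input priority filter; policy drop;
		ct state established,related accept # handle 4
		tcp dport 22 accept # handle 5
		tcp dport 80 log prefix "http " accept # handle 6
	}
}'

# find_handle LISTING FRAGMENT
# Prints the handle of the one rule whose text contains FRAGMENT.
# Exit 1 if nothing matches, 2 if several rules match (ambiguous), so a
# script never deletes or replaces the wrong rule by accident.
find_handle() {
    handles=$(printf '%s\n' "$1" | grep -F -- "$2" \
              | sed -n 's/.*# handle \([0-9][0-9]*\)[[:space:]]*$/\1/p')
    count=$(printf '%s\n' "$handles" | grep -c . || true)
    case "$count" in
        0) echo "find_handle: no rule matches '$2'" >&2; return 1 ;;
        1) printf '%s\n' "$handles" ;;
        *) echo "find_handle: $count rules match '$2', be more specific" >&2; return 2 ;;
    esac
}

# handle_cmd {replace|delete} FAMILY TABLE CHAIN HANDLE [STATEMENT ...]
# Emits the nft command text; pipe it to `sh` as root to apply it.
handle_cmd() {
    action=$1; family=$2; table=$3; chain=$4; handle=$5; shift 5
    case "$action" in
        replace) printf 'nft replace rule %s %s %s handle %s %s\n' \
                        "$family" "$table" "$chain" "$handle" "$*" ;;
        delete)  printf 'nft delete rule %s %s %s handle %s\n' \
                        "$family" "$table" "$chain" "$handle" ;;
        *) echo "handle_cmd: unknown action '$action'" >&2; return 1 ;;
    esac
}

# Tighten the SSH rule in place: reusing the handle keeps its chain position.
h=$(find_handle "$SAMPLE_LISTING" 'tcp dport 22') &&
    handle_cmd replace inet filter input "$h" \
        'ip saddr 10.0.0.0/8 tcp dport 22 limit rate 10/minute accept'
```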

nftables uses payload expressions and meta expressions

Payload expressions match on information taken from the packet itself. For instance, header expressions such as sport and dport (source port and destination port, respectively) apply to TCP and UDP packets and make no sense at the IPv4 and IPv6 layer, since those layers don’t use ports.

Payload Expressions for IPv4 TCP Header Expressions

Meta expressions are used for rules that apply broadly or are tied to common packet or interface properties rather than to a specific protocol header.