Thomas.will am 25. Juli 2025 um 05:26 Uhr

2025-07-25T05:26:15Z

Linkai.zhang: /* Netfilter hakt sich in Linux-Netzwerkpaketflüsse ein */

2023-01-19T08:04:39Z

Netfilter hakt sich in Linux-Netzwerkpaketflüsse ein

Linkai.zhang: /* Netfilter hakt sich in Linux-Netzwerkpaketflüsse ein */

2023-01-19T08:04:27Z

Netfilter hakt sich in Linux-Netzwerkpaketflüsse ein

Thomas.will am 14. September 2022 um 19:13 Uhr

2022-09-14T19:13:48Z

Änderungen zeigen

Thomas.will am 14. September 2022 um 19:07 Uhr

2022-09-14T19:07:15Z

Thomas.will am 14. September 2022 um 19:05 Uhr

2022-09-14T19:05:28Z

Änderungen zeigen

Thomas.will: Die Seite wurde neu angelegt: „''nftables'' uses mostly the same Netfilter infrastructure as legacy ''iptables''. The hook infrastructure, [http://people.netfilter.org/pablo/docs/login.pdf C…“

2022-09-14T18:58:37Z

Die Seite wurde neu angelegt: „''nftables'' uses mostly the same Netfilter infrastructure as legacy ''iptables''. The hook infrastructure, [http://people.netfilter.org/pablo/docs/login.pdf C…“

Neue Seite

''nftables'' uses mostly the same Netfilter infrastructure as legacy ''iptables''. The hook infrastructure, [http://people.netfilter.org/pablo/docs/login.pdf Connection Tracking System], NAT engine, logging infrastructure, and userspace queueing remain the same. Only the packet classification framework is new.

__TOC__

== Netfilter hooks into Linux networking packet flows ==

The following schematic shows packet flows through Linux networking:

https://people.netfilter.org/pablo/nf-hooks.png

Traffic flowing to the local machine in the input path sees the prerouting and input hooks. Then, the traffic that is generated by local processes follows the output and postrouting path.

If you configure your Linux box to behave as a router, do not forget to enable forwarding via:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then packets that are not addressed to your local system will be seen from the forward hook. Such forwarded packets follow the path: prerouting, forward and postrouting.

In a major change from iptables, which predefines chains at '''every''' hook (i.e. ''INPUT'' chain in ''filter'' table), nftables predefines '''no''' chains at all. You must must explicitly create a [[Configuring_chains#Base_chain_hooks | base chain]] at each hook at which you want to filter traffic.

=== Ingress hook ===

The ingress hook was added in Linux kernel 4.2. Unlike the other netfilter hooks, the ingress hook is attached to a particular network interface.

You can use ''nftables'' with the ingress hook to enforce very early filtering policies that take effect even before prerouting. Do note that at this very early stage, fragmented datagrams have not yet been reassembled. So, for example, matching ip saddr and daddr works for all ip packets, but matching L4 headers like udp dport works only for unfragmented packets, or the first fragment.

The ingress hook provides an alternative to ''tc'' ingress filtering. You still need ''tc'' for traffic shaping/queue management.

== Hooks by family and chain type ==

The following table lists available hooks by [[Nftables_families|family]] and [[Configuring_chains#Base_chain_types|chain type]]. Minimum nftables and Linux kernel versions are shown for recently-added hooks.

{| class="wikitable"
|- style="vertical-align:bottom;"
! style="text-align:left;" rowspan="2" | Chain type
! colspan="7" | Hooks

|-
! ingress
! prerouting
! forward
! input
! output
! postrouting
! egress

|- style="vertical-align:bottom;"
! colspan="8" | inet family

|- style="vertical-align:top;"
| filter
| {{yes|1=[https://marc.info/?l=netfilter&m=160379555303808&w=2 0.9.7] / [https://kernelnewbies.org/Linux_5.10 5.10]}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}

|- style="vertical-align:top;"
| nat
| {{no}}
| {{yes}}
| {{no}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}

|- style="vertical-align:top;"
| route
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{yes}}
| {{no}}
| {{no}}

|- style="vertical-align:bottom;"
! colspan="8" | ip6 family

|- style="vertical-align:top;"
| filter
| {{no}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}

|- style="vertical-align:top;"
| nat
| {{no}}
| {{yes}}
| {{no}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}

|- style="vertical-align:top;"
| route
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{yes}}
| {{no}}
| {{no}}

|- style="vertical-align:bottom;"
! colspan="8" | ip family

|- style="vertical-align:top;"
| filter
| {{no}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}

|- style="vertical-align:top;"
| nat
| {{no}}
| {{yes}}
| {{no}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}

|- style="vertical-align:top;"
| route
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{yes}}
| {{no}}
| {{no}}

|- style="vertical-align:bottom;"
! colspan="8" | arp family

|- style="vertical-align:top;"
| filter
| {{no}}
| {{no}}
| {{no}}
| {{yes}}
| {{yes}}
| {{no}}
| {{no}}

|- style="vertical-align:top;"
| nat
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}

|- style="vertical-align:top;"
| route
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}

|- style="vertical-align:bottom;"
! colspan="8" | bridge family

|- style="vertical-align:top;"
| filter
| {{no}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}

|- style="vertical-align:top;"
| nat
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}

|- style="vertical-align:top;"
| route
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}

|- style="vertical-align:bottom;"
! colspan="8" | netdev family

|- style="vertical-align:top;"
| filter
| {{yes|1=[https://marc.info/?l=netfilter&m=146488681521497&w=2 0.6] / [https://kernelnewbies.org/Linux_4.2 4.2]}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no|- / [https://kernelnewbies.org/Linux_5.7 5.7]}}

|- style="vertical-align:top;"
| nat
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}

|- style="vertical-align:top;"
| route
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| {{no}}

|}

== Priority within hook ==

Within a given hook, Netfilter performs operations in order of increasing numerical priority. Each nftables [[Configuring_chains#Base_chain_hooks | base chain]] and [[Flowtables|flowtable]] is assigned a priority that defines its ordering among other base chains and flowtables and Netfilter internal operations at the same hook. For example, a chain on the ''prerouting'' hook with priority ''-300'' will be placed before connection tracking operations.

The following table shows Netfilter priority values, check the nft manpage for reference.

{| class="wikitable"
|- style="vertical-align:bottom;"
! style="text-align:left;" | nftables [[Nftables_families|Families]]
! style="text-align:left;" | Typical hooks
! style="text-align:left;" | ''nft'' Keyword
! style="text-align:right;" | Value
! style="text-align:left;" | Netfilter Internal Priority
! style="text-align:left;" | Description

|- style="vertical-align:top;"
|
| prerouting
|
| style="text-align:right;" | -450
| NF_IP_PRI_RAW_BEFORE_DEFRAG
|

|- style="vertical-align:top;"
| inet, ip, ip6
| prerouting
|
| style="text-align:right;" | -400
| NF_IP_PRI_CONNTRACK_DEFRAG
| Packet defragmentation / datagram reassembly

|- style="vertical-align:top;"
| inet, ip, ip6
| all
| '''raw'''
| style="text-align:right;" | -300
| NF_IP_PRI_RAW
| Traditional priority of the raw table placed before connection tracking operation

|- style="vertical-align:top;"
|
|
|
| style="text-align:right;" | -225
| NF_IP_PRI_SELINUX_FIRST
| SELinux operations

|- style="vertical-align:top;"
| inet, ip, ip6
| prerouting, output
|
| style="text-align:right;" | -200
| NF_IP_PRI_CONNTRACK
| [[Connection_Tracking_System | Connection tracking]] processes run early in prerouting and output hooks to associate packets with tracked connections.

|- style="vertical-align:top;"
| inet, ip, ip6
| all
| '''mangle'''
| style="text-align:right;" | -150
| NF_IP_PRI_MANGLE
| Mangle operation

|- style="vertical-align:top;"
| inet, ip, ip6
| prerouting
| '''dstnat'''
| style="text-align:right;" | -100
| NF_IP_PRI_NAT_DST
| Destination NAT

|- style="vertical-align:top;"
| inet, ip, ip6, arp, netdev
| all
| '''filter'''
| style="text-align:right;" | 0
| NF_IP_PRI_FILTER
| Filtering operation, the filter table

|- style="vertical-align:top;"
| inet, ip, ip6
| all
| '''security'''
| style="text-align:right;" | 50
| NF_IP_PRI_SECURITY
| Place of security table, where secmark can be set for example

|- style="vertical-align:top;"
| inet, ip, ip6
| postrouting
| '''srcnat'''
| style="text-align:right;" | 100
| NF_IP_PRI_NAT_SRC
| Source NAT

|- style="vertical-align:top;"
|
| postrouting
|
| style="text-align:right;" | 225
| NF_IP_PRI_SELINUX_LAST
| SELinux at packet exit

|- style="vertical-align:top;"
| inet, ip, ip6
| postrouting
|
| style="text-align:right;" | 300
| NF_IP_PRI_CONNTRACK_HELPER
| Connection tracking helpers, which identify expected and related packets.

|- style="vertical-align:top;"
| inet, ip, ip6
| input, postrouting
|
| style="text-align:right;" | INT_MAX
| NF_IP_PRI_CONNTRACK_CONFIRM
| Connection tracking adds new tracked connections at final step in input & postrouting hooks.

|- style="vertical-align:top;"
| colspan="6" |  

|- style="vertical-align:top;"
| bridge
| prerouting
| '''dstnat'''
| style="text-align:right;" | -300
| NF_BR_PRI_NAT_DST_BRIDGED
|

|- style="vertical-align:top;"
| bridge
| all
| '''filter'''
| style="text-align:right;" | -200
| NF_BR_PRI_FILTER_BRIDGED
|

|- style="vertical-align:top;"
| bridge
|
|
| style="text-align:right;" | 0
| NF_BR_PRI_BRNF
|

|- style="vertical-align:top;"
| bridge
| output
| '''out'''
| style="text-align:right;" | 100
| NF_BR_PRI_NAT_DST_OTHER
|

|- style="vertical-align:top;"
| bridge
|
|
| style="text-align:right;" | 200
| NF_BR_PRI_FILTER_OTHER
|

|- style="vertical-align:top;"
| bridge
| postrouting
| '''srcnat'''
| style="text-align:right;" | 300
| NF_BR_PRI_NAT_SRC
|

|}

Starting with nftables 0.9.6 you may set priority using keywords instead of numbers. (Note that the same keyword maps to different numerical priorities in the bridge family vs. the other families.) You can also specify priority as an integral offset from a keyword, i.e. ''mangle - 5'' is equivalent to numerical priority -155.

It's possible to specify keyword priorities even in family/hook combinations where they don't make logical sense. Recall that the relative numerical ordering of priorities within a given hook is all that matters as far as Netfilter is concerned. Keep in mind that this relative ordering includes packet defragmentation, connection tracking and other Netfilter operations as well as your nftables base chains and flowtables.

← Nächstältere Version		Version vom 25. Juli 2025, 05:26 Uhr
Zeile 1:		Zeile 1:
	''nftables'' verwendet größtenteils dieselbe Netfilter-Infrastruktur wie ältere ''iptables''. Die Hook-Infrastruktur, [http://people.netfilter.org/pablo/docs/login.pdf Connection Tracking System], NAT-Engine, Logging-Infrastruktur und Userspace-Warteschlangen bleiben gleich. Lediglich das Framework zur Paketklassifizierung ist neu.		''nftables'' verwendet größtenteils dieselbe Netfilter-Infrastruktur wie ältere ''iptables''. Die Hook-Infrastruktur, [http://people.netfilter.org/pablo/docs/login.pdf Connection Tracking System], NAT-Engine, Logging-Infrastruktur und Userspace-Warteschlangen bleiben gleich. Lediglich das Framework zur Paketklassifizierung ist neu.

−
−	~~__Inhalt__~~

← Nächstältere Version		Version vom 19. Januar 2023, 08:04 Uhr
Zeile 21:		Zeile 21:
	Dann werden Pakete, die nicht an Ihr lokales System adressiert sind, vom Forward-Hook gesehen. Solche weitergeleiteten Pakete folgen dem Pfad: Prerouting, Forward und Postrouting.		Dann werden Pakete, die nicht an Ihr lokales System adressiert sind, vom Forward-Hook gesehen. Solche weitergeleiteten Pakete folgen dem Pfad: Prerouting, Forward und Postrouting.

−	Im Gegensatz zu iptables, das Ketten an '''jedem''' Hook (d.h. ''INPUT''-Kette in ''filter''-Tabelle) vordefiniert, definiert nftables überhaupt ''keine'' Ketten. Sie müssen explizit eine [[Configuring_chains#Base_chain_hooks \| base chain]] an jedem Hook, an dem Sie den Datenverkehr filtern möchten.	+	Im Gegensatz zu iptables, das Ketten an '''jedem''' Hook (d.h. ''INPUT''-Kette in ''filter''-Tabelle) vordefiniert, definiert nftables überhaupt '''keine''' Ketten. Sie müssen explizit eine [[Configuring_chains#Base_chain_hooks \| base chain]] an jedem Hook, an dem Sie den Datenverkehr filtern möchten.

@@ Zeile 21: / Zeile 21: @@
 Dann werden Pakete, die nicht an Ihr lokales System adressiert sind, vom Forward-Hook gesehen. Solche weitergeleiteten Pakete folgen dem Pfad: Prerouting, Forward und Postrouting.
-Im Gegensatz zu iptables, das Ketten an '''jedem''' Hook (d.h. ''INPUT''-Kette in ''filter''-Tabelle) vordefiniert, definiert nftables überhaupt ''keine''' Ketten. Sie müssen explizit eine [[Configuring_chains#Base_chain_hooks | base&nbsp;chain]] an jedem Hook, an dem Sie den Datenverkehr filtern möchten.
+Im Gegensatz zu iptables, das Ketten an '''jedem''' Hook (d.h. ''INPUT''-Kette in ''filter''-Tabelle) vordefiniert, definiert nftables überhaupt ''keine'' Ketten. Sie müssen explizit eine [[Configuring_chains#Base_chain_hooks | base&nbsp;chain]] an jedem Hook, an dem Sie den Datenverkehr filtern möchten.
@@ Zeile 31: / Zeile 31: @@
 Der Ingress-Hook bietet eine Alternative zur ''tc''-Eingangsfilterung. Sie benötigen noch ''tc'' für Traffic Shaping/Warteschlangenverwaltung.
 == Haken nach Familie und Kettentyp ==

← Nächstältere Version		Version vom 14. September 2022, 19:07 Uhr
Zeile 9:		Zeile 9:
	Das folgende Schema zeigt Paketflüsse durch Linux-Netzwerke:		Das folgende Schema zeigt Paketflüsse durch Linux-Netzwerke:

		+	[[Datei:Nf-hooks.png]]

−	~~https://people.netfilter.org/pablo/nf-hooks.png~~

Nftables Hooks - Versionsgeschichte

Thomas.will am 25. Juli 2025 um 05:26 Uhr

Linkai.zhang: /* Netfilter hakt sich in Linux-Netzwerkpaketflüsse ein */

Linkai.zhang: /* Netfilter hakt sich in Linux-Netzwerkpaketflüsse ein */

Thomas.will am 14. September 2022 um 19:13 Uhr

Thomas.will am 14. September 2022 um 19:07 Uhr

Thomas.will am 14. September 2022 um 19:05 Uhr

Thomas.will: Die Seite wurde neu angelegt: „''nftables'' uses mostly the same Netfilter infrastructure as legacy ''iptables''. The hook infrastructure, [http://people.netfilter.org/pablo/docs/login.pdf C…“