From: Florian Westphal <fw@strlen.de>
To: Mathias Dufresne <mathias.dufresne@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: [nftables] is it possible to declare multiple tables for a given family type?
Date: Sun, 1 Mar 2026 14:52:32 +0100	[thread overview]
Message-ID: <aaREoEE9j4MwEyq9@strlen.de> (raw)
In-Reply-To: <ecfa18a6-3488-43cb-8ba5-00dfeeac8a01@gmail.com>

Mathias Dufresne <mathias.dufresne@gmail.com> wrote:
> Hi everyone,
> 
> I'm trying to replace my very old iptables script with nftables and I'm 
> wondering if it is possible to declare several tables of the same family.

Sure it is.

> The goal would be to sort my rules among these tables...

Why? It's awkward.  In iptables it's much better to place all filter rules
in the filter table rather than spread them out over raw, mangle +
filter.

So why would you do that in nftables?

>          chain input {
>                  type filter hook input priority filter; policy accept;
>                  iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state 
> new jump ipv4_log_ssh
>                  oif "eth12" ip saddr 172.16.0.1 tcp sport 22 ct state 
> new jump ipv4_log_ssh

You have lots of 'sport 22 ct state new' rules, they make no sense.
If you already use connection tracking, why do you need a stateless-alike
rule?  The replies from sshd should be handled via 'ct state
established'.

>          chain forward {
>                  type filter hook forward priority filter; policy accept;
>                  iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state 
> new accept
>                  oif "eth12" ip saddr 172.16.0.1 tcp sport 22 ct state 
> new accept
>          }

This entire chain has no effect whatsoever, the filter policy is accept
so all packets are accepted, hence, the entire chain can be removed.

>          chain output {
>                  type filter hook output priority filter; policy accept;
>                  iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state 
> new accept
>                  oif "eth12" ip saddr 172.16.0.1 tcp sport 22 ct state 
> new accept
>          }

Same.  All packets are accepted, so why not remove the entire chain?

>          chain input {
>                  type filter hook input priority filter; policy accept;
>                  ct state { established, related } counter packets 556 
> bytes 48604 accept
>                  jump ipv4_log_drop
>          }

That makes more sense.  I suggest you place your other input rules here.

Just like in iptables, 'accept' in raw table just means packets
continue to travel through the stack, you need to accept them in mangle
and again in filter table.

Also, base chains (those with a line like
'type filter hook input priority filter; policy accept;') always cause a
slow-down: they divert all packets into the nftables vm, so it's a good idea to
minimize the amount of times this happens per packet.
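A consolidated ruleset in the spirit of this reply, as an added example that is not part of the original thread: one filter table of the inet family, one base chain per hook, replies handled once by a single 'ct state { established, related } accept' rule, and no raw or mangle tables at all. The interface name and address are taken from the quoted post; the drop policy, the loopback rule and the log prefixes are assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Added example: a single filter table instead of rules spread over
# raw/mangle/filter. Each hook is entered exactly once per packet.
flush ruleset

table inet filter {
    chain input {
        # policy drop is an assumption; the quoted post used policy accept
        type filter hook input priority filter; policy drop;

        # replies to flows conntrack already knows: one rule covers them,
        # so no 'sport 22 ct state new' rules are needed for sshd's answers
        ct state { established, related } accept
        ct state invalid drop

        iif "lo" accept

        # new SSH sessions toward this host arriving on eth12 (values from the post)
        iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state new log prefix "ssh-new: " accept

        # anything else is logged here and then dropped by the chain policy
        log prefix "input-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state { established, related } accept
        ct state invalid drop

        # forwarded SSH toward 172.16.0.1, same values as the quoted post
        iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state new accept
    }
}
```

Load it with 'nft -f' and check with 'nft list ruleset'; because the only base chains are the two above, every packet traverses the nftables vm at most once on the input path and once on the forward path.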

Thread overview: 2+ messages
2026-03-01 10:12 [nftables] is it possible to declare multiple tables for a given family type? Mathias Dufresne
2026-03-01 13:52 ` Florian Westphal [this message]