From: Mathias Dufresne <mathias.dufresne@gmail.com>
To: netfilter@vger.kernel.org
Subject: [nftables] is it possible to declare multiple tables for a given family type?
Date: Sun, 1 Mar 2026 11:12:19 +0100
Message-ID: <ecfa18a6-3488-43cb-8ba5-00dfeeac8a01@gmail.com>
Hi everyone,
I'm trying to replace my very old iptables script with nftables and I'm
wondering if it is possible to declare several tables of the same family.
As far as my tests went, it seems it is not, or that I did not understand
the ordering of rules...
The goal would be to sort my rules among these tables...
Something like that:
===============================================================================
table ip filter_SSH {
	chain ipv4_log_ssh {
		counter packets 0 bytes 0 log prefix "Accept ip SVC for 'administrative services/ssh': "
		counter packets 0 bytes 0 log prefix "Accept ip SVC for 'administrative services/ssh': " group 2
		counter packets 0 bytes 0 accept
	}
	chain input {
		type filter hook input priority filter; policy accept;
		iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state new jump ipv4_log_ssh
		oif "eth12" ip saddr 172.16.0.1 tcp sport 22 ct state new jump ipv4_log_ssh
	}
	chain forward {
		type filter hook forward priority filter; policy accept;
		iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state new accept
		oif "eth12" ip saddr 172.16.0.1 tcp sport 22 ct state new accept
	}
	chain output {
		type filter hook output priority filter; policy accept;
		iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state new accept
		oif "eth12" ip saddr 172.16.0.1 tcp sport 22 ct state new accept
	}
}
table ip filter_DNS {
	chain ipv4_log_dns {
		counter packets 0 bytes 0 log prefix "Accept ip SVC for 'DNS': "
		counter packets 0 bytes 0 log prefix "Accept ip SVC for 'DNS': " group 2
		counter packets 0 bytes 0 accept
	}
	chain input {
		type filter hook input priority filter; policy accept;
		iif "eth12" ip daddr 172.16.0.2 udp dport 53 jump ipv4_log_dns
		oif "eth12" ip saddr 172.16.0.2 udp sport 53 jump ipv4_log_dns
	}
	chain forward {
		type filter hook forward priority filter; policy accept;
		iif "eth12" ip daddr 172.16.0.2 udp dport 53 accept
		oif "eth12" ip saddr 172.16.0.2 udp sport 53 accept
	}
	chain output {
		type filter hook output priority filter; policy accept;
		iif "eth12" ip daddr 172.16.0.2 udp dport 53 accept
		oif "eth12" ip saddr 172.16.0.2 udp sport 53 accept
	}
}
table ip ZZZ_accept_related {
	chain ipv4_log_drop {
		counter packets 0 bytes 0 log prefix "DROP: dropping everything else"
		counter packets 0 bytes 0 log prefix "DROP: dropping everything else" group 2
		counter packets 0 bytes 0 drop
	}
	chain input {
		type filter hook input priority filter; policy accept;
		ct state { established, related } counter packets 556 bytes 48604 accept
		jump ipv4_log_drop
	}
	chain forward {
		type filter hook forward priority filter; policy accept;
		ct state { established, related } counter packets 0 bytes 0 accept
		jump ipv4_log_drop
	}
	chain output {
		type filter hook output priority filter; policy accept;
		ct state { established, related } counter packets 557 bytes 49124 accept
		jump ipv4_log_drop
	}
}
===============================================================================
Best regards,
mathias
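Added illustration, not part of the mail and not nftables code: a small Python model of how nft evaluates several base chains registered on the same hook, built from the input chains of the ruleset above. It shows why rules spread over several tables do not behave like one ordered chain: accept in filter_SSH ends only that base chain, the packet is then still handed to the input chain of ZZZ_accept_related at the same hook and priority, where the catch-all jump drops it, while the same rules in a single table (named "merged" here, a hypothetical name) give the intended result. The packet representation and the rule evaluation are simplified assumptions of mine.

```python
# Toy model of how nftables walks the base chains registered on one hook.
# Added illustration for the question above; NOT nftables code, semantics are
# simplified (constructed packets as dicts, no real conntrack lookups).
def ssh_new(p):  # iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state new
    return (p["iif"] == "eth12" and p["daddr"] == "172.16.0.1"
            and p["proto"] == "tcp" and p["dport"] == 22 and p["ct"] == "new")
def est_rel(p):  # ct state { established, related }
    return p["ct"] in ("established", "related")
def always(p):
    return True

# Chains as (match, verdict) rules. "log" stands for a log statement: it has no
# verdict, so evaluation continues with the next rule. Jump = ("jump", chain).
CHAINS = {
    ("filter_SSH", "ipv4_log_ssh"): [(always, "log"), (always, "accept")],
    ("filter_SSH", "input"): [(ssh_new, ("jump", "ipv4_log_ssh"))],
    ("ZZZ_accept_related", "ipv4_log_drop"): [(always, "log"), (always, "drop")],
    ("ZZZ_accept_related", "input"): [(est_rel, "accept"),
                                      (always, ("jump", "ipv4_log_drop"))],
    # The same rules merged into ONE table, catch-all drop last (hypothetical):
    ("merged", "input"): [(ssh_new, ("jump", "ipv4_log_ssh")), (est_rel, "accept"),
                          (always, ("jump", "ipv4_log_drop"))],
    ("merged", "ipv4_log_ssh"): [(always, "log"), (always, "accept")],
    ("merged", "ipv4_log_drop"): [(always, "log"), (always, "drop")],
}

def run_chain(table, chain, pkt):
    """Evaluate one chain: 'accept', 'drop', or None if no rule gave a verdict."""
    for match, verdict in CHAINS[(table, chain)]:
        if not match(pkt) or verdict == "log":
            continue
        if isinstance(verdict, tuple):  # jump; accept/drop in there ends this chain too
            v = run_chain(table, verdict[1], pkt)
            if v is not None:
                return v
            continue
        return verdict
    return None

def hook_verdict(base_chains, pkt):
    """base_chains: (priority, table, chain, policy) on the same hook. nft runs them
    in priority order; accept only ends the current base chain, drop is final.
    Equal priorities have no order you should rely on (list order here)."""
    for _prio, table, chain, policy in sorted(base_chains, key=lambda b: b[0]):
        if (run_chain(table, chain, pkt) or policy) == "drop":
            return "drop"
    return "accept"

SPLIT = [(0, "filter_SSH", "input", "accept"), (0, "ZZZ_accept_related", "input", "accept")]
MERGED = [(0, "merged", "input", "accept")]
```

`hook_verdict(SPLIT, pkt)` returns "drop" for a new SSH connection that filter_SSH already accepted, `hook_verdict(MERGED, pkt)` returns "accept"; only drop is final across tables, so a per-service accept must live in the same chain as the catch-all drop.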
2026-03-01 10:12 Mathias Dufresne [this message]
2026-03-01 13:52 ` [nftables] is it possible to declare multiple tables for a given family type? Florian Westphal