* [nftables] is it possible to declare multiple tables for a given family type?
From: Mathias Dufresne @ 2026-03-01 10:12 UTC (permalink / raw)
To: netfilter
Hi everyone,
I'm trying to replace my very old iptables script with nftables and I'm
wondering if it is possible to declare several tables of the same family.
As far as my tests went, it seems it is not or that I did not understand
the ordering of rules...
The goal would be to sort my rules among these tables...
Something like that:
===============================================================================
table ip filter_SSH {
    chain ipv4_log_ssh {
        counter packets 0 bytes 0 log prefix "Accept ip SVC for 'administrative services/ssh': "
        counter packets 0 bytes 0 log prefix "Accept ip SVC for 'administrative services/ssh': " group 2
        counter packets 0 bytes 0 accept
    }
    chain input {
        type filter hook input priority filter; policy accept;
        iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state new jump ipv4_log_ssh
        oif "eth12" ip saddr 172.16.0.1 tcp sport 22 ct state new jump ipv4_log_ssh
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state new accept
        oif "eth12" ip saddr 172.16.0.1 tcp sport 22 ct state new accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
        iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state new accept
        oif "eth12" ip saddr 172.16.0.1 tcp sport 22 ct state new accept
    }
}
table ip filter_DNS {
    chain ipv4_log_dns {
        counter packets 0 bytes 0 log prefix "Accept ip SVC for 'DNS': "
        counter packets 0 bytes 0 log prefix "Accept ip SVC for 'DNS': " group 2
        counter packets 0 bytes 0 accept
    }
    chain input {
        type filter hook input priority filter; policy accept;
        iif "eth12" ip daddr 172.16.0.2 udp dport 53 jump ipv4_log_dns
        oif "eth12" ip saddr 172.16.0.2 udp sport 53 jump ipv4_log_dns
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        iif "eth12" ip daddr 172.16.0.2 udp dport 53 accept
        oif "eth12" ip saddr 172.16.0.2 udp sport 53 accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
        iif "eth12" ip daddr 172.16.0.2 udp dport 53 accept
        oif "eth12" ip saddr 172.16.0.2 udp sport 53 accept
    }
}
table ip ZZZ_accept_related {
    chain ipv4_log_drop {
        counter packets 0 bytes 0 log prefix "DROP: dropping everything else"
        counter packets 0 bytes 0 log prefix "DROP: dropping everything else" group 2
        counter packets 0 bytes 0 drop
    }
    chain input {
        type filter hook input priority filter; policy accept;
        ct state { established, related } counter packets 556 bytes 48604 accept
        jump ipv4_log_drop
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        ct state { established, related } counter packets 0 bytes 0 accept
        jump ipv4_log_drop
    }
    chain output {
        type filter hook output priority filter; policy accept;
        ct state { established, related } counter packets 557 bytes 49124 accept
        jump ipv4_log_drop
    }
}
===============================================================================
Best regards,
mathias
* Re: [nftables] is it possible to declare multiple tables for a given family type?
From: Florian Westphal @ 2026-03-01 13:52 UTC (permalink / raw)
To: Mathias Dufresne; +Cc: netfilter
Mathias Dufresne <mathias.dufresne@gmail.com> wrote:
> Hi everyone,
>
> I'm trying to replace my very old iptables script with nftables and I'm
> wondering if it is possible to declare several tables of the same family.
Sure it is.
> The goal would be to sort my rules among these tables...
Why? It's awkward. In iptables it's much better to place all filter rules
in the filter table rather than spread them out over raw, mangle +
filter.
So why would you do that in nftables?
> chain input {
>     type filter hook input priority filter; policy accept;
>     iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state new jump ipv4_log_ssh
>     oif "eth12" ip saddr 172.16.0.1 tcp sport 22 ct state new jump ipv4_log_ssh
You have lots of 'sport 22 ct state new' rules, they make no sense.
If you already use connection tracking, why do you need a stateless-alike
rule? The replies from sshd should be handled via 'ct state
established'.
> chain forward {
>     type filter hook forward priority filter; policy accept;
>     iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state new accept
>     oif "eth12" ip saddr 172.16.0.1 tcp sport 22 ct state new accept
> }
This entire chain has no effect whatsoever, the filter policy is accept
so all packets are accepted, hence, the entire chain can be removed.
> chain output {
>     type filter hook output priority filter; policy accept;
>     iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state new accept
>     oif "eth12" ip saddr 172.16.0.1 tcp sport 22 ct state new accept
> }
Same. All packets are accepted, so why not remove the entire chain?
> chain input {
>     type filter hook input priority filter; policy accept;
>     ct state { established, related } counter packets 556 bytes 48604 accept
>     jump ipv4_log_drop
> }
That makes more sense. I suggest you place your other input rules here.
Just like in iptables, 'accept' in raw table just means packets
continue to travel through the stack, you need to accept them in mangle
and again in filter table.
Also, base chains (those with a line like
'type filter hook input priority filter; policy accept;') always cause a
slow-down: they divert all packets into the nftables vm, so it's a good idea to
minimize the amount of times this happens per packet.
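The consolidation Florian describes, written out as an added example (this is not a ruleset from either poster): the three tables above folded into one "ip filter" table with a single base chain per hook. It also shows why the original layout misbehaved: an "accept" verdict only ends evaluation in the base chain that issued it, and every other base chain registered on the same hook (here the input chains of filter_SSH, filter_DNS and ZZZ_accept_related, all at the same priority) still sees the packet, so a new SSH connection accepted in filter_SSH was still handed to ZZZ_accept_related, where it is neither established nor related and reaches "jump ipv4_log_drop". With one base chain per hook there is nothing left to re-evaluate the packet. The interface name, the two addresses and the nflog group 2 are taken from the post; the loopback rule and the "ct state invalid" rule are assumptions added here, as is the choice of "policy drop" so the chain itself is what decides the fate of unmatched packets.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: one table, one base chain per hook.
# Names log_ssh / log_dns / log_drop are chosen here; eth12, 172.16.0.1,
# 172.16.0.2 and nflog group 2 come from the original post.

flush ruleset

table ip filter {
    # Regular chains (no "hook"): they run only when a base chain jumps to them,
    # so they add no per-packet cost of their own.
    chain log_ssh {
        log prefix "Accept ip SVC for 'administrative services/ssh': "
        log prefix "Accept ip SVC for 'administrative services/ssh': " group 2
        counter accept
    }

    chain log_dns {
        log prefix "Accept ip SVC for 'DNS': "
        log prefix "Accept ip SVC for 'DNS': " group 2
        counter accept
    }

    chain log_drop {
        log prefix "DROP: dropping everything else"
        log prefix "DROP: dropping everything else" group 2
        counter drop
    }

    # The only base chain on the input hook. Policy drop: whatever this chain
    # does not accept is dropped here, not by some other table later on.
    chain input {
        type filter hook input priority filter; policy drop;

        # Replies and related flows first. This single rule replaces every
        # "sport 22 ct state new" / "sport 53" rule from the original ruleset.
        ct state established,related counter accept
        # Assumption: packets conntrack cannot classify are dropped early.
        ct state invalid counter drop
        # Assumption: local loopback traffic is always allowed.
        iif "lo" accept

        # New connections to the two services, each logged and accepted by
        # its own regular chain.
        iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state new jump log_ssh
        iif "eth12" ip daddr 172.16.0.2 udp dport 53 jump log_dns

        # Everything else is logged and dropped (policy drop would drop it
        # silently; the explicit jump keeps the original "DROP:" log line).
        jump log_drop
    }

    # Same pattern on the forward hook.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related counter accept
        ct state invalid counter drop
        iif "eth12" ip daddr 172.16.0.1 tcp dport 22 ct state new jump log_ssh
        iif "eth12" ip daddr 172.16.0.2 udp dport 53 jump log_dns
        jump log_drop
    }

    # No output base chain: every output rule in the original filter_SSH and
    # filter_DNS tables ended in "accept" under a "policy accept", so it only
    # cost a trip through the nftables vm. Add one, following the input
    # pattern, only if locally generated traffic really needs restricting.
}
```

Check the file with `nft -c -f <file>` before loading it with `nft -f <file>`, and inspect the result with `nft list ruleset`: there should be exactly one chain carrying `hook input` and one carrying `hook forward`, which is the property the original three-table layout lacked. Note that `flush ruleset` at the top wipes every table of every family on the host, so drop that line if other tables (for example an NAT table) must survive the reload.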