# Migrating from ip(6)tables to nftables

## pa4wdh

Hi All,

I'm an ip(6)tables fan and have pretty extensive rulesets, and I'd like to check out nftables. I've done some first experiments and it looks alright.

Before I can migrate all my rulesets there are two features I need which, according to the nftables wiki[1], are not supported (yet):

- The LED target (obviously not a hard requirement, but really nice to have)

- The string match

Both have a comment "Consider native". I don't really understand what they mean by that, and I also can't find any nftables-native solution.

Does anyone here know how to use similar features with nftables?

[1]: https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables

----------

## Ant P.

I guess they mean those things should now be done via a userspace program using the log/queue target. Batteries not included, naturally. I can see the reason for them changing it, but it is annoying.

----------

## pa4wdh

Thanks for your answer Ant P.

I'm more than happy to write my own userspace program if that's what's needed. For the LED target I can see it's quite easy: use the logging facility and have a userspace program read the log and perform the LED actions. For the string match I don't see how I can send the complete packet to a userspace program, perform the string match there, and send the result back to netfilter. Do you know how to do that? (Especially the sending to userspace and sending the result back.)

----------

## Ant P.

That's done with net-libs/libnetfilter_queue. Docs for that are here, and there's a link to an off-site example that looks close to what you want.

There's also net-libs/nfqueue-bindings, but that's been p.masked recently.

----------

## pa4wdh

Thanks, that is very useful Ant P.

I also found the "payload" option in nftables; for data that has a predictable location in the packet that might be a better (and better performing) option than nfqueue.

It's time to start experimenting again, thanks!
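As an added example (not posted by anyone in this thread), here is an nft ruleset showing the three nft-native stand-ins discussed above: a tagged log line in place of the LED target, a raw payload match for a string at a fixed offset, and a queue to userspace for matches at a variable position. The interface name, ports, addresses and log prefix are constructed for illustration.

```nft
#!/sbin/nft -f
# Added example: nft-native replacements for the LED target and the string match.
# Interface, ports, addresses and the log prefix are constructed, not taken from a real box.
flush ruleset

define lanif = "eth0"

table inet filter {
    # Hosts allowed to start SIP calls; a set keeps the rule below short and readable.
    set sip_peers {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # LED target replacement: emit a kernel log line with a fixed prefix.
        # A userspace daemon following the log turns that prefix into an LED action.
        tcp dport 22 ct state new log prefix "led-ssh: " accept

        # String match replacement, fixed position: the UDP header is 8 bytes,
        # so @th,64,32 selects the first 4 bytes of the UDP payload.
        # 0x494e5649 is ASCII "INVI", the start of a SIP INVITE.
        iifname $lanif udp dport 5060 @th,64,32 0x494e5649 ip saddr != @sip_peers counter drop

        # String match replacement, variable position: hand the packet to a
        # libnetfilter_queue program listening on queue 0, which sets the verdict.
        # 'bypass' accepts the packet instead of dropping it when nothing is listening.
        iifname $lanif udp dport 5060 queue num 0 bypass
    }
}
```

Offsets for `@th` are in bits and count from the start of the transport header, so for TCP the payload offset depends on the options length; `@th` with a fixed offset is only reliable for headers of fixed size such as UDP.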

----------

## eccerr0r

Anyone happen to know when iptables too will be deprecated completely? :(

Just noticed my iptables commands didn't work on another machine I was working on and found nftables documentation which seems to indicate it's a replacement, once again (ipfw anyone? others? when will linux firewall rules settle down? ever?)...

So far iptables should still work fine for now after finding the kernel options that I was missing.  Sigh.  Compile again...

----------

## Zucca

IIRC nftables has some "raw" commands which are in iptables format syntax.

Anyways. You can use nftables like iptables, that is, run multiple nft commands in a shell script. Or you can create an "nft native" rulefile. I don't really know if they are really called "rulefiles".

Here's one old file I created for one of my boxes:

```
#!/sbin/nft -f

# Before work - we clean our working table.
flush ruleset

# Define / set some variables
# ...so that when change is needed it _could_ be easier(?).
define wanif = ethmb0
define wlanif = wlanusb0
define lanif = ethcard0

# ipv4 NATting
# Note that when natting you cannot use 'inet'.
table ip ipreroute {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # We have DNSd too!
        ip daddr { 1.1.1.1, 8.8.4.4, 8.8.8.8, 165.193.78.252 } dnat to 10.0.0.1
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $wanif masquerade
    }
}
```

Also see nft quick reference.

----------

## pa4wdh

I'm not aware of any deprecation plans.

If you prefer the iptables syntax you can also have the iptables tools which use nftables as a backend, so to you it'll be like nothing has changed, but in the kernel you're using the nftables stuff. As far as I know you can do that by setting the nftables USE flag for net-firewall/iptables.

Next to that I can highly recommend learning nftables. I've migrated a ~1500 rule iptables setup and a similar amount of rules for ip6tables to a single nftables ruleset of ~2000 rules and never looked back. I got so used to the nftables syntax that iptables looks a bit old fashioned now. Especially sets can make your ruleset a lot easier to read.

----------

## eccerr0r

I suppose right now it's a deployment issue, wanted to deploy a simple firewall on a remote system. Of course the hazards of screwing up a rule exist - do something that's familiar when working on something risky...

... experiment something risky on something that you don't have to worry too much about ...

... and then migrate over once familiar.

Ah, oh well.

----------

## Princess Nell

This thread seems to have been dormant for a while, but just in case: have you tried the iptables-restore-translate tool described in the nftables wiki? You'll need to build net-firewall/iptables with the nftables USE flag to get those extra tools.

----------

