Simple nftables configuration

okay so, nftables was added to mainline kernel in 3.13 (2014). it's going to replace iptables, so I figured I'd write up a short config to show how much better it is.

with iptables, you'd do;

iptables -A OUTPUT -d 1.2.3.4 -j DROP

and with nftables you'd do;

nft add rule ip filter output ip daddr 1.2.3.4 drop

now this is the example used on wikipedia to show the syntax difference, which I think is a poor example.

what would make way more sense is to show an actual config file, like my /etc/nftables.conf;

#!/usr/sbin/nft -f
# vim: ft=pf
flush ruleset

define tcp_services = { ssh, 9090 }
define nfs_services = { nfs, sunrpc, 32767 }


table inet filter {
    chain input {
        type filter hook input priority 0;
        policy drop;

        iif lo accept;

        ct state established, related accept;
        ct state invalid drop;

        # accept ping
        ip protocol icmp icmp type echo-request ct state new accept;

        # accept incoming connections on these ports
        tcp dport $tcp_services accept;

        # enable nfs locally
        tcp dport $nfs_services ip saddr 192.168.0.0/24 accept;

        # to not break ipv6
        ip6 nexthdr icmpv6 icmpv6 type {
            nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert
        } accept
    }

    chain forward {
        type filter hook forward priority 0;

        # route your own packets
        policy drop;
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}

this is my config, and as you can probably tell, it looks similar to pf.conf, or if you've been deeper into iptables, it looks like ferm.conf.

so what it does is: it opens up port 22 (ssh), 9090 (which I use for screen sharing), and { nfs, sunrpc, 32767 (portmapper) }, but the latter only if the source address is from my local network.

to load the config, you just execute the config file: doas /etc/nftables.conf.
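as an added example (my own, not the config above), here is the same ruleset with counters and rate-limited logging, so you can actually see what the firewall is dropping instead of guessing; it also accepts ICMPv6 echo-request, which the config above leaves out. the lan define and the log prefix are my choices:

```nft
#!/usr/sbin/nft -f
# added example, not the config from the post above: same services, same
# 192.168.0.0/24 LAN, plus counters and a rate-limited log of dropped input
# so dropped traffic shows up in dmesg / journalctl -k
flush ruleset

define tcp_services = { ssh, 9090 }
define nfs_services = { nfs, sunrpc, 32767 }
define lan = 192.168.0.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid counter drop

        # ping, plus the ICMPv6 messages IPv6 cannot work without
        ip protocol icmp icmp type echo-request ct state new accept
        ip6 nexthdr icmpv6 icmpv6 type {
            nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, echo-request
        } accept

        # new ssh/9090 connections, counted so 'nft list ruleset' shows hit rates
        tcp dport $tcp_services ct state new counter accept

        # nfs only from the local network
        ip saddr $lan tcp dport $nfs_services accept

        # everything else: log a sample of what gets dropped, then drop it
        limit rate 5/minute log prefix "nft-input-drop: "
        counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

check it with nft -c -f /etc/nftables.conf before loading; -c parses the file without touching the live ruleset, so a typo doesn't leave you with an empty table after flush ruleset.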