nftables is the packet filtering framework of the Linux kernel's netfilter subsystem and the successor to iptables; most current distributions already ship it as the default, with the iptables command kept only as a compatibility layer (iptables-nft) on top of it. In this post, I present the most useful commands that have proven effective in my daily admin work.
The creation of new tables and chains is rarely needed in my practice, so I won’t cover that here.
In Part 1, I explain the basic concepts. In Part 2, I go over the most important commands.
Definition of Terms
table
A table is the top-level organizational unit. It contains chains, sets, maps, flowtables, and stateful objects (counters, quotas, limits). In the following, I'll focus only on chains and sets.
Common families for tables:
- ip (IPv4 only)
- ip6 (IPv6 only)
- inet (combines IPv4 + IPv6)
- arp, bridge, netdev (for special scenarios)
A table belongs to exactly one family and only ever sees packets of that family. For a host firewall, inet is the usual choice because it avoids maintaining duplicate IPv4 and IPv6 rules.
Example of a simple inet table:
    table inet mytable {
        # set: a named collection of values, referenced from rules as @blacklist
        set blacklist {
            type ipv4_addr
            elements = { 1.2.3.4, 5.6.7.8 }
        }
        # map: key -> value; here a verdict map (port -> accept/drop),
        # used from a rule with "tcp dport vmap @portmap"
        map portmap {
            type inet_service : verdict
            elements = { 22 : drop, 80 : accept }
        }
        # base chain: bound to the input hook, with a default policy
        chain input {
            type filter hook input priority 0; policy accept;
            ip saddr @blacklist drop
        }
        # stateful object: a named counter that rules can reference
        counter mycounter {
            packets 0 bytes 0
        }
    }
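As an added example that is not part of the original post, here is a complete inet table implementing a small host firewall. It puts the building blocks above to work: two address sets (one with CIDR ranges), a verdict map looked up with vmap, and three base chains with explicit policies. The table, set, map and chain names (hostfw, blocklist4, ssh_allow, service_verdicts) and the addresses are illustrative.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the original post. One inet table implementing a
# small host firewall; the table, set, map and chain names are illustrative.

# WARNING: "flush ruleset" removes every table, including ones created by other
# tools (Docker, libvirt, fail2ban). Leave it out if those must survive a reload.
flush ruleset

table inet hostfw {
    # Addresses that are never allowed in; "interval" permits CIDR prefixes.
    set blocklist4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    # Management networks allowed to reach SSH.
    set ssh_allow {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    # Verdict map: one lookup replaces a rule per service port.
    map service_verdicts {
        type inet_service : verdict
        elements = { 80 : accept, 443 : accept, 25 : drop }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        ip saddr @blocklist4 drop

        meta l4proto { icmp, ipv6-icmp } accept

        # SSH only from the management set; everything else falls to the policy.
        tcp dport 22 ip saddr @ssh_allow accept

        # Per-port verdicts from the map.
        tcp dport vmap @service_verdicts

        # Rate-limited log of what is about to hit the drop policy.
        limit rate 5/minute log prefix "hostfw input drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file with `nft -c -f hostfw.nft` before loading it with `nft -f hostfw.nft`. Note that the sets are ipv4_addr only: SSH over IPv6 would be dropped by the policy until an ip6_addr set and a matching `ip6 saddr` rule are added.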
chain
A chain is an ordered container for rules. A chain bound to a hook (a base chain) processes incoming, forwarded, or outgoing packets, depending on the hook; its rules are evaluated top to bottom until one of them issues a verdict.
Typical examples:
- chain input
- chain output
- chain forward
- custom chains like chain f2b-chain (for fail2ban)
A base chain (one with a hook) can also define a policy, the verdict applied when no rule matches:
- drop → the packet is silently discarded
- accept → the packet is accepted
If no policy is given, the default is accept. Chains without a hook cannot have a policy; if none of their rules matches, evaluation returns to the chain that jumped to them.
Example of a simple input chain:
    chain input {
        type filter hook input priority 0;
        policy accept;
        ip saddr @blacklist drop
        tcp dport 22 accept
    }
In this example:
- The chain is bound to the input hook (packets addressed to this host),
- with the policy accept as the default behavior,
- and evaluates two rules: blocking IPs from a set (@blacklist) and allowing SSH (port 22).
Because the policy is accept, the SSH rule here only documents intent; in a real host firewall the policy is drop and rules like this one open the ports that are allowed.
rule
A rule defines what should happen to a network packet when certain conditions are met. It consists of:
- Match conditions (e.g., source IP, destination port, protocol)
- Statements: verdicts that end evaluation of the packet in this chain (accept, drop, reject, jump, return) and non-terminal statements such as log and counter, which run and then let evaluation continue
A rule without a verdict just runs its statements and evaluation proceeds with the next rule.
Example:
    tcp dport 22 ip saddr @addr-set-sshd reject
This rule:
- applies to TCP packets targeting port 22 (SSH),
- checks whether the source address is included in a set called addr-set-sshd,
- and rejects the packet, i.e., discards it and sends an error back to the sender.
By default, reject answers with an ICMP port-unreachable message. For TCP, `reject with tcp reset` is the usual choice: it sends a TCP RST, which is what a closed port would do, so the client's connection attempt fails immediately.
set
A set is a collection of values of one type that rules reference by name (@name). Typical contents are IP addresses, ports, interface names, or concatenations of several values (e.g., IP + port). Elements can be listed statically in the ruleset or added and removed at runtime.
Sets are commonly used for:
- IP blocklists (e.g., in combination with Fail2Ban)
- Port allowances
- Collapsing many near-identical rules into a single one (one set lookup instead of a linear walk through rules)
Example:
    set blacklist {
        type ipv4_addr;
        elements = { 1.2.3.4, 5.6.7.8 }
    }
- type defines the key type (e.g., ipv4_addr, ipv6_addr, inet_service for ports, ifname for interfaces, or a concatenation such as ipv4_addr . inet_service); verdict is not a set type but the value type of a map
- elements contains the entries
- flags (optional) changes the behavior: interval allows CIDR prefixes and port ranges as elements, timeout lets elements expire on their own, dynamic lets rules add elements themselves
Sets are especially useful because their elements can be added or removed at runtime (nft add element / nft delete element) without reloading the entire ruleset; a ban tool such as Fail2Ban only has to touch the set, never the rules.
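The runtime changes described above, as an added example that is not part of the original post. It is written as an nft script (load with `nft -f`; each line also works as a single `nft ...` command) and assumes the table inet mytable with its set blacklist from the table example above; the second set, ssh_bans, is an assumption made for this example.

```nft
# Added example, not from the original post. Runtime changes to sets.
# Assumes "table inet mytable" with "set blacklist" as in the table example;
# the set "ssh_bans" and all addresses are illustrative.

# Add and remove entries without touching any rule that references the set:
add element inet mytable blacklist { 203.0.113.9, 203.0.113.10 }
delete element inet mytable blacklist { 5.6.7.8 }

# A set created with the timeout flag expires its own entries, which is the
# natural shape for temporary bans; this one starts empty.
add set inet mytable ssh_bans { type ipv4_addr; flags timeout; }
add element inet mytable ssh_bans { 198.51.100.23 timeout 10m }

# Reference the new set from a rule. "insert" puts the rule at the top of the
# chain, ahead of the existing rules; "add rule" would append it at the end.
insert rule inet mytable input ip saddr @ssh_bans drop
```

Inspect the result with `nft list set inet mytable ssh_bans`; the remaining lifetime of each element is shown with it. To lift all bans at once use `nft flush set inet mytable ssh_bans`, which empties the set but keeps it and the rules that reference it. Two caveats: `delete element` fails if the element is not present, and elements added at runtime are not persistent; a reload of the ruleset file (especially one starting with `flush ruleset`) discards them unless the tool that added them re-adds them.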
hook
A hook binds a chain to a specific point in the network stack, i.e., to a phase of packet processing in the Linux kernel; such a chain is called a base chain. Without a hook, a chain (a regular chain) is only usable internally, as a target for jump statements. Common hooks include: prerouting (every packet that arrives, before the routing decision), input (packets addressed to this host), forward (packets routed through this host), output (locally generated packets), and postrouting (every packet about to leave). The netdev family additionally offers ingress, which sees packets right after the network driver.
Example of a chain with a hook:
    chain input {
        type filter hook input priority 0;
        policy accept;
        ip saddr @blacklist drop
    }
This definition:
- binds the chain to the input hook (incoming packets to the system),
- with priority 0 (execution order within the hook),
- and sets the policy to accept if no rule matches.
Priority (priority) determines the order of execution if multiple chains use the same hook, whether in the same table or in different ones.
Lower values → earlier execution. The common values have names that can be used instead of the number, e.g., raw (-300), mangle (-150), dstnat (-100), filter (0), security (50), and srcnat (100).
An important detail: an accept verdict only ends evaluation in the chain that issued it. The packet still passes through every later chain on the same hook, and a drop in any of them wins. Only drop and reject are final.
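The following added example, not code from the original post, illustrates both the rule section (non-terminal statements such as counter and log next to verdicts) and the hook section (a regular chain that is only reachable via jump, and two base chains on the same hook ordered by priority). The table and chain names (demo, ssh_guard, early_log) are illustrative; the set addr-set-sshd reuses the name from the rule example.

```nft
# Added example, not from the original post. It shows (1) non-terminal
# statements (counter, log) next to verdicts, (2) a regular chain without a hook
# that only runs when jumped to, and (3) two base chains on the same hook
# ordered by priority. Table and chain names are illustrative; the set
# addr-set-sshd follows the name used in the rule example.
table inet demo {
    set addr-set-sshd {
        type ipv4_addr
        flags timeout
    }

    # Regular chain: no "type ... hook ..." line, so no policy and no direct
    # packet flow; it is entered only via jump. If no rule gives a verdict,
    # evaluation returns to the calling chain right after the jump.
    chain ssh_guard {
        # counter records hits, then the verdict ends evaluation.
        # "with tcp reset" answers with a TCP RST instead of the default ICMP
        # port-unreachable, so the client's connection attempt fails at once.
        ip saddr @addr-set-sshd meta l4proto tcp counter reject with tcp reset
    }

    # priority -10 runs before the priority-0 chain on the same hook.
    # Its "accept" only ends evaluation in this chain; the packet still goes
    # through the input chain below, where it can be dropped.
    chain early_log {
        type filter hook input priority -10; policy accept;
        ct state new limit rate 10/second log prefix "new conn: "
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 jump ssh_guard
        tcp dport 22 accept
        # counter without a verdict: counts the packets the policy will drop,
        # then falls through to that policy.
        counter
    }
}
```

A packet from a banned address to port 22 is logged by early_log, then dropped (with an RST sent back) in ssh_guard and counted there; a packet from any other address takes the jump, finds no matching rule in ssh_guard, returns to input and is accepted by the next rule. `nft list chain inet demo ssh_guard` shows the counter's packet and byte totals.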
ruleset
The ruleset is the complete nftables rule configuration on a system.
It includes all tables, chains, rules, sets, maps, objects, and flowtables, that is, the entire firewall state. nft list ruleset prints it in exactly the syntax shown above, and the output can be saved to a file and loaded again with nft -f.