After explaining the basic nft concepts in Part 1, I’ll now present the most important commands in Part 2.
I’ll omit sudo in the following examples; in practice it will be required when running nft commands.
Display the complete configuration:
nft list ruleset
This command displays the entire current nftables ruleset.
Since the ruleset can become quite large depending on its complexity, I’ve created a custom script that trims the output to the essentials: for multiline blocks within curly braces, only the first and last line are shown.
This is especially useful when analyzing or comparing the structure using LLMs (e.g., ChatGPT, Claude, Gemini).
Here’s a one-liner that shortens the ruleset output:
nft list ruleset | awk 'BEGIN{b=0;h="";c=0;f="";l="";e=""} /{/&&!/}/{if(b)print;else{b=1;h=$0;c=0;f="";l="";e=""};next} /}/&&!/{/{if(b){b=0;print h;if(c<=2&&e!="")print e;else if(c>2){print f;print l};print $0}else print;next} {if(b){if(NF>0&&!/^[[:space:]]*$/){c++;if(c==1)f=$0;l=$0;if(c<=2){if(e=="")e=$0;else e=e"\n"$0}}}else print}'
Listing Tables and Chains
Tables and chains were explained in Part 1 of this cheat sheet – here I’ll show you the most important commands to list them.
List tables:
nft list tables # lists all tables
# Example output:
table ip filter
table ip nat
table ip6 filter
table ip6 nat
table inet firewalld
# View a specific table (e.g., Fail2Ban table)
nft list table inet f2b-table
# List all chains of this table with handle numbers (-a is important!)
nft -a list chain inet f2b-table f2b-chain
Output:
table ip filter
table ip nat
table ip6 filter
table ip6 nat
table inet firewalld
table inet f2b-table
Here’s what it means:
inet = family (IPv4 + IPv6)
f2b-table = table name (automatically created by Fail2Ban in this example)
Display a specific table:
nft list table <family> <tablename>
nft list table inet f2b-table
In the output, you’ll see the contents of the table, such as sets and chains.
Display a chain of a table (including handles):
nft -a list chain <family> <tablename> <chainname>
nft -a list chain inet f2b-table f2b-chain
-a also displays the handle IDs, which you need to delete individual rules
f2b-chain is the name of the chain, automatically created by Fail2Ban in this example
When you display the contents of a table, the chains are listed as well.
Rules
Rules are always part of a chain, so there’s no need to display them separately.
Displaying Sets
To display the sets of a table, you’ll need grep and sed:
nft list sets table inet f2b-table | grep "set" | sed 's/ {$//'
The result will be a list of the sets contained in the table.
You can display a complete set as follows:
nft list set <family> <tablename> <set-name>
nft list set inet f2b-table addr-set-proftpd
The result will be a list of all entries in the set:
table inet f2b-table {
    set addr-set-proftpd {
        type ipv4_addr
        elements = { 1.95.66.108, 2.59.152.3,
                     8.130.146.108, 8.134.69.106,
                     ...
                     222.252.20.251, 223.240.69.191 }
    }
}
If you want to query a single element from a set, you can use:
nft get element <family> <tablename> <setname> { <element> }
nft get element inet f2b-table addr-set-proftpd { 185.156.73.233 }
The result will look like this:
table inet f2b-table {
    set addr-set-proftpd {
        type ipv4_addr
        elements = { 185.156.73.233 }
    }
}
But be careful: if the element is not found, you’ll get a rather cryptic error message:
Error: Could not process rule: No such file or directory
get element inet f2b-table addr-set-proftpd { 1.2.3.4 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
So it’s better to always use grep:
nft list set <family> <tablename> <setname> | grep 1.2.3.4
If the element is not found, the output will be empty.
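As an added example that is not part of the original cheat sheet: a small POSIX shell function that checks membership exactly on the text output of nft list set, so that a plain grep pattern such as 8.134.69.10 (where each dot also matches any character) does not report 8.134.69.106 as a hit. The set listing it runs on here is a constructed sample shaped like the output above; in real use, pipe nft list set into it.

```shell
#!/bin/sh
# Exact membership test on the text output of `nft list set`.
# Usage: nft list set <family> <tablename> <setname> | set_has_element <element>
# Exit status 0 = element present, 1 = absent.
set_has_element() {
  awk -v want="$1" '
    /elements = [{]/ { inside = 1 }           # start of the elements block
    inside {
      line = $0
      sub(/^[^{]*[{]/, "", line)             # drop "elements = {" on the first line
      if (line ~ /[}]/) { sub(/[}].*$/, "", line); done = 1 }   # closing brace reached
      n = split(line, parts, ",")            # elements are comma separated
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
        split(parts[i], words, " ")          # "1.2.3.4 timeout 1h ..." -> element is the first word
        if (words[1] == want) found = 1
      }
      if (done) inside = 0
    }
    END { exit(found ? 0 : 1) }'
}

# Constructed sample in the shape of `nft list set inet f2b-table addr-set-proftpd` (not a real capture).
SAMPLE_SET='table inet f2b-table {
    set addr-set-proftpd {
        type ipv4_addr
        elements = { 1.95.66.108, 2.59.152.3,
                     8.130.146.108, 8.134.69.106,
                     222.252.20.251, 223.240.69.191 }
    }
}'

# 8.134.69.106 is in the set; 8.134.69.10 is not, although `grep 8.134.69.10` would match it.
for ip in 8.134.69.106 8.134.69.10; do
  if printf '%s\n' "$SAMPLE_SET" | set_has_element "$ip"; then
    echo "$ip: present"
  else
    echo "$ip: absent"
  fi
done
```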
You can add an element to a set like this:
nft add element <family> <tablename> <setname> { <element> }
nft add element inet f2b-table addr-set-proftpd { 1.2.3.4 }
You can remove an element from a set like this:
nft delete element <family> <tablename> <setname> { <element> }
nft delete element inet f2b-table addr-set-proftpd { 1.2.3.4 }