nftables

From Alpine Linux
Revision as of 01:37, 3 January 2026 by John3-16 (1. Consolidated packaged rules passages (partly repetitive despite prior useful edits); 2. 'Packaged rules' section made subsection of Configuration, adding subheadings for downloading/enabling and reloading steps; 3. Added 'reload' passage, indicating that nftables is not a daemon so it will not appear under rc-status; 4. See also: Added Tutorials and Howtos - Firewall; 5. Style/grammar amendments.)

The nftables project provides userspace tools to control the Linux nftables subsystem.

Installation

To use the nft command from the nftables package, install it first:

# apk add nftables

Configuration

The default rules shipped with nftables block all incoming connections. The service that loads the rules from the /etc/nftables.d folder can be started with:

# rc-service nftables start

To also start it automatically on future boots:

# rc-update add nftables boot

Additional installed packages may, however, ship further packaged rules of their own.

Packaged rules

Downloading and enabling rules

Rules may also be placed elsewhere, in the /usr/share/nftables.avail folder, and those must be enabled before they take effect. Server software packages accompanied by an -nftrules package, for example, include the typical default rules to expose the server, but these rules are only downloaded and must then be enabled: the openssh-nftrules package, for instance, only downloads rules to open the default port(s) used by openssh.

Tip: On Alpine Linux Edge and from v3.23 onwards, all -nftrules packages that are available for your current installation, as well as for any package installed in the future, can be downloaded by installing nftables-rulesets from the main repo:

# apk add nftables-rulesets

These rules are not active upon package installation: they are only downloaded into that /usr/share/nftables.avail/ directory. The user can then enable them, either by:

  • symlinking them individually into /etc/nftables.d/. For example, if the rule file /usr/share/nftables.avail/sshd.nft exists, issue the command below:

    # ln -s /usr/share/nftables.avail/sshd.nft /etc/nftables.d/sshd.nft

  • or adding the configuration line include "/usr/share/nftables.avail/*.nft" to /etc/nftables.nft.
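The following is an added illustration of how the two options above fit together; it is not Alpine's shipped /etc/nftables.nft or the packaged sshd.nft, and the table name (inet filter), chain names and the port number are assumptions. It shows a default-deny base ruleset that pulls in per-service files with include, and a per-service file of the kind an -nftrules package provides, which only adds rules to the chain the base file already declares:

```nft
#!/usr/bin/nft -f
# ---- /etc/nftables.nft (hypothetical base ruleset, added example) ----

# Start from an empty ruleset so that re-running "nft -f" replaces the
# rules instead of appending duplicates of them.
flush ruleset

table inet filter {
    chain input {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Replies to connections this host initiated, and related traffic.
        ct state established,related accept
        # Packets conntrack cannot classify (e.g. stray segments).
        ct state invalid drop
        # Loopback must always work.
        iif lo accept
        # ICMP/ICMPv6 are needed for path-MTU and neighbour discovery.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# Option 1: only the rule files that were symlinked into /etc/nftables.d/.
include "/etc/nftables.d/*.nft"
# Option 2 (instead of the line above): everything that was downloaded.
# include "/usr/share/nftables.avail/*.nft"

# ---- /usr/share/nftables.avail/sshd.nft (hypothetical packaged rule file) ----
# Redeclaring the table and chain without hook properties appends these
# rules to the chain defined above, so the names must match the base file.
table inet filter {
    chain input {
        # Assumed default port for openssh; the real file may differ.
        tcp dport 22 accept
    }
}
```

Two points worth keeping in mind: an included file can only add rules to a table and chain whose names match the base ruleset, so a packaged file written for a differently named chain is silently ineffective rather than protective; and a syntax error in any one included file makes the whole load fail, so check the complete ruleset with nft -c -f /etc/nftables.nft before reloading the service.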

Reloading rules

The new ruleset can then be applied by reloading the service, or by rebooting. Reloading preserves existing connections (the connection-tracking, "conntrack", state), so it is preferable to restarting the service:

# rc-service nftables reload

or, alternatively, load the new ruleset with:

# nft -f /etc/nftables.nft

The nftables service is an init script that, when started or reloaded, runs once to load the rules and then exits. It is not a daemon, so it will not appear afterwards in the output of rc-status.

See also