nftables is the packet-classification framework built into the Linux kernel that replaces the legacy quartet of iptables, ip6tables, arptables, and ebtables with a single unified tool (nft). It has been available since Linux kernel 3.13 (2014) and is now the default firewall backend on the major distributions: RHEL 8+, Fedora 32+, Debian 10+, and Ubuntu 20.04+. Unlike iptables, nftables has no predefined tables or chains; every table and chain, including the hook and priority a base chain binds to, must be declared explicitly, so the kernel only runs the hooks you actually register. The price is that you must understand the hierarchy: tables → chains → rules. The single most important mental model to internalize is that base chains registered on the same hook run in ascending priority order, and an accept verdict ends evaluation of that chain only: the packet still traverses every later base chain on the same hook, and can be dropped there. Only drop (and reject) is final.
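The following ruleset is an added example, not code from the original page: two base chains in one inet table bound to the same input hook at different priorities, showing that accept in the earlier chain does not exempt a packet from the later one while drop is final. Interface names and the 203.0.113.0/24 source range (a documentation prefix) are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: verdict semantics across two base chains on one hook.
# Check syntax without loading:  nft -c -f thisfile
# Load (replaces the current ruleset because of 'flush ruleset'):  nft -f thisfile
flush ruleset

table inet demo {
    # Runs FIRST on the input hook: a lower priority number runs earlier.
    chain early {
        type filter hook input priority -10; policy accept;

        # 'accept' ends evaluation of THIS chain only. The packet is then
        # handed to the next base chain on the input hook ('late' below),
        # which can still drop it.
        tcp dport 22 accept

        # 'drop' is final: no later base chain on this hook sees the packet,
        # so 'late' never gets a chance to accept it.
        ip saddr 203.0.113.0/24 drop   # assumed example range (TEST-NET-3)
    }

    # Runs SECOND on the same hook. Priority 0 is the named priority "filter".
    chain late {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # SSH was accepted in 'early', but without this rule the policy
        # of 'late' drops it anyway. Each base chain must allow the traffic.
        tcp dport 22 accept
    }
}
```

After loading, `nft list ruleset` shows both chains; recent nft releases also offer `nft list hooks` to display, per hook, the order in which base chains (and other hook users such as conntrack) are called, which is the quickest way to confirm the priority ordering you intended.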
What This Cheat Sheet Covers
This topic spans 21 focused tables and 150 indexed concepts. Below is a complete table-by-table outline, from foundational concepts through advanced details.
Table 1: Address Families (Table Families)
Each nftables table is tied to an address family that determines which layer of the networking stack it inspects. Choosing the right family is the first design decision, because it controls both which hooks are available and what traffic the rules can see.
| Family | Example | Description |
|---|---|---|
| inet | `add table inet filter` | Covers both IPv4 and IPv6 in the same ruleset; the preferred family for dual-stack hosts. Replaces separate iptables + ip6tables rulesets. It covers only IP traffic: ARP and bridged frames need the arp and bridge families. |
| ip | `add table ip filter` | IPv4 traffic only. Legacy-equivalent to iptables. IPv6 is not filtered at all unless an ip6 or inet table also exists. |
| ip6 | `add table ip6 filter` | IPv6 traffic only. Legacy-equivalent to ip6tables. |
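As an added example (not from the original page), here is a minimal dual-stack input policy in a single inet table. It shows how family-specific expressions (ip, ip6, icmp, icmpv6, meta nfproto) narrow individual rules to one family while rules without such expressions apply to both, and it keeps the ICMPv6 neighbour-discovery traffic that IPv6 needs and that a ruleset ported from an IPv4-only `ip` table typically forgets. The service ports and the 203.0.113.0/24 range are illustrative assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: one inet table instead of separate ip and ip6 tables.
# Validate first:  nft -c -f thisfile
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Family-agnostic rules: apply to IPv4 and IPv6 alike.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # IPv4-only: 'icmp' implies the IPv4 family inside an inet table.
        icmp type echo-request limit rate 5/second accept

        # IPv6-only: neighbour discovery and router advertisements must be
        # allowed or IPv6 connectivity silently breaks. 'icmpv6' implies ip6.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, echo-request } accept

        # Explicit family selection with meta nfproto; 'ip saddr' alone
        # would already restrict the rule to IPv4.
        meta nfproto ipv4 ip saddr 203.0.113.0/24 drop   # assumed example range

        # Family-agnostic service rules (assumed ports).
        tcp dport { 22, 443 } accept
    }
}
```

Had the same rules been placed in `table ip filter`, the IPv6 side of the host would have no input policy at all, because an ip table never sees IPv6 packets; the inet family removes that class of oversight.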