Looking for a good nft tutorial

Someone sent me a set of nft commands, which seemed to work. But I can't find much of an explanation of what they do.

Is there a good tutorial for the basics of nftables? I assume that OpenWrt's implementation is identical to every other, so links to any good one would be appreciated. Thanks.


Agreed; it's time for the Jedi Masters to share their secrets.



The wiki might seam's to be confusing at first sight but is actually quiet good.

1 Like

I have seen that page. But it doesn't even answer the question: How can I see the rules that are in place now?

The best my Google-fu could do is: https://www.mankier.com/8/nft that says:

nft list ruleset

But then how do I interpret the output? Links appreciated. Thanks all...

Are you aware that you did not have asked this question? Did you (at least) tried to read the articles which are linked on the front page of that wiki?

If you do not ask any specific question or show rules where you have struggles no one is able to help you...

Yes, I did try to read some of the articles. My sense was that they were written as a cheat-sheet for someone who already knows how the system works.

I'm a newcomer to nftables. And so my original question still stands:

So far, the answer seems to be, "No." I would love to be proven wrong by having someone provide links. Thanks.

1 Like

I also need intro material to read. I just found this one and it looks decent:

We may have to look to books to get more basics, background and theory etc. ...Or perhaps look for basics in documentation for iptables and then work from there to transfer knowledge into working with nftables.

1 Like

I might asked again: what is your struggle? The wiki explains tables and chains and rules. It also explains how to use advanced concepts like vmaps, sets and how you should organize your ruleset.
Are you looking for basic firewall rules? Are you searching how the Linux packet filtering system works?
Just throwing a "I'm looking for explanation" without saying for what will not bring any benefits.
The web is full of 5 minute introductions. The arch wiki contains an okish overview what rules you might want on a workstation. And so on.

But back to your initial post: you said you have gotten rules you do not understand. The 10 min introduction is a cheat sheet for quick lookup of options. But you still failed to provide rules which you do not understand. And again you have not asked for an introduction you have asked about specific rules. So the reader would assume you have a basic understanding how a firewall on Linux works in general...

So my last try: what rules do you have which you do not understand? Or provide the full rule set with inline comments what is unclear to you.

@_bernd I would like to push back a little here on your position and tone because I feel the same way as @richb-hanover-priv.

It is a well-recognised phenomenon that highly technically minded individuals are often not well suited to communicating or describing technical subject-matter in a manner that facilitates a rapid understanding by others. In my work I often have to form a bridge between inventors and the provision of a technical description of inventions, and so I experience this first hand.

I do not think that the nftables wiki provides a good introduction or overview for those not familiar with nftables or perhaps even not familiar with iptables. Like @richb-hanover-priv indicated it seems to assume a great deal of background knowledge.

@richb-hanover-priv asked for:

and I would like one too.

I came across this:

and found that fairly helpful.

The OpenWrt wiki in general leaves a lot to be desired as compared to the quality of, say, the ArchLinux wiki.

Let's take a look at the OpenWrt page on nftables:

It clearly needs a lot of work. Will it get it? Probably not any time soon. I would be willing to help, but to contribute requires understanding and gaining understanding is the problem we face!

By way of what I think is a helpful comparison, consider by contrast the Archlinux wiki:


The OpenWrt wiki entry for nftables leaves a fair amount to be desired and lacks practical assistance for basic concepts like, for example, how to add a custom table. Taking the latter example, as far as I can tell, an explanation for that is buried in a comment on a GitHub issue here:

And even then the default behaviour is that if the firewall does not properly load owing to a typo in a config file or similar the user cannot even access his OpenWrt system on reboot without entering failsafe mode. Ouch!

In general improved knowledge sharing is an area that I think the OpenWrt project as a whole could benefit from. The wiki is surely an important and promising avenue for such improvement, and of course that requires willing volunteers and improving the culture in respect of documentation. Not easy, but I hope this may get better with time.


In my experience, the best tutorial is to read and understand a well-documented nftables ruleset (see many of dlakelan’s threads and github repo). nftables is not well-understood yet compared to iptables, and is still under active development by the Netfilter team, so existing tutorials get stale quickly.

Isn’t firewall3/firewall4 meant to insulate less technical users from the intricacies of iptables/nftables? Once firewall4 becomes part of a stable release, I would expect the firewall wiki documentation to be updated for the changes since firewall3.

1 Like

The simplest answer is: ENOTIME. That is, like most people on the Forum, I have limited time to learn about new technologies. As a forty-year network professional, I am confident that I could take 2-5 hours to read through the first results from Google and learn about nftables.

But why should I? (And more to the point, why should every other reader of the Forum?) One big advantage of having a community of techies is that we can share tips, secrets, or ways to learn about a new topic, especially if those links point to information that's known to be correct for OpenWrt.

My fond hope is to find a page that says, "Look. Here is what you need to know about this stuff. Here's the lingo, here's what those terms mean, here's what happens when a packet arrives..."

It's OK if no such page(s) exist. But it's not wrong for me to ask the Forum if anyone has links.

1 Like

Sounds like a good resource. Would you provide links?

Most of the threads are focused on DSCP for QoS, but all include a sound basic nftables firewall. These were written before firewall4 was available.


In 2 to 5 hours you are able to read the nftables wiki cover to cover. Twice.
Then there is the man page for nftables.
If you are familiar with the concept of tables and chains you should have not that of a hard time.
I can only repeat my point: you said you have issues understanding a ruleset but you did not shared it so how could anyone point you in a specific direction?

For my sins, I did write most of the openwrt page on nft : https://openwrt.org/docs/guide-user/firewall/misc/nftables - this was just done quickly, as previously it was largely empty, and I just wanted something in place to show how to get it working on openwrt, and not to go into the details of nft. I've updated it on major releases, but only made the minor changes needed for that release.

Also gut feeling, when the 22.03 version of openwrt comes out - it will need a more major rewrite, as 22.03 with fw4 is nftables based. I'll probably still keep the above page, as how to do nftables from a file - as speaking just for myself, I like that format.

As to how to learn nftables, well I'm not an expert by any means. Me though I learnt the structure of it direct from the nftables web site wiki; and learning the structure of tables, containing chains, containing rules is critical.

Learning the various rules, well the wiki again is place to start. But I also found nft describe to be critical if you want exactly what is possible. E.g. to get the full options of oiftype then nft describe oiftype gives them; I found nft describe to have some things in it, that I've not seemed documented elsewhere.

And I'm sorry this isn't a completely clear introduction. Alas, I haven't yet found a good introduction. So think there is space for some to write one!


This is a perfect (although somewhat disappointing) answer to the question - there doesn't appear to be a decent tutorial for nftables. Drat. But I can stop Googling...

I completely understand your "... for my sins..." comment :slight_smile: You realized that somebody needed to write some documentation, and that "somebody" turned out to be you. I applaud you, and there's no need to apologize. Thanks.


Hi rich, when I started with nftables (about 2014-2015?) I used Arch Linux guides to get going and then nftables wiki for more details.



This is certainly the kind of document I was looking for. Thanks!

1 Like

Someone, @ldir, in another thread shared a link to what looks like an excellet write-up on the connection tracking aspect of nft. A 3 part series so far.
Link to that thread post:

Quote from that post:

https://thermalcircle.de/doku.php?id=blog:linux:connection_tracking_1_modules_and_hooks goes into more depth than my mind can cope with.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.