Nftables break down

So with IP tables we had chains like



How are the new chains configured for the Nftables in OpenWrt 22.03.2.

I am gradually migrating my most important iptable rules, but I am not sure I got the new chains correctly.

  • zone_${zone}_prerouting => dstnat_${zone}
  • zone_${zone}_postrouting => srcnat_${zone}
1 Like

what about

zone_wan_forward ?

  • zone_${zone}_input => input_${zone}
  • zone_${zone}_output => output_${zone}
  • zone_${zone}_forward => forward_${zone}
1 Like

these are very helpful!

what about something like


The old *_rule chains are user chains. There's no direct replacement for them in nftables. Instead you can simply declare custom chains at the various default hooks using different kinds of include mechanisms:

E.g. to produce a chain equivalent to iptables output_rule, place the following into /etc/nftables.d/my_output_rule_chain.nft:

chain output_rule {
    type filter hook output priority filter - 1; policy accept;

The priority value will control whether such a chain is invoked before or after the fw4 chains (fw4's output delegation chain uses priority filter a.k.a. 0).

See also


So at the moment I have determined my best course of action is a custom script. I simply have too many rules to try creating different customs.nft.

Thanks for all your help!

Man, I wish we had nftables much sooner! It is amazing how you can take really complicated iptable chains and use nftable mappings to simplify them!

I just shortened a lot of my rules.


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.