nftables families
Tables of the inet family see both IPv4 and IPv6 traffic, so one rule set covers a dual-stack host without being written twice. These rules affect both IPv4 and IPv6 packets:

  add rule inet filter input ct state established,related counter accept
  add rule inet filter input udp dport 53 accept
  add rule inet filter input ip saddr 1.1.1.1 counter accept
  add rule inet filter input ip6 daddr fe00::2 counter accept

Tables of the arp family see ARP-level (i.e., L2) traffic, before any L3 handling is done by the kernel. Therefore you can filter ARP traffic from here. The arptables tool is the legacy x_tables equivalent.

Tables of the bridge family see traffic/packets traversing bridges. No assumptions are made about L3 protocols. The ebtables tool is the legacy x_tables equivalent. Some old x_tables modules such as physdev will also eventually be served from the nftables bridge family. Note that there is no nf_conntrack integration for the nftables bridge family, so ct-based matches are not available there.

The netdev family is different from the others in that it is used to create base chains attached to a single network interface. Such base chains see all network traffic on the specified interface, with no assumptions about L2 or L3 protocols. The principal (only?) use for this family is for base chains using the ingress hook, new in Linux kernel 4.2. Such ingress chains see network packets just after the NIC driver passes them up to the networking stack, which makes them the earliest point at which nftables can drop unwanted traffic. There is no legacy x_tables equivalent to the netdev family. New in nftables 0.9.7 and Linux kernel 5.10 is the inet family ingress hook, which filters at the same location as the netdev ingress hook.
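As an added worked example (not taken from the wiki page and not the nftables project's own code), the following ruleset puts the families described above into one file: an inet table carrying the dual-stack rules plus an inet ingress chain, an arp table, a bridge table, and a netdev ingress chain. The interface name eth0, the 192.0.2.0/24 range, the 192.0.2.1 gateway address, the 00:11:22:33:44:55 MAC address and the chosen policies are assumptions picked for illustration.

```nft
#!/usr/sbin/nft -f
# Constructed example: eth0 and all addresses below are assumptions, not values from the page.
flush ruleset

# inet: one table serves IPv4 and IPv6, so the rules from the text need no duplication.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related counter accept
        ct state invalid counter drop
        udp dport 53 accept
        ip saddr 1.1.1.1 counter accept
        ip6 daddr fe00::2 counter accept
    }

    # inet ingress hook (nftables >= 0.9.7, Linux >= 5.10): same hook location as netdev
    # ingress, but the chain only sees IPv4/IPv6 and can use ip/ip6 matches directly.
    chain ingress_eth0 {
        type filter hook ingress device "eth0" priority -500; policy accept;
        ip saddr 192.0.2.0/24 counter drop
    }
}

# arp: ARP frames before any L3 handling; this is where arptables rules would migrate.
table arp filter {
    chain input {
        type filter hook input priority 0; policy accept;
        # Drop ARP replies that claim the (assumed) gateway IP from any other MAC:
        # a minimal ARP-spoofing guard.
        arp operation reply arp saddr ip 192.0.2.1 arp saddr ether != 00:11:22:33:44:55 counter drop
    }
}

# bridge: frames switched through any bridge. No conntrack integration here,
# so no ct expressions are used in this table.
table bridge filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ether type arp counter accept
        # Assumed policy: do not let VLAN-tagged frames cross the bridge.
        ether type vlan counter drop
    }
}

# netdev: chain bound to a single interface, sees every frame regardless of L2/L3
# protocol, as early as nftables can run; drop anything that is not IPv4, IPv6 or ARP.
table netdev filter {
    chain ingress {
        type filter hook ingress device "eth0" priority -500; policy accept;
        ether type != { ip, ip6, arp } counter drop
    }
}
```

Check the file with `nft -c -f families.nft` (parse and validate without loading), then load it with `nft -f families.nft` and inspect with `nft list ruleset`. The inet ingress chain needs nftables 0.9.7 or newer and a 5.10 or newer kernel; on older systems remove that chain and the rest still loads.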