
Nftables reaches 1.0

Posted Sep 1, 2021 18:58 UTC (Wed) by Chousuke (subscriber, #54562)
In reply to: Nftables reaches 1.0 by nybble41
Parent article: Nftables reaches 1.0

Unfortunately the nft manual page seems to take after the iproute2 suite of tools in being extremely light on examples and leaving the reader to figure out how to put things together from rather loosely organized grammar descriptions and tables. You basically have to guess how to use it.

For example, if you wanted to know how to perform a 1:1 nat for an entire IP prefix, the manual page would not help because it doesn't even mention that you can use bitwise operators (&, |) with netmasks to perform calculations and modifications on packet fields.

I know there's a partial sentence somewhere on the wiki page that indirectly hints at this being possible because I found it some time ago when I had to do prefix translation, but I can't find it anymore.

nftables is capable, but its documentation makes me sad. It's unbelievably bad.


Nftables reaches 1.0

Posted Sep 1, 2021 19:27 UTC (Wed) by Chousuke (subscriber, #54562) [Link] (1 responses)

Replying to myself since I can't edit to give an actual example:

I tried finding the relevant documentation from the wiki page but I can't; I've forgotten where I found it the last time. The manual page says "Expressions can be combined using binary, logical, relational and other types of expressions", but *nowhere* does it detail what those "binary", "logical" or "relational" expressions are. It doesn't even contain the word "operator".

I did find out that man libnftables-json at least lists "binary operations", but there's no context.

Just in case someone ends up needing it, you can do stuff like this:

ip daddr 10.240.1.0/24 dnat to ip daddr & 0.0.0.255 | 10.140.7.0;

I don't even remember how I figured that out the first time, but it wasn't thanks to the documentation.
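The rule above rewrites only the network bits of the destination and keeps the host bits, i.e. new = (daddr & hostmask) | new_network. The following Python, added here and not from the comment author or the nftables project, generalizes that to any pair of equal-length IPv4 prefixes: it derives the hostmask from the prefix length, emits the rule in the same form as the one quoted above, and simulates the rewrite so the mapping can be checked before it is loaded. The function names and the sample prefixes are my own.

```python
import ipaddress

def prefix_nat_rule(match_prefix: str, target_prefix: str) -> str:
    """Build the nft dnat statement mapping match_prefix onto target_prefix 1:1.

    Shape follows the rule quoted in the comment above:
        ip daddr <match> dnat to ip daddr & <hostmask> | <target network>
    IPv4 only; the ip6 variant is not covered here.
    """
    match_net = ipaddress.ip_network(match_prefix, strict=True)
    target_net = ipaddress.ip_network(target_prefix, strict=True)
    if match_net.version != 4 or target_net.version != 4:
        raise ValueError("only IPv4 prefixes are handled here")
    if match_net.prefixlen != target_net.prefixlen:
        raise ValueError("1:1 prefix NAT needs prefixes of equal length")
    # hostmask is the inverse of the netmask, e.g. 0.0.0.255 for a /24
    return (f"ip daddr {match_net} dnat to "
            f"ip daddr & {match_net.hostmask} | {target_net.network_address}")

def translate(addr: str, match_prefix: str, target_prefix: str) -> str:
    """Simulate the rewrite the rule performs on one destination address."""
    match_net = ipaddress.ip_network(match_prefix, strict=True)
    target_net = ipaddress.ip_network(target_prefix, strict=True)
    ip = ipaddress.ip_address(addr)
    if ip not in match_net:
        return addr  # rule does not match; the packet is left unchanged
    host_bits = int(ip) & int(match_net.hostmask)
    return str(ipaddress.ip_address(host_bits | int(target_net.network_address)))

def mapping_is_bijective(match_prefix: str, target_prefix: str) -> bool:
    """Every address in match_prefix must land on a distinct address inside
    target_prefix; a wrong mask or base would break this."""
    match_net = ipaddress.ip_network(match_prefix, strict=True)
    target_net = ipaddress.ip_network(target_prefix, strict=True)
    seen = set()
    for ip in match_net:
        out = ipaddress.ip_address(translate(str(ip), match_prefix, target_prefix))
        if out not in target_net or out in seen:
            return False
        seen.add(out)
    return True

if __name__ == "__main__":
    # Constructed sample: the same prefixes as the rule in the comment above.
    print(prefix_nat_rule("10.240.1.0/24", "10.140.7.0/24"))
    print(translate("10.240.1.37", "10.240.1.0/24", "10.140.7.0/24"))
    print(mapping_is_bijective("10.240.1.0/24", "10.140.7.0/24"))
```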

Nftables reaches 1.0

Posted Sep 9, 2021 4:48 UTC (Thu) by chaispaquichui (guest, #77035) [Link]

Very useful, thanks!

Nftables reaches 1.0

Posted Sep 2, 2021 5:19 UTC (Thu) by carORcdr (guest, #141301) [Link] (1 responses)

I can appreciate the concern for the lack of examples, but if you actually look at all the manual pages for the 100+ programs (arpd...tipc-socket) there are actually a significant number of examples. If I decide to list them I will update this comment.

There are many non-iproute2 programs, including significant ones, that have far fewer examples. Some have null.

My definition of an example in the context of a program is a command string--

$|# program argument[s] file|filepath

I realize some may limit the definition of string to alphabetic characters. I do not. My definition of string is a string of characters--alphabetic, numeric and/or symbolic.

Nftables reaches 1.0

Posted Sep 3, 2021 19:10 UTC (Fri) by Chousuke (subscriber, #54562) [Link]

Maybe picking on iproute2 was a bit unfair; I just remembered spending a lot of time trying to decipher the dense synopsis notation way back when. Taking another look, they're definitely better than what nft has.

Lately I've felt a bit spoiled by OpenBSD manual pages. If you want to know what good documentation with man pages can look like, you can take a look at some of them. If everything were documented to the same standard I would never need Google...

For example, if I want a quick overview on how OSPF works, I can just "man ospfd" on OpenBSD. The explanation may not strictly speaking have much to do with configuring ospfd itself, but well-placed context "fluff" is a huge quality-of-life improvement as it helps me understand the kinds of problems I can solve with the software.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds