Guide to the Secure Configuration of Debian 11
Nftables Base Chain Types
An XCCDF Value
Base chains are those that are registered into the Netfilter hooks, i.e. these chains see packets flowing through the Linux TCP/IP stack. The possible chain types are:
filter, which is used to filter packets. This is supported by the arp, bridge, ip, ip6 and inet table families.
route, which is used to reroute packets if any relevant IP header field or the packet mark is modified. This chain type provides equivalent semantics to the mangle table but only for the output hook (for other hooks use type filter instead). This is supported by the ip, ip6 and inet table families.
nat, which is used to perform Network Address Translation (NAT). Only the first packet of a given flow hits this chain; subsequent packets bypass it. This chain should never be used for filtering. The nat chain type is supported by the ip, ip6 and inet table families.
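The following review-time check is an added example, not part of the guide or of nftables: it reads ruleset text and flags base chains that break the three constraints above (unsupported family, type route outside the output hook, drop or reject rules in a nat chain). The names audit, SUPPORTED and SAMPLE are hypothetical, and the ruleset is constructed for illustration.

```python
import re
# Families each base chain type supports, as listed in the text above.
SUPPORTED = {
    "filter": {"arp", "bridge", "ip", "ip6", "inet"},
    "route": {"ip", "ip6", "inet"},
    "nat": {"ip", "ip6", "inet"},
}

# Constructed sample in nft ruleset syntax (not taken from a real host).
SAMPLE = """\
table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
    }
    chain reroute {
        type route hook prerouting priority -150; policy accept;
    }
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        tcp dport 23 drop
    }
}
table bridge br {
    chain post {
        type nat hook postrouting priority 100; policy accept;
    }
}
"""

def audit(ruleset):
    """Return (family, chain, problem) tuples for base chains that break the rules above."""
    findings, family, chain, ctype = [], None, None, None
    for line in map(str.strip, ruleset.splitlines()):
        if m := re.match(r"table (\S+) \S+ \{", line):
            family, chain, ctype = m.group(1), None, None
        elif m := re.match(r"chain (\S+) \{", line):
            chain, ctype = m.group(1), None
        elif m := re.match(r"type (\S+) hook (\S+)", line):
            ctype, hook = m.groups()
            if ctype in SUPPORTED and family not in SUPPORTED[ctype]:
                findings.append((family, chain, f"type {ctype} is not supported by family {family}"))
            if ctype == "route" and hook != "output":
                findings.append((family, chain, f"type route on hook {hook}; use type filter"))
        elif ctype == "nat" and re.search(r"\b(drop|reject)\b", line):
            findings.append((family, chain, f"filtering verdict in nat chain: {line}"))
    return findings

print(*audit(SAMPLE), sep="\n")
```

On the sample it reports the reroute, prerouting and post chains and leaves the input chain alone.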