Nftables

nftables is the newer replacement for iptables, ip6tables, arptables and ebtables. It has a serialisation format for defining rules and supports using the same rule file for both IPv4 and IPv6.

The first kernel with nftables support is 3.13.

Installing
The kernel on the device needs to have the kconfig options enabled for nftables, the main options for this are  and.

The userspace part is in the Alpine package nftables, which provides the nftables OpenRC service and the   command for making runtime changes.

The default configuration, once the nftables package is added and the service enabled, drops all incoming connections and blocks no outbound connections. It also rate-limits incoming ICMP packets. This config is stored in  and includes any ruleset files placed in . That directory is a good place to put your own extra rules.

Allowing SSH
Since the default ruleset drops all incoming connections you will no longer be able to SSH into the device after starting the nftables service. To allow connections again you can create an extra ruleset that allows connections over USB networking and over wifi:

These rules are appended to the default ruleset and allow all connections from usb0, the network interface created by USB networking in postmarketOS. The second rule allows incoming SSH connections on any interface whose name starts with.
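The extra ruleset the text describes, written out here as an added example; it is not the wiki's own file and the file name is a placeholder. It assumes the default ruleset defines `table inet filter` with an `input` chain and includes the extra-rules directory after its own rules, so that nft merges the two rules below into that chain; the `wlan*` interface prefix is also an assumption.

```nft
# Added example: extra ruleset dropped into the nftables include directory
# (file name is a placeholder, e.g. <include-dir>/10-ssh.nft).
# Assumes the default ruleset already defines "table inet filter" and its
# "input" chain (with its hook and "policy drop"); nft merges a second
# definition of the same table and chain, so these rules are appended.
table inet filter {
	chain input {
		# Accept every protocol arriving on the USB networking interface.
		iifname "usb0" accept

		# Accept incoming SSH on any interface whose name starts with
		# "wlan" (assumed wifi interface prefix; wildcard match on the name).
		iifname "wlan*" tcp dport 22 accept
	}
}
```

Note that the first rule opens every port to whatever is on the other end of the USB cable, not only SSH; if that is wider than you want, `iifname "usb0" tcp dport 22 accept` limits it to SSH in the same way as the wifi rule. You can check the file for syntax errors without loading it using `nft -c -f <file>` before activating it with the reload command described below.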

After creating or changing the rules files you can make them active with the reload command on the nftables service:

Logs

 * Install the  package
 * Restart the  service with
 * Logs should be available in the kernel through

More information
The nftables wiki