Change policy with nftables on command line

Server Fault Asked on January 3, 2022

With iptables I can change, for example, the INPUT policy to drop with iptables -P INPUT DROP. Is there any option to do the same with nft?

Editing /etc/nftables.conf would work of course but that is not what I want.

One Answer

Yes, you can redefine an already existing base chain's policy without changing its content. There's no separate keyword for this; it's still add:

nft add chain family mytable mychain '{ policy drop; }'

Complete example in a namespace:


# test.nft: one base chain with policy accept and two rules
flush ruleset

table ip t {
    chain c {
        type filter hook output priority 0; policy accept;
        oif lo accept
        counter
    }
}

# ip netns add test
# ip netns exec test nft -f test.nft


# ip netns exec test nft add 'chain ip t c { policy drop; }'
# ip netns exec test nft list ruleset
table ip t {
    chain c {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        counter packets 0 bytes 0
    }
}

The policy was changed, without altering the rules. Using nft 0.9.5 and kernel 5.7.x here. Depending on the version, behaviour might differ.

There's a kernel commit from 2015 allowing one to do only this:

netfilter: nf_tables: allow to change chain policy without hook if it exists

If there's an existing base chain, we have to allow to change the default policy without indicating the hook information.

However, if the chain doesn't exist, we have to enforce the presence of the hook attribute.

Signed-off-by: Pablo Neira Ayuso [email protected]

Before this (around kernel 4.1), one had to provide the base chain definition again (which can't be changed, by the way):

# ip netns exec test nft add 'chain ip t c { type filter hook output priority 0;  policy drop; }'

Answered by A.B on January 3, 2022
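
The check the answer performs by eye (policy changed, rules untouched) can be scripted. This is an added example, not part of the answer above: the helper names nft_chain_view and policy_only_change are hypothetical, and the BEFORE listing is a constructed sample modelled on the nft list ruleset output shown in the answer.

```sh
#!/bin/sh
# Added example: confirm from `nft list ruleset` text that only the policy changed.

# nft_chain_view policy|rules FAMILY TABLE CHAIN   (listing on stdin)
#   policy -> prints the base chain's policy
#   rules  -> prints its rules, whitespace-normalised, counter values masked
nft_chain_view() {
    awk -v mode="$1" -v fam="$2" -v tbl="$3" -v chn="$4" '
        $1 == "table" { in_t = ($2 == fam && $3 == tbl); in_c = 0; next }
        in_t && $1 == "chain" { in_c = ($2 == chn); next }
        !in_c { next }
        $1 == "}" { in_c = 0; next }
        $1 == "type" {                       # base-chain header line
            if (mode == "policy" && match($0, /policy [a-z]+;/))
                print substr($0, RSTART + 7, RLENGTH - 8)
            next
        }
        mode == "rules" && NF {
            gsub(/packets [0-9]+ bytes [0-9]+/, "packets N bytes N")
            $1 = $1; print
        }'
}

# policy_only_change BEFORE AFTER FAMILY TABLE CHAIN WANT
# Succeeds when AFTER has policy WANT and the same rules as BEFORE.
policy_only_change() {
    [ "$(printf '%s\n' "$2" | nft_chain_view policy "$3" "$4" "$5")" = "$6" ] || return 1
    [ "$(printf '%s\n' "$1" | nft_chain_view rules "$3" "$4" "$5")" = \
      "$(printf '%s\n' "$2" | nft_chain_view rules "$3" "$4" "$5")" ]
}

# Constructed sample listings; on a live system capture them with
#   BEFORE=$(nft list ruleset); nft add chain ... ; AFTER=$(nft list ruleset)
BEFORE='table ip t {
    chain c {
        type filter hook output priority filter; policy accept;
        oif "lo" accept
        counter packets 12 bytes 1008
    }
}'
AFTER='table ip t {
    chain c {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        counter packets 0 bytes 0
    }
}'

policy_only_change "$BEFORE" "$AFTER" ip t c drop && echo "policy changed, rules intact"
```

Counter values are masked before comparison because they change between two listings even when no rule was edited.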
