
Unlocking nftables in Kubernetes 1.29: A Practical Guide to Feature Gates and Rules

This article explains how Kubernetes 1.29 integrates nftables as a feature gate, compares nftables with iptables, details its syntax, address families, hooks, and core objects, and provides step‑by‑step examples for tables, chains, rules, sets, maps, counters, quotas, limits, NAT, and monitoring.

MaGe Linux Operations

What changed in Kubernetes 1.29

Kubernetes 1.29 adds an nftables backend for kube-proxy behind the NFTablesProxyMode feature gate. Enabling the gate and setting mode: nftables in KubeProxyConfiguration makes kube-proxy program service routing with nftables rather than iptables.

nftables vs iptables

New syntax: nftables uses a compact, tcpdump-like syntax.

Full table/chain control: there are no pre-defined tables or chains; you define every table and base chain explicitly.

Multiple actions per rule: a single rule can contain several expressions (matches) and statements (actions).

Optional counters: rules do not count packets by default; add a counter statement where you want counts.

Dynamic updates: adding or removing a rule does not disturb the other rules in the chain.

IPv4/IPv6 dual-stack: the inet family handles both protocols in one table and chain.

nftables structure

Like iptables, nftables is organised as table → chain → rule. The address family of a table (ip, ip6, inet, arp, bridge, netdev) determines which hooks its base chains can attach to.

Address families and hooks

The netfilter hooks are prerouting, input, forward, output, postrouting, and ingress. Which of them a base chain may use depends on the table's family: ip, ip6, inet, and bridge offer the five classic hooks, arp offers only input and output, and ingress is the netdev family's hook, which runs earlier than prerouting, right after the driver hands the packet to the stack.

Special syntax

Concatenation joins several selectors with . (e.g., ip saddr . ip daddr . ip protocol), which is how multi-key sets and maps are built. Intervals are written as a hyphenated range (value-value).

nft add rule ip filter input ip saddr 10.0.0.1 tcp dport 22 accept

Objects

Tables

Created with add table [family] name. The inet family supports both IPv4 and IPv6.

Chains

Chains are added with add chain [family] table chain { type hook priority ; policy accept; }. Base chains (those attached to a netfilter hook) need a type, a hook, and a priority; a chain created without them is a regular chain that is only reached via jump or goto. The braces and semicolons must be quoted so the shell does not interpret them:

nft add chain inet filter INPUT '{ type filter hook input priority 0; policy accept; }'

Rules

Rules consist of expressions (match) and statements (action). Example:

nft add rule inet filter INPUT ip protocol tcp tcp dport 80 accept

Sets

Sets store collections of elements. They can be named or anonymous.

nft add set ip filter blackhole '{ type ipv4_addr; flags constant; }'

Maps

Maps associate keys with values, useful for DNAT/SNAT.

nft add rule ip nat prerouting dnat to tcp dport map '{ 80 : 192.168.1.100, 8888 : 192.168.1.101 }'

Counters

Counters track packet and byte counts. When the family is omitted, as in the command below, nft assumes ip.

nft add rule filter INPUT ip protocol tcp counter accept

Quotas

Limit total bytes for a flow.

nft add quota filter http '{ over 500 mbytes; comment "cap http"; }'

Limits

Rate‑limit traffic.

nft add rule filter INPUT icmp type echo-request limit rate 10/second accept
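The objects above are easier to reason about when they live in one ruleset file loaded with nft -f (and checked first with nft -c -f). The following file is an added example, not code from the original article: it combines a base chain, a named interval set, a named counter, a named quota, a rate limit, and logging in a single inet table. The addresses, ports, and the 500 MB cap are constructed assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original article). All addresses and
# thresholds below are constructed assumptions.

flush ruleset

table inet filter {
    # Named set of blocked sources; "interval" allows CIDR and range elements
    set blackhole {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    # Stateful objects referenced by name from the rules below
    counter ssh_accepted {
        packets 0 bytes 0
    }
    quota http_cap {
        over 500 mbytes
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid counter drop

        # Anything in the set is counted and dropped
        ip saddr @blackhole counter drop

        # Rate-limit echo requests; one inet chain covers IPv4 and IPv6
        icmp type echo-request limit rate 10/second accept
        icmpv6 type echo-request limit rate 10/second accept

        # Count accepted SSH, cap total HTTP volume: once the quota is
        # exceeded the first rule drops, otherwise the second accepts
        tcp dport 22 counter name "ssh_accepted" accept
        tcp dport 80 quota name "http_cap" drop
        tcp dport 80 accept

        # Everything else falls through to the log and the drop policy
        log prefix "nft-input-drop: " level info
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with nft -f filter.nft; nft list counters and nft list quotas then show the live values of the named objects, which is the usual way to confirm that a rule is actually matching traffic.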

Statements

Verdicts : accept, drop, queue, continue, return, jump, goto.

Reject: reject with icmp type port-unreachable (an error is sent back instead of the packet being silently discarded).

Log : log prefix "msg" level info.

Counter : counter packets 0 bytes 0.

Map / Vmap : Translate keys to values or verdicts.

NAT : snat, dnat, masquerade, redirect.

NAT examples

# DNAT based on destination port
nft add rule ip nat prerouting dnat to tcp dport map '{ 80 : 192.168.1.100, 8888 : 192.168.1.101 }'
# SNAT all traffic leaving eth0
nft add rule nat postrouting oif eth0 snat to 1.2.3.4
# Masquerade (dynamic SNAT)
nft add rule nat postrouting oif eth0 masquerade
# Redirect SSH to port 2222
nft add rule nat prerouting tcp dport 22 redirect to :2222
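The statements listed above (verdicts, reject, counter, map, vmap and the NAT statements) can be seen together in the ruleset file below. It is an added example and not part of the original article; the backend addresses, ports and the interface name eth0 are constructed assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original article). Backend addresses,
# ports and the interface name are constructed assumptions.

table ip nat {
    # Port -> backend map consumed by the DNAT rule
    map backends {
        type inet_service : ipv4_addr
        elements = { 80 : 192.168.1.100, 8888 : 192.168.1.101 }
    }

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # DNAT by destination port through the named map
        iif "eth0" dnat to tcp dport map @backends
        # Redirect inbound SSH to a local listener on 2222
        iif "eth0" tcp dport 22 redirect to :2222
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Dynamic SNAT for traffic leaving eth0
        oif "eth0" masquerade
    }
}

table ip filter {
    # Regular chain: no hook, reached only through the verdict map
    chain ssh_in {
        limit rate 5/minute counter accept
        counter drop
    }

    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        # Verdict map: one lookup picks the action for each destination port
        tcp dport vmap { 22 : jump ssh_in, 80 : accept, 8888 : accept, 23 : drop }
        # Explicit rejection with an ICMP error instead of a silent drop
        tcp dport 3389 reject with icmp type port-unreachable
    }
}
```

A verdict map replaces a run of near-identical rules with a single lookup, so the chain stays short as the number of ports grows; nft list ruleset shows the counters inside ssh_in, which makes it easy to see how many SSH attempts were rate-limited.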

Monitoring and nftrace

Enable tracing with meta nftrace set 1 on a rule or in a dedicated chain.

nft add chain filter trace_chain '{ type filter hook prerouting priority -301; }'
nft add rule filter trace_chain meta nftrace set 1

Use nft monitor to watch events, or nft monitor trace for traced packets.

Enabling nftables in Kubernetes

Configure KubeProxyConfiguration with the feature gate and mode, then bootstrap a single‑node cluster with kubeadm:

apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
  NFTablesProxyMode: true
mode: nftables

After the cluster is up, nftables rules can be applied to manage service traffic.

Tags: firewall, netfilter, nftables
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
