These are some common commands with nftables.
Check the configuration file for syntax errors without loading it:
nft -f /etc/nftables.conf -c
Load the ruleset from the configuration file:
nft -f /etc/nftables.conf
List all tables:
nft list tables
List one table (for example, nft list table inet filter):
nft list table $FAMILY $TABLE
As an example, a host may have a single inet (family) table named filter:
~ # nft list tables
table inet filter
To view the rules in that table:
nft list table inet filter
To add an address to an address set:
nft add element inet filter input_timeout_ipv4 '{ 192.0.2.1, 192.0.2.250 }'
To remove an address from an address set:
nft delete element inet filter input_timeout_ipv4 '{ 192.0.2.1, 192.0.2.250 }'
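The set named in the add and delete commands above must exist before elements can be added to it. As an added example (not from the original page), this minimal /etc/nftables.conf defines the inet filter table with input_timeout_ipv4 as a timeout set, so entries expire on their own, and uses it in an input rule; the 1h default timeout, the drop policy and port 22 as the guarded service are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not the original page's configuration.
# Assumed: a single inet table named filter with a default-drop input chain.
flush ruleset

table inet filter {
    # Elements of this set expire automatically; 'timeout 1h' is the default
    # lifetime for elements added without an explicit timeout (assumed value).
    set input_timeout_ipv4 {
        type ipv4_addr
        flags timeout
        timeout 1h
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Keep replies to our own connections and loopback traffic flowing.
        ct state established,related accept
        iif lo accept
        ct state invalid drop

        # Temporary allow-list: only sources currently in the timeout set may
        # reach the assumed service on TCP port 22; 'counter' keeps hit counts.
        ip saddr @input_timeout_ipv4 tcp dport 22 counter accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Validate the file with nft -f /etc/nftables.conf -c before loading it; an element can also carry its own lifetime, for example nft add element inet filter input_timeout_ipv4 '{ 192.0.2.1 timeout 10m }', which overrides the set default.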
To convert an iptables rule to the equivalent nftables rule, iptables-translate and ip6tables-translate can be used. Simply call the tool with the iptables rule to convert.
An iptables rule to permit inbound port 22 TCP may look like this:
-A INPUT -p tcp --dport 22 -j ACCEPT
To convert the rule:
iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT
Resulting output:
~ # iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT
nft add rule ip filter INPUT tcp dport 22 counter accept