The NftChain object represents a nftables chain. It consists of a set of rules which are being processed depending on the type, hook, priority and policy properties.

This object was introduced in InCore 2.1.

› Inherits:Object



This property holds whether the chain is enabled, i.e. it should be included in the corresponding table.

› Type:Boolean
› Default:true
› Signal:enabledChanged()
› Attributes:Writable


This property holds a the stage of the packet while it’s being processed through the kernel. See the nftables documentation on chains for details

› Type:Hook
› Default:NftChain.Input
› Signal:hookChanged()
› Attributes:Writable


This property holds the name of the firewall chain, e.g. input.

› Type:String
› Signal:nameChanged()
› Attributes:Writable


This property holds the default verdict statement to control the flow in the chain. See the Policy enumeration or details.

› Type:Policy
› Default:NftChain.Accept
› Signal:policyChanged()
› Attributes:Writable


This property holds a number used to order the chains or to set them between some Netfilter operations. See the nftables documentation on chains for details

› Type:Priority
› Default:NftChain.FilterPriority
› Signal:priorityChanged()
› Attributes:Writable


This property holds a list of nftables rules as defined inside nftables chains, e.g. [ "ip daddr counter packets 0 bytes 0", "tcp dport ssh counter packets 0 bytes 0" ].

Consider using NftRule objects with the rules property.

› Type:StringList
› Signal:rawRulesChanged()
› Attributes:Writable


This property holds a list of nftables rules described by NftRule objects.

› Type:List<NftRule>
› Signal:rulesChanged()
› Attributes:Readonly


This property holds the type of the nftables chain. See the nftables documentation on chains for details

› Type:Type
› Default:NftChain.Filter
› Signal:typeChanged()
› Attributes:Writable


rulesDataChanged(SignedInteger index)

This signal is emitted whenever the List.dataChanged() signal is emitted, i.e. the item at index in the rules list itself emitted the dataChanged() signal.



This enumeration describes stages of the packet processing at which the chains are processed.

Name Value Description
NftChain.Prerouting 0 Process chain before routing decision when it’s not known if packets are addressed to the local or remote systems.
NftChain.Input 1 Process chain after the routing decision for packets which are directed to the local system and/or processes running in system.
NftChain.Forward 2 Process chain after the routing decision for packets which are not directed to the local system and/or processes running in system.
NftChain.Output 3 Process chain for packets originating from processes on the local system.
NftChain.Postrouting 4 Process chain after the routing decision for packets leaving the local system.
NftChain.Ingress 5 Process chain to filter traffic even before prerouting, right after the packet is received by the NIC driver. This hook is available for the NftTable.NetDev family only.


Name Value Description
NftChain.Accept 0
NftChain.Drop 1
NftChain.Queue 2
NftChain.Continue 3
NftChain.Return 4  


This enumeration describes priorities which can be used to order the chains or to put them before or after some Netfilter internal operations. For example, a chain on the prerouting hook with the priority -300 will be placed before connection tracking operations.

Name Value Description
NftChain.FirstPriority -2147483648 Highest priority to process the chain before all other chains with lower priorities.
NftChain.ConnTrackDefragPriority -400 Priority of defragmentation.
NftChain.RawPriority -300 Traditional priority of the raw table placed before connection tracking operation.
NftChain.SeLinuxFirstPriority -225 Priority for SELinux operations.
NftChain.ConnTrackPriority -200 Priority for connection tracking operations.
NftChain.ManglePriority -150 Priority for mangle operations.
NftChain.DestinationNatPriority -100 Priority for chains implementing destination NAT.
NftChain.FilterPriority 0 Priority for chains implementing packet filtering operations.
NftChain.SecurityPriority 50 Priority for chains implementing source NAT.
NftChain.SourceNatPriority 100 Place of security table where secmark can be set for example.
NftChain.SeLinuxLastPriority 225 Priority for SELinux at packet exit.
NftChain.ConnTrackHelperPriority 300 Priority for connection tracking at exit.
NftChain.ConnTrackConfirmPriority 2147483646 Priority for connection tracking confirmation operations.
NftChain.LastPriority 2147483647 Lowest priority to process the chain after all other chains with higher priorities.


This enumeration describes supported chain types to implement different kinds of operations.

Name Value Description
NftChain.Filter 0 Implement a packet filter chain. This is supported by the NftTable.ARP, NftTable.Bridge, NftTable.IP, NftTable.IP6 and NftTable.INet table families.
NftChain.Rule 1
NftChain.Nat 2 Perform Networking Address Translation (NAT). The first packet that belongs to a flow always hits this chain, follow up packets not. Therefore, never use this chain for filtering. This is supported by the NftTable.IP and NftTable.IP6 table families.


See NftFirewall example on how to use NftChain.