The NftFirewall object represents a network firewall configuration and can be used to implement all kinds of networking and packet filtering scenarios. It uses nftables, the modern packet filtering framework provided in the Linux kernel. Consequently, NftFirewall and all subobjects (such as NftTable, NftChain and NftRule) follow the nftables concepts and semantics while providing QML syntax, including dynamic updates on any property change. See the nftables Wiki for more information on how nftables-based firewalling and packet filtering works.

This object was introduced in InCore 2.1.

› Inherits: Object



externalRulesetFile

This property holds a path to an external file containing the ruleset to load. If set, the tables and ruleset properties are ignored and the specified ruleset file is loaded instead.

› Type: String
› Signal: externalRulesetFileChanged()
› Attributes: Writable


ruleset

This property holds the effective ruleset, in nftables syntax, that is currently loaded and in use.

› Type: String
› Signal: rulesetChanged()
› Attributes: Readonly


tables

This property holds a list of tables containing chains and rules.

› Type: List<NftTable>
› Signal: tablesChanged()
› Attributes: Readonly





tablesDataChanged(SignedInteger index)

This signal is emitted whenever the List.dataChanged() signal is emitted, i.e. the item at index in the tables list itself emitted the dataChanged() signal.


import InCore.Foundation 2.5

Application {

    id: app

    System {
        id: system
        // poll cpuLoad so the binding in the SSH rule below is re-evaluated
        Polling on cpuLoad { }
    }

    NftFirewall {

        NftTable {
            family: NftTable.IP
            name: "example"

            // input filter chain: drop everything that is not explicitly accepted
            NftChain {
                name: "incoming"
                type: NftChain.Filter
                hook: NftChain.Input
                priority: NftChain.FilterPriority
                policy: NftChain.Drop
                // rule given verbatim in nftables syntax
                rawRules: [ "ip protocol icmp icmp type { echo-request } accept" ]
                NftRule { inputInterface: "lo"; statement.type: NftStatement.Accept }
                NftRule { protocol: NftRule.Icmp; statement.type: NftStatement.Accept }
                NftRule { connectionStates: NftRule.Established | NftRule.Related; statement.type: NftStatement.Accept }
                // disable new SSH connections if system load is too high
                NftRule {
                    connectionStates: NftRule.New
                    protocol: NftRule.Tcp
                    destinationPorts: 22
                    statement.type: system.cpuLoad < 1 ? NftStatement.Accept : NftStatement.Drop
                }
            }

            // NAT chain, only enabled when the first command line argument is "proxy"
            NftChain {
                id: proxy
                enabled: app.commandLineArguments[0] === "proxy"
                name: "transparentwebproxy"
                type: NftChain.Nat
                hook: NftChain.Postrouting
                priority: NftChain.SourceNatPriority
                policy: NftChain.Accept
                NftRule {
                    protocol: NftRule.Tcp
                    sourceAddress: ""
                    destinationPorts: [ 80, 443 ]
                    statement.type: NftStatement.Masquerade
                }
            }
        }

        // log the effective ruleset whenever it changes
        onRulesetChanged: console.log(ruleset)
    }
}
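
As an added illustration (not part of the InCore documentation and not ruleset text generated by InCore), a file that externalRulesetFile could point to might look like the following. It is a hand-written nftables approximation of the "incoming" chain from the QML example above; the SSH rule is a plain accept because a static file cannot bind to system.cpuLoad, and the ICMP rule is limited to echo requests.

```nft
#!/usr/sbin/nft -f
# Hand-written example ruleset (assumption: the file is loaded as-is).

# Replace only this table instead of flushing the whole ruleset:
# declare it so the delete cannot fail, delete it, then define it again.
table ip example
delete table ip example

table ip example {
    chain incoming {
        # priority 0 is the standard filter priority; default policy is drop
        type filter hook input priority 0; policy drop;

        # loopback traffic
        iifname "lo" accept

        # ICMP echo requests (ping)
        icmp type echo-request accept

        # replies and related traffic for connections that are already tracked
        ct state established,related accept

        # new SSH connections (static; no CPU load condition possible here)
        tcp dport 22 ct state new accept
    }
}
```

Running `nft -c -f` on the file checks its syntax without applying it, which is worth doing before the application loads it with a drop policy on the input hook.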