documentation_complete: true
title: 'Ensure a Table Exists for Nftables'
description: |-
Tables in nftables hold chains. Each table only has one address family and only applies
to packets of this family. Tables can have one of six families.
{{% if "rhel" in product %}}
{{{ full_name }}} uses firewalld for firewall management. When nftables is
the firewall backend used by firewalld, an {{{ xccdf_value("var_nftables_family") }}}
family table called {{{ xccdf_value("var_nftables_table") }}} is used.
To verify that the nftables table used by firewalld exists, run the following
command:
$ sudo nft list tables
table {{{ xccdf_value("var_nftables_family") }}} {{{ xccdf_value("var_nftables_table") }}}
This table is automatically created by firewalld when it is started.
{{%- endif %}}
rationale: |-
Nftables doesn't have any default tables. Without a table being built, nftables will not
filter network traffic.
severity: medium
platform: package[nftables]
identifiers:
cce@rhel8: CCE-86162-5
cce@rhel9: CCE-86163-3
cce@sle15: CCE-92569-3
cce@slmicro5: CCE-93976-9
references:
cis@sle15: 3.5.2.4
ocil_clause: 'a nftables table does not exist'
warnings:
- general: |-
Adding or editing rules in a running nftables can cause loss of connectivity to the system.
- general: |-
Both the SCE check and remediation for this rule only consider runtime settings.
There is no specific file to check as it depends on each site's policy. Therefore, check
and remediation use the nft command directly. The fix is not persistent across system
reboots.
- functionality: |-
SCE check does not support variables, therefore the SCE check in this rule only checks the
address family, regardless of the table name.
ocil: |-
To verify that a nftables table exists, run the following command:
$ sudo nft list tables
Output should include a list of nftables similar to:
table {{{ xccdf_value("var_nftables_family") }}} {{{ xccdf_value("var_nftables_table") }}}