diff --git a/Makefile b/Makefile
index 5ab12cba..c7e27c37 100644
--- a/Makefile
+++ b/Makefile
@@ -28,7 +28,7 @@ tags: *.c *.h
 $(CONF):
 	@case `uname` in \
 	Linux*) \
-		echo "#define USE_IPTABLES" >$(CONF) \
+		echo "#define USE_NETFILTER" >$(CONF) \
 		;; \
 	OpenBSD) \
 		echo "#define USE_PF" >$(CONF) \
diff --git a/README.md b/README.md
index aba93a78..4682814f 100644
--- a/README.md
+++ b/README.md
@@ -231,6 +231,42 @@ luser$ sg socksified -c "firefox"
 root# iptables -t nat -A PREROUTING --in-interface eth_int -p tcp -j REDSOCKS
 ```
 
+## nftables example
+
+https://wiki.nftables.org/ - more modern replacemnt for iptables
+
+```
+# required to do redirects
+modprobe nft_redir
+
+nft -f - <<EOF
+table ip nat {
+	chain REDSOCKS {
+		# hook to the output
+		type nat hook output priority 0; policy accept;
+
+		# skip if the user is not uid 1000
+		ip protocol tcp skuid != 1000 return
+
+		# skip for local ip ranges
+		ip daddr 0.0.0.0/8      return
+		ip daddr 10.0.0.0/8     return
+		ip daddr 100.64.0.0/10  return
+		ip daddr 127.0.0.0/8    return
+		ip daddr 169.254.0.0/16 return
+		ip daddr 172.16.0.0/12  return
+		ip daddr 192.168.0.0/16 return
+		ip daddr 198.18.0.0/15  return
+		ip daddr 224.0.0.0/4    return
+		ip daddr 240.0.0.0/4    return
+
+		# everything else tcp = redirect to redsocks
+		ip protocol tcp redirect to 12345
+	}
+}
+EOF
+```
+
 ### Note about GID-based redirection
 
 Keep in mind, that changed GID affects filesystem permissions, so if your
diff --git a/base.c b/base.c
index 1dfe98fc..0d4ea0b3 100644
--- a/base.c
+++ b/base.c
@@ -28,7 +28,7 @@
 #include <grp.h>
 #include <stdlib.h>
 #include "config.h"
-#if defined USE_IPTABLES
+#if defined USE_NETFILTER
 # include <limits.h>
 # include <linux/netfilter_ipv4.h>
 #endif
@@ -214,8 +214,8 @@ static int getdestaddr_pf(
 }
 #endif
 
-#ifdef USE_IPTABLES
-static int getdestaddr_iptables(int fd, const struct sockaddr_in *client, const struct sockaddr_in *bindaddr, struct sockaddr_in *destaddr)
+#ifdef USE_NETFILTER
+static int getdestaddr_netfilter(int fd, const struct sockaddr_in *client, const struct sockaddr_in *bindaddr, struct sockaddr_in *destaddr)
 {
 	socklen_t socklen = sizeof(*destaddr);
 	int error;
@@ -290,8 +290,9 @@ static redirector_subsys redirector_subsystems[] =
 #ifdef USE_PF
 	{ .name = "pf",  .init = redir_init_pf,  .fini = redir_close_private, .getdestaddr = getdestaddr_pf },
 #endif
-#ifdef USE_IPTABLES
-	{ .name = "iptables", .getdestaddr = getdestaddr_iptables },
+#ifdef USE_NETFILTER
+	{ .name = "netfilter", .getdestaddr = getdestaddr_netfilter },
+	{ .name = "iptables", .getdestaddr = getdestaddr_netfilter },
 #endif
 	{ .name = "generic",  .getdestaddr = getdestaddr_generic  },
 };
diff --git a/dnsu2t.c b/dnsu2t.c
index a072bd46..bff68673 100644
--- a/dnsu2t.c
+++ b/dnsu2t.c
@@ -46,12 +46,6 @@ static void dnsu2t_pkt_from_relay(int fd, short what, void *_arg);
 static void dnsu2t_relay_writable(int fd, short what, void *_arg);
 static void dnsu2t_close_relay(dnsu2t_instance *self);
 
-// this DNS query (IN SOA for `.`) acts as in-band DNS ping
-static const uint8_t dnsq_soa_root[] = {
-	0x00, 0x00, 0x01, 0x20,
-	0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x06, 0x00, 0x01};
-
 typedef struct inflight_req_t {
 	uint16_t id; // in network byte order
 	struct sockaddr_in clientaddr;
diff --git a/redsocks.conf.example b/redsocks.conf.example
index 67bdf965..5be73f73 100644
--- a/redsocks.conf.example
+++ b/redsocks.conf.example
@@ -30,12 +30,12 @@ base {
 	// chroot = "/var/chroot";
 
 	/* possible `redirector' values are:
-	 *   iptables   - for Linux
+	 *   netfilter  - for Linux
 	 *   ipf        - for FreeBSD
 	 *   pf         - for OpenBSD
 	 *   generic    - some generic redirector that MAY work
 	 */
-	redirector = iptables;
+	redirector = netfilter;
 
 	/* Override per-socket values for TCP_KEEPIDLE, TCP_KEEPCNT,
 	 * and TCP_KEEPINTVL. see man 7 tcp for details.