source-git / nftables

Clone
Source Code
GIT

Blame doc/data-types.txt

c8 c8s master
  1.   c8
  2.   doc
  3.   data-types.txt
Blob History Raw
Packit Service e7ae83 
INTEGER TYPE
Packit Service e7ae83 
~~~~~~~~~~~
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Name | Keyword | Size | Base type
Packit Service e7ae83 
|Integer |
Packit Service e7ae83 
integer |
Packit Service e7ae83 
variable |
Packit Service e7ae83 
-
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
The integer type is used for numeric values. It may be specified as a decimal,
Packit Service e7ae83 
hexadecimal or octal number. The integer type does not have a fixed size, its
Packit Service e7ae83 
size is determined by the expression for which it is used.
Packit Service e7ae83
Packit Service e7ae83 
BITMASK TYPE
Packit Service e7ae83 
~~~~~~~~~~~~
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Name | Keyword | Size | Base type
Packit Service e7ae83 
|Bitmask |
Packit Service e7ae83 
bitmask |
Packit Service e7ae83 
variable |
Packit Service e7ae83 
integer
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
The bitmask type (*bitmask*) is used for bitmasks.
Packit Service e7ae83
Packit Service e7ae83 
STRING TYPE
Packit Service e7ae83 
~~~~~~~~~~~~
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Name | Keyword | Size | Base type
Packit Service e7ae83 
|String |
Packit Service e7ae83 
string |
Packit Service e7ae83 
variable |
Packit Service e7ae83 
-
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
The string type is used for character strings. A string begins with an
Packit Service e7ae83 
alphabetic character (a-zA-Z) followed by zero or more alphanumeric characters
Packit Service e7ae83 
or the characters /, -, _ and .. In addition, anything enclosed in double
Packit Service e7ae83 
quotes (") is recognized as a string.
Packit Service e7ae83
Packit Service e7ae83 
.String specification
Packit Service e7ae83 
----------------------
Packit Service e7ae83 
# Interface name
Packit Service e7ae83 
filter input iifname eth0
Packit Service e7ae83
Packit Service e7ae83 
# Weird interface name
Packit Service e7ae83 
filter input iifname "(eth0)"
Packit Service e7ae83 
----------------------------
Packit Service e7ae83
Packit Service e7ae83 
LINK LAYER ADDRESS TYPE
Packit Service e7ae83 
~~~~~~~~~~~~~~~~~~~~~~~
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Name | Keyword | Size | Base type
Packit Service e7ae83 
|Link layer address |
Packit Service e7ae83 
lladdr|
Packit Service e7ae83 
variable |
Packit Service e7ae83 
integer
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
The link layer address type is used for link layer addresses. Link layer
Packit Service e7ae83 
addresses are specified as a variable amount of groups of two hexadecimal digits
Packit Service e7ae83 
separated using colons (:).
Packit Service e7ae83
Packit Service e7ae83 
.Link layer address specification
Packit Service e7ae83 
----------------------
Packit Service e7ae83 
# Ethernet destination MAC address
Packit Service e7ae83 
filter input ether daddr 20:c9:d0:43:12:d9
Packit Service e7ae83 
----------------------------
Packit Service e7ae83
Packit Service e7ae83 
IPV4 ADDRESS TYPE
Packit Service e7ae83 
~~~~~~~~~~~~~~~~~
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Name | Keyword | Size | Base type
Packit Service e7ae83 
|IPV4 address|
Packit Service e7ae83 
ipv4_addr|
Packit Service e7ae83 
32 bit|
Packit Service e7ae83 
integer
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
The IPv4 address type is used for IPv4 addresses. Addresses are specified in
Packit Service e7ae83 
either dotted decimal, dotted hexadecimal, dotted octal, decimal, hexadecimal,
Packit Service e7ae83 
octal notation or as a host name. A host name will be resolved using the
Packit Service e7ae83 
standard system resolver.
Packit Service e7ae83
Packit Service e7ae83 
.IPv4 address specification
Packit Service e7ae83 
----------------------
Packit Service e7ae83 
# dotted decimal notation
Packit Service e7ae83 
filter output ip daddr 127.0.0.1
Packit Service e7ae83
Packit Service e7ae83 
# host name
Packit Service e7ae83 
filter output ip daddr localhost
Packit Service e7ae83 
----------------------------
Packit Service e7ae83
Packit Service e7ae83 
IPV6 ADDRESS TYPE
Packit Service e7ae83 
~~~~~~~~~~~~~~~~~
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Name | Keyword | Size | Base type
Packit Service e7ae83 
|IPv6 address|
Packit Service e7ae83 
ipv6_addr|
Packit Service e7ae83 
128 bit|
Packit Service e7ae83 
integer
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
The IPv6 address type is used for IPv6 addresses. Addresses are specified as a
Packit Service e7ae83 
host name or as hexadecimal halfwords separated by colons. Addresses might be
Packit Service e7ae83 
enclosed in square brackets ("[]") to differentiate them from port numbers.
Packit Service e7ae83
Packit Service e7ae83 
.IPv6 address specification
Packit Service e7ae83 
----------------------
Packit Service e7ae83 
# abbreviated loopback address
Packit Service e7ae83 
filter output ip6 daddr ::1
Packit Service e7ae83 
----------------------------
Packit Service e7ae83
Packit Service e7ae83 
.IPv6 address specification with bracket notation
Packit Service e7ae83 
----------------------
Packit Service e7ae83 
# without [] the port number (22) would be parsed as part of the
Packit Service e7ae83 
# ipv6 address
Packit Service e7ae83 
ip6 nat prerouting tcp dport 2222 dnat to [1ce::d0]:22
Packit Service e7ae83 
----------------------------
Packit Service e7ae83
Packit Service e7ae83 
BOOLEAN TYPE
Packit Service e7ae83 
~~~~~~~~~~~~
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Name | Keyword | Size | Base type
Packit Service e7ae83 
|Boolean |
Packit Service e7ae83 
boolean |
Packit Service e7ae83 
1 bit |
Packit Service e7ae83 
integer
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
The boolean type is a syntactical helper type in userspace. Its use is in the
Packit Service e7ae83 
right-hand side of a (typically implicit) relational expression to change the
Packit Service e7ae83 
expression on the left-hand side into a boolean check (usually for existence). +
Packit Service e7ae83
Packit Service e7ae83 
.The following keywords will automatically resolve into a boolean type with given value
Packit Service e7ae83
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Keyword | Value
Packit Service e7ae83 
|exists |
Packit Service e7ae83 
1 |
Packit Service e7ae83 
missing |
Packit Service e7ae83 
0
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
.expressions support a boolean comparison
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|======================================
Packit Service e7ae83 
|Expression | Behaviour
Packit Service e7ae83 
|fib |
Packit Service e7ae83 
Check route existence.
Packit Service e7ae83 
|exthdr|
Packit Service e7ae83 
Check IPv6 extension header existence.
Packit Service e7ae83 
|tcp option |
Packit Service e7ae83 
Check TCP option header existence.
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
.Boolean specification
Packit Service e7ae83 
----------------------
Packit Service e7ae83 
# match if route exists
Packit Service e7ae83 
filter input fib daddr . iif oif exists
Packit Service e7ae83
Packit Service e7ae83 
# match only non-fragmented packets in IPv6 traffic
Packit Service e7ae83 
filter input exthdr frag missing
Packit Service e7ae83
Packit Service e7ae83 
# match if TCP timestamp option is present
Packit Service e7ae83 
filter input tcp option timestamp exists
Packit Service e7ae83 
------------------------------------------
Packit Service e7ae83
Packit Service e7ae83 
ICMP TYPE TYPE
Packit Service e7ae83 
~~~~~~~~~~~~~~
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Name | Keyword | Size | Base type
Packit Service e7ae83 
|ICMP Type |
Packit Service e7ae83 
icmp_type |
Packit Service e7ae83 
8 bit |
Packit Service e7ae83 
integer
Packit Service e7ae83 
|===================
Packit Service e7ae83 
The ICMP Type type is used to conveniently specify the ICMP header's type field.
Packit Service e7ae83
Packit Service e7ae83 
.Keywords may be used when specifying the ICMP type
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Keyword | Value
Packit Service e7ae83 
|echo-reply |
Packit Service e7ae83 
0
Packit Service e7ae83 
|destination-unreachable |
Packit Service e7ae83 
3
Packit Service e7ae83 
|source-quench|
Packit Service e7ae83 
4
Packit Service e7ae83 
|redirect|
Packit Service e7ae83 
5
Packit Service e7ae83 
|echo-request|
Packit Service e7ae83 
8
Packit Service e7ae83 
|router-advertisement|
Packit Service e7ae83 
9
Packit Service e7ae83 
|router-solicitation|
Packit Service e7ae83 
10
Packit Service e7ae83 
|time-exceeded|
Packit Service e7ae83 
11
Packit Service e7ae83 
|parameter-problem|
Packit Service e7ae83 
12
Packit Service e7ae83 
|timestamp-request|
Packit Service e7ae83 
13
Packit Service e7ae83 
|timestamp-reply|
Packit Service e7ae83 
14
Packit Service e7ae83 
|info-request|
Packit Service e7ae83 
15
Packit Service e7ae83 
|info-reply|
Packit Service e7ae83 
16
Packit Service e7ae83 
|address-mask-request|
Packit Service e7ae83 
17
Packit Service e7ae83 
|address-mask-reply|
Packit Service e7ae83 
18
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
.ICMP Type specification
Packit Service e7ae83 
------------------------
Packit Service e7ae83 
# match ping packets
Packit Service e7ae83 
filter output icmp type { echo-request, echo-reply }
Packit Service e7ae83 
------------------------
Packit Service e7ae83
Packit Service e7ae83 
ICMP CODE TYPE
Packit Service e7ae83 
~~~~~~~~~~~~~~
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Name | Keyword | Size | Base type
Packit Service e7ae83 
|ICMP Code |
Packit Service e7ae83 
icmp_code |
Packit Service e7ae83 
8 bit |
Packit Service e7ae83 
integer
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
The ICMP Code type is used to conveniently specify the ICMP header's code field.
Packit Service e7ae83
Packit Service e7ae83 
.Keywords may be used when specifying the ICMP code
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Keyword | Value
Packit Service e7ae83 
|net-unreachable |
Packit Service e7ae83 
0
Packit Service e7ae83 
|host-unreachable |
Packit Service e7ae83 
1
Packit Service e7ae83 
|prot-unreachable|
Packit Service e7ae83 
2
Packit Service e7ae83 
|port-unreachable|
Packit Service e7ae83 
3
Packit Service e7ae83 
|net-prohibited|
Packit Service e7ae83 
9
Packit Service e7ae83 
|host-prohibited|
Packit Service e7ae83 
10
Packit Service e7ae83 
|admin-prohibited|
Packit Service e7ae83 
13
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
ICMPV6 TYPE TYPE
Packit Service e7ae83 
~~~~~~~~~~~~~~~~
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Name | Keyword | Size | Base type
Packit Service e7ae83 
|ICMPv6 Type |
Packit Service e7ae83 
icmpx_code |
Packit Service e7ae83 
8 bit |
Packit Service e7ae83 
integer
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
The ICMPv6 Type type is used to conveniently specify the ICMPv6 header's type field.
Packit Service e7ae83
Packit Service e7ae83 
.keywords may be used when specifying the ICMPv6 type:
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Keyword | Value
Packit Service e7ae83 
|destination-unreachable |
Packit Service e7ae83 
1
Packit Service e7ae83 
|packet-too-big|
Packit Service e7ae83 
2
Packit Service e7ae83 
|time-exceeded|
Packit Service e7ae83 
3
Packit Service e7ae83 
|parameter-problem|
Packit Service e7ae83 
4
Packit Service e7ae83 
|echo-request|
Packit Service e7ae83 
128
Packit Service e7ae83 
|echo-reply|
Packit Service e7ae83 
129
Packit Service e7ae83 
|mld-listener-query|
Packit Service e7ae83 
130
Packit Service e7ae83 
|mld-listener-report|
Packit Service e7ae83 
131
Packit Service e7ae83 
|mld-listener-done |
Packit Service e7ae83 
132
Packit Service e7ae83 
|mld-listener-reduction|
Packit Service e7ae83 
132
Packit Service e7ae83 
|nd-router-solicit |
Packit Service e7ae83 
133
Packit Service e7ae83 
|nd-router-advert|
Packit Service e7ae83 
134
Packit Service e7ae83 
|nd-neighbor-solicit|
Packit Service e7ae83 
135
Packit Service e7ae83 
|nd-neighbor-advert|
Packit Service e7ae83 
136
Packit Service e7ae83 
|nd-redirect|
Packit Service e7ae83 
137
Packit Service e7ae83 
|router-renumbering|
Packit Service e7ae83 
138
Packit Service e7ae83 
|ind-neighbor-solicit|
Packit Service e7ae83 
141
Packit Service e7ae83 
|ind-neighbor-advert|
Packit Service e7ae83 
142
Packit Service e7ae83 
|mld2-listener-report|
Packit Service e7ae83 
143
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
.ICMPv6 Type specification
Packit Service e7ae83 
--------------------------
Packit Service e7ae83 
# match ICMPv6 ping packets
Packit Service e7ae83 
filter output icmpv6 type { echo-request, echo-reply }
Packit Service e7ae83 
--------------------------
Packit Service e7ae83
Packit Service e7ae83 
ICMPV6 CODE TYPE
Packit Service e7ae83 
~~~~~~~~~~~~~~~~
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Name | Keyword | Size | Base type
Packit Service e7ae83 
|ICMPv6 Code |
Packit Service e7ae83 
icmpv6_code |
Packit Service e7ae83 
8 bit |
Packit Service e7ae83 
integer
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
The ICMPv6 Code type is used to conveniently specify the ICMPv6 header's code field.
Packit Service e7ae83
Packit Service e7ae83 
.keywords may be used when specifying the ICMPv6 code
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Keyword |Value
Packit Service e7ae83 
|no-route|
Packit Service e7ae83 
0
Packit Service e7ae83 
|admin-prohibited|
Packit Service e7ae83 
1
Packit Service e7ae83 
|addr-unreachable|
Packit Service e7ae83 
3
Packit Service e7ae83 
|port-unreachable|
Packit Service e7ae83 
4
Packit Service e7ae83 
|policy-fail|
Packit Service e7ae83 
5
Packit Service e7ae83 
|reject-route|
Packit Service e7ae83 
6
Packit Service e7ae83 
|==================
Packit Service e7ae83
Packit Service e7ae83 
ICMPVX CODE TYPE
Packit Service e7ae83 
~~~~~~~~~~~~~~~~
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Name | Keyword | Size | Base type
Packit Service e7ae83 
|ICMPvX Code |
Packit Service e7ae83 
icmpv6_type |
Packit Service e7ae83 
8 bit |
Packit Service e7ae83 
integer
Packit Service e7ae83 
|===================
Packit Service e7ae83
Packit Service e7ae83 
The ICMPvX Code type abstraction is a set of values which overlap between ICMP
Packit Service e7ae83 
and ICMPv6 Code types to be used from the inet family.
Packit Service e7ae83
Packit Service e7ae83 
.keywords may be used when specifying the ICMPvX code
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Keyword |Value
Packit Service e7ae83 
|no-route|
Packit Service e7ae83 
0
Packit Service e7ae83 
|port-unreachable|
Packit Service e7ae83 
1
Packit Service e7ae83 
|host-unreachable|
Packit Service e7ae83 
2
Packit Service e7ae83 
|admin-prohibited|
Packit Service e7ae83 
3
Packit Service e7ae83 
|=================
Packit Service e7ae83
Packit Service e7ae83 
CONNTRACK TYPES
Packit Service e7ae83 
~~~~~~~~~~~~~~~
Packit Service e7ae83
Packit Service e7ae83 
.overview of types used in ct expression and statement
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Name | Keyword |Size |Base type
Packit Service e7ae83 
|conntrack state|
Packit Service e7ae83 
ct_state|
Packit Service e7ae83 
4 byte|
Packit Service e7ae83 
bitmask
Packit Service e7ae83 
|conntrack direction|
Packit Service e7ae83 
ct_dir |
Packit Service e7ae83 
8 bit|
Packit Service e7ae83 
integer
Packit Service e7ae83 
|conntrack status|
Packit Service e7ae83 
ct_status|
Packit Service e7ae83 
4 byte|
Packit Service e7ae83 
bitmask
Packit Service e7ae83 
|conntrack event bits|
Packit Service e7ae83 
ct_event |
Packit Service e7ae83 
4 byte |
Packit Service e7ae83 
bitmask
Packit Service e7ae83 
|conntrack label|
Packit Service e7ae83 
ct_label |
Packit Service e7ae83 
128 bit|
Packit Service e7ae83 
bitmask
Packit Service e7ae83 
|=================
Packit Service e7ae83
Packit Service e7ae83 
For each of the types above, keywords are available for convenience:
Packit Service e7ae83
Packit Service e7ae83 
.conntrack state (ct_state)
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Keyword| Value
Packit Service e7ae83 
|invalid|
Packit Service e7ae83 
1
Packit Service e7ae83 
|established|
Packit Service e7ae83 
2
Packit Service e7ae83 
|related|
Packit Service e7ae83 
4
Packit Service e7ae83 
|new|
Packit Service e7ae83 
8
Packit Service e7ae83 
|untracked|
Packit Service e7ae83 
64
Packit Service e7ae83 
|================
Packit Service e7ae83
Packit Service e7ae83 
.conntrack direction (ct_dir)
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Keyword| Value
Packit Service e7ae83 
|original|
Packit Service e7ae83 
0
Packit Service e7ae83 
|reply|
Packit Service e7ae83 
1
Packit Service e7ae83 
|================
Packit Service e7ae83
Packit Service e7ae83 
.conntrack status (ct_status)
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Keyword| Value
Packit Service e7ae83 
|expected|
Packit Service e7ae83 
1
Packit Service e7ae83 
|seen-reply|
Packit Service e7ae83 
2
Packit Service e7ae83 
|assured|
Packit Service e7ae83 
4
Packit Service e7ae83 
|confirmed|
Packit Service e7ae83 
8
Packit Service e7ae83 
|snat|
Packit Service e7ae83 
16
Packit Service e7ae83 
|dnat|
Packit Service e7ae83 
32
Packit Service e7ae83 
|dying|
Packit Service e7ae83 
512
Packit Service e7ae83 
|================
Packit Service e7ae83
Packit Service e7ae83 
.conntrack event bits (ct_event)
Packit Service e7ae83 
[options="header"]
Packit Service e7ae83 
|==================
Packit Service e7ae83 
|Keyword| Value
Packit Service e7ae83 
|new|
Packit Service e7ae83 
1
Packit Service e7ae83 
|related|
Packit Service e7ae83 
2
Packit Service e7ae83 
|destroy|
Packit Service e7ae83 
4
Packit Service e7ae83 
|reply|
Packit Service e7ae83 
8
Packit Service e7ae83 
|assured|
Packit Service e7ae83 
16
Packit Service e7ae83 
|protoinfo|
Packit Service e7ae83 
32
Packit Service e7ae83 
|helper|
Packit Service e7ae83 
64
Packit Service e7ae83 
|mark|
Packit Service e7ae83 
128
Packit Service e7ae83 
|seqadj|
Packit Service e7ae83 
256
Packit Service e7ae83 
|secmark|
Packit Service e7ae83 
512
Packit Service e7ae83 
|label|
Packit Service e7ae83 
1024
Packit Service e7ae83 
|==================
Packit Service e7ae83
Packit Service e7ae83 
Possible keywords for conntrack label type (ct_label) are read at runtime from /etc/connlabel.conf.

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation