libnftables-json(5)
===================
Phil Sutter <phil@nwl.cc>
:doctype: manpage
:compat-mode!:

== NAME
libnftables-json - Supported JSON schema by libnftables

== SYNOPSIS
*{ "nftables": [* 'OBJECTS' *] }*

'OBJECTS' := 'LIST_OBJECTS' | 'CMD_OBJECTS'

'LIST_OBJECTS' := 'LIST_OBJECT' [ *,* 'LIST_OBJECTS' ]

'CMD_OBJECTS' := 'CMD_OBJECT' [ *,* 'CMD_OBJECTS' ]

'CMD_OBJECT' := *{* 'CMD'*:* 'LIST_OBJECT' *}* | 'METAINFO_OBJECT'

'CMD' := *"add"* | *"replace"* | *"create"* | *"insert"* | *"delete"* |
         *"list"* | *"reset"* | *"flush"* | *"rename"*

'LIST_OBJECT' := 'TABLE' | 'CHAIN' | 'RULE' | 'SET' | 'MAP' | 'ELEMENT' |
                 'FLOWTABLE' | 'COUNTER' | 'QUOTA' | 'CT_HELPER' | 'LIMIT' |
                 'METAINFO_OBJECT' | 'CT_TIMEOUT' | 'CT_EXPECTATION'

== DESCRIPTION
libnftables supports JSON-formatted input and output. This is implemented as an
alternative frontend to the standard CLI syntax parser, so basic behaviour is
identical and, for (almost) any operation available in standard syntax, there
should be an equivalent one in JSON.

JSON input may be provided in a single string as a parameter to
*nft_run_cmd_from_buffer()* or in a file identified by the 'filename' parameter
of the *nft_run_cmd_from_filename()* function.

JSON output has to be enabled via the *nft_ctx_output_set_json()* function, turning
the library's standard output into JSON format. Error output remains unaffected.

== GLOBAL STRUCTURE
In general, any JSON input or output is enclosed in an object with a single
property named 'nftables'. Its value is an array containing commands (for
input) or ruleset elements (for output).

A command is an object with a single property whose name identifies the command.
Its value is a ruleset element, basically identical to output elements apart
from certain properties which may be interpreted differently or are required
in input while output generally omits them.

== METAINFO OBJECT
In output, the first object in an *nftables* array is a special one containing
library information. Its content is as follows:

[verse]
*{ "metainfo": {
	"version":* 'STRING'*,
	"release_name":* 'STRING'*,
	"json_schema_version":* 'NUMBER'
*}}*

The values of the *version* and *release_name* properties are equal to the package
version and release name as printed by *nft -v*. The value of the
*json_schema_version* property is an integer indicating the schema version.

If supplied in library input, the parser will verify that the *json_schema_version*
value does not exceed the internally hardcoded one (to make sure the given schema is
fully understood). In future, a lower number than the internal one may activate
a compatibility mode to parse outdated and incompatible JSON input.

== COMMAND OBJECTS
The structure accepts an arbitrary number of commands which are interpreted in
order of appearance. For instance, the following standard syntax input:

----
flush ruleset
add table inet mytable
add chain inet mytable mychain
add rule inet mytable mychain tcp dport 22 accept
----

translates into JSON as such:

----
{ "nftables": [
    { "flush": { "ruleset": null }},
    { "add": { "table": {
        "family": "inet",
        "name": "mytable"
    }}},
    { "add": { "chain": {
        "family": "inet",
        "table": "mytable",
        "name": "mychain"
    }}},
    { "add": { "rule": {
        "family": "inet",
        "table": "mytable",
        "chain": "mychain",
        "expr": [
            { "match": {
                "left": { "payload": {
                    "protocol": "tcp",
                    "field": "dport"
                }},
                "right": 22
            }},
            { "accept": null }
        ]
    }}}
]}
----

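The translation above, built and checked programmatically. This is an added example, not code from the nftables project: it generates the command array for the four standard-syntax lines and validates the global structure (single *nftables* property, one-property command objects, known command names) and the *json_schema_version* rule from the METAINFO OBJECT section before the buffer would be passed to *nft_run_cmd_from_buffer()*. The supported schema version (1) is an assumption of this example.

```python
import json

# Assumed highest schema version this validator understands; a real caller
# would take it from the installed libnftables (assumption, not from the page).
SUPPORTED_SCHEMA_VERSION = 1

COMMANDS = {"add", "replace", "create", "insert", "delete",
            "list", "reset", "flush", "rename"}


def payload_match(protocol, field, value, op="=="):
    """A match statement comparing a packet header field with a constant."""
    return {"match": {
        "left": {"payload": {"protocol": protocol, "field": field}},
        "right": value,
        "op": op,
    }}


def build_ruleset(family, table, chain, rules):
    """Translate 'flush ruleset; add table; add chain; add rule ...' into the
    command array described in the COMMAND OBJECTS section."""
    cmds = [
        {"flush": {"ruleset": None}},
        {"add": {"table": {"family": family, "name": table}}},
        {"add": {"chain": {"family": family, "table": table, "name": chain}}},
    ]
    for expr in rules:
        cmds.append({"add": {"rule": {
            "family": family, "table": table, "chain": chain, "expr": expr,
        }}})
    return {"nftables": cmds}


def validate_input(doc):
    """Check the global structure of a JSON input document.
    Returns a list of problems; an empty list means the structure is acceptable."""
    if not isinstance(doc, dict) or list(doc) != ["nftables"]:
        return ["top-level value must be an object with the single property 'nftables'"]
    cmds = doc["nftables"]
    if not isinstance(cmds, list):
        return ["'nftables' must be an array"]
    problems = []
    for i, cmd in enumerate(cmds):
        if not isinstance(cmd, dict) or len(cmd) != 1:
            problems.append(f"command {i}: must be an object with exactly one property")
            continue
        (key, value), = cmd.items()
        if key == "metainfo":
            ver = value.get("json_schema_version") if isinstance(value, dict) else None
            # The parser rejects a schema version newer than the one it knows.
            if not isinstance(ver, int) or ver > SUPPORTED_SCHEMA_VERSION:
                problems.append(f"command {i}: json_schema_version {ver!r} not supported "
                                f"(max {SUPPORTED_SCHEMA_VERSION})")
        elif key not in COMMANDS:
            problems.append(f"command {i}: unknown command {key!r}")
        elif not isinstance(value, dict) or len(value) != 1:
            problems.append(f"command {i}: {key!r} needs exactly one ruleset element")
    return problems


def example_ruleset():
    """The page's example: accept TCP to port 22 in inet/mytable/mychain."""
    rules = [[payload_match("tcp", "dport", 22), {"accept": None}]]
    return build_ruleset("inet", "mytable", "mychain", rules)


def example_buffer():
    """The same document as a string suitable for nft_run_cmd_from_buffer()."""
    return json.dumps(example_ruleset(), indent=2)


if __name__ == "__main__":
    print(example_buffer())
    print("problems:", validate_input(example_ruleset()))
```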
=== ADD
[verse]
____
*{ "add":* 'ADD_OBJECT' *}*

'ADD_OBJECT' := 'TABLE' | 'CHAIN' | 'RULE' | 'SET' | 'MAP' | 'ELEMENT' |
                'FLOWTABLE' | 'COUNTER' | 'QUOTA' | 'CT_HELPER' | 'LIMIT' |
                'CT_TIMEOUT' | 'CT_EXPECTATION'
____

Add a new ruleset element to the kernel.

=== REPLACE
[verse]
*{ "replace":* 'RULE' *}*

Replace a rule. In 'RULE', the *handle* property is mandatory and identifies the
rule to be replaced.

=== CREATE
[verse]
*{ "create":* 'ADD_OBJECT' *}*

Identical to the *add* command, but returns an error if the object already exists.

=== INSERT
[verse]
*{ "insert":* 'RULE' *}*

This command is identical to *add* for rules, but instead of appending the rule
to the chain by default, it inserts it at the first position. If a *handle* or
*index* property is given, the rule is inserted before the rule identified by
that property.

=== DELETE
[verse]
*{ "delete":* 'ADD_OBJECT' *}*

Delete an object from the ruleset. Only the minimal number of properties
required to uniquely identify an object is generally needed in 'ADD_OBJECT'. For
most ruleset elements, this is *family* and *table* plus either *handle* or
*name* (except for rules, which have no name).

=== LIST
[verse]
____
*{ "list":* 'LIST_OBJECT' *}*

'LIST_OBJECT' := 'TABLE' | 'TABLES' | 'CHAIN' | 'CHAINS' | 'SET' | 'SETS' |
                 'MAP' | 'MAPS' | 'COUNTER' | 'COUNTERS' | 'QUOTA' | 'QUOTAS' |
                 'CT_HELPER' | 'CT_HELPERS' | 'LIMIT' | 'LIMITS' | 'RULESET' |
                 'METER' | 'METERS' | 'FLOWTABLE' | 'FLOWTABLES' |
                 'CT_TIMEOUT' | 'CT_EXPECTATION'
____

List ruleset elements. The plural forms are used to list all objects of that
kind, optionally filtered by *family* and, for some, also by *table*.

=== RESET
[verse]
____
*{ "reset":* 'RESET_OBJECT' *}*

'RESET_OBJECT' := 'COUNTER' | 'COUNTERS' | 'QUOTA' | 'QUOTAS'
____

Reset state in suitable objects, i.e. zero their internal counter.

=== FLUSH
[verse]
____
*{ "flush":* 'FLUSH_OBJECT' *}*

'FLUSH_OBJECT' := 'TABLE' | 'CHAIN' | 'SET' | 'MAP' | 'METER' | 'RULESET'
____

Empty the contents of the given object, e.g. remove all chains from the given
*table* or remove all elements from the given *set*.

=== RENAME
[verse]
*{ "rename":* 'CHAIN' *}*

Rename a chain. The new name is expected in a dedicated property named
*newname*.

== RULESET ELEMENTS

=== TABLE
[verse]
*{ "table": {
	"family":* 'STRING'*,
	"name":* 'STRING'*,
	"handle":* 'NUMBER'
*}}*

This object describes a table.

*family*::
	The table's family, e.g. *"ip"* or *"ip6"*.
*name*::
	The table's name.
*handle*::
	The table's handle. In input, it is used only in the *delete* command as
	an alternative to *name*.

=== CHAIN
[verse]
*{ "chain": {
	"family":* 'STRING'*,
	"table":* 'STRING'*,
	"name":* 'STRING'*,
	"newname":* 'STRING'*,
	"handle":* 'NUMBER'*,
	"type":* 'STRING'*,
	"hook":* 'STRING'*,
	"prio":* 'NUMBER'*,
	"dev":* 'STRING'*,
	"policy":* 'STRING'
*}}*

This object describes a chain.

*family*::
	The table's family.
*table*::
	The table's name.
*name*::
	The chain's name.
*handle*::
	The chain's handle. In input, it is used only in the *delete* command as
	an alternative to *name*.
*newname*::
	A new name for the chain, only relevant in the *rename* command.

The following properties are required for base chains:

*type*::
	The chain's type.
*hook*::
	The chain's hook.
*prio*::
	The chain's priority.
*dev*::
	The chain's bound interface (if in the netdev family).
*policy*::
	The chain's policy.

=== RULE
[verse]
____
*{ "rule": {
	"family":* 'STRING'*,
	"table":* 'STRING'*,
	"chain":* 'STRING'*,
	"expr": [* 'STATEMENTS' *],
	"handle":* 'NUMBER'*,
	"index":* 'NUMBER'*,
	"comment":* 'STRING'
*}}*

'STATEMENTS' := 'STATEMENT' [*,* 'STATEMENTS' ]
____

This object describes a rule. The basic building blocks of rules are statements.
Each rule consists of at least one.

*family*::
	The table's family.
*table*::
	The table's name.
*chain*::
	The chain's name.
*expr*::
	An array of statements this rule consists of. In input, it is used in
	*add*/*insert*/*replace* commands only.
*handle*::
	The rule's handle. In *delete*/*replace* commands, it serves as an identifier
	of the rule to delete/replace. In *add*/*insert* commands, it serves as
	an identifier of an existing rule to append/prepend the rule to.
*index*::
	The rule's position for *add*/*insert* commands. It is used as an alternative to
	*handle* then.
*comment*::
	Optional rule comment.

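A model of how *add*, *insert*, *replace* and *delete* place or remove a rule in a chain according to the *handle* and *index* properties described above (for the INSERT command and the RULE object). This is an added example, not libnftables code; it assumes kernel-style handles that increase monotonically and an *index* that is the 0-based position of an existing rule, and it uses short strings as stand-ins for the *expr* arrays.

```python
class Chain:
    """Ordered rules of one chain, kept as (handle, expr) in kernel order."""

    def __init__(self):
        self.rules = []
        self._next_handle = 1        # assumption: handles are assigned in sequence

    def _reference(self, rule):
        """Position of the existing rule named by 'handle' or 'index', or None."""
        if "handle" in rule and "index" in rule:
            raise ValueError("handle and index are alternatives, not both")
        if "handle" in rule:
            for pos, (handle, _) in enumerate(self.rules):
                if handle == rule["handle"]:
                    return pos
            raise LookupError(f"no rule with handle {rule['handle']}")
        if "index" in rule:
            if not 0 <= rule["index"] < len(self.rules):
                raise LookupError(f"no rule at index {rule['index']}")
            return rule["index"]
        return None

    def run(self, cmd):
        """Apply one {CMD: {"rule": {...}}} command; returns the affected handle."""
        (verb, obj), = cmd.items()
        rule = obj["rule"]
        ref = self._reference(rule)
        if verb == "replace":                 # handle is mandatory, expr replaced in place
            if "handle" not in rule:
                raise ValueError("replace requires a handle")
            self.rules[ref] = (rule["handle"], rule["expr"])
            return rule["handle"]
        if verb == "delete":                  # rules have no name, so only handle works
            if "handle" not in rule:
                raise ValueError("delete identifies a rule by its handle")
            del self.rules[ref]
            return rule["handle"]
        if verb == "add":                     # append, or append after the reference
            pos = len(self.rules) if ref is None else ref + 1
        elif verb == "insert":                # prepend, or insert before the reference
            pos = 0 if ref is None else ref
        else:
            raise ValueError(f"unsupported command {verb!r}")
        handle = self._next_handle
        self._next_handle += 1
        self.rules.insert(pos, (handle, rule["expr"]))
        return handle

    def order(self):
        """The chain's rules (expr stand-ins) in traversal order."""
        return [expr for _, expr in self.rules]


def rule(expr=None, **ident):
    """Build the RULE object; expr is omitted for delete, as the page describes."""
    r = {"family": "inet", "table": "mytable", "chain": "mychain", **ident}
    if expr is not None:
        r["expr"] = expr
    return {"rule": r}


def demo():
    chain = Chain()
    h1 = chain.run({"add": rule("A")})                 # [A]
    h2 = chain.run({"add": rule("B")})                 # [A, B]
    chain.run({"insert": rule("C")})                   # [C, A, B]
    chain.run({"add": rule("D", handle=h1)})           # [C, A, D, B]  after A
    chain.run({"insert": rule("E", index=3)})          # [C, A, D, E, B]  before B
    chain.run({"replace": rule("F", handle=h2)})       # [C, A, D, E, F]
    chain.run({"delete": rule(handle=h1)})             # [C, D, E, F]
    return chain.order()


if __name__ == "__main__":
    print(demo())
```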
|
Packit |
c5a612 |
=== SET / MAP
|
|
Packit |
c5a612 |
[verse]
|
|
Packit |
c5a612 |
____
|
|
Packit |
c5a612 |
*{ "set": {
|
|
Packit |
c5a612 |
"family":* 'STRING'*,
|
|
Packit |
c5a612 |
"table":* 'STRING'*,
|
|
Packit |
c5a612 |
"name":* 'STRING'*,
|
|
Packit |
c5a612 |
"handle":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"type":* 'SET_TYPE'*,
|
|
Packit |
c5a612 |
"policy":* 'SET_POLICY'*,
|
|
Packit |
c5a612 |
"flags": [* 'SET_FLAG_LIST' *],
|
|
Packit |
c5a612 |
"elem":* 'SET_ELEMENTS'*,
|
|
Packit |
c5a612 |
"timeout":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"gc-interval":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"size":* 'NUMBER'
|
|
Packit |
c5a612 |
*}}*
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
*{ "map": {
|
|
Packit |
c5a612 |
"family":* 'STRING'*,
|
|
Packit |
c5a612 |
"table":* 'STRING'*,
|
|
Packit |
c5a612 |
"name":* 'STRING'*,
|
|
Packit |
c5a612 |
"handle":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"type":* 'SET_TYPE'*,
|
|
Packit |
c5a612 |
"map":* 'STRING'*,
|
|
Packit |
c5a612 |
"policy":* 'SET_POLICY'*,
|
|
Packit |
c5a612 |
"flags": [* 'SET_FLAG_LIST' *],
|
|
Packit |
c5a612 |
"elem":* 'SET_ELEMENTS'*,
|
|
Packit |
c5a612 |
"timeout":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"gc-interval":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"size":* 'NUMBER'
|
|
Packit |
c5a612 |
*}}*
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
'SET_TYPE' := 'STRING' | *[* 'SET_TYPE_LIST' *]*
|
|
Packit |
c5a612 |
'SET_TYPE_LIST' := 'STRING' [*,* 'SET_TYPE_LIST' ]
|
|
Packit |
c5a612 |
'SET_POLICY' := *"performance"* | *"memory"*
|
|
Packit |
c5a612 |
'SET_FLAG_LIST' := 'SET_FLAG' [*,* 'SET_FLAG_LIST' ]
|
|
Packit |
c5a612 |
'SET_FLAG' := *"constant"* | *"interval"* | *"timeout"*
|
|
Packit |
c5a612 |
'SET_ELEMENTS' := 'EXPRESSION' | *[* 'EXPRESSION_LIST' *]*
|
|
Packit |
c5a612 |
'EXPRESSION_LIST' := 'EXPRESSION' [*,* 'EXPRESSION_LIST' ]
|
|
Packit |
c5a612 |
____
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
These objects describe a named set or map. Maps are a special form of sets in
|
|
Packit |
c5a612 |
that they translate a unique key to a value.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
*family*::
|
|
Packit |
c5a612 |
The table's family.
|
|
Packit |
c5a612 |
*table*::
|
|
Packit |
c5a612 |
The table's name.
|
|
Packit |
c5a612 |
*name*::
|
|
Packit |
c5a612 |
The set's name.
|
|
Packit |
c5a612 |
*handle*::
|
|
Packit |
c5a612 |
The set's handle. For input, it is used in the *delete* command only.
|
|
Packit |
c5a612 |
*type*::
|
|
Packit |
c5a612 |
The set's datatype, see below.
|
|
Packit |
c5a612 |
*map*::
|
|
Packit |
c5a612 |
Type of values this set maps to (i.e. this set is a map).
|
|
Packit |
c5a612 |
*policy*::
|
|
Packit |
c5a612 |
The set's policy.
|
|
Packit |
c5a612 |
*flags*::
|
|
Packit |
c5a612 |
The set's flags.
|
|
Packit |
c5a612 |
*elem*::
|
|
Packit |
c5a612 |
Initial set element(s), see below.
|
|
Packit |
c5a612 |
*timeout*::
|
|
Packit |
c5a612 |
Element timeout in seconds.
|
|
Packit |
c5a612 |
*gc-interval*::
|
|
Packit |
c5a612 |
Garbage collector interval in seconds.
|
|
Packit |
c5a612 |
*size*::
|
|
Packit |
c5a612 |
Maximum number of elements supported.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
==== TYPE
|
|
Packit |
c5a612 |
The set type might be a string, such as *"ipv4_addr"* or an array
|
|
Packit |
c5a612 |
consisting of strings (for concatenated types).
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
==== ELEM
|
|
Packit |
c5a612 |
A single set element might be given as string, integer or boolean value for
|
|
Packit |
c5a612 |
simple cases. If additional properties are required, a formal *elem* object may
|
|
Packit |
c5a612 |
be used.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
Multiple elements may be given in an array.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
=== ELEMENT
|
|
Packit |
c5a612 |
[verse]
|
|
Packit |
c5a612 |
____
|
|
Packit |
c5a612 |
*{ "element": {
|
|
Packit |
c5a612 |
"family":* 'STRING'*,
|
|
Packit |
c5a612 |
"table":* 'STRING'*,
|
|
Packit |
c5a612 |
"name":* 'STRING'*,
|
|
Packit |
c5a612 |
"elem":* 'SET_ELEM'
|
|
Packit |
c5a612 |
*}}*
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
'SET_ELEM' := 'EXPRESSION' | *[* 'EXPRESSION_LIST' *]*
|
|
Packit |
c5a612 |
'EXPRESSION_LIST' := 'EXPRESSION' [*,* 'EXPRESSION' ]
|
|
Packit |
c5a612 |
____
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
Manipulate element(s) in a named set.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
*family*::
|
|
Packit |
c5a612 |
The table's family.
|
|
Packit |
c5a612 |
*table*::
|
|
Packit |
c5a612 |
The table's name.
|
|
Packit |
c5a612 |
*name*::
|
|
Packit |
c5a612 |
The set's name.
|
|
Packit |
c5a612 |
*elem*::
|
|
Packit |
c5a612 |
See elem property of set object.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
=== FLOWTABLE
|
|
Packit |
c5a612 |
[verse]
|
|
Packit |
c5a612 |
____
|
|
Packit |
c5a612 |
*{ "flowtable": {
|
|
Packit |
c5a612 |
"family":* 'STRING'*,
|
|
Packit |
c5a612 |
"table":* 'STRING'*,
|
|
Packit |
c5a612 |
"name":* 'STRING'*,
|
|
Packit |
c5a612 |
"handle":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"hook":* 'STRING'*,
|
|
Packit |
c5a612 |
"prio":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"dev":* 'FT_INTERFACE'
|
|
Packit |
c5a612 |
*}}*
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
'FT_INTERFACE' := 'STRING' | *[* 'FT_INTERFACE_LIST' *]*
|
|
Packit |
c5a612 |
'FT_INTERFACE_LIST' := 'STRING' [*,* 'STRING' ]
|
|
Packit |
c5a612 |
____
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
This object represents a named flowtable.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
*family*::
|
|
Packit |
c5a612 |
The table's family.
|
|
Packit |
c5a612 |
*table*::
|
|
Packit |
c5a612 |
The table's name.
|
|
Packit |
c5a612 |
*name*::
|
|
Packit |
c5a612 |
The flow table's name.
|
|
Packit |
c5a612 |
*handle*::
|
|
Packit |
c5a612 |
The flow table's handle. In input, it is used by the *delete* command only.
|
|
Packit |
c5a612 |
*hook*::
|
|
Packit |
c5a612 |
The flow table's hook.
|
|
Packit |
c5a612 |
*prio*::
|
|
Packit |
c5a612 |
The flow table's priority.
|
|
Packit |
c5a612 |
*dev*::
|
|
Packit |
c5a612 |
The flow table's interface(s).
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
=== COUNTER
|
|
Packit |
c5a612 |
[verse]
|
|
Packit |
c5a612 |
*{ "counter": {
|
|
Packit |
c5a612 |
"family":* 'STRING'*,
|
|
Packit |
c5a612 |
"table":* 'STRING'*,
|
|
Packit |
c5a612 |
"name":* 'STRING'*,
|
|
Packit |
c5a612 |
"handle":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"packets":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"bytes":* 'NUMBER'
|
|
Packit |
c5a612 |
*}}*
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
This object represents a named counter.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
*family*::
|
|
Packit |
c5a612 |
The table's family.
|
|
Packit |
c5a612 |
*table*::
|
|
Packit |
c5a612 |
The table's name.
|
|
Packit |
c5a612 |
*name*::
|
|
Packit |
c5a612 |
The counter's name.
|
|
Packit |
c5a612 |
*handle*::
|
|
Packit |
c5a612 |
The counter's handle. In input, it is used by the *delete* command only.
|
|
Packit |
c5a612 |
*packets*::
|
|
Packit |
c5a612 |
Packet counter value.
|
|
Packit |
c5a612 |
*bytes*::
|
|
Packit |
c5a612 |
Byte counter value.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
=== QUOTA
|
|
Packit |
c5a612 |
[verse]
|
|
Packit |
c5a612 |
*{ "quota": {
|
|
Packit |
c5a612 |
"family":* 'STRING'*,
|
|
Packit |
c5a612 |
"table":* 'STRING'*,
|
|
Packit |
c5a612 |
"name":* 'STRING'*,
|
|
Packit |
c5a612 |
"handle":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"bytes":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"used":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"inv":* 'BOOLEAN'
|
|
Packit |
c5a612 |
*}}*
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
This object represents a named quota.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
*family*::
|
|
Packit |
c5a612 |
The table's family.
|
|
Packit |
c5a612 |
*table*::
|
|
Packit |
c5a612 |
The table's name.
|
|
Packit |
c5a612 |
*name*::
|
|
Packit |
c5a612 |
The quota's name.
|
|
Packit |
c5a612 |
*handle*::
|
|
Packit |
c5a612 |
The quota's handle. In input, it is used by the *delete* command only.
|
|
Packit |
c5a612 |
*bytes*::
|
|
Packit |
c5a612 |
Quota threshold.
|
|
Packit |
c5a612 |
*used*::
|
|
Packit |
c5a612 |
Quota used so far.
|
|
Packit |
c5a612 |
*inv*::
|
|
Packit |
c5a612 |
If true, match if the quota has been exceeded.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
=== CT HELPER
|
|
Packit |
c5a612 |
[verse]
|
|
Packit |
c5a612 |
____
|
|
Packit |
c5a612 |
*{ "ct helper": {
|
|
Packit |
c5a612 |
"family":* 'STRING'*,
|
|
Packit |
c5a612 |
"table":* 'STRING'*,
|
|
Packit |
c5a612 |
"name":* 'STRING'*,
|
|
Packit |
c5a612 |
"handle":* '... '*,
|
|
Packit |
c5a612 |
"type":* 'STRING'*,
|
|
Packit |
c5a612 |
"protocol":* 'CTH_PROTO'*,
|
|
Packit |
c5a612 |
"l3proto":* 'STRING'
|
|
Packit |
c5a612 |
*}}*
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
'CTH_PROTO' := *"tcp"* | *"udp"*
|
|
Packit |
c5a612 |
____
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
This object represents a named conntrack helper.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
*family*::
|
|
Packit |
c5a612 |
The table's family.
|
|
Packit |
c5a612 |
*table*::
|
|
Packit |
c5a612 |
The table's name.
|
|
Packit |
c5a612 |
*name*::
|
|
Packit |
c5a612 |
The ct helper's name.
|
|
Packit |
c5a612 |
*handle*::
|
|
Packit |
c5a612 |
The ct helper's handle. In input, it is used by the *delete* command only.
|
|
Packit |
c5a612 |
*type*::
|
|
Packit |
c5a612 |
The ct helper type name, e.g. *"ftp"* or *"tftp"*.
|
|
Packit |
c5a612 |
*protocol*::
|
|
Packit |
c5a612 |
The ct helper's layer 4 protocol.
|
|
Packit |
c5a612 |
*l3proto*::
|
|
Packit |
c5a612 |
The ct helper's layer 3 protocol, e.g. *"ip"* or *"ip6"*.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
=== LIMIT
|
|
Packit |
c5a612 |
[verse]
|
|
Packit |
c5a612 |
____
|
|
Packit |
c5a612 |
*{ "limit": {
|
|
Packit |
c5a612 |
"family":* 'STRING'*,
|
|
Packit |
c5a612 |
"table":* 'STRING'*,
|
|
Packit |
c5a612 |
"name":* 'STRING'*,
|
|
Packit |
c5a612 |
"handle":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"rate":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"per":* 'STRING'*,
|
|
Packit |
c5a612 |
"burst":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"unit":* 'LIMIT_UNIT'*,
|
|
Packit |
c5a612 |
"inv":* 'BOOLEAN'
|
|
Packit |
c5a612 |
*}}*
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
'LIMIT_UNIT' := *"packets"* | *"bytes"*
|
|
Packit |
c5a612 |
____
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
This object represents a named limit.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
*family*::
|
|
Packit |
c5a612 |
The table's family.
|
|
Packit |
c5a612 |
*table*::
|
|
Packit |
c5a612 |
The table's name.
|
|
Packit |
c5a612 |
*name*::
|
|
Packit |
c5a612 |
The limit's name.
|
|
Packit |
c5a612 |
*handle*::
|
|
Packit |
c5a612 |
The limit's handle. In input, it is used by the *delete* command only.
|
|
Packit |
c5a612 |
*rate*::
|
|
Packit |
c5a612 |
The limit's rate value.
|
|
Packit |
c5a612 |
*per*::
|
|
Packit |
c5a612 |
Time unit to apply the limit to, e.g. *"week"*, *"day"*, *"hour"*, etc.
|
|
Packit |
c5a612 |
If omitted, defaults to *"second"*.
|
|
Packit |
c5a612 |
*burst*::
|
|
Packit |
c5a612 |
The limit's burst value. If omitted, defaults to *0*.
|
|
Packit |
c5a612 |
*unit*::
|
|
Packit |
c5a612 |
Unit of rate and burst values. If omitted, defaults to *"packets"*.
|
|
Packit |
c5a612 |
*inv*::
|
|
Packit |
c5a612 |
If true, match if limit was exceeded. If omitted, defaults to *false*.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
=== CT TIMEOUT
|
|
Packit |
c5a612 |
[verse]
|
|
Packit |
c5a612 |
____
|
|
Packit |
c5a612 |
*{ "ct timeout": {
|
|
Packit |
c5a612 |
"family":* 'STRING'*,
|
|
Packit |
c5a612 |
"table":* 'STRING'*,
|
|
Packit |
c5a612 |
"name":* 'STRING'*,
|
|
Packit |
c5a612 |
"handle":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"protocol":* 'CTH_PROTO'*,
|
|
Packit |
c5a612 |
"state":* 'STRING'*,
|
|
Packit |
c5a612 |
"value:* 'NUMBER'*,
|
|
Packit |
c5a612 |
"l3proto":* 'STRING'
|
|
Packit |
c5a612 |
*}}*
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
'CTH_PROTO' := *"tcp"* | *"udp"* | *"dccp"* | *"sctp"* | *"gre"* | *"icmpv6"* | *"icmp"* | *"generic"*
|
|
Packit |
c5a612 |
____
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
This object represents a named conntrack timeout policy.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
*family*::
|
|
Packit |
c5a612 |
The table's family.
|
|
Packit |
c5a612 |
*table*::
|
|
Packit |
c5a612 |
The table's name.
|
|
Packit |
c5a612 |
*name*::
|
|
Packit |
c5a612 |
The ct timeout object's name.
|
|
Packit |
c5a612 |
*handle*::
|
|
Packit |
c5a612 |
The ct timeout object's handle. In input, it is used by *delete* command only.
|
|
Packit |
c5a612 |
*protocol*::
|
|
Packit |
c5a612 |
The ct timeout object's layer 4 protocol.
|
|
Packit |
c5a612 |
*state*::
|
|
Packit |
c5a612 |
The connection state name, e.g. *"established"*, *"syn_sent"*, *"close"* or
|
|
Packit |
c5a612 |
*"close_wait"*, for which the timeout value has to be updated.
|
|
Packit |
c5a612 |
*value*::
|
|
Packit |
c5a612 |
The updated timeout value for the specified connection state.
|
|
Packit |
c5a612 |
*l3proto*::
|
|
Packit |
c5a612 |
The ct timeout object's layer 3 protocol, e.g. *"ip"* or *"ip6"*.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
=== CT EXPECTATION
|
|
Packit |
c5a612 |
[verse]
|
|
Packit |
c5a612 |
____
|
|
Packit |
c5a612 |
*{ "ct expectation": {
|
|
Packit |
c5a612 |
"family":* 'STRING'*,
|
|
Packit |
c5a612 |
"table":* 'STRING'*,
|
|
Packit |
c5a612 |
"name":* 'STRING'*,
|
|
Packit |
c5a612 |
"handle":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"l3proto":* 'STRING'
|
|
Packit |
c5a612 |
"protocol":* 'CTH_PROTO'*,
|
|
Packit |
c5a612 |
"dport":* 'NUMBER'*,
|
|
Packit |
c5a612 |
"timeout:* 'NUMBER'*,
|
|
Packit |
c5a612 |
"size:* 'NUMBER'*,
|
|
Packit |
c5a612 |
*}}*
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
'CTH_PROTO' := *"tcp"* | *"udp"* | *"dccp"* | *"sctp"* | *"gre"* | *"icmpv6"* | *"icmp"* | *"generic"*
|
|
Packit |
c5a612 |
____
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
This object represents a named conntrack expectation.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
*family*::
|
|
Packit |
c5a612 |
The table's family.
|
|
Packit |
c5a612 |
*table*::
|
|
Packit |
c5a612 |
The table's name.
|
|
Packit |
c5a612 |
*name*::
|
|
Packit |
c5a612 |
The ct expectation object's name.
|
|
Packit |
c5a612 |
*handle*::
|
|
Packit |
c5a612 |
The ct expectation object's handle. In input, it is used by *delete* command only.
|
|
Packit |
c5a612 |
*l3proto*::
|
|
Packit |
c5a612 |
The ct expectation object's layer 3 protocol, e.g. *"ip"* or *"ip6"*.
|
|
Packit |
c5a612 |
*protocol*::
|
|
Packit |
c5a612 |
The ct expectation object's layer 4 protocol.
|
|
Packit |
c5a612 |
*dport*::
|
|
Packit |
c5a612 |
The destination port of the expected connection.
|
|
Packit |
c5a612 |
*timeout*::
|
|
Packit |
c5a612 |
The time in millisecond that this expectation will live.
|
|
Packit |
c5a612 |
*size*::
|
|
Packit |
c5a612 |
The maximum count of expectations to be living in the same time.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
== STATEMENTS
|
|
Packit |
c5a612 |
Statements are the building blocks for rules. Each rule consists of at least
|
|
Packit |
c5a612 |
one.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
=== VERDICT
|
|
Packit |
c5a612 |
[verse]
|
|
Packit |
c5a612 |
*{ "accept": null }*
|
|
Packit |
c5a612 |
*{ "drop": null }*
|
|
Packit |
c5a612 |
*{ "continue": null }*
|
|
Packit |
c5a612 |
*{ "return": null }*
|
|
Packit |
c5a612 |
*{ "jump": { "target": * 'STRING' *}}*
|
|
Packit |
c5a612 |
*{ "goto": { "target": * 'STRING' *}}*
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
A verdict either terminates packet traversal through the current chain or
|
|
Packit |
c5a612 |
delegates to a different one.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
*jump* and *goto* statements expect a target chain name.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
=== MATCH
|
|
Packit |
c5a612 |
[verse]
|
|
Packit |
c5a612 |
*{ "match": {
|
|
Packit |
c5a612 |
"left":* 'EXPRESSION'*,
|
|
Packit |
c5a612 |
"right":* 'EXPRESSION'*,
|
|
Packit |
c5a612 |
"op":* 'STRING'
|
|
Packit |
c5a612 |
*}}*
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
This matches the expression on left hand side (typically a packet header or packet meta
|
|
Packit |
c5a612 |
info) with the expression on right hand side (typically a constant value). If the
|
|
Packit |
c5a612 |
statement evaluates to true, the next statement in this rule is considered. If not,
|
|
Packit |
c5a612 |
processing continues with the next rule in the same chain.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
*left*::
|
|
Packit |
c5a612 |
Left hand side of this match.
|
|
Packit |
c5a612 |
*right*::
|
|
Packit |
c5a612 |
Right hand side of this match.
|
|
Packit |
c5a612 |
*op*::
|
|
Packit |
c5a612 |
Operator indicating the type of comparison.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
==== OPERATORS
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
[horizontal]
|
|
Packit |
c5a612 |
*&*:: Binary AND
|
|
Packit |
c5a612 |
*|*:: Binary OR
|
|
Packit |
c5a612 |
*^*:: Binary XOR
|
|
Packit |
c5a612 |
*<<*:: Left shift
|
|
Packit |
c5a612 |
*>>*:: Right shift
|
|
Packit |
c5a612 |
*==*:: Equal
|
|
Packit |
c5a612 |
*!=*:: Not equal
|
|
Packit |
c5a612 |
*<*:: Less than
|
|
Packit |
c5a612 |
*>*:: Greater than
|
|
Packit |
c5a612 |
*<=*:: Less than or equal to
|
|
Packit |
c5a612 |
*>=*:: Greater than or equal to
|
|
Packit |
c5a612 |
*in*:: Perform a lookup, i.e. test if bits on RHS are contained in LHS value
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
Unlike with the standard API, the operator is mandatory here. In the standard API,
|
|
Packit |
c5a612 |
a missing operator may be resolved in two ways, depending on the type of expression
|
|
Packit |
c5a612 |
on the RHS:
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
- If the RHS is a bitmask or a list of bitmasks, the expression resolves into a
|
|
Packit |
c5a612 |
binary operation with the inequality operator, like this: '+LHS & RHS != 0+'.
|
|
Packit |
c5a612 |
- In any other case, the equality operator is simply inserted.
|
|
Packit |
c5a612 |
|
|
Packit |
c5a612 |
For the non-trivial first case, the JSON API supports the *in* operator.
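As an added example that is not part of this manpage or of the nftables project, the following Python helper builds a *match* statement the way the standard API resolves a missing operator, and rewrites an *in* match into the explicit '+LHS & RHS != 0+' form described above (using the *&* binary operation expression). Whether the RHS is a bitmask is passed in by the caller, since the standard parser derives that from the datatype; the sample payload expressions are constructed here.

```python
import json

# Operators accepted by the JSON "match" statement (the OPERATORS table).
MATCH_OPERATORS = {"&", "|", "^", "<<", ">>", "==", "!=",
                   "<", ">", "<=", ">=", "in"}


def json_match(left, right, op=None, *, rhs_is_bitmask=False):
    """Build a {"match": ...} statement with all three mandatory properties.

    When the caller leaves the operator out, it is resolved the way the
    standard API does: a bitmask RHS becomes an "in" lookup, anything else
    an equality test.  Whether the RHS is a bitmask is the caller's call
    here; the standard parser derives it from the datatype.
    """
    if op is None:
        op = "in" if rhs_is_bitmask else "=="
    if op not in MATCH_OPERATORS:
        raise ValueError(f"unsupported match operator: {op!r}")
    return {"match": {"left": left, "right": right, "op": op}}


def expand_in(stmt):
    """Rewrite an "in" match into the explicit form the standard API uses,
    LHS & RHS != 0, with the "&" binary operation expression as LHS.
    Matches using any other operator are returned unchanged."""
    m = stmt["match"]
    if m["op"] != "in":
        return stmt
    return {"match": {"left": {"&": [m["left"], m["right"]]},
                      "right": 0, "op": "!="}}


def validate_match(stmt):
    """True only if the object has exactly left, right and op, and op is
    one of the documented operators (the JSON API never infers it)."""
    m = stmt.get("match") if isinstance(stmt, dict) else None
    if not isinstance(m, dict) or set(m) != {"left", "right", "op"}:
        return False
    return m["op"] in MATCH_OPERATORS


# Constructed samples: "tcp flags syn" has a bitmask RHS and so resolves to
# an "in" lookup; "tcp dport 22" resolves to an equality test.
TCP_FLAGS = {"payload": {"protocol": "tcp", "field": "flags"}}
TCP_DPORT = {"payload": {"protocol": "tcp", "field": "dport"}}
SYN_MATCH = json_match(TCP_FLAGS, "syn", rhs_is_bitmask=True)
SSH_MATCH = json_match(TCP_DPORT, 22)

if __name__ == "__main__":
    for stmt in (SYN_MATCH, expand_in(SYN_MATCH), SSH_MATCH):
        print(json.dumps(stmt), validate_match(stmt))
```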

=== COUNTER
[verse]
____
*{ "counter": {
	"packets":* 'NUMBER'*,
	"bytes":* 'NUMBER'
*}}*

*{ "counter":* 'STRING' *}*
____

This object represents a byte/packet counter. In input, no properties are
required. If given, they act as initial values for the counter.

The first form creates an anonymous counter which lives in the rule it appears
in. The second form specifies a reference to a named counter object.

*packets*::
	Packets counted.
*bytes*::
	Bytes counted.

=== MANGLE
[verse]
*{ "mangle": {
	"key":* 'EXPRESSION'*,
	"value":* 'EXPRESSION'
*}}*

This changes the packet data or meta info.

*key*::
	The packet data to be changed, given as an *exthdr*, *payload*, *meta*, *ct* or
	*ct helper* expression.
*value*::
	Value to change data to.

=== QUOTA
[verse]
____
*{ "quota": {
	"val":* 'NUMBER'*,
	"val_unit":* 'STRING'*,
	"used":* 'NUMBER'*,
	"used_unit":* 'STRING'*,
	"inv":* 'BOOLEAN'
*}}*

*{ "quota":* 'STRING' *}*
____

The first form creates an anonymous quota which lives in the rule it appears in.
The second form specifies a reference to a named quota object.

*val*::
	Quota value.
*val_unit*::
	Unit of *val*, e.g. *"kbytes"* or *"mbytes"*. If omitted, defaults to
	*"bytes"*.
*used*::
	Quota used so far. Optional on input. If given, serves as initial value.
*used_unit*::
	Unit of *used*. Defaults to *"bytes"*.
*inv*::
	If *true*, will match if quota was exceeded. Defaults to *false*.

=== LIMIT
[verse]
____
*{ "limit": {
	"rate":* 'NUMBER'*,
	"rate_unit":* 'STRING'*,
	"per":* 'STRING'*,
	"burst":* 'NUMBER'*,
	"burst_unit":* 'STRING'*,
	"inv":* 'BOOLEAN'
*}}*

*{ "limit":* 'STRING' *}*
____

The first form creates an anonymous limit which lives in the rule it appears in.
The second form specifies a reference to a named limit object.

*rate*::
	Rate value to limit to.
*rate_unit*::
	Unit of *rate*, e.g. *"packets"* or *"mbytes"*. Defaults to *"packets"*.
*per*::
	Denominator of *rate*, e.g. *"week"* or *"minutes"*.
*burst*::
	Burst value. Defaults to *0*.
*burst_unit*::
	Unit of *burst*, ignored if *rate_unit* is *"packets"*. Defaults to
	*"bytes"*.
*inv*::
	If *true*, matches if the limit was exceeded. Defaults to *false*.
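As an added example (not code from this manpage or from nftables), this Python helper tells the named-reference form of a *counter*, *quota* or *limit* statement apart from the anonymous form and expands the anonymous form with the defaults the three sections above state. It assumes that properties for which no default is given (*rate*, *per*, *val*) are required, and that omitted *packets*, *bytes* and *used* start at 0.

```python
from copy import deepcopy

# Defaults as stated in the COUNTER, QUOTA and LIMIT sections of this manpage.
LIMIT_DEFAULTS = {"rate_unit": "packets", "burst": 0,
                  "burst_unit": "bytes", "inv": False}
QUOTA_DEFAULTS = {"val_unit": "bytes", "used": 0,   # used: assumed 0 if omitted
                  "used_unit": "bytes", "inv": False}
COUNTER_DEFAULTS = {"packets": 0, "bytes": 0}       # assumed initial values
# Properties with no documented default are treated as required (assumption).
REQUIRED = {"limit": ("rate", "per"), "quota": ("val",), "counter": ()}


def classify(stmt):
    """Return (kind, "named" | "anonymous") for a counter/quota/limit
    statement.  A string body is a reference to a named object; an object
    body creates an anonymous one living in the rule."""
    (kind, body), = stmt.items()
    if kind not in REQUIRED:
        raise ValueError(f"not a counter/quota/limit statement: {kind!r}")
    if isinstance(body, str):
        return kind, "named"
    if isinstance(body, dict):
        return kind, "anonymous"
    raise ValueError(f"{kind}: body must be an object or a name string")


def normalize(stmt):
    """Expand an anonymous statement to its fully explicit form by filling
    in the documented defaults.  Named references are returned unchanged."""
    kind, form = classify(stmt)
    if form == "named":
        return deepcopy(stmt)
    body = dict(stmt[kind])
    missing = [k for k in REQUIRED[kind] if k not in body]
    if missing:
        raise ValueError(f"{kind}: missing required property {missing}")
    defaults = {"limit": LIMIT_DEFAULTS, "quota": QUOTA_DEFAULTS,
                "counter": COUNTER_DEFAULTS}[kind]
    for key, value in defaults.items():
        body.setdefault(key, value)
    # burst_unit is documented as ignored when the rate is in packets.
    if kind == "limit" and body["rate_unit"] == "packets":
        body.pop("burst_unit")
    return {kind: body}


if __name__ == "__main__":
    # Constructed samples: one anonymous limit and one named quota reference.
    print(normalize({"limit": {"rate": 10, "per": "minute", "burst": 5}}))
    print(normalize({"quota": "monthly_cap"}))
```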

=== FWD
[verse]
____
*{ "fwd": {
	"dev":* 'EXPRESSION'*,
	"family":* 'FWD_FAMILY'*,
	"addr":* 'EXPRESSION'
*}}*

'FWD_FAMILY' := *"ip"* | *"ip6"*
____

Forward a packet to a different destination.

*dev*::
	Interface to forward the packet on.
*family*::
	Family of *addr*.
*addr*::
	IP(v6) address to forward the packet to.

Both *family* and *addr* are optional, but if at least one is given, both must be present.

=== NOTRACK
[verse]
*{ "notrack": null }*

Disable connection tracking for the packet.

=== DUP
[verse]
*{ "dup": {
	"addr":* 'EXPRESSION'*,
	"dev":* 'EXPRESSION'
*}}*

Duplicate a packet to a different destination.

*addr*::
	Address to duplicate packet to.
*dev*::
	Interface to duplicate packet on. May be omitted to not specify an
	interface explicitly.

=== NETWORK ADDRESS TRANSLATION
[verse]
____
*{ "snat": {
	"addr":* 'EXPRESSION'*,
	"family":* 'STRING'*,
	"port":* 'EXPRESSION'*,
	"flags":* 'FLAGS'
*}}*

*{ "dnat": {
	"addr":* 'EXPRESSION'*,
	"family":* 'STRING'*,
	"port":* 'EXPRESSION'*,
	"flags":* 'FLAGS'
*}}*

*{ "masquerade": {
	"port":* 'EXPRESSION'*,
	"flags":* 'FLAGS'
*}}*

*{ "redirect": {
	"port":* 'EXPRESSION'*,
	"flags":* 'FLAGS'
*}}*

'FLAGS' := 'FLAG' | *[* 'FLAG_LIST' *]*
'FLAG_LIST' := 'FLAG' [*,* 'FLAG_LIST' ]
'FLAG' := *"random"* | *"fully-random"* | *"persistent"*
____

Perform Network Address Translation.

*addr*::
	Address to translate to.
*family*::
	Family of *addr*, either *ip* or *ip6*. Required in *inet*
	table family.
*port*::
	Port to translate to.
*flags*::
	Flag(s).

All properties are optional and default to none.

=== REJECT
[verse]
*{ "reject": {
	"type":* 'STRING'*,
	"expr":* 'EXPRESSION'
*}}*

Reject the packet and send the given error reply.

*type*::
	Type of reject, either *"tcp reset"*, *"icmpx"*, *"icmp"* or *"icmpv6"*.
*expr*::
	ICMP type to reject with.

All properties are optional.

=== SET
[verse]
*{ "set": {
	"op":* 'STRING'*,
	"elem":* 'EXPRESSION'*,
	"set":* 'STRING'
*}}*

Dynamically add/update elements to a set.

*op*::
	Operator on set, either *"add"* or *"update"*.
*elem*::
	Set element to add or update.
*set*::
	Set reference.

=== LOG
[verse]
____
*{ "log": {
	"prefix":* 'STRING'*,
	"group":* 'NUMBER'*,
	"snaplen":* 'NUMBER'*,
	"queue-threshold":* 'NUMBER'*,
	"level":* 'LEVEL'*,
	"flags":* 'FLAGS'
*}}*

'LEVEL' := *"emerg"* | *"alert"* | *"crit"* | *"err"* | *"warn"* | *"notice"* |
	*"info"* | *"debug"* | *"audit"*

'FLAGS' := 'FLAG' | *[* 'FLAG_LIST' *]*
'FLAG_LIST' := 'FLAG' [*,* 'FLAG_LIST' ]
'FLAG' := *"tcp sequence"* | *"tcp options"* | *"ip options"* | *"skuid"* |
	*"ether"* | *"all"*
____

Log the packet.

*prefix*::
	Prefix for log entries.
*group*::
	Log group.
*snaplen*::
	Snaplen for logging.
*queue-threshold*::
	Queue threshold.
*level*::
	Log level. Defaults to *"warn"*.
*flags*::
	Log flags.

All properties are optional.

=== CT HELPER
[verse]
*{ "ct helper":* 'EXPRESSION' *}*

Enable the specified conntrack helper for this packet.

*ct helper*::
	CT helper reference.

=== METER
[verse]
*{ "meter": {
	"name":* 'STRING'*,
	"key":* 'EXPRESSION'*,
	"stmt":* 'STATEMENT'
*}}*

Apply a given statement using a meter.

*name*::
	Meter name.
*key*::
	Meter key.
*stmt*::
	Meter statement.

=== QUEUE
[verse]
____
*{ "queue": {
	"num":* 'EXPRESSION'*,
	"flags":* 'FLAGS'
*}}*

'FLAGS' := 'FLAG' | *[* 'FLAG_LIST' *]*
'FLAG_LIST' := 'FLAG' [*,* 'FLAG_LIST' ]
'FLAG' := *"bypass"* | *"fanout"*
____

Queue the packet to userspace.

*num*::
	Queue number.
*flags*::
	Queue flags.
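As an added example (not code from this manpage or from nftables), this Python checker applies the rules stated in the FWD, NETWORK ADDRESS TRANSLATION, LOG and QUEUE sections above: *family* and *addr* of *fwd* only together, *family* of *snat*/*dnat* required in an *inet* table, *level* from the LEVEL list, and the 'FLAGS' grammar (a single flag or an array) normalised to a list and checked against each statement's flag vocabulary. Treating *dev* of *fwd* as mandatory is an assumption; the sample statements are constructed.

```python
# Flag vocabularies as given in the NAT, LOG and QUEUE sections.
NAT_FLAGS = {"random", "fully-random", "persistent"}
LOG_FLAGS = {"tcp sequence", "tcp options", "ip options", "skuid",
             "ether", "all"}
QUEUE_FLAGS = {"bypass", "fanout"}
FLAG_SETS = {"snat": NAT_FLAGS, "dnat": NAT_FLAGS, "masquerade": NAT_FLAGS,
             "redirect": NAT_FLAGS, "log": LOG_FLAGS, "queue": QUEUE_FLAGS}
LOG_LEVELS = {"emerg", "alert", "crit", "err", "warn", "notice", "info",
              "debug", "audit"}


def flag_list(value, allowed):
    """FLAGS := FLAG | [ FLAG_LIST ]: accept a single string or an array,
    return a list, and reject anything outside the documented vocabulary."""
    flags = [value] if isinstance(value, str) else list(value)
    unknown = [f for f in flags if f not in allowed]
    if unknown:
        raise ValueError(f"unknown flag(s): {unknown}")
    return flags


def check_stmt(stmt, table_family):
    """Check one fwd/nat/log/queue statement against the rules stated in
    this manpage and return a copy with "flags" normalised to a list.
    table_family is the family of the table the rule is added to."""
    (kind, body), = stmt.items()
    if kind not in ("fwd", *FLAG_SETS):
        raise ValueError(f"unsupported statement: {kind!r}")
    body = dict(body)
    if kind == "fwd":
        # family and addr are optional, but only together.
        if ("family" in body) != ("addr" in body):
            raise ValueError("fwd: family and addr must be given together")
        if "family" in body and body["family"] not in ("ip", "ip6"):
            raise ValueError('fwd: family must be "ip" or "ip6"')
        if "dev" not in body:  # assumed mandatory; the page gives no default
            raise ValueError("fwd: dev is required")
    elif kind in ("snat", "dnat"):
        # family describes addr and is required in an inet table.
        if table_family == "inet" and "addr" in body and "family" not in body:
            raise ValueError(f"{kind}: family is required in an inet table")
        if "family" in body and body["family"] not in ("ip", "ip6"):
            raise ValueError(f'{kind}: family must be "ip" or "ip6"')
    elif kind == "log" and body.get("level", "warn") not in LOG_LEVELS:
        raise ValueError(f"log: unknown level {body['level']!r}")
    if "flags" in body:
        body["flags"] = flag_list(body["flags"], FLAG_SETS[kind])
    return {kind: body}


if __name__ == "__main__":
    # Constructed samples.
    print(check_stmt({"snat": {"addr": "192.0.2.1", "flags": "random"}}, "ip"))
    print(check_stmt({"log": {"prefix": "drop: ", "flags": ["skuid"]}}, "inet"))
```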

=== VERDICT MAP
[verse]
*{ "vmap": {
	"key":* 'EXPRESSION'*,
	"data":* 'EXPRESSION'
*}}*

Apply a verdict conditionally.

*key*::
	Map key.
*data*::
	Mapping expression consisting of value/verdict pairs.

=== CT COUNT
[verse]
*{ "ct count": {
	"val":* 'NUMBER'*,
	"inv":* 'BOOLEAN'
*}}*

Limit the number of connections using conntrack.

*val*::
	Connection count threshold.
*inv*::
	If *true*, match if *val* was exceeded. If omitted, defaults to
	*false*.

=== CT TIMEOUT
[verse]
*{ "ct timeout":* 'EXPRESSION' *}*

Assign connection tracking timeout policy.

*ct timeout*::
	CT timeout reference.

=== CT EXPECTATION
[verse]
*{ "ct expectation":* 'EXPRESSION' *}*

Assign connection tracking expectation.

*ct expectation*::
	CT expectation reference.

=== XT
[verse]
*{ "xt": null }*

This represents an xt statement from the xtables compat interface. Sadly, at this
point, it is not possible to provide any further information about its content.

== EXPRESSIONS
Expressions are the building blocks of (most) statements. In their most basic
form, they are just immediate values represented as a JSON string, integer or
boolean type.

=== IMMEDIATES
[verse]
'STRING'
'NUMBER'
'BOOLEAN'

Immediate expressions are typically used for constant values. For strings, there
are two special cases:

*@STRING*::
	The remaining part is taken as set name to create a set reference.
*\**::
	Construct a wildcard expression.

=== LISTS
[verse]
'ARRAY'

List expressions are constructed by plain arrays containing an arbitrary
number of expressions.

=== CONCAT
[verse]
____
*{ "concat":* 'CONCAT' *}*

'CONCAT' := *[* 'EXPRESSION_LIST' *]*
'EXPRESSION_LIST' := 'EXPRESSION' [*,* 'EXPRESSION_LIST' ]
____

Concatenate several expressions.

=== SET
[verse]
____
*{ "set":* 'SET' *}*

'SET' := 'EXPRESSION' | *[* 'EXPRESSION_LIST' *]*
____

This object constructs an anonymous set. For mappings, an array of arrays with
exactly two elements is expected.

=== MAP
[verse]
*{ "map": {
	"key":* 'EXPRESSION'*,
	"data":* 'EXPRESSION'
*}}*

Map a key to a value.

*key*::
	Map key.
*data*::
	Mapping expression consisting of value/target pairs.

=== PREFIX
[verse]
*{ "prefix": {
	"addr":* 'EXPRESSION'*,
	"len":* 'NUMBER'
*}}*

Construct an IPv4 or IPv6 prefix consisting of address part in *addr* and prefix
length in *len*.

=== RANGE
[verse]
*{ "range": [* 'EXPRESSION' *,* 'EXPRESSION' *] }*

Construct a range of values. The first array item denotes the lower boundary,
the second one the upper boundary.

=== PAYLOAD
[verse]
____
*{ "payload": {
	"base":* 'BASE'*,
	"offset":* 'NUMBER'*,
	"len":* 'NUMBER'
*}}*

*{ "payload": {
	"protocol":* 'STRING'*,
	"field":* 'STRING'
*}}*

'BASE' := *"ll"* | *"nh"* | *"th"*
____

Construct a payload expression, i.e. a reference to a certain part of packet
data. The first form creates a raw payload expression to point at an arbitrary
number (*len*) of bytes at a certain offset (*offset*) from a given reference
point (*base*). The following *base* values are accepted:

*"ll"*::
	The offset is relative to Link Layer header start offset.
*"nh"*::
	The offset is relative to Network Layer header start offset.
*"th"*::
	The offset is relative to Transport Layer header start offset.

The second form allows referencing a field by name (*field*) in a named packet
header (*protocol*).

=== EXTHDR
[verse]
*{ "exthdr": {
	"name":* 'STRING'*,
	"field":* 'STRING'*,
	"offset":* 'NUMBER'
*}}*

Create a reference to a field (*field*) in an IPv6 extension header (*name*).
*offset* is used only for the *rt0* protocol.

If the *field* property is not given, the expression is to be used as a header
existence check in a *match* statement with a boolean on the right hand side.

=== TCP OPTION
[verse]
*{ "tcp option": {
	"name":* 'STRING'*,
	"field":* 'STRING'
*}}*

Create a reference to a field (*field*) of a TCP option header (*name*).

If the *field* property is not given, the expression is to be used as a TCP option
existence check in a *match* statement with a boolean on the right hand side.
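As an added example (not code from this manpage or from nftables), the Python below covers the IMMEDIATES, PAYLOAD, EXTHDR and TCP OPTION sections: it classifies the two special string immediates, builds both payload forms, builds header references with the *field*-less existence check against a boolean RHS, restricts *offset* to *rt0*, and renders each form in the standard syntax so the two frontends can be compared. The rendering covers only these forms; the sample values are constructed.

```python
PAYLOAD_BASES = ("ll", "nh", "th")


def immediate_kind(value):
    """Classify an immediate: "@name" references a named set, "*" is the
    wildcard, any other string, number or boolean is a plain constant."""
    if isinstance(value, str):
        if value == "*":
            return "wildcard"
        if value.startswith("@") and len(value) > 1:
            return "set_ref"
    return "const"


def raw_payload(base, offset, length):
    """First payload form: `length` units at `offset` from reference `base`,
    the JSON counterpart of the standard @base,offset,len syntax."""
    if base not in PAYLOAD_BASES:
        raise ValueError(f"base must be one of {PAYLOAD_BASES}")
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and len > 0")
    return {"payload": {"base": base, "offset": offset, "len": length}}


def named_payload(protocol, field):
    """Second payload form: a named field of a named protocol header."""
    return {"payload": {"protocol": protocol, "field": field}}


def header_ref(kind, name, field=None, offset=None):
    """exthdr / tcp option reference.  Without "field" it is an existence
    check; "offset" is only meaningful for the rt0 extension header."""
    if kind not in ("exthdr", "tcp option"):
        raise ValueError("kind must be 'exthdr' or 'tcp option'")
    body = {"name": name}
    if field is not None:
        body["field"] = field
    if offset is not None:
        if kind != "exthdr" or name != "rt0":
            raise ValueError("offset is only valid for exthdr rt0")
        body["offset"] = offset
    return {kind: body}


def existence_check(kind, name, present=True):
    """Header presence test as this manpage describes it: a field-less
    exthdr / tcp option expression matched against a boolean RHS."""
    return {"match": {"left": header_ref(kind, name),
                      "right": bool(present), "op": "=="}}


def to_nft(expr):
    """Render the expression forms above in standard nft syntax, which is
    what the JSON frontend is an alternative to (only these forms)."""
    if not isinstance(expr, dict):
        return str(expr)
    (kind, body), = expr.items()
    if kind == "payload" and "base" in body:
        return f"@{body['base']},{body['offset']},{body['len']}"
    if kind == "payload":
        return f"{body['protocol']} {body['field']}"
    if kind in ("exthdr", "tcp option"):
        return f"{kind} {body['name']} {body.get('field', 'exists')}"
    raise ValueError(f"no rendering for {kind!r} expression")


if __name__ == "__main__":
    # Constructed samples: raw vs. named payload, and an existence check.
    print(to_nft(raw_payload("th", 16, 16)), "|", to_nft(named_payload("tcp", "dport")))
    print(existence_check("exthdr", "frag"))
```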

=== META
[verse]
____
*{ "meta": {
	"key":* 'META_KEY'
*}}*

'META_KEY' := *"length"* | *"protocol"* | *"priority"* | *"random"* | *"mark"* |
	*"iif"* | *"iifname"* | *"iiftype"* | *"oif"* | *"oifname"* |
	*"oiftype"* | *"skuid"* | *"skgid"* | *"nftrace"* |
	*"rtclassid"* | *"ibriport"* | *"obriport"* | *"ibridgename"* |
	*"obridgename"* | *"pkttype"* | *"cpu"* | *"iifgroup"* |
	*"oifgroup"* | *"cgroup"* | *"nfproto"* | *"l4proto"* |
	*"secpath"*
____

Create a reference to packet meta data.

=== RT
[verse]
____
*{ "rt": {
	"key":* 'RT_KEY'*,
	"family":* 'RT_FAMILY'
*}}*

'RT_KEY' := *"classid"* | *"nexthop"* | *"mtu"*
'RT_FAMILY' := *"ip"* | *"ip6"*
____

Create a reference to packet routing data.

The *family* property is optional and defaults to unspecified.

=== CT
[verse]
____
*{ "ct": {
	"key":* 'STRING'*,
	"family":* 'CT_FAMILY'*,
	"dir":* 'CT_DIRECTION'
*}}*

'CT_FAMILY' := *"ip"* | *"ip6"*
'CT_DIRECTION' := *"original"* | *"reply"*
____

Create a reference to packet conntrack data.

Some CT keys do not support a direction. In this case, *dir* must not be
given.

=== NUMGEN
[verse]
____
*{ "numgen": {
	"mode":* 'NG_MODE'*,
	"mod":* 'NUMBER'*,
	"offset":* 'NUMBER'
*}}*

'NG_MODE' := *"inc"* | *"random"*
____

Create a number generator.

The *offset* property is optional and defaults to 0.

=== HASH
[verse]
____
*{ "jhash": {
	"mod":* 'NUMBER'*,
	"offset":* 'NUMBER'*,
	"expr":* 'EXPRESSION'*,
	"seed":* 'NUMBER'
*}}*

*{ "symhash": {
	"mod":* 'NUMBER'*,
	"offset":* 'NUMBER'
*}}*
____

Hash packet data.

The *offset* and *seed* properties are optional and default to 0.

=== FIB
[verse]
____
*{ "fib": {
	"result":* 'FIB_RESULT'*,
	"flags":* 'FIB_FLAGS'
*}}*

'FIB_RESULT' := *"oif"* | *"oifname"* | *"type"*

'FIB_FLAGS' := 'FIB_FLAG' | *[* 'FIB_FLAG_LIST' *]*
'FIB_FLAG_LIST' := 'FIB_FLAG' [*,* 'FIB_FLAG_LIST' ]
'FIB_FLAG' := *"saddr"* | *"daddr"* | *"mark"* | *"iif"* | *"oif"*
____

Perform kernel Forwarding Information Base lookups.

=== BINARY OPERATION
[verse]
*{ "|": [* 'EXPRESSION'*,* 'EXPRESSION' *] }*
*{ "^": [* 'EXPRESSION'*,* 'EXPRESSION' *] }*
*{ "&": [* 'EXPRESSION'*,* 'EXPRESSION' *] }*
*{ "+<<+": [* 'EXPRESSION'*,* 'EXPRESSION' *] }*
*{ ">>": [* 'EXPRESSION'*,* 'EXPRESSION' *] }*

All binary operations expect an array of exactly two expressions, of which the
first element denotes the left hand side and the second one the right hand
side.

=== VERDICT
[verse]
*{ "accept": null }*
*{ "drop": null }*
*{ "continue": null }*
*{ "return": null }*
*{ "jump": { "target":* 'STRING' *}}*
*{ "goto": { "target":* 'STRING' *}}*

Same as the *verdict* statement, but for use in verdict maps.

*jump* and *goto* verdicts expect a target chain name.

=== ELEM
[verse]
*{ "elem": {
	"val":* 'EXPRESSION'*,
	"timeout":* 'NUMBER'*,
	"expires":* 'NUMBER'*,
	"comment":* 'STRING'
*}}*

Explicit set element object, in case *timeout*, *expires* or *comment* are
desired. Otherwise, it may be replaced by the value of *val*.
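As an added example (not code from this manpage or from nftables), this Python ties together the SET expression, VERDICT MAP, VERDICT and ELEM sections: elements are emitted as bare values and wrapped in an *elem* object only when *timeout*, *expires* or *comment* is wanted, mappings are checked to be arrays of exactly two elements, and a *vmap* statement only accepts verdicts as map values (with *jump*/*goto* requiring a target chain). The port policy and block set at the end are constructed samples.

```python
VERDICTS = ("accept", "drop", "continue", "return", "jump", "goto")


def verdict(name, target=None):
    """Verdict expression for a verdict map; jump/goto need a chain name."""
    if name not in VERDICTS:
        raise ValueError(f"unknown verdict: {name!r}")
    if name in ("jump", "goto"):
        if not target:
            raise ValueError(f"{name} requires a target chain name")
        return {name: {"target": target}}
    if target is not None:
        raise ValueError(f"{name} takes no target")
    return {name: None}


def elem(val, timeout=None, expires=None, comment=None):
    """A set element is just its value unless timeout, expires or comment
    is wanted; only then is the explicit {"elem": ...} object needed."""
    extra = {k: v for k, v in (("timeout", timeout), ("expires", expires),
                               ("comment", comment)) if v is not None}
    if not extra:
        return val
    return {"elem": {"val": val, **extra}}


def anon_set(elements):
    """Anonymous set expression from a list of elements."""
    return {"set": list(elements)}


def anon_map(pairs):
    """Anonymous mapping: each entry must be an array of exactly two
    elements, [key, value]."""
    data = []
    for pair in pairs:
        if not isinstance(pair, (list, tuple)) or len(pair) != 2:
            raise ValueError(f"mapping entry needs exactly two items: {pair!r}")
        data.append(list(pair))
    return {"set": data}


def vmap_stmt(key, pairs):
    """Verdict map statement: look `key` up in an anonymous map whose
    values are all verdicts."""
    for _, value in pairs:
        if not (isinstance(value, dict) and len(value) == 1
                and next(iter(value)) in VERDICTS):
            raise ValueError(f"vmap value is not a verdict: {value!r}")
    return {"vmap": {"key": key, "data": anon_map(pairs)}}


# Constructed sample: dispatch on the TCP destination port.
PORT_POLICY = vmap_stmt(
    {"payload": {"protocol": "tcp", "field": "dport"}},
    [(22, verdict("jump", "ssh_in")),
     (80, verdict("accept")),
     ({"range": [1024, 65535]}, verdict("drop"))])

# Constructed sample: anonymous set mixing a plain element with one that
# carries a timeout and comment and therefore needs the elem object.
BLOCK_SET = anon_set([
    elem("192.0.2.1"),
    elem({"prefix": {"addr": "198.51.100.0", "len": 24}},
         timeout=600, comment="temporary block"),
])

if __name__ == "__main__":
    print(PORT_POLICY)
    print(BLOCK_SET)
```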

=== SOCKET
[verse]
____
*{ "socket": {
	"key":* 'SOCKET_KEY'
*}}*

'SOCKET_KEY' := *"transparent"*
____

Construct a reference to the packet's socket.

=== OSF
[verse]
____
*{ "osf": {
	"key":* 'OSF_KEY'*,
	"ttl":* 'OSF_TTL'
*}}*

'OSF_KEY' := *"name"*
'OSF_TTL' := *"loose"* | *"skip"*
____

Perform OS fingerprinting. This expression is typically used in the LHS of a *match*
statement.

*key*::
	Which part of the fingerprint info to match against. At this point, only
	the OS name is supported.
*ttl*::
	Define how the packet's TTL value is to be matched. This property is
	optional. If omitted, the TTL value has to match exactly. A value of *loose*
	accepts TTL values less than the fingerprint one. A value of *skip*
	omits TTL value comparison entirely.