ETHERNET HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~~~~
[verse]
*ether* {*daddr* | *saddr* | *type*}
.Ethernet header expression types
[options="header"]
|==================
|Keyword| Description| Type
|daddr|
Destination MAC address|
ether_addr
|saddr|
Source MAC address|
ether_addr
|type|
EtherType|
ether_type
|==================
VLAN HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
*vlan* {*id* | *cfi* | *pcp* | *type*}
.VLAN header expression
[options="header"]
|==================
|Keyword| Description| Type
|id|
VLAN ID (VID) |
integer (12 bit)
|cfi|
Canonical Format Indicator|
integer (1 bit)
|pcp|
Priority code point|
integer (3 bit)
|type|
EtherType|
ether_type
|==================
ARP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~
[verse]
*arp* {*htype* | *ptype* | *hlen* | *plen* | *operation* | *saddr* { *ip* | *ether* } | *daddr* { *ip* | *ether* }
.ARP header expression
[options="header"]
|==================
|Keyword| Description| Type
|htype|
ARP hardware type|
integer (16 bit)
|ptype|
EtherType|
ether_type
|hlen|
Hardware address len|
integer (8 bit)
|plen|
Protocol address len |
integer (8 bit)
|operation|
Operation |
arp_op
|saddr ether|
Ethernet sender address|
ether_addr
|daddr ether|
Ethernet target address|
ether_addr
|saddr ip|
IPv4 sender address|
ipv4_addr
|daddr ip|
IPv4 target address|
ipv4_addr
|======================
IPV4 HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
*ip* {*version* | *hdrlength* | *dscp* | *ecn* | *length* | *id* | *frag-off* | *ttl* | *protocol* | *checksum* | *saddr* | *daddr* }
.IPv4 header expression
[options="header"]
|==================
|Keyword| Description| Type
|version|
IP header version (4)|
integer (4 bit)
|hdrlength|
IP header length including options|
integer (4 bit) FIXME scaling
|dscp|
Differentiated Services Code Point|
dscp
|ecn|
Explicit Congestion Notification|
ecn
|length|
Total packet length |
integer (16 bit)
|id|
IP ID|
integer (16 bit)
|frag-off|
Fragment offset |
integer (16 bit)
|ttl|
Time to live|
integer (8 bit)
|protocol|
Upper layer protocol |
inet_proto
|checksum|
IP header checksum|
integer (16 bit)
|saddr|
Source address|
ipv4_addr
|daddr|
Destination address |
ipv4_addr
|======================
ICMP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
*icmp* {*type* | *code* | *checksum* | *id* | *sequence* | *gateway* | *mtu*}
This expression refers to ICMP header fields. When using it in *inet*,
*bridge* or *netdev* families, it will cause an implicit dependency on IPv4 to
be created. To match on unusual cases like ICMP over IPv6, one has to add an
explicit *meta protocol ip6* match to the rule.
.ICMP header expression
[options="header"]
|==================
|Keyword|Description| Type
|type|
ICMP type field |
icmp_type
|code|
ICMP code field |
integer (8 bit)
|checksum|
ICMP checksum field |
integer (16 bit)
|id|
ID of echo request/response |
integer (16 bit)
|sequence|
sequence number of echo request/response|
integer (16 bit)
|gateway|
gateway of redirects|
integer (32 bit)
|mtu|
MTU of path MTU discovery|
integer (16 bit)
|============================
IGMP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
*igmp* {*type* | *mrt* | *checksum* | *group*}
This expression refers to IGMP header fields. When using it in *inet*,
*bridge* or *netdev* families, it will cause an implicit dependency on IPv4 to
be created. To match on unusual cases like IGMP over IPv6, one has to add an
explicit *meta protocol ip6* match to the rule.
.IGMP header expression
[options="header"]
|==================
|Keyword|Description| Type
|type|
IGMP type field |
igmp_type
|mrt|
IGMP maximum response time field |
integer (8 bit)
|checksum|
IGMP checksum field |
integer (16 bit)
|group|
Group address|
integer (32 bit)
|============================
IPV6 HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
*ip6* {*version* | *dscp* | *ecn* | *flowlabel* | *length* | *nexthdr* | *hoplimit* | *saddr* | *daddr*}
This expression refers to the ipv6 header fields. Caution when using *ip6
nexthdr*, the value only refers to the next header, i.e. *ip6 nexthdr tcp* will
only match if the ipv6 packet does not contain any extension headers. Packets
that are fragmented or e.g. contain a routing extension header will not be
matched. Please use *meta l4proto* if you wish to match the real transport header
and ignore any additional extension headers instead.
.IPv6 header expression
[options="header"]
|==================
|Keyword|Description| Type
|version|
IP header version (6)|
integer (4 bit)
|dscp|
Differentiated Services Code Point|
dscp
|ecn|
Explicit Congestion Notification|
ecn
|flowlabel|
Flow label|
integer (20 bit)
|length|
Payload length|
integer (16 bit)
|nexthdr|
Next header protocol|
inet_proto
|hoplimit|
Hop limit|
integer (8 bit)
|saddr|
Source address|
ipv6_addr
|daddr|
Destination address |
ipv6_addr
|=======================
.Using ip6 header expressions
-----------------------------
# matching if first extension header indicates a fragment
ip6 nexthdr ipv6-frag
-----------------------------
ICMPV6 HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~~
[verse]
*icmpv6* {*type* | *code* | *checksum* | *parameter-problem* | *packet-too-big* | *id* | *sequence* | *max-delay*}
This expression refers to ICMPv6 header fields. When using it in *inet*,
*bridge* or *netdev* families, it will cause an implicit dependency on IPv6 to
be created. To match on unusual cases like ICMPv6 over IPv4, one has to add an
explicit *meta protocol ip* match to the rule.
.ICMPv6 header expression
[options="header"]
|==================
|Keyword| Description| Type
|type|
ICMPv6 type field|
icmpv6_type
|code|
ICMPv6 code field|
integer (8 bit)
|checksum|
ICMPv6 checksum field|
integer (16 bit)
|parameter-problem|
pointer to problem|
integer (32 bit)
|packet-too-big|
oversized MTU|
integer (32 bit)
|id|
ID of echo request/response |
integer (16 bit)
|sequence|
sequence number of echo request/response|
integer (16 bit)
|max-delay|
maximum response delay of MLD queries|
integer (16 bit)
|==============================
TCP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~
[verse]
*tcp* {*sport* | *dport* | *sequence* | *ackseq* | *doff* | *reserved* | *flags* | *window* | *checksum* | *urgptr*}
.TCP header expression
[options="header"]
|==================
|Keyword| Description| Type
|sport|
Source port|
inet_service
|dport|
Destination port|
inet_service
|sequence|
Sequence number|
integer (32 bit)
|ackseq|
Acknowledgement number |
integer (32 bit)
|doff|
Data offset |
integer (4 bit) FIXME scaling
|reserved|
Reserved area |
integer (4 bit)
|flags|
TCP flags|
tcp_flag
|window|
Window|
integer (16 bit)
|checksum|
Checksum|
integer (16 bit)
|urgptr|
Urgent pointer|
integer (16 bit)
|======================
UDP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~
[verse]
*udp* {*sport* | *dport* | *length* | *checksum*}
.UDP header expression
[options="header"]
|==================
|Keyword| Description| Type
|sport|
Source port|
inet_service
|dport|
Destination port|
inet_service
|length|
Total packet length|
integer (16 bit)
|checksum|
Checksum|
integer (16 bit)
|================
UDP-LITE HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~~~~~
[verse]
*udplite* {*sport* | *dport* | *checksum*}
.UDP-Lite header expression
[options="header"]
|==================
|Keyword| Description| Type
|sport|
Source port|
inet_service
|dport|
Destination port|
inet_service
|checksum|
Checksum|
integer (16 bit)
|================
SCTP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~
[verse]
*sctp* {*sport* | *dport* | *vtag* | *checksum*}
.SCTP header expression
[options="header"]
|==================
|Keyword| Description| Type
|sport|
Source port|
inet_service
|dport|
Destination port|
inet_service
|vtag|
Verification Tag|
integer (32 bit)
|checksum|
Checksum|
integer (32 bit)
|================
DCCP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
*dccp* {*sport* | *dport*}
.DCCP header expression
[options="header"]
|==================
|Keyword| Description| Type
|sport|
Source port|
inet_service
|dport|
Destination port|
inet_service
|========================
AUTHENTICATION HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[verse]
*ah* {*nexthdr* | *hdrlength* | *reserved* | *spi* | *sequence*}
.AH header expression
[options="header"]
|==================
|Keyword| Description| Type
|nexthdr|
Next header protocol|
inet_proto
|hdrlength|
AH Header length|
integer (8 bit)
|reserved|
Reserved area|
integer (16 bit)
|spi|
Security Parameter Index |
integer (32 bit)
|sequence|
Sequence number|
integer (32 bit)
|========================
ENCRYPTED SECURITY PAYLOAD HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[verse]
*esp* {*spi* | *sequence*}
.ESP header expression
[options="header"]
|==================
|Keyword| Description| Type
|spi|
Security Parameter Index |
integer (32 bit)
|sequence|
Sequence number|
integer (32 bit)
|===========================
IPCOMP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~~~
*comp* {*nexthdr* | *flags* | *cpi*}
.IPComp header expression
[options="header"]
|==================
|Keyword| Description| Type
|nexthdr|
Next header protocol|
inet_proto
|flags|
Flags|
bitmask
|cpi|
Compression Parameter Index |
integer (16 bit)
|============================
RAW PAYLOAD EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
*@*'base'*,*'offset'*,*'length'
The raw payload expression loads 'length' bits starting at bit 'offset' of the selected 'base' header.
Bit 0 refers to the very first bit -- in the C programming language, this
corresponds to the topmost bit, i.e. 0x80 in case of an octet. They are useful
to match headers that do not have a human-readable template expression yet. Note
that nft will not add dependencies for Raw payload expressions. If you e.g. want
to match protocol fields of a transport header with protocol number 5, you need
to manually exclude packets that have a different transport header, for instance
by using *meta l4proto 5* before the raw expression.
.Supported payload protocol bases
[options="header"]
|==================
|Base| Description
|ll|
Link layer, for example the Ethernet header
|nh|
Network header, for example IPv4 or IPv6
|th|
Transport Header, for example TCP
|==============================
.Matching destination port of both UDP and TCP
----------------------------------------------
inet filter input meta l4proto {tcp, udp} @th,16,16 { 53, 80 }
-----------------------------------------------------------------
The above can also be written as
-----------------------------------------------------------------
inet filter input meta l4proto {tcp, udp} th dport { 53, 80 }
-----------------------------------------------------------------
It is more convenient, but like the raw expression notation no
dependencies are created or checked. It is the user's responsibility
to restrict matching to those header types that have a notion of ports.
Otherwise, rules using raw expressions will erroneously match unrelated
packets, e.g. misinterpreting an ESP packet's SPI field as a port.
.Rewrite arp packet target hardware address if target protocol address matches a given address
----------------------------------------------------------------------------------------------
input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept
-----------------------------------------------------------------------------------------------
EXTENSION HEADER EXPRESSIONS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Extension header expressions refer to data from variable-sized protocol headers, such as IPv6 extension headers, TCP options and IPv4 options.
nftables currently supports matching (finding) a given ipv6 extension header, TCP option or IPv4 option.
[verse]
*hbh* {*nexthdr* | *hdrlength*}
*frag* {*nexthdr* | *frag-off* | *more-fragments* | *id*}
*rt* {*nexthdr* | *hdrlength* | *type* | *seg-left*}
*dst* {*nexthdr* | *hdrlength*}
*mh* {*nexthdr* | *hdrlength* | *checksum* | *type*}
*srh* {*flags* | *tag* | *sid* | *seg-left*}
*tcp option* {*eol* | *noop* | *maxseg* | *window* | *sack-permitted* | *sack* | *sack0* | *sack1* | *sack2* | *sack3* | *timestamp*} 'tcp_option_field'
*ip option* { lsrr | ra | rr | ssrr } 'ip_option_field'
The following syntaxes are valid only in a relational expression with a boolean type on the right-hand side, for checking header existence only:
[verse]
*exthdr* {*hbh* | *frag* | *rt* | *dst* | *mh*}
*tcp option* {*eol* | *noop* | *maxseg* | *window* | *sack-permitted* | *sack* | *sack0* | *sack1* | *sack2* | *sack3* | *timestamp*}
*ip option* { lsrr | ra | rr | ssrr }
.IPv6 extension headers
[options="header"]
|==================
|Keyword| Description
|hbh|
Hop by Hop
|rt|
Routing Header
|frag|
Fragmentation header
|dst|
dst options
|mh|
Mobility Header
|srh|
Segment Routing Header
|=====================
.TCP Options
[options="header"]
|==================
|Keyword| Description | TCP option fields
|eol|
End of option list|
kind
|noop|
1-byte TCP No-op option |
kind
|maxseg|
TCP Maximum Segment Size|
kind, length, size
|window|
TCP Window Scaling |
kind, length, count
|sack-permitted|
TCP SACK permitted |
kind, length
|sack|
TCP Selective Acknowledgement (alias of block 0) |
kind, length, left, right
|sack0|
TCP Selective Acknowledgement (block 0) |
kind, length, left, right
|sack1|
TCP Selective Acknowledgement (block 1) |
kind, length, left, right
|sack2|
TCP Selective Acknowledgement (block 2) |
kind, length, left, right
|sack3|
TCP Selective Acknowledgement (block 3) |
kind, length, left, right
|timestamp|
TCP Timestamps |
kind, length, tsval, tsecr
|============================
.IP Options
[options="header"]
|==================
|Keyword| Description | IP option fields
|lsrr|
Loose Source Route |
type, length, ptr, addr
|ra|
Router Alert |
type, length, value
|rr|
Record Route |
type, length, ptr, addr
|ssrr|
Strict Source Route |
type, length, ptr, addr
|============================
.finding TCP options
--------------------
filter input tcp option sack-permitted kind 1 counter
--------------------
.matching IPv6 exthdr
---------------------
ip6 filter input frag more-fragments 1 counter
---------------------------------------
.finding IP option
------------------
filter input ip option lsrr exists counter
---------------------------------------
CONNTRACK EXPRESSIONS
~~~~~~~~~~~~~~~~~~~~~
Conntrack expressions refer to metadata of the connection tracking entry associated with a packet. +
There are three types of conntrack expressions. Some conntrack expressions
require the flow direction before the conntrack key, others must be used
directly because they are direction agnostic. The *packets*, *bytes* and
*avgpkt* keywords can be used with or without a direction. If the direction is
omitted, the sum of the original and the reply direction is returned. The same
is true for the *zone*: if a direction is given, the zone is only matched if the
zone id is tied to the given direction. +
[verse]
*ct* {*state* | *direction* | *status* | *mark* | *expiration* | *helper* | *label*}
*ct* [*original* | *reply*] {*l3proto* | *protocol* | *bytes* | *packets* | *avgpkt* | *zone*}
*ct* {*original* | *reply*} {*proto-src* | *proto-dst*}
*ct* {*original* | *reply*} {*ip* | *ip6*} {*saddr* | *daddr*}
.Conntrack expressions
[options="header"]
|==================
|Keyword| Description | Type
|state|
State of the connection |
ct_state
|direction|
Direction of the packet relative to the connection |
ct_dir
|status|
Status of the connection |
ct_status
|mark|
Connection mark |
mark
|expiration|
Connection expiration time |
time
|helper|
Helper associated with the connection|
string
|label|
Connection tracking label bit or symbolic name defined in connlabel.conf in the nftables include path|
ct_label
|l3proto|
Layer 3 protocol of the connection|
nf_proto
|saddr|
Source address of the connection for the given direction |
ipv4_addr/ipv6_addr
|daddr|
Destination address of the connection for the given direction |
ipv4_addr/ipv6_addr
|protocol|
Layer 4 protocol of the connection for the given direction |
inet_proto
|proto-src|
Layer 4 protocol source for the given direction|
integer (16 bit)
|proto-dst|
Layer 4 protocol destination for the given direction |
integer (16 bit)
|packets|
packet count seen in the given direction or sum of original and reply |
integer (64 bit)
|bytes|
byte count seen, see description for *packets* keyword |
integer (64 bit)
|avgpkt|
average bytes per packet, see description for *packets* keyword |
integer (64 bit)
|zone|
conntrack zone |
integer (16 bit)
|count|
Number of connections |
integer (32 bit)
|==========================================
A description of the conntrack-specific types listed above can be found in the sub-section CONNTRACK TYPES above.
.restrict the number of parallel connections to a server
--------------------
filter input tcp dport 22 meter test { ip saddr ct count over 2 } reject
--------------------