doc/payload-expression.txt

ETHERNET HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~~~~
[verse]
*ether* {*daddr* | *saddr* | *type*}

.Ethernet header expression types
[options="header"]
|==================
|Keyword| Description| Type
|daddr|
Destination MAC address|
ether_addr
|saddr|
Source MAC address|
ether_addr
|type|
EtherType|
ether_type
|==================

VLAN HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
*vlan* {*id* | *cfi* | *pcp* | *type*}

.VLAN header expression
[options="header"]
|==================
|Keyword| Description| Type
|id|
VLAN ID (VID) |
integer (12 bit)
|cfi|
Canonical Format Indicator|
integer (1 bit)
|pcp|
Priority code point|
integer (3 bit)
|type|
EtherType|
ether_type
|==================

ARP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~
[verse]
*arp* {*htype* | *ptype* | *hlen* | *plen* | *operation* | *saddr* { *ip* | *ether* } | *daddr* { *ip* | *ether* }}

.ARP header expression
[options="header"]
|==================
|Keyword| Description| Type
|htype|
ARP hardware type|
integer (16 bit)
|ptype|
EtherType|
ether_type
|hlen|
Hardware address length|
integer (8 bit)
|plen|
Protocol address length |
integer (8 bit)
|operation|
Operation |
arp_op
|saddr ether|
Ethernet sender address|
ether_addr
|daddr ether|
Ethernet target address|
ether_addr
|saddr ip|
IPv4 sender address|
ipv4_addr
|daddr ip|
IPv4 target address|
ipv4_addr
|======================

IPV4 HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
*ip* {*version* | *hdrlength* | *dscp* | *ecn* | *length* | *id* | *frag-off* | *ttl* | *protocol* | *checksum* | *saddr* | *daddr* }

.IPv4 header expression
[options="header"]
|==================
|Keyword| Description| Type
|version|
IP header version (4)|
integer (4 bit)
|hdrlength|
IP header length including options|
integer (4 bit) FIXME scaling
|dscp|
Differentiated Services Code Point|
dscp
|ecn|
Explicit Congestion Notification|
ecn
|length|
Total packet length |
integer (16 bit)
|id|
IP ID|
integer (16 bit)
|frag-off|
Fragment offset |
integer (16 bit)
|ttl|
Time to live|
integer (8 bit)
|protocol|
Upper layer protocol |
inet_proto
|checksum|
IP header checksum|
integer (16 bit)
|saddr|
Source address|
ipv4_addr
|daddr|
Destination address |
ipv4_addr
|======================

ICMP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
*icmp* {*type* | *code* | *checksum* | *id* | *sequence* | *gateway* | *mtu*}

This expression refers to ICMP header fields. When using it in *inet*,
*bridge* or *netdev* families, it will cause an implicit dependency on IPv4 to
be created. To match on unusual cases like ICMP over IPv6, one has to add an
explicit *meta protocol ip6* match to the rule.

.ICMP header expression
[options="header"]
|==================
|Keyword|Description| Type
|type|
ICMP type field |
icmp_type
|code|
ICMP code field |
integer (8 bit)
|checksum|
ICMP checksum field |
integer (16 bit)
|id|
ID of echo request/response |
integer (16 bit)
|sequence|
sequence number of echo request/response|
integer (16 bit)
|gateway|
gateway of redirects|
integer (32 bit)
|mtu|
MTU of path MTU discovery|
integer (16 bit)
|============================

IGMP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
*igmp* {*type* | *mrt* | *checksum* | *group*}

This expression refers to IGMP header fields. When using it in *inet*,
*bridge* or *netdev* families, it will cause an implicit dependency on IPv4 to
be created. To match on unusual cases like IGMP over IPv6, one has to add an
explicit *meta protocol ip6* match to the rule.

.IGMP header expression
[options="header"]
|==================
|Keyword|Description| Type
|type|
IGMP type field |
igmp_type
|mrt|
IGMP maximum response time field |
integer (8 bit)
|checksum|
IGMP checksum field |
integer (16 bit)
|group|
Group address|
integer (32 bit)
|============================

IPV6 HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
*ip6* {*version* | *dscp* | *ecn* | *flowlabel* | *length* | *nexthdr* | *hoplimit* | *saddr* | *daddr*}

This expression refers to the IPv6 header fields. Use caution with *ip6
nexthdr*: the value only refers to the next header, i.e. *ip6 nexthdr tcp* will
only match if the IPv6 packet does not contain any extension headers. Packets
that are fragmented or that contain, for example, a routing extension header
will not be matched. Use *meta l4proto* instead if you wish to match the real
transport header and ignore any additional extension headers.

.IPv6 header expression
[options="header"]
|==================
|Keyword|Description| Type
|version|
IP header version (6)|
integer (4 bit)
|dscp|
Differentiated Services Code Point|
dscp
|ecn|
Explicit Congestion Notification|
ecn
|flowlabel|
Flow label|
integer (20 bit)
|length|
Payload length|
integer (16 bit)
|nexthdr|
Next header protocol|
inet_proto
|hoplimit|
Hop limit|
integer (8 bit)
|saddr|
Source address|
ipv6_addr
|daddr|
Destination address |
ipv6_addr
|=======================

.Using ip6 header expressions
-----------------------------
# matching if first extension header indicates a fragment
ip6 nexthdr ipv6-frag
-----------------------------

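The caution above about *ip6 nexthdr* versus *meta l4proto*, worked through in an added Python model that is not code from the nftables project: it builds constructed IPv6 packets with and without extension headers, reads the fixed header's Next Header field the way *ip6 nexthdr* does, and walks the extension header chain to the transport protocol the way *meta l4proto* effectively does. Header sizes follow RFC 8200 (Hdr Ext Len in 8-octet units past the first, fixed 8-byte fragment header); the packets, zeroed addresses and identification value are made up for the example.

```python
"""Why 'ip6 nexthdr tcp' misses packets that carry extension headers.

Added example; it is not code from the nftables project. It builds
constructed IPv6 packets, reads the fixed header's Next Header field (what
'ip6 nexthdr' compares against) and walks the extension header chain to the
real transport protocol (what 'meta l4proto' reports).
"""
import struct

HOPOPT, TCP, ROUTING, FRAGMENT, DSTOPTS = 0, 6, 43, 44, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}


def ip6_nexthdr(pkt: bytes) -> int:
    """The Next Header field of the fixed IPv6 header (byte offset 6)."""
    return pkt[6]


def ext_header_size(etype: int, hdr: bytes) -> int:
    """Size in bytes of one extension header starting at `hdr`."""
    if etype == FRAGMENT:
        return 8                  # the fragment header has a fixed size
    return (hdr[1] + 1) * 8       # Hdr Ext Len: 8-octet units past the first


def meta_l4proto(pkt: bytes) -> int:
    """Skip all extension headers and return the transport protocol number."""
    nh, off = ip6_nexthdr(pkt), 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header chain")
        nh, off = pkt[off], off + ext_header_size(nh, pkt[off:])
    return nh


def build_ipv6(exts: list, l4: int, payload: bytes) -> bytes:
    """Construct an IPv6 packet with minimal (8-byte) extension headers."""
    chain = list(exts) + [l4]
    body = b""
    for i, etype in enumerate(exts):
        nxt = chain[i + 1]
        if etype == FRAGMENT:
            # next header, reserved, offset 0 with the M flag set, identification
            body += struct.pack("!BBHI", nxt, 0, 0x0001, 0xbeef)
        else:
            # next header, Hdr Ext Len 0 (8 bytes total), type-specific padding
            body += struct.pack("!BB", nxt, 0) + bytes(6)
    body += payload
    # version 6, payload length, next header, hop limit, zeroed src/dst
    fixed = struct.pack("!IHBB", 0x60000000, len(body), chain[0], 64) + bytes(32)
    return fixed + body


def rule_ip6_nexthdr_tcp(pkt: bytes) -> bool:
    """Model of the rule 'ip6 nexthdr tcp'."""
    return ip6_nexthdr(pkt) == TCP


def rule_meta_l4proto_tcp(pkt: bytes) -> bool:
    """Model of the rule 'meta l4proto tcp'."""
    return meta_l4proto(pkt) == TCP


# Constructed packets: plain TCP, TCP behind a fragment header, and TCP behind
# a routing header followed by destination options.
PLAIN = build_ipv6([], TCP, bytes(20))
FRAGGED = build_ipv6([FRAGMENT], TCP, bytes(20))
ROUTED = build_ipv6([ROUTING, DSTOPTS], TCP, bytes(20))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("fragmented", FRAGGED), ("routed", ROUTED)):
        print(name, "ip6 nexthdr tcp:", rule_ip6_nexthdr_tcp(pkt),
              "meta l4proto tcp:", rule_meta_l4proto_tcp(pkt))
```

Only the plain packet satisfies both rules; the fragmented packet is the one the documented *ip6 nexthdr ipv6-frag* rule catches, and neither it nor the routed packet is seen by *ip6 nexthdr tcp*.
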
ICMPV6 HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~~
[verse]
*icmpv6* {*type* | *code* | *checksum* | *parameter-problem* | *packet-too-big* | *id* | *sequence* | *max-delay*}

This expression refers to ICMPv6 header fields. When using it in *inet*,
*bridge* or *netdev* families, it will cause an implicit dependency on IPv6 to
be created. To match on unusual cases like ICMPv6 over IPv4, one has to add an
explicit *meta protocol ip* match to the rule.

.ICMPv6 header expression
[options="header"]
|==================
|Keyword| Description| Type
|type|
ICMPv6 type field|
icmpv6_type
|code|
ICMPv6 code field|
integer (8 bit)
|checksum|
ICMPv6 checksum field|
integer (16 bit)
|parameter-problem|
pointer to problem|
integer (32 bit)
|packet-too-big|
oversized MTU|
integer (32 bit)
|id|
ID of echo request/response |
integer (16 bit)
|sequence|
sequence number of echo request/response|
integer (16 bit)
|max-delay|
maximum response delay of MLD queries|
integer (16 bit)
|==============================

TCP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~
[verse]
*tcp* {*sport* | *dport* | *sequence* | *ackseq* | *doff* | *reserved* | *flags* | *window* | *checksum* | *urgptr*}

.TCP header expression
[options="header"]
|==================
|Keyword| Description| Type
|sport|
Source port|
inet_service
|dport|
Destination port|
inet_service
|sequence|
Sequence number|
integer (32 bit)
|ackseq|
Acknowledgement number |
integer (32 bit)
|doff|
Data offset |
integer (4 bit) FIXME scaling
|reserved|
Reserved area |
integer (4 bit)
|flags|
TCP flags|
tcp_flag
|window|
Window|
integer (16 bit)
|checksum|
Checksum|
integer (16 bit)
|urgptr|
Urgent pointer|
integer (16 bit)
|======================

UDP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~
[verse]
*udp* {*sport* | *dport* | *length* | *checksum*}

.UDP header expression
[options="header"]
|==================
|Keyword| Description| Type
|sport|
Source port|
inet_service
|dport|
Destination port|
inet_service
|length|
Total packet length|
integer (16 bit)
|checksum|
Checksum|
integer (16 bit)
|================

UDP-LITE HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~~~~~
[verse]
*udplite* {*sport* | *dport* | *checksum*}

.UDP-Lite header expression
[options="header"]
|==================
|Keyword| Description| Type
|sport|
Source port|
inet_service
|dport|
Destination port|
inet_service
|checksum|
Checksum|
integer (16 bit)
|================

SCTP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~
[verse]
*sctp* {*sport* | *dport* | *vtag* | *checksum*}

.SCTP header expression
[options="header"]
|==================
|Keyword| Description| Type
|sport|
Source port|
inet_service
|dport|
Destination port|
inet_service
|vtag|
Verification Tag|
integer (32 bit)
|checksum|
Checksum|
integer (32 bit)
|================

DCCP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
*dccp* {*sport* | *dport*}

.DCCP header expression
[options="header"]
|==================
|Keyword| Description| Type
|sport|
Source port|
inet_service
|dport|
Destination port|
inet_service
|========================

AUTHENTICATION HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[verse]
*ah* {*nexthdr* | *hdrlength* | *reserved* | *spi* | *sequence*}

.AH header expression
[options="header"]
|==================
|Keyword| Description| Type
|nexthdr|
Next header protocol|
inet_proto
|hdrlength|
AH Header length|
integer (8 bit)
|reserved|
Reserved area|
integer (16 bit)
|spi|
Security Parameter Index |
integer (32 bit)
|sequence|
Sequence number|
integer (32 bit)
|========================

ENCRYPTED SECURITY PAYLOAD HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[verse]
*esp* {*spi* | *sequence*}

.ESP header expression
[options="header"]
|==================
|Keyword| Description| Type
|spi|
Security Parameter Index |
integer (32 bit)
|sequence|
Sequence number|
integer (32 bit)
|===========================

IPCOMP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~~~
[verse]
*comp* {*nexthdr* | *flags* | *cpi*}

.IPComp header expression
[options="header"]
|==================
|Keyword| Description| Type
|nexthdr|
Next header protocol|
inet_proto
|flags|
Flags|
bitmask
|cpi|
Compression Parameter Index |
integer (16 bit)
|============================

RAW PAYLOAD EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
*@*'base'*,*'offset'*,*'length'

The raw payload expression instructs nft to load 'length' bits starting at
'offset' bits. Bit 0 refers to the very first bit; in the C programming
language, this corresponds to the topmost bit, i.e. 0x80 in case of an octet.
Raw payload expressions are useful to match headers that do not have a
human-readable template expression yet. Note that nft will not add
dependencies for raw payload expressions. If you e.g. want to match protocol
fields of a transport header with protocol number 5, you need to manually
exclude packets that have a different transport header, for instance by using
*meta l4proto 5* before the raw expression.

.Supported payload protocol bases
[options="header"]
|==================
|Base| Description
|ll|
Link layer, for example the Ethernet header
|nh|
Network header, for example IPv4 or IPv6
|th|
Transport Header, for example TCP
|==============================

.Matching destination port of both UDP and TCP
----------------------------------------------
inet filter input meta l4proto {tcp, udp} @th,16,16 { 53, 80 }
-----------------------------------------------------------------
The above can also be written as
-----------------------------------------------------------------
inet filter input meta l4proto {tcp, udp} th dport { 53, 80 }
-----------------------------------------------------------------
This is more convenient, but, like the raw expression notation, no
dependencies are created or checked. It is the user's responsibility
to restrict matching to those header types that have a notion of ports.
Otherwise, rules using raw expressions will erroneously match unrelated
packets, e.g. misinterpreting an ESP packet's SPI field as a port.

.Rewrite ARP packet target hardware address if target protocol address matches a given address
----------------------------------------------------------------------------------------------
input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept
-----------------------------------------------------------------------------------------------

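To make the bit offsets in the examples above concrete, here is an added Python model of the raw payload expression; it is not code from nft or its documentation. `load_bits` implements the documented semantics (bit 0 is the top bit of the first octet), `raw_expr_for` derives the *@nh,192,32* and *@nh,144,48* triples from the ARP field layout, and `dport_in_set` shows why *@th,16,16* needs the *meta l4proto {tcp, udp}* guard: on a constructed ESP header the low 16 bits of the SPI are read as if they were a port. All packet bytes, addresses and the SPI value are constructed for the example.

```python
"""Bit-level model of the nft raw payload expression @base,offset,length.

Added example; it is not code from the nftables project. It models how
'length' bits starting at bit 'offset' are loaded from a header (bit 0 being
the top bit of the first octet) and applies that to constructed ARP, TCP and
ESP headers to show why the 'meta l4proto' guard matters.
"""
import ipaddress
import re


def load_bits(header: bytes, offset: int, length: int) -> int:
    """Integer formed by `length` bits of `header` starting at bit `offset`,
    counting from the most significant bit of the first octet (nft convention)."""
    if offset < 0 or length <= 0 or offset + length > len(header) * 8:
        raise ValueError("bit range outside the header")
    shift = len(header) * 8 - offset - length
    return (int.from_bytes(header, "big") >> shift) & ((1 << length) - 1)


RAW_EXPR = re.compile(r"^@(ll|nh|th),(\d+),(\d+)$")


def eval_raw(expr: str, headers: dict) -> int:
    """Evaluate '@base,offset,length' against {base: header bytes}."""
    m = RAW_EXPR.match(expr)
    if not m:
        raise ValueError(f"not a raw payload expression: {expr}")
    base, offset, length = m.group(1), int(m.group(2)), int(m.group(3))
    return load_bits(headers[base], offset, length)


# ARP header fields as (name, size in bits), in wire order (RFC 826).
ARP_LAYOUT = [("htype", 16), ("ptype", 16), ("hlen", 8), ("plen", 8),
              ("oper", 16), ("sha", 48), ("spa", 32), ("tha", 48), ("tpa", 32)]


def raw_expr_for(base: str, layout: list, field: str) -> str:
    """Derive the @base,offset,length triple for a named field of a layout."""
    offset = 0
    for name, bits in layout:
        if name == field:
            return f"@{base},{offset},{bits}"
        offset += bits
    raise KeyError(field)


# Constructed ARP request whose target protocol address is 192.168.143.16,
# the 0xc0a88f10 literal used in the documented ARP rewrite rule.
ARP = (bytes.fromhex("0001080006040001")                        # htype, ptype, hlen, plen, oper
       + bytes.fromhex("111111111111") + bytes([10, 0, 0, 1])   # sender MAC / IP
       + bytes(6) + bytes([192, 168, 143, 16]))                 # target MAC / IP

# Constructed transport headers: a TCP header with dport 53, and an ESP header
# whose SPI 0x00000035 carries 53 in its low 16 bits.
TCP = bytes.fromhex("9c400035") + bytes(16)
ESP = (0x35).to_bytes(4, "big") + (1).to_bytes(4, "big")
TCP_PROTO, UDP_PROTO, ESP_PROTO = 6, 17, 50


def arp_target_ip(arp: bytes) -> str:
    """'@nh,192,32' on an ARP header reads the target protocol address."""
    return str(ipaddress.IPv4Address(eval_raw("@nh,192,32", {"nh": arp})))


def dport_in_set(l4proto: int, th: bytes, ports: set, guard: bool) -> bool:
    """Model '[meta l4proto {tcp, udp}] @th,16,16 { ports }'.

    With guard=False (no meta l4proto), bits 16..31 of whatever transport
    header is present are compared, so an ESP SPI can be mistaken for a port.
    """
    if guard and l4proto not in (TCP_PROTO, UDP_PROTO):
        return False
    return eval_raw("@th,16,16", {"th": th}) in ports


if __name__ == "__main__":
    print(raw_expr_for("nh", ARP_LAYOUT, "tpa"), arp_target_ip(ARP))
    print("ESP matched without l4proto guard:",
          dport_in_set(ESP_PROTO, ESP, {53, 80}, guard=False))
```

`raw_expr_for` is the step a practitioner does on paper before writing a raw match: sum the sizes of the fields that precede the one of interest. The ESP case is the documented failure mode made visible: the same *@th,16,16* that reads a TCP or UDP destination port reads SPI bits on an ESP packet, and only the *meta l4proto* guard keeps the rule from matching it.
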
EXTENSION HEADER EXPRESSIONS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Extension header expressions refer to data from variable-sized protocol headers, such as IPv6 extension headers, TCP options and IPv4 options.

nftables currently supports matching (finding) a given IPv6 extension header, TCP option or IPv4 option.
[verse]
*hbh* {*nexthdr* | *hdrlength*}
*frag* {*nexthdr* | *frag-off* | *more-fragments* | *id*}
*rt* {*nexthdr* | *hdrlength* | *type* | *seg-left*}
*dst* {*nexthdr* | *hdrlength*}
*mh* {*nexthdr* | *hdrlength* | *checksum* | *type*}
*srh* {*flags* | *tag* | *sid* | *seg-left*}
*tcp option* {*eol* | *noop* | *maxseg* | *window* | *sack-permitted* | *sack* | *sack0* | *sack1* | *sack2* | *sack3* | *timestamp*} 'tcp_option_field'
*ip option* {*lsrr* | *ra* | *rr* | *ssrr*} 'ip_option_field'

The following syntaxes are valid only in a relational expression with a boolean type on the right-hand side, for checking header existence only:
[verse]
*exthdr* {*hbh* | *frag* | *rt* | *dst* | *mh*}
*tcp option* {*eol* | *noop* | *maxseg* | *window* | *sack-permitted* | *sack* | *sack0* | *sack1* | *sack2* | *sack3* | *timestamp*}
*ip option* {*lsrr* | *ra* | *rr* | *ssrr*}

.IPv6 extension headers
[options="header"]
|==================
|Keyword| Description
|hbh|
Hop by Hop
|rt|
Routing Header
|frag|
Fragmentation header
|dst|
Destination options
|mh|
Mobility Header
|srh|
Segment Routing Header
|=====================

.TCP Options
[options="header"]
|==================
|Keyword| Description | TCP option fields
|eol|
End of option list|
kind
|noop|
1 byte TCP No-op option |
kind
|maxseg|
TCP Maximum Segment Size|
kind, length, size
|window|
TCP Window Scaling |
kind, length, count
|sack-permitted|
TCP SACK permitted |
kind, length
|sack|
TCP Selective Acknowledgement (alias of block 0) |
kind, length, left, right
|sack0|
TCP Selective Acknowledgement (block 0) |
kind, length, left, right
|sack1|
TCP Selective Acknowledgement (block 1) |
kind, length, left, right
|sack2|
TCP Selective Acknowledgement (block 2) |
kind, length, left, right
|sack3|
TCP Selective Acknowledgement (block 3) |
kind, length, left, right
|timestamp|
TCP Timestamps |
kind, length, tsval, tsecr
|============================

.IP Options
[options="header"]
|==================
|Keyword| Description | IP option fields
|lsrr|
Loose Source Route |
type, length, ptr, addr
|ra|
Router Alert |
type, length, value
|rr|
Record Route |
type, length, ptr, addr
|ssrr|
Strict Source Route |
type, length, ptr, addr
|============================

.Finding TCP options
--------------------
filter input tcp option sack-permitted kind 1 counter
--------------------

.Matching IPv6 exthdr
---------------------
ip6 filter input frag more-fragments 1 counter
---------------------------------------

.Finding IP option
------------------
filter input ip option lsrr exists counter
---------------------------------------

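An added Python parser, not code from the nftables project, showing how the *tcp option* fields from the TCP Options table above are located: it walks the options area of a constructed TCP header, exposes `kind`, `length`, `size`, `count`, `left`/`right` and `tsval`/`tsecr`, and models both the *tcp option X exists* and *tcp option X field* forms, including the *sack*/*sackN* block selection. The two headers are constructed for the example; the option kind numbers are the IANA-assigned ones.

```python
"""Locating TCP option fields the way 'tcp option ...' expressions do.

Added example; it is not code from the nftables project. It walks the options
area of a constructed TCP header and exposes the per-option fields named in
the TCP Options table (kind, length, size, count, left/right, tsval/tsecr), so
both 'tcp option X exists' and 'tcp option X <field>' can be evaluated offline.
"""
import struct

# nft keyword -> TCP option kind (IANA numbers)
KIND = {"eol": 0, "noop": 1, "maxseg": 2, "window": 3, "sack-permitted": 4,
        "sack": 5, "timestamp": 8}


def parse_tcp_options(tcp: bytes) -> list:
    """Return [(kind, length, fields)] for each option in header order."""
    doff = (tcp[12] >> 4) * 4                 # data offset in bytes
    opts, pos, out = tcp[20:doff], 0, []
    while pos < len(opts):
        kind = opts[pos]
        if kind in (KIND["eol"], KIND["noop"]):   # single-byte options
            out.append((kind, 1, {"kind": kind}))
            if kind == KIND["eol"]:
                break
            pos += 1
            continue
        if pos + 2 > len(opts):
            raise ValueError("truncated option header")
        length = opts[pos + 1]
        if length < 2 or pos + length > len(opts):
            raise ValueError("bad option length")
        data = opts[pos + 2:pos + length]
        fields = {"kind": kind, "length": length}
        if kind == KIND["maxseg"] and length == 4:
            fields["size"] = struct.unpack("!H", data)[0]
        elif kind == KIND["window"] and length == 3:
            fields["count"] = data[0]
        elif kind == KIND["sack"] and len(data) % 8 == 0:
            # up to four (left edge, right edge) blocks: sack0 .. sack3
            for n in range(min(len(data) // 8, 4)):
                left, right = struct.unpack("!II", data[n * 8:n * 8 + 8])
                fields[f"left{n}"], fields[f"right{n}"] = left, right
        elif kind == KIND["timestamp"] and length == 10:
            fields["tsval"], fields["tsecr"] = struct.unpack("!II", data)
        out.append((kind, length, fields))
        pos += length
    return out


def find_option(tcp: bytes, name: str):
    """Resolve 'sack'/'sackN' to (block, fields); None if the option is absent."""
    block = 0
    if name.startswith("sack") and name[4:].isdigit():
        block, name = int(name[4:]), "sack"
    for kind, _length, fields in parse_tcp_options(tcp):
        if kind == KIND[name]:
            return block, fields
    return None


def tcp_option_exists(tcp: bytes, name: str) -> bool:
    """Model of 'tcp option <name> exists'."""
    return find_option(tcp, name) is not None


def tcp_option_field(tcp: bytes, name: str, field: str):
    """Model of 'tcp option <name> <field>'; None when the option is absent."""
    found = find_option(tcp, name)
    if found is None:
        return None
    block, fields = found
    if field in ("left", "right"):
        return fields.get(f"{field}{block}")
    return fields.get(field)


# Constructed headers. SYN: maxseg 1460, sack-permitted, timestamp, noop,
# window scale 7 (20 bytes of options, data offset 10 words).
SYN = (struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 10 << 4, 0x02, 65535, 0, 0)
       + bytes.fromhex("020405b4") + bytes.fromhex("0402")
       + struct.pack("!BBII", 8, 10, 1000, 0)
       + bytes.fromhex("01") + bytes.fromhex("030307"))
# ACK carrying one SACK block 200..300 after two noops (data offset 8 words).
ACK_SACK = (struct.pack("!HHIIBBHHH", 40000, 22, 2, 100, 8 << 4, 0x10, 65535, 0, 0)
            + bytes.fromhex("0101") + struct.pack("!BBII", 5, 10, 200, 300))

if __name__ == "__main__":
    print(tcp_option_field(SYN, "maxseg", "size"),
          tcp_option_exists(SYN, "sack-permitted"),
          tcp_option_field(ACK_SACK, "sack0", "left"))
```

The length checks matter: a malformed option length would otherwise let the walker read past the options area, which is the same class of problem the kernel parser has to guard against before any *tcp option* match can be trusted.
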
CONNTRACK EXPRESSIONS
~~~~~~~~~~~~~~~~~~~~~
Conntrack expressions refer to metadata of the connection tracking entry associated with a packet. +

There are three types of conntrack expressions. Some conntrack expressions
require the flow direction before the conntrack key, others must be used
directly because they are direction agnostic. The *packets*, *bytes* and
*avgpkt* keywords can be used with or without a direction. If the direction is
omitted, the sum of the original and the reply direction is returned. The same
is true for the *zone*: if a direction is given, the zone is only matched if the
zone id is tied to the given direction. +

[verse]
*ct* {*state* | *direction* | *status* | *mark* | *expiration* | *helper* | *label*}
*ct* [*original* | *reply*] {*l3proto* | *protocol* | *bytes* | *packets* | *avgpkt* | *zone*}
*ct* {*original* | *reply*} {*proto-src* | *proto-dst*}
*ct* {*original* | *reply*} {*ip* | *ip6*} {*saddr* | *daddr*}

.Conntrack expressions
[options="header"]
|==================
|Keyword| Description | Type
|state|
State of the connection |
ct_state
|direction|
Direction of the packet relative to the connection |
ct_dir
|status|
Status of the connection |
ct_status
|mark|
Connection mark |
mark
|expiration|
Connection expiration time |
time
|helper|
Helper associated with the connection|
string
|label|
Connection tracking label bit or symbolic name defined in connlabel.conf in the nftables include path|
ct_label
|l3proto|
Layer 3 protocol of the connection|
nf_proto
|saddr|
Source address of the connection for the given direction |
ipv4_addr/ipv6_addr
|daddr|
Destination address of the connection for the given direction |
ipv4_addr/ipv6_addr
|protocol|
Layer 4 protocol of the connection for the given direction |
inet_proto
|proto-src|
Layer 4 protocol source for the given direction|
integer (16 bit)
|proto-dst|
Layer 4 protocol destination for the given direction |
integer (16 bit)
|packets|
packet count seen in the given direction or sum of original and reply |
integer (64 bit)
|bytes|
byte count seen, see description for *packets* keyword |
integer (64 bit)
|avgpkt|
average bytes per packet, see description for *packets* keyword |
integer (64 bit)
|zone|
conntrack zone |
integer (16 bit)
|count|
count number of connections |
integer (32 bit)
|==========================================
A description of the conntrack-specific types listed above can be found in the sub-section CONNTRACK TYPES above.

.Restrict the number of parallel connections to a server
--------------------
filter input tcp dport 22 meter test { ip saddr ct count over 2 } reject
--------------------
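
The direction handling described above, modelled in added Python that is not nftables code: a constructed conntrack table illustrates that *ct packets*, *ct bytes* and *ct avgpkt* without a direction aggregate both directions, that *ct original zone* only matches a zone tied to the original direction, and how the meter in the example above counts connections per source address for *ct count over 2*. The entry structure, addresses and counter values are made up for the example and only model the documented semantics.

```python
"""Direction handling in conntrack expressions, modelled offline.

Added example; it is not code from the nftables project. A small model of
conntrack entries shows what 'ct packets' returns with and without a
direction, when a direction-bound zone matches 'ct original zone', and how
the 'ct count over N' meter counts connections per source address.
"""
from collections import Counter
from dataclasses import dataclass, field

ORIGINAL, REPLY = "original", "reply"


@dataclass
class ConntrackEntry:
    """Constructed stand-in for one conntrack entry (original direction tuple,
    per-direction counters, and an optional direction-bound zone)."""
    orig_saddr: str
    orig_daddr: str
    proto_dst: int
    packets: dict = field(default_factory=lambda: {ORIGINAL: 0, REPLY: 0})
    bytes_: dict = field(default_factory=lambda: {ORIGINAL: 0, REPLY: 0})
    zone: int = 0
    zone_dir: str = None      # None: the zone applies to both directions


def ct_counter(entry: ConntrackEntry, key: str, direction: str = None) -> int:
    """'ct [original|reply] {packets|bytes|avgpkt}': the directional value,
    or the aggregate over both directions when no direction is given."""
    dirs = [direction] if direction else [ORIGINAL, REPLY]
    packets = sum(entry.packets[d] for d in dirs)
    nbytes = sum(entry.bytes_[d] for d in dirs)
    if key == "packets":
        return packets
    if key == "bytes":
        return nbytes
    if key == "avgpkt":
        return nbytes // packets if packets else 0
    raise KeyError(key)


def ct_zone_matches(entry: ConntrackEntry, zone: int, direction: str = None) -> bool:
    """'ct [original|reply] zone N': with a direction, the entry's zone only
    matches when it is tied to that direction (or to both)."""
    if entry.zone != zone:
        return False
    if direction is None or entry.zone_dir is None:
        return True
    return entry.zone_dir == direction


def ct_count_over(entries: list, limit: int, dport: int) -> list:
    """Model of 'tcp dport <dport> meter m { ip saddr ct count over <limit> }':
    the source addresses holding more than `limit` connections to that port."""
    counts = Counter(e.orig_saddr for e in entries if e.proto_dst == dport)
    return sorted(addr for addr, n in counts.items() if n > limit)


# Constructed conntrack table: three SSH connections from 10.0.0.1, one SSH
# connection from 10.0.0.2 in a zone bound to the original direction, and one
# HTTP connection that the port-22 meter must ignore.
TABLE = [
    ConntrackEntry("10.0.0.1", "10.0.0.9", 22,
                   {ORIGINAL: 5, REPLY: 3}, {ORIGINAL: 500, REPLY: 360}),
    ConntrackEntry("10.0.0.1", "10.0.0.9", 22),
    ConntrackEntry("10.0.0.1", "10.0.0.9", 22),
    ConntrackEntry("10.0.0.2", "10.0.0.9", 22, zone=7, zone_dir=ORIGINAL),
    ConntrackEntry("10.0.0.2", "10.0.0.9", 80),
]

if __name__ == "__main__":
    print("ct packets:", ct_counter(TABLE[0], "packets"),
          "ct original packets:", ct_counter(TABLE[0], "packets", ORIGINAL))
    print("ct reply zone 7 on entry 3:", ct_zone_matches(TABLE[3], 7, REPLY))
    print("ct count over 2 on dport 22:", ct_count_over(TABLE, 2, 22))
```
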