|
Packit |
c5a612 |
META EXPRESSIONS
~~~~~~~~~~~~~~~~
[verse]
*meta* {*length* | *nfproto* | *l4proto* | *protocol* | *priority*}
[*meta*] {*mark* | *iif* | *iifname* | *iiftype* | *oif* | *oifname* | *oiftype* | *skuid* | *skgid* | *nftrace* | *rtclassid* | *ibrname* | *obrname* | *pkttype* | *cpu* | *iifgroup* | *oifgroup* | *cgroup* | *random* | *ipsec* | *iifkind* | *oifkind* | *time* | *hour* | *day* }

A meta expression refers to meta data associated with a packet.

There are two types of meta expressions: unqualified and qualified meta
expressions. Qualified meta expressions require the meta keyword before the meta
key; unqualified meta expressions can be specified by using the meta key
directly or as qualified meta expressions. Meta l4proto is useful to match a
particular transport protocol that is part of either an IPv4 or IPv6 packet. It
will also skip any IPv6 extension headers present in an IPv6 packet.

meta iif, oif, iifname and oifname are used to match the interface a packet
arrived on or is about to be sent out on.

iif and oif are used to match on the interface index, whereas iifname and
oifname are used to match on the interface name.
This is not the same -- assuming the rule

filter input meta iif "foo"

then this rule can only be added if the interface "foo" exists.
Also, the rule will continue to match even if the
interface "foo" is renamed to "bar".

This is because internally the interface index is used. Conversely, if "foo"
is deleted, the rule keeps the now stale index and stops matching; it has to be
re-added once the interface exists again.
In case of dynamically created interfaces, such as tun/tap or dialup
interfaces (ppp for example), it might be better to use iifname or oifname
instead.

In these cases, the name is used so the interface doesn't have to exist to
add such a rule; it will stop matching if the interface gets renamed and it
will match again in case the interface gets deleted and later a new interface
with the same name is created.

Like with iptables, wildcard matching on interface name prefixes is available for
*iifname* and *oifname* matches by appending an asterisk (*) character. Note
however that unlike iptables, nftables does not accept interface names
consisting of the wildcard character only - users are supposed to just skip
those always matching expressions. In order to match on a literal asterisk
character, one may escape it using a backslash (\).

.Meta expression types
[options="header"]
|==================
|Keyword | Description | Type
|length|
Length of the packet in bytes|
integer (32 bit)
|nfproto|
real hook protocol family, useful only in inet table|
integer (32 bit)
|l4proto|
layer 4 protocol, skips ipv6 extension headers|
integer (8 bit)
|protocol|
EtherType protocol value|
ether_type
|priority|
TC packet priority|
tc_handle
|mark|
Packet mark |
mark
|iif|
Input interface index |
iface_index
|iifname|
Input interface name |
ifname
|iiftype|
Input interface type|
iface_type
|oif|
Output interface index|
iface_index
|oifname|
Output interface name|
ifname
|oiftype|
Output interface hardware type|
iface_type
|skuid|
UID associated with originating socket|
uid
|skgid|
GID associated with originating socket|
gid
|rtclassid|
Routing realm|
realm
|ibrname|
Input bridge interface name|
ifname
|obrname|
Output bridge interface name|
ifname
|pkttype|
packet type|
pkt_type
|cpu|
cpu number processing the packet|
integer (32 bit)
|iifgroup|
incoming device group|
devgroup
|oifgroup|
outgoing device group|
devgroup
|cgroup|
control group id |
integer (32 bit)
|random|
pseudo-random number|
integer (32 bit)
|ipsec|
true if the packet was subject to ipsec processing|
boolean (1 bit)
|iifkind|
Input interface kind |
ifkind
|oifkind|
Output interface kind|
ifkind
|time|
Absolute time of packet reception|
Integer (32 bit) or string
|day|
Day of week|
Integer (8 bit) or string
|hour|
Hour of day|
String
|====================

.Meta expression specific types
[options="header"]
|==================
|Type | Description
|iface_index |
Interface index (32 bit number). Can be specified numerically or as name of an existing interface.
|ifname|
Interface name (16 byte string). Does not have to exist.
|iface_type|
Interface type (16 bit number).
|uid|
User ID (32 bit number). Can be specified numerically or as user name.
|gid|
Group ID (32 bit number). Can be specified numerically or as group name.
|realm|
Routing Realm (32 bit number). Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms.
|devgroup|
Device group (32 bit number). Can be specified numerically or as symbolic name defined in /etc/iproute2/group.
|pkt_type|
Packet type: *host* (addressed to local host), *broadcast* (to all),
*multicast* (to group), *other* (addressed to another host).
|ifkind|
Interface kind (16 byte string). Does not have to exist.
|time|
Either an integer or a date in ISO format. For example: "2019-06-06 17:00".
Hour and seconds are optional and can be omitted if desired. If omitted,
midnight will be assumed.
The following three would be equivalent: "2019-06-06", "2019-06-06 00:00"
and "2019-06-06 00:00:00".
When an integer is given, it is assumed to be a UNIX timestamp.
|day|
Either a day of week ("Monday", "Tuesday", etc.), or an integer between 0 and 6.
Strings are matched case-insensitively, and a full match is not expected (e.g. "Mon" would match "Monday").
When an integer is given, 0 is Sunday and 6 is Saturday.
|hour|
A string representing an hour in 24-hour format. Seconds can optionally be specified.
For example, 17:00 and 17:00:00 would be equivalent.
|=============================

.Using meta expressions
-----------------------
# qualified meta expression
filter output meta oif eth0

# unqualified meta expression
filter output oif eth0

# packet was subject to ipsec processing
raw prerouting meta ipsec exists accept
-----------------------

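The following ruleset is an added example and is not code from the nft(8) page or the nftables project. It puts the meta keys described above to work in one table: l4proto covering both IP families, a wildcard and an escaped interface name, a day/hour window, pkttype, and skuid in the output hook (the only place the originating socket is known). Interface names, the "unbound" user, the ports and the backup window are assumptions.

```nft
# Added example, not part of the nft(8) page. Names, users, ports and the
# maintenance window are assumptions.
table inet meta_demo {
	chain input {
		type filter hook input priority 0; policy drop;

		ct state established,related accept
		iifname "lo" accept

		# l4proto skips IPv6 extension headers, so one rule covers both
		# families; the unqualified "l4proto { ... }" would be accepted too.
		meta l4proto { icmp, ipv6-icmp } accept

		# Dial-up interfaces come and go, so match by name prefix rather
		# than by index: "ppp0", "ppp1", ... all match "ppp*".
		iifname "ppp*" tcp dport { 22, 443 } accept

		# An escaped asterisk is a literal character, not a wildcard:
		# this matches only an interface literally named "eth*".
		iifname "eth\*" counter drop

		# Day/hour window: backup pulls (rsync, 873) only on Sunday 02:00-04:00.
		# nft converts hour to UTC using its own time zone at load time.
		meta day "Sunday" meta hour "02:00"-"04:00" tcp dport 873 accept

		# Anything not addressed to this host (broadcast/multicast noise)
		# is counted so it shows up in "nft list ruleset".
		meta pkttype != host counter drop
	}

	chain output {
		type filter hook output priority 0; policy accept;

		# skuid/skgid are taken from the originating socket, so they are
		# only meaningful for locally generated packets (output hook).
		# Assumed: only the "unbound" resolver user may talk DNS.
		udp dport 53 meta skuid != "unbound" counter reject
		tcp dport 53 meta skuid != "unbound" counter reject
	}
}
```

Two practitioner caveats: skuid and skgid match nothing in the input or prerouting hooks, because an incoming packet has no originating socket yet, so an "only root may ..." rule placed there silently never fires. Time windows are converted to UTC using nft's own local time zone when the rule is loaded, so after a daylight-saving change the window is off by an hour until the ruleset is reloaded.
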
SOCKET EXPRESSION
~~~~~~~~~~~~~~~~~
[verse]
*socket* {*transparent* | *mark*}

The socket expression can be used to search for an existing open TCP/UDP socket and
its attributes that can be associated with a packet. It looks for an established
or non-zero bound listening socket (possibly with a non-local address).

.Available socket attributes
[options="header"]
|==================
|Name |Description| Type
|transparent|
Value of the IP_TRANSPARENT socket option in the found socket. It can be 0 or 1.|
boolean (1 bit)
|mark| Value of the socket mark (SOL_SOCKET, SO_MARK). | mark
|==================

.Using socket expression
------------------------
# Mark packets that correspond to a transparent socket
table inet x {
	chain y {
		type filter hook prerouting priority -150; policy accept;
		socket transparent 1 mark set 0x00000001 accept
	}
}

# Trace packets that correspond to a socket with a mark value of 15
table inet x {
	chain y {
		type filter hook prerouting priority -150; policy accept;
		socket mark 0x0000000f nftrace set 1
	}
}

# Set packet mark to socket mark
table inet x {
	chain y {
		type filter hook prerouting priority -150; policy accept;
		tcp dport 8080 mark set socket mark
	}
}
----------------------

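As an added example (not code from the nft(8) page or the nftables project), here is the complete "divert" chain that the first socket example above is usually part of: a transparent proxy that owns IP_TRANSPARENT sockets, with the tproxy statement from the TPROXY STATEMENT section of this manual steering new flows to it. The proxy port, the mark value, the routing table number and the interface-independent policy-routing commands (shown as comments, since they are ip(8) rather than nft syntax) are assumptions.

```nft
# Added example, not part of the nft(8) page: divert chain for a transparent
# proxy listening on port 3129. The ip(8) commands below (assumed setup) make
# the kernel deliver marked packets to the local stack:
#
#   ip rule add fwmark 0x1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
#   ip -6 rule add fwmark 0x1 lookup 100
#   ip -6 route add local ::/0 dev lo table 100
table inet proxy_demo {
	chain divert {
		type filter hook prerouting priority -150; policy accept;

		# Packets of flows the proxy already owns: a socket with
		# IP_TRANSPARENT set exists, so mark and short-circuit.
		socket transparent 1 meta mark set 0x1 accept

		# First packets of new HTTP/HTTPS flows: hand them to the proxy
		# socket. tproxy changes delivery only, not the packet, so the
		# same mark is required for the policy-routing rule above.
		tcp dport { 80, 443 } tproxy to :3129 meta mark set 0x1 accept
	}
}
```

The order matters: the socket rule must come first, otherwise packets of an established proxied flow would be re-evaluated by tproxy on every pass. Without the policy-routing entries the marked packets are forwarded normally and the proxy never sees them, which is the most common reason a transparent proxy setup "does nothing".
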
OSF EXPRESSION
~~~~~~~~~~~~~~
[verse]
*osf* [*ttl* {*loose* | *skip*}] {*name* | *version*}

The osf expression does passive operating system fingerprinting. This
expression compares some data (Window Size, MSS, options and their order, DF,
and others) from packets with the SYN bit set.

.Available osf attributes
[options="header"]
|==================
|Name |Description| Type
|ttl|
Do TTL checks on the packet to determine the operating system.|
string
|version|
Do OS version checks on the packet.|
string
|name|
Name of the OS signature to match. All signatures can be found in the pf.os file.
Use "unknown" for OS signatures that the expression could not detect.|
string
|==================

.Available ttl values
---------------------
If no TTL attribute is passed, the TTL in the IP header must equal the TTL of the fingerprint exactly. This generally works for LANs.

* loose: Check if the IP header's TTL is less than the fingerprint one. Works for globally-routable addresses.
* skip: Do not compare the TTL at all.
---------------------

.Using osf expression
---------------------
# Accept packets that match the "Linux" OS genre signature without comparing TTL.
table inet x {
	chain y {
		type filter hook input priority 0; policy accept;
		osf ttl skip name "Linux" accept
	}
}
-----------------------

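The following is an added example, not code from the nft(8) page or the nftables project. It classifies inbound TCP SYNs by OS genre with per-genre counters and logs anything that matched no signature. The kernel only has signatures once they are loaded from the pf.os file, which is done with the nfnl_osf tool shipped with the iptables utilities; that command, the log prefix and the chain priority are assumptions.

```nft
# Added example, not part of the nft(8) page. Load signatures first (assumed
# path and tool from the iptables package):
#   nfnl_osf -f /etc/pf.os
table inet osf_demo {
	chain syn_classify {
		type filter hook input priority -300; policy accept;

		# Only SYN segments carry the fingerprintable data; leave the
		# chain for everything else.
		tcp flags & (syn | ack) != syn return

		# "loose" tolerates the TTL decrement of packets that crossed
		# routers; the exact comparison (no ttl keyword) is for the LAN.
		osf ttl loose name "Linux" counter
		osf ttl loose name "Windows" counter

		# No signature matched: record the fact for investigation.
		osf ttl loose name "unknown" log prefix "osf unknown: " level info
	}
}
```

Treat the result as a hint, not as authentication: every value the expression compares is chosen by the sender, so any policy that accepts or drops based on osf name can be satisfied by a client that crafts its SYN to look like the expected OS.
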
FIB EXPRESSIONS
~~~~~~~~~~~~~~~
[verse]
*fib* {*saddr* | *daddr* | *mark* | *iif* | *oif*} [*.* ...] {*oif* | *oifname* | *type*}

A fib expression queries the fib (forwarding information base) to obtain
information such as the output interface index a particular address would use.
The input is a tuple of elements that is used as input to the fib lookup
functions.

.fib expression specific types
[options="header"]
|==================
|Keyword| Description| Type
|oif|
Output interface index|
integer (32 bit)
|oifname|
Output interface name|
string
|type|
Address type |
fib_addrtype
|=======================

Use *nft* *describe* *fib_addrtype* to get a list of all address types.

.Using fib expressions
----------------------
# drop packets without a reverse path
filter prerouting fib saddr . iif oif missing drop

In this example, 'saddr . iif' looks up routing information based on the source address and the input interface.
oif picks the output interface index from the routing information.
If no route was found for the source address/input interface combination, the output interface index is zero.
In case the input interface is specified as part of the input key, the output interface index is always the same as the input interface index or zero.
If only 'saddr oif' is given, then oif can be any interface index or zero.

# drop packets to address not configured on input interface
filter prerouting fib daddr . iif type != { local, broadcast, multicast } drop

# perform lookup in a specific 'blackhole' table (0xdead, needs an appropriate ip rule)
filter prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : jump prohibited, unreachable : drop }
----------------------

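The ruleset below is an added example, not code from the nft(8) page or the nftables project. It combines the fib forms explained above into reverse-path filtering for a multi-homed host: strict on the untrusted uplink (key includes iif, so the answer is the input interface or zero), loose on the remaining links (key is saddr only, so any output interface counts), plus the local-address checks. The interface name "wan0" is an assumption.

```nft
# Added example, not part of the nft(8) page: reverse-path checks for a
# multi-homed host. "wan0" is an assumption.
table inet rpf_demo {
	chain rpf {
		type filter hook prerouting priority -300; policy accept;

		iifname "lo" accept

		# Strict reverse path on the untrusted uplink: with iif in the key
		# the result is either the input interface or zero, so "missing"
		# means the kernel would not route replies to saddr back out wan0.
		iifname "wan0" fib saddr . iif oif missing counter drop

		# Our own addresses never legitimately arrive as a source from wan0.
		iifname "wan0" fib saddr type local counter drop

		# Loose reverse path everywhere else (asymmetric internal links):
		# some route to saddr must exist, via any interface.
		fib saddr oif missing counter drop

		# On wan0 only accept packets that are actually addressed to us.
		iifname "wan0" fib daddr . iif type != { local, broadcast, multicast } counter drop
	}
}
```

This is the nft counterpart of the rp_filter sysctl values 1 (strict) and 2 (loose), with the difference that it also covers IPv6, for which there is no sysctl. Sources with no route at all trip the loose rule as well; a host that obtains its address over DHCP needs an exemption for the 0.0.0.0-sourced discover (udp sport 68 dport 67) placed before these rules.
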
ROUTING EXPRESSIONS
~~~~~~~~~~~~~~~~~~~
[verse]
*rt* [*ip* | *ip6*] {*classid* | *nexthop* | *mtu* | *ipsec*}

A routing expression refers to routing data associated with a packet.

.Routing expression types
[options="header"]
|=======================
|Keyword| Description| Type
|classid|
Routing realm|
realm
|nexthop|
Routing nexthop|
ipv4_addr/ipv6_addr
|mtu|
TCP maximum segment size of route |
integer (16 bit)
|ipsec|
route via ipsec tunnel or transport |
boolean
|=================================

.Routing expression specific types
[options="header"]
|=======================
|Type| Description
|realm|
Routing Realm (32 bit number). Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms.
|========================

.Using routing expressions
--------------------------
# IP family independent rt expression
filter output rt classid 10
filter output rt ipsec missing

# IP family dependent rt expressions
ip filter output rt nexthop 192.168.0.1
ip6 filter output rt nexthop fd00::1
inet filter output rt ip nexthop 192.168.0.1
inet filter output rt ip6 nexthop fd00::1
--------------------------

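As an added example (not code from the nft(8) page or the nftables project), the following forward chain uses rt mtu for the classic MSS-clamping fix on a narrow uplink and rt ipsec to refuse forwarding traffic that is about to leave a site unprotected. The tcp option statement comes from the exthdr/tcp option section of this manual; the interface name "ppp0" and the 10.1.0.0/16 prefix are assumptions.

```nft
# Added example, not part of the nft(8) page. "ppp0" and the prefix are
# assumptions.
table inet rt_demo {
	chain forward {
		type filter hook forward priority -150; policy accept;

		# rt mtu is the MTU of the route the packet will take. Rewriting
		# the maxseg option of the SYN keeps the peer from sending
		# segments that would need fragmentation on the PPPoE link.
		oifname "ppp0" tcp flags syn tcp option maxseg size set rt mtu

		# Traffic for the remote site must go out through an IPsec
		# transform; if the route has none (tunnel down, policy missing),
		# drop rather than forward it in clear text.
		ip daddr 10.1.0.0/16 rt ipsec missing counter drop
	}
}
```

The second rule is the fail-closed guard for a VPN gateway: a missing xfrm policy otherwise results in the kernel silently forwarding the packets over the default route.
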
IPSEC EXPRESSIONS
~~~~~~~~~~~~~~~~~

[verse]
*ipsec* {*in* | *out*} [ *spnum* 'NUM' ] {*reqid* | *spi*}
*ipsec* {*in* | *out*} [ *spnum* 'NUM' ] {*ip* | *ip6*} {*saddr* | *daddr*}

An ipsec expression refers to ipsec data associated with a packet.

The 'in' or 'out' keyword needs to be used to specify if the expression should
examine inbound or outbound policies. The 'in' keyword can be used in the
prerouting, input and forward hooks. The 'out' keyword applies to forward,
output and postrouting hooks.
The optional keyword spnum selects which state (transform) in the chain of
matching policies to examine; it defaults to 0, the first one.

.Ipsec expression types
[options="header"]
|=======================
|Keyword| Description| Type
|reqid|
Request ID|
integer (32 bit)
|spi|
Security Parameter Index|
integer (32 bit)
|saddr|
Source address of the tunnel|
ipv4_addr/ipv6_addr
|daddr|
Destination address of the tunnel|
ipv4_addr/ipv6_addr
|=================================

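The ruleset below is an added example, not code from the nft(8) page or the nftables project. It shows the usual reason for the ipsec expression: a remote site's private prefix is trusted only when the packet actually arrived through the expected IPsec policy, so a plain-text packet that merely claims a 10.2.0.0/16 source is dropped. The prefix, the peer address 203.0.113.10 and reqid 7 are assumptions.

```nft
# Added example, not part of the nft(8) page. Prefix, peer address and reqid
# are assumptions.
table inet ipsec_demo {
	chain input {
		type filter hook input priority 0; policy drop;

		ct state established,related accept
		iifname "lo" accept

		# After decryption the inner packet traverses input again and
		# carries its policy information. It must come from the SA with
		# reqid 7 whose outer source is the peer gateway.
		ip saddr 10.2.0.0/16 ipsec in reqid 7 ipsec in ip saddr 203.0.113.10 accept

		# Same prefix without a matching inbound policy: spoofed or
		# unencrypted, either way it is dropped.
		ip saddr 10.2.0.0/16 counter drop

		# The outer ESP and IKE packets from the peer must still reach
		# the IPsec stack, otherwise nothing gets decrypted.
		ip saddr 203.0.113.10 meta l4proto esp accept
		ip saddr 203.0.113.10 udp dport { 500, 4500 } accept
	}
}
```

Each ipsec keyword is a separate match, which is why reqid and the tunnel source are written as two "ipsec in" expressions in one rule. Because "in" is only valid in prerouting, input and forward, the equivalent check for traffic leaving the gateway has to be written with "ipsec out" in forward, output or postrouting.
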
NUMGEN EXPRESSION
~~~~~~~~~~~~~~~~~

[verse]
*numgen* {*inc* | *random*} *mod* 'NUM' [ *offset* 'NUM' ]

Create a number generator. The *inc* or *random* keywords control its
operation mode: In *inc* mode, the last returned value is simply incremented.
In *random* mode, a new random number is returned. The value after the *mod*
keyword specifies an upper boundary (read: modulus) which is not reached by
returned numbers. The optional *offset* allows incrementing the returned value
by a fixed offset.

A typical use-case for *numgen* is load-balancing:

.Using numgen expression
------------------------
# round-robin between 192.168.10.100 and 192.168.20.200:
add rule nat prerouting dnat to numgen inc mod 2 map \
	{ 0 : 192.168.10.100, 1 : 192.168.20.200 }

# probability-based with an uneven (30/70) bias using intervals:
add rule nat prerouting dnat to numgen random mod 10 map \
	{ 0-2 : 192.168.10.100, 3-9 : 192.168.20.200 }
------------------------
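As an added example (not code from the nft(8) page or the nftables project), the two modes can be combined: a random percentage split chooses between a canary and a stable pool via a verdict map, and the pool then spreads its share round-robin with an incrementing generator. The backend addresses, chain names and port are assumptions.

```nft
# Added example, not part of the nft(8) page: two-tier balancer. 10% of new
# HTTP flows go to a canary, the rest round-robin over a stable pool.
# Addresses, chain names and the port are assumptions.
table ip lb_demo {
	chain prerouting {
		type nat hook prerouting priority -100; policy accept;

		# random mod 100 yields 0..99; the interval vmap turns that into a
		# percentage split and hands the flow to one of the chains below.
		tcp dport 80 numgen random mod 100 vmap { 0-89 : jump stable_pool, 90-99 : jump canary }
	}

	chain stable_pool {
		# inc mod 3 walks 0,1,2,0,... over new flows; conntrack pins every
		# later packet of a flow to the backend chosen here.
		dnat to numgen inc mod 3 map { 0 : 192.0.2.10, 1 : 192.0.2.11, 2 : 192.0.2.12 }
	}

	chain canary {
		dnat to 192.0.2.99
	}
}
```

The nat hook only sees the first packet of each connection, so neither mode reorders an existing flow; conversely, numgen has no notion of backend health, and a failed backend keeps receiving its share of new flows until the map is changed.
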