source-git / nftables

Clone
Source Code
GIT

Files

  1.   b9db0725b5f8da29381cb2f342406425886bc0f2
  2.   doc
  3.   data-types.txt
Blob Blame History Raw 
INTEGER TYPE
~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|Integer |
integer |
variable |
-
|===================

The integer type is used for numeric values. It may be specified as a decimal,
hexadecimal or octal number. The integer type does not have a fixed size, its
size is determined by the expression for which it is used.

BITMASK TYPE
~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|Bitmask |
bitmask |
variable |
integer
|===================

The bitmask type (*bitmask*) is used for bitmasks.

STRING TYPE
~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|String |
string |
variable |
-
|===================

The string type is used for character strings. A string begins with an
alphabetic character (a-zA-Z) followed by zero or more alphanumeric characters
or the characters /, -, _ and .. In addition, anything enclosed in double
quotes (") is recognized as a string.

.String specification
----------------------
# Interface name
filter input iifname eth0

# Weird interface name
filter input iifname "(eth0)"
----------------------------

LINK LAYER ADDRESS TYPE
~~~~~~~~~~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|Link layer address |
lladdr|
variable |
integer
|===================

The link layer address type is used for link layer addresses. Link layer
addresses are specified as a variable amount of groups of two hexadecimal digits
separated using colons (:).

.Link layer address specification
----------------------
# Ethernet destination MAC address
filter input ether daddr 20:c9:d0:43:12:d9
----------------------------

IPV4 ADDRESS TYPE
~~~~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|IPV4 address|
ipv4_addr|
32 bit|
integer
|===================

The IPv4 address type is used for IPv4 addresses. Addresses are specified in
either dotted decimal, dotted hexadecimal, dotted octal, decimal, hexadecimal,
octal notation or as a host name. A host name will be resolved using the
standard system resolver.

.IPv4 address specification
----------------------
# dotted decimal notation
filter output ip daddr 127.0.0.1

# host name
filter output ip daddr localhost
----------------------------

IPV6 ADDRESS TYPE
~~~~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|IPv6 address|
ipv6_addr|
128 bit|
integer
|===================

The IPv6 address type is used for IPv6 addresses. Addresses are specified as a
host name or as hexadecimal halfwords separated by colons. Addresses might be
enclosed in square brackets ("[]") to differentiate them from port numbers.

.IPv6 address specification
----------------------
# abbreviated loopback address
filter output ip6 daddr ::1
----------------------------

.IPv6 address specification with bracket notation
----------------------
# without [] the port number (22) would be parsed as part of the
# ipv6 address
ip6 nat prerouting tcp dport 2222 dnat to [1ce::d0]:22
----------------------------

BOOLEAN TYPE
~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|Boolean |
boolean |
1 bit |
integer
|===================

The boolean type is a syntactical helper type in userspace. Its use is in the
right-hand side of a (typically implicit) relational expression to change the
expression on the left-hand side into a boolean check (usually for existence). +

.The following keywords will automatically resolve into a boolean type with given value

[options="header"]
|==================
|Keyword | Value
|exists |
1 |
missing |
0
|===================

.expressions support a boolean comparison
[options="header"]
|======================================
|Expression | Behaviour
|fib |
Check route existence.
|exthdr|
Check IPv6 extension header existence.
|tcp option |
Check TCP option header existence.
|===================

.Boolean specification
----------------------
# match if route exists
filter input fib daddr . iif oif exists

# match only non-fragmented packets in IPv6 traffic
filter input exthdr frag missing

# match if TCP timestamp option is present
filter input tcp option timestamp exists
------------------------------------------

ICMP TYPE TYPE
~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|ICMP Type |
icmp_type |
8 bit |
integer
|===================
The ICMP Type type is used to conveniently specify the ICMP header's type field.

.Keywords may be used when specifying the ICMP type
[options="header"]
|==================
|Keyword | Value
|echo-reply |
0
|destination-unreachable |
3
|source-quench|
4
|redirect|
5
|echo-request|
8
|router-advertisement|
9
|router-solicitation|
10
|time-exceeded|
11
|parameter-problem|
12
|timestamp-request|
13
|timestamp-reply|
14
|info-request|
15
|info-reply|
16
|address-mask-request|
17
|address-mask-reply|
18
|===================

.ICMP Type specification
------------------------
# match ping packets
filter output icmp type { echo-request, echo-reply }
------------------------

ICMP CODE TYPE
~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|ICMP Code |
icmp_code |
8 bit |
integer
|===================

The ICMP Code type is used to conveniently specify the ICMP header's code field.

.Keywords may be used when specifying the ICMP code
[options="header"]
|==================
|Keyword | Value
|net-unreachable |
0
|host-unreachable |
1
|prot-unreachable|
2
|port-unreachable|
3
|net-prohibited|
9
|host-prohibited|
10
|admin-prohibited|
13
|===================

ICMPV6 TYPE TYPE
~~~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|ICMPv6 Type |
icmpx_code |
8 bit |
integer
|===================

The ICMPv6 Type type is used to conveniently specify the ICMPv6 header's type field.

.keywords may be used when specifying the ICMPv6 type:
[options="header"]
|==================
|Keyword | Value
|destination-unreachable |
1
|packet-too-big|
2
|time-exceeded|
3
|parameter-problem|
4
|echo-request|
128
|echo-reply|
129
|mld-listener-query|
130
|mld-listener-report|
131
|mld-listener-done |
132
|mld-listener-reduction|
132
|nd-router-solicit |
133
|nd-router-advert|
134
|nd-neighbor-solicit|
135
|nd-neighbor-advert|
136
|nd-redirect|
137
|router-renumbering|
138
|ind-neighbor-solicit|
141
|ind-neighbor-advert|
142
|mld2-listener-report|
143
|===================

.ICMPv6 Type specification
--------------------------
# match ICMPv6 ping packets
filter output icmpv6 type { echo-request, echo-reply }
--------------------------

ICMPV6 CODE TYPE
~~~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|ICMPv6 Code |
icmpv6_code |
8 bit |
integer
|===================

The ICMPv6 Code type is used to conveniently specify the ICMPv6 header's code field.

.keywords may be used when specifying the ICMPv6 code
[options="header"]
|==================
|Keyword |Value
|no-route|
0
|admin-prohibited|
1
|addr-unreachable|
3
|port-unreachable|
4
|policy-fail|
5
|reject-route|
6
|==================

ICMPVX CODE TYPE
~~~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|ICMPvX Code |
icmpv6_type |
8 bit |
integer
|===================

The ICMPvX Code type abstraction is a set of values which overlap between ICMP
and ICMPv6 Code types to be used from the inet family.

.keywords may be used when specifying the ICMPvX code
[options="header"]
|==================
|Keyword |Value
|no-route|
0
|port-unreachable|
1
|host-unreachable|
2
|admin-prohibited|
3
|=================

CONNTRACK TYPES
~~~~~~~~~~~~~~~

.overview of types used in ct expression and statement
[options="header"]
|==================
|Name | Keyword |Size |Base type
|conntrack state|
ct_state|
4 byte|
bitmask
|conntrack direction|
ct_dir |
8 bit|
integer
|conntrack status|
ct_status|
4 byte|
bitmask
|conntrack event bits|
ct_event |
4 byte |
bitmask
|conntrack label|
ct_label |
128 bit|
bitmask
|=================

For each of the types above, keywords are available for convenience:

.conntrack state (ct_state)
[options="header"]
|==================
|Keyword| Value
|invalid|
1
|established|
2
|related|
4
|new|
8
|untracked|
64
|================

.conntrack direction (ct_dir)
[options="header"]
|==================
|Keyword| Value
|original|
0
|reply|
1
|================

.conntrack status (ct_status)
[options="header"]
|==================
|Keyword| Value
|expected|
1
|seen-reply|
2
|assured|
4
|confirmed|
8
|snat|
16
|dnat|
32
|dying|
512
|================

.conntrack event bits (ct_event)
[options="header"]
|==================
|Keyword| Value
|new|
1
|related|
2
|destroy|
4
|reply|
8
|assured|
16
|protoinfo|
32
|helper|
64
|mark|
128
|seqadj|
256
|secmark|
512
|label|
1024
|==================

Possible keywords for conntrack label type (ct_label) are read at runtime from /etc/connlabel.conf.

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation