'\" t -*- coding: us-ascii -*- .if \n(.g .ds T< \\FC .if \n(.g .ds T> \\F[\n[.fam]] .de URL \\$2 \(la\\$1\(ra\\$3 .. .if \n(.g .mso www.tmac .TH nft 8 "20 June 2018" "" "" .SH NAME nft \- Administration tool for packet filtering and classification .SH SYNOPSIS 'nh .fi .ad l \fBnft\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fB-n\fR | \fB--numeric\fR] [\fB-N\fR | \fB--reversedns\fR] [\fB-s\fR | \fB--stateless\fR] [\fB-c\fR | \fB--check\fR] [\fB-a\fR | \fB--handle\fR] [\fB-e\fR | \fB--echo\fR] [ {\fB-I\fR | \fB--includepath\fR} \fIdirectory\fR ] [ {\fB-f\fR | \fB--file\fR} \fIfilename\fR | {\fB-i\fR | \fB--interactive\fR} | \fIcmd\fR \&...] 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBnft\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fB-h\fR | \fB--help\fR] [\fB-v\fR | \fB--version\fR] 'in \n(.iu-\nxu .ad b 'hy .SH DESCRIPTION nft is used to set up, maintain and inspect packet filtering and classification rules in the Linux kernel. .SH OPTIONS For a full summary of options, run \fBnft --help\fR. .TP \*(T<\fB\-h, \-\-help\fR\*(T> Show help message and all options. .TP \*(T<\fB\-v, \-\-version\fR\*(T> Show version. .TP \*(T<\fB\-n, \-\-numeric\fR\*(T> Show data numerically. When used once (the default behaviour), skip lookup of addresses to symbolic names. Use twice to also show Internet services (port numbers) numerically. Use three times to also show protocols and UIDs/GIDs numerically. .TP \*(T<\fB\-s, \-\-stateless\fR\*(T> Omit stateful information of rules and stateful objects. .TP \*(T<\fB\-c, \-\-check\fR\*(T> Check commands validity without actually applying the changes. .TP \*(T<\fB\-N, \-\-reversedns\fR\*(T> Translate IP addresses to names. Usually requires network traffic for DNS lookup. .TP \*(T<\fB\-a, \-\-handle\fR\*(T> Show rule handles in output. .TP \*(T<\fB\-e, \-\-echo\fR\*(T> When inserting items into the ruleset using \fBadd\fR, \fBinsert\fR or \fBreplace\fR commands, print notifications just like \fBnft monitor\fR. .TP \*(T<\fB\-I, \-\-includepath \fR\*(T>\fIdirectory\fR Add the directory \fIdirectory\fR to the list of directories to be searched for included files. This option may be specified multiple times. .TP \*(T<\fB\-f, \-\-file \fR\*(T>\fIfilename\fR Read input from \fIfilename\fR. .TP \*(T<\fB\-i, \-\-interactive\fR\*(T> Read input from an interactive readline CLI. .SH "INPUT FILE FORMAT" .SS "LEXICAL CONVENTIONS" Input is parsed line-wise. When the last character of a line, just before the newline character, is a non-quoted backslash (\*(T<\e\*(T>), the next line is treated as a continuation. Multiple commands on the same line can be separated using a semicolon (\*(T<;\*(T>). .PP A hash sign (\*(T<#\*(T>) begins a comment. All following characters on the same line are ignored. .PP Identifiers begin with an alphabetic character (\*(T), followed zero or more alphanumeric characters (\*(T) and the characters slash (\*(T), backslash (\*(T<\e\*(T>), underscore (\*(T<_\*(T>) and dot (\*(T<.\*(T>). Identifiers using different characters or clashing with a keyword need to be enclosed in double quotes (\*(T<"\*(T>). .PP .SS "INCLUDE FILES" 'nh .fi .ad l \fBinclude\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu \fIfilename\fR 'in \n(.iu-\nxu .ad b 'hy .PP Other files can be included by using the \fBinclude\fR statement. The directories to be searched for include files can be specified using the \*(T<\fB\-I/\-\-includepath\fR\*(T> option. You can override this behaviour either by prepending ./ to your path to force inclusion of files located in the current working directory (ie. relative path) or / for file location expressed as an absolute path. .PP If -I/--includepath is not specified, then nft relies on the default directory that is specified at compile time. You can retrieve this default directory via -h/--help option. .PP Include statements support the usual shell wildcard symbols (\*(T<*,?,[]\*(T>). Having no matches for an include statement is not an error, if wildcard symbols are used in the include statement. This allows having potentially empty include directories for statements like \*(T. The wildcard matches are loaded in alphabetical order. Files beginning with dot (\*(T<.\*(T>) are not matched by include statements. .SS "SYMBOLIC VARIABLES" 'nh .fi .ad l \fBdefine\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu variable \fIexpr\fR 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fB$variable\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu 'in \n(.iu-\nxu .ad b 'hy .PP Symbolic variables can be defined using the \fBdefine\fR statement. Variable references are expressions and can be used initialize other variables. The scope of a definition is the current block and all blocks contained within. \fBUsing symbolic variables\fR .PP .nf \*(T< define int_if1 = eth0 define int_if2 = eth1 define int_ifs = { $int_if1, $int_if2 } filter input iif $int_ifs accept \*(T> .fi .SH "ADDRESS FAMILIES" Address families determine the type of packets which are processed. For each address family the kernel contains so called hooks at specific stages of the packet processing paths, which invoke nftables if rules for these hooks exist. .PP .TP \*(T<\fBip\fR\*(T> IPv4 address family. .TP \*(T<\fBip6\fR\*(T> IPv6 address family. .TP \*(T<\fBinet\fR\*(T> Internet (IPv4/IPv6) address family. .TP \*(T<\fBarp\fR\*(T> ARP address family, handling IPv4 ARP packets. .TP \*(T<\fBbridge\fR\*(T> Bridge address family, handling packets which traverse a bridge device. .TP \*(T<\fBnetdev\fR\*(T> Netdev address family, handling packets from ingress. .PP All nftables objects exist in address family specific namespaces, therefore all identifiers include an address family. If an identifier is specified without an address family, the \*(T family is used by default. .SS "IPV4/IPV6/INET ADDRESS FAMILIES" The IPv4/IPv6/Inet address families handle IPv4, IPv6 or both types of packets. They contain five hooks at different packet processing stages in the network stack. .PP \fBIPv4/IPv6/Inet address family hooks\fR .TS allbox ; l | l. T{ Hook T} T{ Description T} .T& l | l. T{ prerouting T} T{ All packets entering the system are processed by the prerouting hook. It is invoked before the routing process and is used for early filtering or changing packet attributes that affect routing. T} T{ input T} T{ Packets delivered to the local system are processed by the input hook. T} T{ forward T} T{ Packets forwarded to a different host are processed by the forward hook. T} T{ output T} T{ Packets sent by local processes are processed by the output hook. T} T{ postrouting T} T{ All packets leaving the system are processed by the postrouting hook. T} .TE .SS "ARP ADDRESS FAMILY" The ARP address family handles ARP packets received and sent by the system. It is commonly used to mangle ARP packets for clustering. .PP \fBARP address family hooks\fR .TS allbox ; l | l. T{ Hook T} T{ Description T} .T& l | l l | l. T{ input T} T{ Packets delivered to the local system are processed by the input hook. T} T{ output T} T{ Packets send by the local system are processed by the output hook. T} .TE .SS "BRIDGE ADDRESS FAMILY" The bridge address family handles ethernet packets traversing bridge devices. .PP The list of supported hooks is identical to IPv4/IPv6/Inet address families above. .SS "NETDEV ADDRESS FAMILY" The Netdev address family handles packets from ingress. .PP \fBNetdev address family hooks\fR .TS allbox ; l | l. T{ Hook T} T{ Description T} .T& l | l. T{ ingress T} T{ All packets entering the system are processed by this hook. It is invoked before layer 3 protocol handlers and it can be used for early filtering and policing. T} .TE .SH RULESET 'nh .fi .ad l {list | flush} \fBruleset\fR [\fIfamily\fR] .ad b 'hy 'nh .fi .ad l {export} [\fBruleset\fR] {\fIformat\fR} .ad b 'hy .PP The \fBruleset\fR keyword is used to identify the whole set of tables, chains, etc. currently in place in kernel. The following \fBruleset\fR commands exist: .TP \*(T<\fBlist\fR\*(T> Print the ruleset in human-readable format. .TP \*(T<\fBflush\fR\*(T> Clear the whole ruleset. Note that unlike iptables, this will remove all tables and whatever they contain, effectively leading to an empty ruleset - no packet filtering will happen anymore, so the kernel accepts any valid packet it receives. .TP \*(T<\fBexport\fR\*(T> Print the ruleset in machine readable format. The mandatory \fIformat\fR parameter may be either \*(T or \*(T. .PP It is possible to limit \fBlist\fR and \fBflush\fR to a specific address family only. For a list of valid family names, see \*(T
above. .PP Note that contrary to what one might assume, the output generated by \fBexport\fR is not parseable by \fBnft -f\fR. Instead, the output of \fBlist\fR command serves well for that purpose. .SH TABLES 'nh .fi .ad l {add | delete | list | flush} \fBtable\fR [\fIfamily\fR] {\fItable\fR} .ad b 'hy .PP Tables are containers for chains, sets and stateful objects. They are identified by their address family and their name. The address family must be one of \*(T, \*(T, \*(T, \*(T, \*(T, \*(T. The \*(T address family is a dummy family which is used to create hybrid IPv4/IPv6 tables. The \*(T expression \*(T keyword can be used to test which family (ipv4 or ipv6) context the packet is being processed in. When no address family is specified, \*(T is used by default. .TP \*(T<\fBadd\fR\*(T> Add a new table for the given family with the given name. .TP \*(T<\fBdelete\fR\*(T> Delete the specified table. .TP \*(T<\fBlist\fR\*(T> List all chains and rules of the specified table. .TP \*(T<\fBflush\fR\*(T> Flush all chains and rules of the specified table. .SH CHAINS 'nh .fi .ad l {add | create} \fBchain\fR [\fIfamily\fR] \fItable\fR \fIchain\fR [ { {\fItype\fR} {\fIhook\fR} [\fIdevice\fR] {\fIpriority\fR ;} [\fIpolicy\fR ;] } ] .ad b 'hy 'nh .fi .ad l {delete | list | flush} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} .ad b 'hy 'nh .fi .ad l {rename} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {\fInewname\fR} .ad b 'hy .PP Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization. .TP \*(T<\fBadd\fR\*(T> Add a new chain in the specified table. When a hook and priority value are specified, the chain is created as a base chain and hooked up to the networking stack. .TP \*(T<\fBcreate\fR\*(T> Similar to the \fBadd\fR command, but returns an error if the chain already exists. .TP \*(T<\fBdelete\fR\*(T> Delete the specified chain. The chain must not contain any rules or be used as jump target. .TP \*(T<\fBrename\fR\*(T> Rename the specified chain. .TP \*(T<\fBlist\fR\*(T> List all rules of the specified chain. .TP \*(T<\fBflush\fR\*(T> Flush all rules of the specified chain. .PP For base chains, \fBtype\fR, \fBhook\fR and \fBpriority\fR parameters are mandatory. .PP \fBSupported chain types\fR .TS allbox ; l | l | l | l. T{ Type T} T{ Families T} T{ Hooks T} T{ Description T} .T& l | l | l | l l | l | l | l l | l | l | l. T{ filter T} T{ all T} T{ all T} T{ Standard chain type to use in doubt. T} T{ nat T} T{ ip, ip6 T} T{ prerouting, input, output, postrouting T} T{ Chains of this type perform Native Address Translation based on conntrack entries. Only the first packet of a connection actually traverses this chain - its rules usually define details of the created conntrack entry (NAT statements for instance). T} T{ route T} T{ ip, ip6 T} T{ output T} T{ If a packet has traversed a chain of this type and is about to be accepted, a new route lookup is performed if relevant parts of the IP header have changed. This allows to e.g. implement policy routing selectors in nftables. T} .TE .PP Apart from the special cases illustrated above (e.g. \*(T type not supporting \*(T hook or \*(T type only supporting \*(T hook), there are two further quirks worth noticing: .TP 0.2i \(bu \*(T family supports merely a single combination, namely \*(T type and \*(T hook. Base chains in this family also require the \*(T parameter to be present since they exist per incoming interface only. .TP 0.2i \(bu \*(T family supports only \*(T and \*(T hooks, both in chains of type \*(T. .PP The \*(T parameter accepts a signed integer value which specifies the order in which chains with same \*(T value are traversed. The ordering is ascending, i.e. lower priority values have precedence over higher ones. .PP Base chains also allow to set the chain's \*(T, i.e. what happens to packets not explicitly accepted or refused in contained rules. Supported policy values are \*(T (which is the default) or \*(T. .SH RULES 'nh .fi .ad l [add | insert] \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} [ {handle | position} \fIhandle\fR ] {\fIstatement\fR}\&... .ad b 'hy 'nh .fi .ad l {replace} \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {handle \fIhandle\fR} {\fIstatement\fR}\&... .ad b 'hy 'nh .fi .ad l {delete} \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {handle \fIhandle\fR} .ad b 'hy .PP Rules are constructed from two kinds of components according to a set of grammatical rules: expressions and statements. .TP \*(T<\fBadd\fR\*(T> Add a new rule described by the list of statements. The rule is appended to the given chain unless a \*(T is specified, in which case the rule is appended to the rule given by the \fIhandle\fR. The alternative name \*(T is deprecated and should not be used anymore. .TP \*(T<\fBinsert\fR\*(T> Similar to the \fBadd\fR command, but the rule is prepended to the beginning of the chain or before the rule with the given \fIhandle\fR. .TP \*(T<\fBreplace\fR\*(T> Similar to the \fBadd\fR command, but the rule replaces the specified rule. .TP \*(T<\fBdelete\fR\*(T> Delete the specified rule. .SH SETS 'nh .fi .ad l {add} \fBset\fR [\fIfamily\fR] {\fItable\fR} {\fIset\fR} { {\fItype\fR} [\fIflags\fR] [\fItimeout\fR] [\fIgc-interval\fR] [\fIelements\fR] [\fIsize\fR] [\fIpolicy\fR] } .ad b 'hy 'nh .fi .ad l {delete | list | flush} \fBset\fR [\fIfamily\fR] {\fItable\fR} {\fIset\fR} .ad b 'hy 'nh .fi .ad l {add | delete} \fBelement\fR [\fIfamily\fR] {\fItable\fR} {\fIset\fR} { {\fIelements\fR} } .ad b 'hy .PP Sets are elements containers of an user-defined data type, they are uniquely identified by an user-defined name and attached to tables. .TP \*(T<\fBadd\fR\*(T> Add a new set in the specified table. .TP \*(T<\fBdelete\fR\*(T> Delete the specified set. .TP \*(T<\fBlist\fR\*(T> Display the elements in the specified set. .TP \*(T<\fBflush\fR\*(T> Remove all elements from the specified set. .TP \*(T<\fBadd element\fR\*(T> Comma-separated list of elements to add into the specified set. .TP \*(T<\fBdelete element\fR\*(T> Comma-separated list of elements to delete from the specified set. .PP \fBSet specifications\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ type T} T{ data type of set elements T} T{ string: ipv4_addr, ipv6_addr, ether_addr, inet_proto, inet_service, mark T} T{ flags T} T{ set flags T} T{ string: constant, interval, timeout T} T{ timeout T} T{ time an element stays in the set T} T{ string, decimal followed by unit. Units are: d, h, m, s T} T{ gc-interval T} T{ garbage collection interval, only available when timeout or flag timeout are active T} T{ string, decimal followed by unit. Units are: d, h, m, s T} T{ elements T} T{ elements contained by the set T} T{ set data type T} T{ size T} T{ maximun number of elements in the set T} T{ unsigned integer (64 bit) T} T{ policy T} T{ set policy T} T{ string: performance [default], memory T} .TE .SH MAPS 'nh .fi .ad l {add} \fBmap\fR [\fIfamily\fR] {\fItable\fR} {\fImap\fR} { {\fItype\fR} [\fIflags\fR] [\fIelements\fR] [\fIsize\fR] [\fIpolicy\fR] } .ad b 'hy 'nh .fi .ad l {delete | list | flush} \fBmap\fR [\fIfamily\fR] {\fItable\fR} {\fImap\fR} .ad b 'hy 'nh .fi .ad l {add | delete} \fBelement\fR [\fIfamily\fR] {\fItable\fR} {\fImap\fR} { {\fIelements\fR} } .ad b 'hy .PP Maps store data based on some specific key used as input, they are uniquely identified by an user-defined name and attached to tables. .TP \*(T<\fBadd\fR\*(T> Add a new map in the specified table. .TP \*(T<\fBdelete\fR\*(T> Delete the specified map. .TP \*(T<\fBlist\fR\*(T> Display the elements in the specified map. .TP \*(T<\fBflush\fR\*(T> Remove all elements from the specified map. .TP \*(T<\fBadd element\fR\*(T> Comma-separated list of elements to add into the specified map. .TP \*(T<\fBdelete element\fR\*(T> Comma-separated list of element keys to delete from the specified map. .PP \fBMap specifications\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ type T} T{ data type of map elements T} T{ string ':' string: ipv4_addr, ipv6_addr, ether_addr, inet_proto, inet_service, mark, counter, quota. Counter and quota can't be used as keys T} T{ flags T} T{ map flags T} T{ string: constant, interval T} T{ elements T} T{ elements contained by the map T} T{ map data type T} T{ size T} T{ maximun number of elements in the map T} T{ unsigned integer (64 bit) T} T{ policy T} T{ map policy T} T{ string: performance [default], memory T} .TE .SH "STATEFUL OBJECTS" 'nh .fi .ad l {add | delete | list | reset} \fBtype\fR [\fIfamily\fR] {\fItable\fR} {\fIobject\fR} .ad b 'hy .PP Stateful objects are attached to tables and are identified by an unique name. They group stateful information from rules, to reference them in rules the keywords "type name" are used e.g. "counter name". .TP \*(T<\fBadd\fR\*(T> Add a new stateful object in the specified table. .TP \*(T<\fBdelete\fR\*(T> Delete the specified object. .TP \*(T<\fBlist\fR\*(T> Display stateful information the object holds. .TP \*(T<\fBreset\fR\*(T> List-and-reset stateful object. .SS CT 'nh .fi .ad l \fBct\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {helper} {type} {\fItype\fR} {protocol} {\fIprotocol\fR} [l3proto] [\fIfamily\fR] 'in \n(.iu-\nxu .ad b 'hy .PP Ct helper is used to define connection tracking helpers that can then be used in combination with the \*(T<"ct helper set"\*(T> statement. type and protocol are mandatory, l3proto is derived from the table family by default, i.e. in the inet table the kernel will try to load both the ipv4 and ipv6 helper backends, if they are supported by the kernel. .PP \fBconntrack helper specifications\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l l | l | l l | l | l. T{ type T} T{ name of helper type T} T{ quoted string (e.g. "ftp") T} T{ protocol T} T{ layer 4 protocol of the helper T} T{ string (e.g. tcp) T} T{ l3proto T} T{ layer 3 protocol of the helper T} T{ address family (e.g. ip) T} .TE .PP \fBdefining and assigning ftp helper\fR .PP Unlike iptables, helper assignment needs to be performed after the conntrack lookup has completed, for example with the default 0 hook priority. .PP .nf \*(T< table inet myhelpers { ct helper ftp\-standard { type "ftp" protocol tcp } chain prerouting { type filter hook prerouting priority 0; tcp dport 21 ct helper set "ftp\-standard" } } \*(T> .fi .SS COUNTER 'nh .fi .ad l \fBcounter\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [packets bytes] 'in \n(.iu-\nxu .ad b 'hy .PP \fBCounter specifications\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l l | l | l. T{ packets T} T{ initial count of packets T} T{ unsigned integer (64 bit) T} T{ bytes T} T{ initial count of bytes T} T{ unsigned integer (64 bit) T} .TE .SS QUOTA 'nh .fi .ad l \fBquota\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [over | until] [used] 'in \n(.iu-\nxu .ad b 'hy .PP \fBQuota specifications\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l l | l | l. T{ quota T} T{ quota limit, used as the quota name T} T{ Two arguments, unsigned interger (64 bit) and string: bytes, kbytes, mbytes. "over" and "until" go before these arguments T} T{ used T} T{ initial value of used quota T} T{ Two arguments, unsigned interger (64 bit) and string: bytes, kbytes, mbytes T} .TE .SH EXPRESSIONS Expressions represent values, either constants like network addresses, port numbers etc. or data gathered from the packet during ruleset evaluation. Expressions can be combined using binary, logical, relational and other types of expressions to form complex or relational (match) expressions. They are also used as arguments to certain types of operations, like NAT, packet marking etc. .PP Each expression has a data type, which determines the size, parsing and representation of symbolic values and type compatibility with other expressions. .SS "DESCRIBE COMMAND" 'nh .fi .ad l \fBdescribe\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {\fIexpression\fR} 'in \n(.iu-\nxu .ad b 'hy .PP The \fBdescribe\fR command shows information about the type of an expression and its data type. .PP \fBThe describe command\fR .PP .nf \*(T< $ nft describe tcp flags payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits pre\-defined symbolic constants: fin 0x01 syn 0x02 rst 0x04 psh 0x08 ack 0x10 urg 0x20 ecn 0x40 cwr 0x80 \*(T> .fi .SH "DATA TYPES" Data types determine the size, parsing and representation of symbolic values and type compatibility of expressions. A number of global data types exist, in addition some expression types define further data types specific to the expression type. Most data types have a fixed size, some however may have a dynamic size, f.i. the string type. .PP Types may be derived from lower order types, f.i. the IPv4 address type is derived from the integer type, meaning an IPv4 address can also be specified as an integer value. .PP In certain contexts (set and map definitions) it is necessary to explicitly specify a data type. Each type has a name which is used for this. .SS "INTEGER TYPE" .TS allbox ; l | l | l | l. T{ Name T} T{ Keyword T} T{ Size T} T{ Base type T} .T& l | l | l | l. T{ Integer T} T{ integer T} T{ variable T} T{ - T} .TE .PP The integer type is used for numeric values. It may be specified as decimal, hexadecimal or octal number. The integer type doesn't have a fixed size, its size is determined by the expression for which it is used. .SS "BITMASK TYPE" .TS allbox ; l | l | l | l. T{ Name T} T{ Keyword T} T{ Size T} T{ Base type T} .T& l | l | l | l. T{ Bitmask T} T{ bitmask T} T{ variable T} T{ integer T} .TE .PP The bitmask type (\fBbitmask\fR) is used for bitmasks. .SS "STRING TYPE" .TS allbox ; l | l | l | l. T{ Name T} T{ Keyword T} T{ Size T} T{ Base type T} .T& l | l | l | l. T{ String T} T{ string T} T{ variable T} T{ - T} .TE .PP The string type is used to for character strings. A string begins with an alphabetic character (a-zA-Z) followed by zero or more alphanumeric characters or the characters \*(T, \*(T<\-\*(T>, \*(T<_\*(T> and \*(T<.\*(T>. In addition anything enclosed in double quotes (\*(T<"\*(T>) is recognized as a string. .PP \fBString specification\fR .PP .nf \*(T< # Interface name filter input iifname eth0 # Weird interface name filter input iifname "(eth0)" \*(T> .fi .SS "LINK LAYER ADDRESS TYPE" .TS allbox ; l | l | l | l. T{ Name T} T{ Keyword T} T{ Size T} T{ Base type T} .T& l | l | l | l. T{ Link layer address T} T{ lladdr T} T{ variable T} T{ integer T} .TE .PP The link layer address type is used for link layer addresses. Link layer addresses are specified as a variable amount of groups of two hexadecimal digits separated using colons (\*(T<:\*(T>). .PP \fBLink layer address specification\fR .PP .nf \*(T< # Ethernet destination MAC address filter input ether daddr 20:c9:d0:43:12:d9 \*(T> .fi .SS "IPV4 ADDRESS TYPE" .TS allbox ; l | l | l | l. T{ Name T} T{ Keyword T} T{ Size T} T{ Base type T} .T& l | l | l | l. T{ IPv4 address T} T{ ipv4_addr T} T{ 32 bit T} T{ integer T} .TE .PP The IPv4 address type is used for IPv4 addresses. Addresses are specified in either dotted decimal, dotted hexadecimal, dotted octal, decimal, hexadecimal, octal notation or as a host name. A host name will be resolved using the standard system resolver. .PP \fBIPv4 address specification\fR .PP .nf \*(T< # dotted decimal notation filter output ip daddr 127.0.0.1 # host name filter output ip daddr localhost \*(T> .fi .SS "IPV6 ADDRESS TYPE" .TS allbox ; l | l | l | l. T{ Name T} T{ Keyword T} T{ Size T} T{ Base type T} .T& l | l | l | l. T{ IPv6 address T} T{ ipv6_addr T} T{ 128 bit T} T{ integer T} .TE .PP The IPv6 address type is used for IPv6 addresses. FIXME .PP \fBIPv6 address specification\fR .PP .nf \*(T< # abbreviated loopback address filter output ip6 daddr ::1 \*(T> .fi .SS "BOOLEAN TYPE" .TS allbox ; l | l | l | l. T{ Name T} T{ Keyword T} T{ Size T} T{ Base type T} .T& l | l | l | l. T{ Boolean T} T{ boolean T} T{ 1 bit T} T{ integer T} .TE .PP The boolean type is a syntactical helper type in user space. It's use is in the right-hand side of a (typically implicit) relational expression to change the expression on the left-hand side into a boolean check (usually for existence). .PP The following keywords will automatically resolve into a boolean type with given value: .TS allbox ; l | l. T{ Keyword T} T{ Value T} .T& l | l l | l. T{ exists T} T{ 1 T} T{ missing T} T{ 0 T} .TE .PP \fBBoolean specification\fR .PP The following expressions support a boolean comparison: .TS allbox ; l | l. T{ Expression T} T{ Behaviour T} .T& l | l l | l l | l. T{ fib T} T{ Check route existence. T} T{ exthdr T} T{ Check IPv6 extension header existence. T} T{ tcp option T} T{ Check TCP option header existence. T} .TE .PP .nf \*(T< # match if route exists filter input fib daddr . iif oif exists # match only non\-fragmented packets in IPv6 traffic filter input exthdr frag missing # match if TCP timestamp option is present filter input tcp option timestamp exists \*(T> .fi .SS "ICMP TYPE TYPE" .TS allbox ; l | l | l | l. T{ Name T} T{ Keyword T} T{ Size T} T{ Base type T} .T& l | l | l | l. T{ ICMP Type T} T{ icmp_type T} T{ 8 bit T} T{ integer T} .TE .PP The ICMP Type type is used to conveniently specify the ICMP header's type field. .PP The following keywords may be used when specifying the ICMP type: .TS allbox ; l | l. T{ Keyword T} T{ Value T} .T& l | l. T{ echo-reply T} T{ 0 T} T{ destination-unreachable T} T{ 3 T} T{ source-quench T} T{ 4 T} T{ redirect T} T{ 5 T} T{ echo-request T} T{ 8 T} T{ router-advertisement T} T{ 9 T} T{ router-solicitation T} T{ 10 T} T{ time-exceeded T} T{ 11 T} T{ parameter-problem T} T{ 12 T} T{ timestamp-request T} T{ 13 T} T{ timestamp-reply T} T{ 14 T} T{ info-request T} T{ 15 T} T{ info-reply T} T{ 16 T} T{ address-mask-request T} T{ 17 T} T{ address-mask-reply T} T{ 18 T} .TE .PP \fBICMP Type specification\fR .PP .nf \*(T< # match ping packets filter output icmp type { echo\-request, echo\-reply } \*(T> .fi .SS "ICMP CODE TYPE" .TS allbox ; l | l | l | l. T{ Name T} T{ Keyword T} T{ Size T} T{ Base type T} .T& l | l | l | l. T{ ICMP Code T} T{ icmp_code T} T{ 8 bit T} T{ integer T} .TE .PP The ICMP Code type is used to conveniently specify the ICMP header's code field. .PP The following keywords may be used when specifying the ICMP code: .TS allbox ; l | l. T{ Keyword T} T{ Value T} .T& l | l. T{ net-unreachable T} T{ 0 T} T{ host-unreachable T} T{ 1 T} T{ prot-unreachable T} T{ 2 T} T{ port-unreachable T} T{ 3 T} T{ net-prohibited T} T{ 9 T} T{ host-prohibited T} T{ 10 T} T{ admin-prohibited T} T{ 13 T} .TE .SS "ICMPV6 TYPE TYPE" .TS allbox ; l | l | l | l. T{ Name T} T{ Keyword T} T{ Size T} T{ Base type T} .T& l | l | l | l. T{ ICMPv6 Type T} T{ icmpv6_type T} T{ 8 bit T} T{ integer T} .TE .PP The ICMPv6 Type type is used to conveniently specify the ICMPv6 header's type field. .PP The following keywords may be used when specifying the ICMPv6 type: .TS allbox ; l | l. T{ Keyword T} T{ Value T} .T& l | l. T{ destination-unreachable T} T{ 1 T} T{ packet-too-big T} T{ 2 T} T{ time-exceeded T} T{ 3 T} T{ parameter-problem T} T{ 4 T} T{ echo-request T} T{ 128 T} T{ echo-reply T} T{ 129 T} T{ mld-listener-query T} T{ 130 T} T{ mld-listener-report T} T{ 131 T} T{ mld-listener-done T} T{ 132 T} T{ mld-listener-reduction T} T{ 132 T} T{ nd-router-solicit T} T{ 133 T} T{ nd-router-advert T} T{ 134 T} T{ nd-neighbor-solicit T} T{ 135 T} T{ nd-neighbor-advert T} T{ 136 T} T{ nd-redirect T} T{ 137 T} T{ router-renumbering T} T{ 138 T} T{ ind-neighbor-solicit T} T{ 141 T} T{ ind-neighbor-advert T} T{ 142 T} T{ mld2-listener-report T} T{ 143 T} .TE .PP \fBICMPv6 Type specification\fR .PP .nf \*(T< # match ICMPv6 ping packets filter output icmpv6 type { echo\-request, echo\-reply } \*(T> .fi .SS "ICMPV6 CODE TYPE" .TS allbox ; l | l | l | l. T{ Name T} T{ Keyword T} T{ Size T} T{ Base type T} .T& l | l | l | l. T{ ICMPv6 Code T} T{ icmpv6_code T} T{ 8 bit T} T{ integer T} .TE .PP The ICMPv6 Code type is used to conveniently specify the ICMPv6 header's code field. .PP The following keywords may be used when specifying the ICMPv6 code: .TS allbox ; l | l. T{ Keyword T} T{ Value T} .T& l | l. T{ no-route T} T{ 0 T} T{ admin-prohibited T} T{ 1 T} T{ addr-unreachable T} T{ 3 T} T{ port-unreachable T} T{ 4 T} T{ policy-fail T} T{ 5 T} T{ reject-route T} T{ 6 T} .TE .SS "ICMPVX CODE TYPE" .TS allbox ; l | l | l | l. T{ Name T} T{ Keyword T} T{ Size T} T{ Base type T} .T& l | l | l | l. T{ ICMPvX Code T} T{ icmpx_code T} T{ 8 bit T} T{ integer T} .TE .PP The ICMPvX Code type abstraction is a set of values which overlap between ICMP and ICMPv6 Code types to be used from the inet family. .PP The following keywords may be used when specifying the ICMPvX code: .TS allbox ; l | l. T{ Keyword T} T{ Value T} .T& l | l. T{ no-route T} T{ 0 T} T{ port-unreachable T} T{ 1 T} T{ host-unreachable T} T{ 2 T} T{ admin-prohibited T} T{ 3 T} .TE .SS "CONNTRACK TYPES" This is an overview of types used in \fBct\fR expression and statement: .TS allbox ; l | l | l | l. T{ Name T} T{ Keyword T} T{ Size T} T{ Base type T} .T& l | l | l | l. T{ conntrack state T} T{ ct_state T} T{ 4 byte T} T{ bitmask T} T{ conntrack direction T} T{ ct_dir T} T{ 8 bit T} T{ integer T} T{ conntrack status T} T{ ct_status T} T{ 4 byte T} T{ bitmask T} T{ conntrack event bits T} T{ ct_event T} T{ 4 byte T} T{ bitmask T} T{ conntrack label T} T{ ct_label T} T{ 128 bit T} T{ bitmask T} .TE .PP For each of the types above, keywords are available for convenience: \fBconntrack state (ct_state)\fR .TS allbox ; l | l. T{ Keyword T} T{ Value T} .T& l | l. T{ invalid T} T{ 1 T} T{ established T} T{ 2 T} T{ related T} T{ 4 T} T{ new T} T{ 8 T} T{ untracked T} T{ 64 T} .TE .PP \fBconntrack direction (ct_dir)\fR .TS allbox ; l | l. T{ Keyword T} T{ Value T} .T& l | l l | l. T{ original T} T{ 0 T} T{ reply T} T{ 1 T} .TE .PP \fBconntrack status (ct_status)\fR .TS allbox ; l | l. T{ Keyword T} T{ Value T} .T& l | l. T{ expected T} T{ 1 T} T{ seen-reply T} T{ 2 T} T{ assured T} T{ 4 T} T{ confirmed T} T{ 8 T} T{ snat T} T{ 16 T} T{ dnat T} T{ 32 T} T{ dying T} T{ 512 T} .TE .PP \fBconntrack event bits (ct_event)\fR .TS allbox ; l | l. T{ Keyword T} T{ Value T} .T& l | l. T{ new T} T{ 1 T} T{ related T} T{ 2 T} T{ destroy T} T{ 4 T} T{ reply T} T{ 8 T} T{ assured T} T{ 16 T} T{ protoinfo T} T{ 32 T} T{ helper T} T{ 64 T} T{ mark T} T{ 128 T} T{ seqadj T} T{ 256 T} T{ secmark T} T{ 512 T} T{ label T} T{ 1024 T} .TE .PP Possible keywords for conntrack label type (\fBct_label\fR) are read at runtime from \*(T. .SH "PRIMARY EXPRESSIONS" The lowest order expression is a primary expression, representing either a constant or a single datum from a packet's payload, meta data or a stateful module. .SS "META EXPRESSIONS" 'nh .fi .ad l \fBmeta\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {length | nfproto | l4proto | protocol | priority} 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l [meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype | skuid | skgid | nftrace | rtclassid | ibriport | obriport | pkttype | cpu | iifgroup | oifgroup | cgroup | random} .ad b 'hy .PP A meta expression refers to meta data associated with a packet. .PP There are two types of meta expressions: unqualified and qualified meta expressions. Qualified meta expressions require the \fBmeta\fR keyword before the meta key, unqualified meta expressions can be specified by using the meta key directly or as qualified meta expressions. .PP \fBMeta expression types\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ length T} T{ Length of the packet in bytes T} T{ integer (32 bit) T} T{ nfproto T} T{ real hook protocol family, useful only in inet table T} T{ integer (32 bit) T} T{ protocol T} T{ Ethertype protocol value T} T{ ether_type T} T{ priority T} T{ TC packet priority T} T{ tc_handle T} T{ mark T} T{ Packet mark T} T{ mark T} T{ iif T} T{ Input interface index T} T{ iface_index T} T{ iifname T} T{ Input interface name T} T{ string T} T{ iiftype T} T{ Input interface type T} T{ iface_type T} T{ oif T} T{ Output interface index T} T{ iface_index T} T{ oifname T} T{ Output interface name T} T{ string T} T{ oiftype T} T{ Output interface hardware type T} T{ iface_type T} T{ skuid T} T{ UID associated with originating socket T} T{ uid T} T{ skgid T} T{ GID associated with originating socket T} T{ gid T} T{ rtclassid T} T{ Routing realm T} T{ realm T} T{ ibriport T} T{ Input bridge interface name T} T{ string T} T{ obriport T} T{ Output bridge interface name T} T{ string T} T{ pkttype T} T{ packet type T} T{ pkt_type T} T{ cpu T} T{ cpu number processing the packet T} T{ integer (32 bits) T} T{ iifgroup T} T{ incoming device group T} T{ devgroup T} T{ oifgroup T} T{ outgoing device group T} T{ devgroup T} T{ cgroup T} T{ control group id T} T{ integer (32 bits) T} T{ random T} T{ pseudo-random number T} T{ integer (32 bits) T} .TE .PP \fBMeta expression specific types\fR .TS allbox ; l | l. T{ Type T} T{ Description T} .T& l | l. T{ iface_index T} T{ Interface index (32 bit number). Can be specified numerically or as name of an existing interface. T} T{ ifname T} T{ Interface name (16 byte string). Does not have to exist. T} T{ iface_type T} T{ Interface type (16 bit number). T} T{ uid T} T{ User ID (32 bit number). Can be specified numerically or as user name. T} T{ gid T} T{ Group ID (32 bit number). Can be specified numerically or as group name. T} T{ realm T} T{ Routing Realm (32 bit number). Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms. T} T{ devgroup_type T} T{ Device group (32 bit number). Can be specified numerically or as symbolic name defined in /etc/iproute2/group. T} T{ pkt_type T} T{ Packet type: Unicast (addressed to local host), Broadcast (to all), Multicast (to group). T} .TE .PP \fBUsing meta expressions\fR .PP .nf \*(T< # qualified meta expression filter output meta oif eth0 # unqualified meta expression filter output oif eth0 \*(T> .fi .SS "FIB EXPRESSIONS" 'nh .fi .ad l \fBfib\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {saddr | daddr | [mark | iif | oif]} {oif | oifname | type} 'in \n(.iu-\nxu .ad b 'hy .PP A fib expression queries the fib (forwarding information base) to obtain information such as the output interface index a particular address would use. The input is a tuple of elements that is used as input to the fib lookup functions. .PP \fBfib expression specific types\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l l | l | l l | l | l. T{ oif T} T{ Output interface index T} T{ integer (32 bit) T} T{ oifname T} T{ Output interface name T} T{ string T} T{ type T} T{ Address type T} T{ fib_addrtype T} .TE .PP \fBUsing fib expressions\fR .PP .nf \*(T< # drop packets without a reverse path filter prerouting fib saddr . iif oif missing drop # drop packets to address not configured on ininterface filter prerouting fib daddr . iif type != { local, broadcast, multicast } drop # perform lookup in a specific 'blackhole' table (0xdead, needs ip appropriate ip rule) filter prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : jump prohibited, unreachable : drop } \*(T> .fi .SS "ROUTING EXPRESSIONS" 'nh .fi .ad l \fBrt\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {classid | nexthop} 'in \n(.iu-\nxu .ad b 'hy .PP A routing expression refers to routing data associated with a packet. .PP \fBRouting expression types\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l l | l | l l | l | l. T{ classid T} T{ Routing realm T} T{ realm T} T{ nexthop T} T{ Routing nexthop T} T{ ipv4_addr/ipv6_addr T} T{ mtu T} T{ TCP maximum segment size of route T} T{ integer (16 bit) T} .TE .PP \fBRouting expression specific types\fR .TS allbox ; l | l. T{ Type T} T{ Description T} .T& l | l. T{ realm T} T{ Routing Realm (32 bit number). Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms. T} .TE .PP \fBUsing routing expressions\fR .PP .nf \*(T< # IP family independent rt expression filter output rt classid 10 # IP family dependent rt expressions ip filter output rt nexthop 192.168.0.1 ip6 filter output rt nexthop fd00::1 inet filter output rt ip nexthop 192.168.0.1 inet filter output rt ip6 nexthop fd00::1 \*(T> .fi .SH "PAYLOAD EXPRESSIONS" Payload expressions refer to data from the packet's payload. .SS "ETHERNET HEADER EXPRESSION" 'nh .fi .ad l \fBether\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fIethernet header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBEthernet header expression types\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l l | l | l l | l | l. T{ daddr T} T{ Destination MAC address T} T{ ether_addr T} T{ saddr T} T{ Source MAC address T} T{ ether_addr T} T{ type T} T{ EtherType T} T{ ether_type T} .TE .SS "VLAN HEADER EXPRESSION" 'nh .fi .ad l \fBvlan\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fIVLAN header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBVLAN header expression\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ id T} T{ VLAN ID (VID) T} T{ integer (12 bit) T} T{ cfi T} T{ Canonical Format Indicator T} T{ integer (1 bit) T} T{ pcp T} T{ Priority code point T} T{ integer (3 bit) T} T{ type T} T{ EtherType T} T{ ether_type T} .TE .SS "ARP HEADER EXPRESSION" 'nh .fi .ad l \fBarp\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fIARP header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBARP header expression\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ htype T} T{ ARP hardware type T} T{ integer (16 bit) T} T{ ptype T} T{ EtherType T} T{ ether_type T} T{ hlen T} T{ Hardware address len T} T{ integer (8 bit) T} T{ plen T} T{ Protocol address len T} T{ integer (8 bit) T} T{ operation T} T{ Operation T} T{ arp_op T} .TE .SS "IPV4 HEADER EXPRESSION" 'nh .fi .ad l \fBip\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fIIPv4 header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBIPv4 header expression\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ version T} T{ IP header version (4) T} T{ integer (4 bit) T} T{ hdrlength T} T{ IP header length including options T} T{ integer (4 bit) FIXME scaling T} T{ dscp T} T{ Differentiated Services Code Point T} T{ dscp T} T{ ecn T} T{ Explicit Congestion Notification T} T{ ecn T} T{ length T} T{ Total packet length T} T{ integer (16 bit) T} T{ id T} T{ IP ID T} T{ integer (16 bit) T} T{ frag-off T} T{ Fragment offset T} T{ integer (16 bit) T} T{ ttl T} T{ Time to live T} T{ integer (8 bit) T} T{ protocol T} T{ Upper layer protocol T} T{ inet_proto T} T{ checksum T} T{ IP header checksum T} T{ integer (16 bit) T} T{ saddr T} T{ Source address T} T{ ipv4_addr T} T{ daddr T} T{ Destination address T} T{ ipv4_addr T} .TE .SS "ICMP HEADER EXPRESSION" 'nh .fi .ad l \fBicmp\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fIICMP header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBICMP header expression\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ type T} T{ ICMP type field T} T{ icmp_type T} T{ code T} T{ ICMP code field T} T{ integer (8 bit) T} T{ checksum T} T{ ICMP checksum field T} T{ integer (16 bit) T} T{ id T} T{ ID of echo request/response T} T{ integer (16 bit) T} T{ sequence T} T{ sequence number of echo request/response T} T{ integer (16 bit) T} T{ gateway T} T{ gateway of redirects T} T{ integer (32 bit) T} T{ mtu T} T{ MTU of path MTU discovery T} T{ integer (16 bit) T} .TE .SS "IPV6 HEADER EXPRESSION" 'nh .fi .ad l \fBip6\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fIIPv6 header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBIPv6 header expression\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ version T} T{ IP header version (6) T} T{ integer (4 bit) T} T{ dscp T} T{ Differentiated Services Code Point T} T{ dscp T} T{ ecn T} T{ Explicit Congestion Notification T} T{ ecn T} T{ flowlabel T} T{ Flow label T} T{ integer (20 bit) T} T{ length T} T{ Payload length T} T{ integer (16 bit) T} T{ nexthdr T} T{ Nexthdr protocol T} T{ inet_proto T} T{ hoplimit T} T{ Hop limit T} T{ integer (8 bit) T} T{ saddr T} T{ Source address T} T{ ipv6_addr T} T{ daddr T} T{ Destination address T} T{ ipv6_addr T} .TE .SS "ICMPV6 HEADER EXPRESSION" 'nh .fi .ad l \fBicmpv6\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fIICMPv6 header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBICMPv6 header expression\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ type T} T{ ICMPv6 type field T} T{ icmpv6_type T} T{ code T} T{ ICMPv6 code field T} T{ integer (8 bit) T} T{ checksum T} T{ ICMPv6 checksum field T} T{ integer (16 bit) T} T{ parameter-problem T} T{ pointer to problem T} T{ integer (32 bit) T} T{ packet-too-big T} T{ oversized MTU T} T{ integer (32 bit) T} T{ id T} T{ ID of echo request/response T} T{ integer (16 bit) T} T{ sequence T} T{ sequence number of echo request/response T} T{ integer (16 bit) T} T{ max-delay T} T{ maximum response delay of MLD queries T} T{ integer (16 bit) T} .TE .SS "TCP HEADER EXPRESSION" 'nh .fi .ad l \fBtcp\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fITCP header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBTCP header expression\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ sport T} T{ Source port T} T{ inet_service T} T{ dport T} T{ Destination port T} T{ inet_service T} T{ sequence T} T{ Sequence number T} T{ integer (32 bit) T} T{ ackseq T} T{ Acknowledgement number T} T{ integer (32 bit) T} T{ doff T} T{ Data offset T} T{ integer (4 bit) FIXME scaling T} T{ reserved T} T{ Reserved area T} T{ integer (4 bit) T} T{ flags T} T{ TCP flags T} T{ tcp_flag T} T{ window T} T{ Window T} T{ integer (16 bit) T} T{ checksum T} T{ Checksum T} T{ integer (16 bit) T} T{ urgptr T} T{ Urgent pointer T} T{ integer (16 bit) T} .TE .SS "UDP HEADER EXPRESSION" 'nh .fi .ad l \fBudp\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fIUDP header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBUDP header expression\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ sport T} T{ Source port T} T{ inet_service T} T{ dport T} T{ Destination port T} T{ inet_service T} T{ length T} T{ Total packet length T} T{ integer (16 bit) T} T{ checksum T} T{ Checksum T} T{ integer (16 bit) T} .TE .SS "UDP-LITE HEADER EXPRESSION" 'nh .fi .ad l \fBudplite\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fIUDP-Lite header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBUDP-Lite header expression\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l l | l | l l | l | l. T{ sport T} T{ Source port T} T{ inet_service T} T{ dport T} T{ Destination port T} T{ inet_service T} T{ checksum T} T{ Checksum T} T{ integer (16 bit) T} .TE .SS "SCTP HEADER EXPRESSION" 'nh .fi .ad l \fBsctp\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fISCTP header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBSCTP header expression\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ sport T} T{ Source port T} T{ inet_service T} T{ dport T} T{ Destination port T} T{ inet_service T} T{ vtag T} T{ Verfication Tag T} T{ integer (32 bit) T} T{ checksum T} T{ Checksum T} T{ integer (32 bit) T} .TE .SS "DCCP HEADER EXPRESSION" 'nh .fi .ad l \fBdccp\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fIDCCP header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBDCCP header expression\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l l | l | l. T{ sport T} T{ Source port T} T{ inet_service T} T{ dport T} T{ Destination port T} T{ inet_service T} .TE .SS "AUTHENTICATION HEADER EXPRESSION" 'nh .fi .ad l \fBah\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fIAH header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBAH header expression\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ nexthdr T} T{ Next header protocol T} T{ inet_proto T} T{ hdrlength T} T{ AH Header length T} T{ integer (8 bit) T} T{ reserved T} T{ Reserved area T} T{ integer (16 bit) T} T{ spi T} T{ Security Parameter Index T} T{ integer (32 bit) T} T{ sequence T} T{ Sequence number T} T{ integer (32 bit) T} .TE .SS "ENCRYPTED SECURITY PAYLOAD HEADER EXPRESSION" 'nh .fi .ad l \fBesp\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fIESP header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBESP header expression\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l l | l | l. T{ spi T} T{ Security Parameter Index T} T{ integer (32 bit) T} T{ sequence T} T{ Sequence number T} T{ integer (32 bit) T} .TE .SS "IPCOMP HEADER EXPRESSION" 'nh .fi .ad l \fBcomp\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [\fIIPComp header field\fR] 'in \n(.iu-\nxu .ad b 'hy .PP \fBIPComp header expression\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l l | l | l l | l | l. T{ nexthdr T} T{ Next header protocol T} T{ inet_proto T} T{ flags T} T{ Flags T} T{ bitmask T} T{ cpi T} T{ Compression Parameter Index T} T{ integer (16 bit) T} .TE .SS "EXTENSION HEADER EXPRESSIONS" Extension header expressions refer to data from variable-sized protocol headers, such as IPv6 extension headers and TCPs options. .PP nftables currently supports matching (finding) a given ipv6 extension header or TCP option. 'nh .fi .ad l \fBhbh\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {nexthdr | hdrlength} 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBfrag\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {nexthdr | frag-off | more-fragments | id} 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBrt\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {nexthdr | hdrlength | type | seg-left} 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBdst\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {nexthdr | hdrlength} 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBmh\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {nexthdr | hdrlength | checksum | type} 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBtcp option\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {eol | noop | maxseg | window | sack-permitted | sack | sack0 | sack1 | sack2 | sack3 | timestamp} \fItcp_option_field\fR 'in \n(.iu-\nxu .ad b 'hy .PP The following syntaxes are valid only in a relational expression with boolean type on right-hand side for checking header existence only: 'nh .fi .ad l \fBexthdr\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {hbh | frag | rt | dst | mh} 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBtcp option\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {eol | noop | maxseg | window | sack-permitted | sack | sack0 | sack1 | sack2 | sack3 | timestamp} 'in \n(.iu-\nxu .ad b 'hy .PP \fBIPv6 extension headers\fR .TS allbox ; l | l. T{ Keyword T} T{ Description T} .T& l | l. T{ hbh T} T{ Hop by Hop T} T{ rt T} T{ Routing Header T} T{ frag T} T{ Fragmentation header T} T{ dst T} T{ dst options T} T{ mh T} T{ Mobility Header T} .TE .PP \fBTCP Options\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ TCP option fields T} .T& l | l | l. T{ eol T} T{ End of option list T} T{ kind T} T{ noop T} T{ 1 Byte TCP No-op options T} T{ kind T} T{ maxseg T} T{ TCP Maximum Segment Size T} T{ kind, length, size T} T{ window T} T{ TCP Window Scaling T} T{ kind, length, count T} T{ sack-permitted T} T{ TCP SACK permitted T} T{ kind, length T} T{ sack T} T{ TCP Selective Acknowledgement (alias of block 0) T} T{ kind, length, left, right T} T{ sack0 T} T{ TCP Selective Acknowledgement (block 0) T} T{ kind, length, left, right T} T{ sack1 T} T{ TCP Selective Acknowledgement (block 1) T} T{ kind, length, left, right T} T{ sack2 T} T{ TCP Selective Acknowledgement (block 2) T} T{ kind, length, left, right T} T{ sack3 T} T{ TCP Selective Acknowledgement (block 3) T} T{ kind, length, left, right T} T{ timestamp T} T{ TCP Timestamps T} T{ kind, length, tsval, tsecr T} .TE .PP \fBfinding TCP options\fR .PP .nf \*(T< filter input tcp option sack\-permitted kind 1 counter \*(T> .fi .PP \fBmatching IPv6 exthdr\fR .PP .nf \*(T< ip6 filter input frag more\-fragments 1 counter \*(T> .fi .SS "CONNTRACK EXPRESSIONS" Conntrack expressions refer to meta data of the connection tracking entry associated with a packet. .PP There are three types of conntrack expressions. Some conntrack expressions require the flow direction before the conntrack key, others must be used directly because they are direction agnostic. The \fBpackets\fR, \fBbytes\fR and \fBavgpkt\fR keywords can be used with or without a direction. If the direction is omitted, the sum of the original and the reply direction is returned. The same is true for the \fBzone\fR, if a direction is given, the zone is only matched if the zone id is tied to the given direction. .PP 'nh .fi .ad l \fBct\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {state | direction | status | mark | expiration | helper | label | l3proto | protocol | bytes | packets | avgpkt | zone} 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBct\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {original | reply} {l3proto | protocol | proto-src | proto-dst | bytes | packets | avgpkt | zone} 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBct\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {original | reply} {ip | ip6} {saddr | daddr} 'in \n(.iu-\nxu .ad b 'hy .PP \fBConntrack expressions\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ state T} T{ State of the connection T} T{ ct_state T} T{ direction T} T{ Direction of the packet relative to the connection T} T{ ct_dir T} T{ status T} T{ Status of the connection T} T{ ct_status T} T{ mark T} T{ Connection mark T} T{ mark T} T{ expiration T} T{ Connection expiration time T} T{ time T} T{ helper T} T{ Helper associated with the connection T} T{ string T} T{ label T} T{ Connection tracking label bit or symbolic name defined in connlabel.conf in the nftables include path T} T{ ct_label T} T{ l3proto T} T{ Layer 3 protocol of the connection T} T{ nf_proto T} T{ saddr T} T{ Source address of the connection for the given direction T} T{ ipv4_addr/ipv6_addr T} T{ daddr T} T{ Destination address of the connection for the given direction T} T{ ipv4_addr/ipv6_addr T} T{ protocol T} T{ Layer 4 protocol of the connection for the given direction T} T{ inet_proto T} T{ proto-src T} T{ Layer 4 protocol source for the given direction T} T{ integer (16 bit) T} T{ proto-dst T} T{ Layer 4 protocol destination for the given direction T} T{ integer (16 bit) T} T{ packets T} T{ packet count seen in the given direction or sum of original and reply T} T{ integer (64 bit) T} T{ bytes T} T{ bytecount seen, see description for \fBpackets\fR keyword T} T{ integer (64 bit) T} T{ avgpkt T} T{ average bytes per packet, see description for \fBpackets\fR keyword T} T{ integer (64 bit) T} T{ zone T} T{ conntrack zone T} T{ integer (16 bit) T} .TE .PP A description of conntrack-specific types listed above can be found sub-section \*(T above. .SH STATEMENTS Statements represent actions to be performed. They can alter control flow (return, jump to a different chain, accept or drop the packet) or can perform actions, such as logging, rejecting a packet, etc. .PP Statements exist in two kinds. Terminal statements unconditionally terminate evaluation of the current rule, non-terminal statements either only conditionally or never terminate evaluation of the current rule, in other words, they are passive from the ruleset evaluation perspective. There can be an arbitrary amount of non-terminal statements in a rule, but only a single terminal statement as the final statement. .SS "VERDICT STATEMENT" The verdict statement alters control flow in the ruleset and issues policy decisions for packets. .PP 'nh .fi .ad l {accept | drop | queue | continue | return} .ad b 'hy 'nh .fi .ad l {jump | goto} {\fIchain\fR} .ad b 'hy .PP .TP \*(T<\fBaccept\fR\*(T> Terminate ruleset evaluation and accept the packet. .TP \*(T<\fBdrop\fR\*(T> Terminate ruleset evaluation and drop the packet. .TP \*(T<\fBqueue\fR\*(T> Terminate ruleset evaluation and queue the packet to userspace. .TP \*(T<\fBcontinue\fR\*(T> Continue ruleset evaluation with the next rule. FIXME .TP \*(T<\fBreturn\fR\*(T> Return from the current chain and continue evaluation at the next rule in the last chain. If issued in a base chain, it is equivalent to \fBaccept\fR. .TP \*(T<\fBjump \fR\*(T>\fIchain\fR Continue evaluation at the first rule in \fIchain\fR. The current position in the ruleset is pushed to a call stack and evaluation will continue there when the new chain is entirely evaluated of a \fBreturn\fR verdict is issued. .TP \*(T<\fBgoto \fR\*(T>\fIchain\fR Similar to \fBjump\fR, but the current position is not pushed to the call stack, meaning that after the new chain evaluation will continue at the last chain instead of the one containing the goto statement. .PP \fBVerdict statements\fR .PP .nf \*(T< # process packets from eth0 and the internal network in from_lan # chain, drop all packets from eth0 with different source addresses. filter input iif eth0 ip saddr 192.168.0.0/24 jump from_lan filter input iif eth0 drop \*(T> .fi .SS "PAYLOAD STATEMENT" The payload statement alters packet content. It can be used for example to set ip DSCP (differv) header field or ipv6 flow labels. .PP \fBroute some packets instead of bridging\fR .PP .nf \*(T< # redirect tcp:http from 192.160.0.0/16 to local machine for routing instead of bridging # assumes 00:11:22:33:44:55 is local MAC address. bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55 \*(T> .fi .PP \fBSet IPv4 DSCP header field\fR .PP .nf \*(T< ip forward ip dscp set 42 \*(T> .fi .SS "EXTENSION HEADER STATEMENT" The extension header statement alters packet content in variable-sized headers. This can currently be used to alter the TCP Maximum segment size of packets, similar to TCPMSS. .PP \fBchange tcp mss\fR .PP .nf \*(T< tcp flags syn tcp option maxseg size set 1360 # set a size based on route information: tcp flags syn tcp option maxseg size set rt mtu \*(T> .fi .SS "LOG STATEMENT" 'nh .fi .ad l \fBlog\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [prefix \fIquoted_string\fR] [level \fIsyslog-level\fR] [flags \fIlog-flags\fR] 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBlog\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu group \fInflog_group\fR [prefix \fIquoted_string\fR] [queue-threshold \fIvalue\fR] [snaplen \fIsize\fR] 'in \n(.iu-\nxu .ad b 'hy .PP The log statement enables logging of matching packets. When this statement is used from a rule, the Linux kernel will print some information on all matching packets, such as header fields, via the kernel log (where it can be read with dmesg(1) or read in the syslog). If the group number is specified, the Linux kernel will pass the packet to nfnetlink_log which will multicast the packet through a netlink socket to the specified multicast group. One or more userspace processes may subscribe to the group to receive the packets, see libnetfilter_queue documentation for details. This is a non-terminating statement, so the rule evaluation continues after the packet is logged. .PP \fBlog statement options\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Type T} .T& l | l | l. T{ prefix T} T{ Log message prefix T} T{ quoted string T} T{ syslog-level T} T{ Syslog level of logging T} T{ string: emerg, alert, crit, err, warn [default], notice, info, debug T} T{ group T} T{ NFLOG group to send messages to T} T{ unsigned integer (16 bit) T} T{ snaplen T} T{ Length of packet payload to include in netlink message T} T{ unsigned integer (32 bit) T} T{ queue-threshold T} T{ Number of packets to queue inside the kernel before sending them to userspace T} T{ unsigned integer (32 bit) T} .TE .PP \fBlog-flags\fR .TS allbox ; l | l. T{ Flag T} T{ Description T} .T& l | l. T{ tcp sequence T} T{ Log TCP sequence numbers. T} T{ tcp options T} T{ Log options from the TCP packet header. T} T{ ip options T} T{ Log options from the IP/IPv6 packet header. T} T{ skuid T} T{ Log the userid of the process which generated the packet. T} T{ ether T} T{ Decode MAC addresses and protocol. T} T{ all T} T{ Enable all log flags listed above. T} .TE .PP \fBUsing log statement\fR .PP .nf \*(T< # log the UID which generated the packet and ip options ip filter output log flags skuid flags ip options # log the tcp sequence numbers and tcp options from the TCP packet ip filter output log flags tcp sequence,options # enable all supported log flags ip6 filter output log flags all \*(T> .fi .SS "REJECT STATEMENT" 'nh .fi .ad l \fBreject\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [ with {icmp | icmpv6 | icmpx} type {icmp_code | icmpv6_code | icmpx_code} ] 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBreject\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [ with {tcp} {reset} ] 'in \n(.iu-\nxu .ad b 'hy .PP A reject statement is used to send back an error packet in response to the matched packet otherwise it is equivalent to drop so it is a terminating statement, ending rule traversal. This statement is only valid in the input, forward and output chains, and user-defined chains which are only called from those chains. .PP The different ICMP reject variants are meant for use in different table families: .TS allbox ; l | l | l. T{ Variant T} T{ Family T} T{ Type T} .T& l | l | l l | l | l l | l | l. T{ icmp T} T{ ip T} T{ icmp_code T} T{ icmpv6 T} T{ ip6 T} T{ icmpv6_code T} T{ icmpx T} T{ inet T} T{ icmpx_code T} .TE .PP For a description of the different types and a list of supported keywords refer to \*(T section above. The common default reject value is \fBport-unreachable\fR. .SS "COUNTER STATEMENT" A counter statement sets the hit count of packets along with the number of bytes. .PP 'nh .fi .ad l \fBcounter\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {packets \fInumber\fR } {bytes \fInumber\fR } 'in \n(.iu-\nxu .ad b 'hy .SS "CONNTRACK STATEMENT" The conntrack statement can be used to set the conntrack mark and conntrack labels. .PP 'nh .fi .ad l \fBct\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {mark | event | label | zone} set \fIvalue\fR 'in \n(.iu-\nxu .ad b 'hy .PP The ct statement sets meta data associated with a connection. The zone id has to be assigned before a conntrack lookup takes place, i.e. this has to be done in prerouting and possibly output (if locally generated packets need to be placed in a distinct zone), with a hook priority of -300. .PP \fBConntrack statement types\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Value T} .T& l | l | l. T{ event T} T{ conntrack event bits T} T{ bitmask, integer (32 bit) T} T{ helper T} T{ name of ct helper object to assign to the connection T} T{ quoted string T} T{ mark T} T{ Connection tracking mark T} T{ mark T} T{ label T} T{ Connection tracking label T} T{ label T} T{ zone T} T{ conntrack zone T} T{ integer (16 bit) T} .TE .PP \fBsave packet nfmark in conntrack\fR .PP .nf \*(T< ct mark set meta mark \*(T> .fi .PP \fBset zone mapped via interface\fR .PP .nf \*(T< table inet raw { chain prerouting { type filter hook prerouting priority \-300; ct zone set iif map { "eth1" : 1, "veth1" : 2 } } chain output { type filter hook output priority \-300; ct zone set oif map { "eth1" : 1, "veth1" : 2 } } } \*(T> .fi .PP \fBrestrict events reported by ctnetlink\fR .PP .nf \*(T< ct event set new,related,destroy \*(T> .fi .SS "META STATEMENT" A meta statement sets the value of a meta expression. The existing meta fields are: priority, mark, pkttype, nftrace. .PP 'nh .fi .ad l \fBmeta\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu {mark | priority | pkttype | nftrace} set \fIvalue\fR 'in \n(.iu-\nxu .ad b 'hy .PP A meta statement sets meta data associated with a packet. .PP \fBMeta statement types\fR .TS allbox ; l | l | l. T{ Keyword T} T{ Description T} T{ Value T} .T& l | l | l. T{ priority T} T{ TC packet priority T} T{ tc_handle T} T{ mark T} T{ Packet mark T} T{ mark T} T{ pkttype T} T{ packet type T} T{ pkt_type T} T{ nftrace T} T{ ruleset packet tracing on/off. Use \fBmonitor trace\fR command to watch traces T} T{ 0, 1 T} .TE .SS "LIMIT STATEMENT" 'nh .fi .ad l \fBlimit\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu rate [over] \fIpacket_number\fR / {second | minute | hour | day} [burst \fIpacket_number\fR packets] 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBlimit\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu rate [over] \fIbyte_number\fR {bytes | kbytes | mbytes} / {second | minute | hour | day | week} [burst \fIbyte_number\fR bytes] 'in \n(.iu-\nxu .ad b 'hy .PP A limit statement matches at a limited rate using a token bucket filter. A rule using this statement will match until this limit is reached. It can be used in combination with the log statement to give limited logging. The \fBover\fR keyword, that is optional, makes it match over the specified rate. .PP \fBlimit statement values\fR .TS allbox ; l | l | l. T{ Value T} T{ Description T} T{ Type T} .T& l | l | l l | l | l. T{ packet_number T} T{ Number of packets T} T{ unsigned integer (32 bit) T} T{ byte_number T} T{ Number of bytes T} T{ unsigned integer (32 bit) T} .TE .SS "NAT STATEMENTS" 'nh .fi .ad l \fBsnat\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu to \fIaddress\fR [:port] [persistent, random, fully-random] 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBsnat\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu to \fIaddress\fR - \fIaddress\fR [:\fIport\fR - \fIport\fR] [persistent, random, fully-random] 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBdnat\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu to \fIaddress\fR [:\fIport\fR] [persistent, random, fully-random] 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBdnat\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu to \fIaddress\fR [:\fIport\fR - \fIport\fR] [persistent, random, fully-random] 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBmasquerade\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu to [:\fIport\fR] [persistent, random, fully-random] 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBmasquerade\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu to [:\fIport\fR - \fIport\fR] [persistent, random, fully-random] 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBredirect\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu to [:\fIport\fR] [persistent, random, fully-random] 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBredirect\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu to [:\fIport\fR - \fIport\fR] [persistent, random, fully-random] 'in \n(.iu-\nxu .ad b 'hy .PP The nat statements are only valid from nat chain types. .PP The \fBsnat\fR and \fBmasquerade\fR statements specify that the source address of the packet should be modified. While \fBsnat\fR is only valid in the postrouting and input chains, \fBmasquerade\fR makes sense only in postrouting. The \fBdnat\fR and \fBredirect\fR statements are only valid in the prerouting and output chains, they specify that the destination address of the packet should be modified. You can use non-base chains which are called from base chains of nat chain type too. All future packets in this connection will also be mangled, and rules should cease being examined. .PP The \fBmasquerade\fR statement is a special form of \fBsnat\fR which always uses the outgoing interface's IP address to translate to. It is particularly useful on gateways with dynamic (public) IP addresses. .PP The \fBredirect\fR statement is a special form of \fBdnat\fR which always translates the destination address to the local host's one. It comes in handy if one only wants to alter the destination port of incoming traffic on different interfaces. .PP Note that all nat statements require both prerouting and postrouting base chains to be present since otherwise packets on the return path won't be seen by netfilter and therefore no reverse translation will take place. .PP \fBNAT statement values\fR .TS allbox ; l | l | l. T{ Expression T} T{ Description T} T{ Type T} .T& l | l | l l | l | l. T{ address T} T{ Specifies that the source/destination address of the packet should be modified. You may specify a mapping to relate a list of tuples composed of arbitrary expression key with address value. T} T{ ipv4_addr, ipv6_addr, eg. abcd::1234, or you can use a mapping, eg. meta mark map { 10 : 192.168.1.2, 20 : 192.168.1.3 } T} T{ port T} T{ Specifies that the source/destination address of the packet should be modified. T} T{ port number (16 bits) T} .TE .PP \fBNAT statement flags\fR .TS allbox ; l | l. T{ Flag T} T{ Description T} .T& l | l l | l l | l. T{ persistent T} T{ Gives a client the same source-/destination-address for each connection. T} T{ random T} T{ If used then port mapping will be randomized using a random seeded MD5 hash mix using source and destination address and destination port. T} T{ fully-random T} T{ If used then port mapping is generated based on a 32-bit pseudo-random algorithm. T} .TE .PP \fBUsing NAT statements\fR .PP .nf \*(T< # create a suitable table/chain setup for all further examples add table nat add chain nat prerouting { type nat hook prerouting priority 0; } add chain nat postrouting { type nat hook postrouting priority 100; } # translate source addresses of all packets leaving via eth0 to address 1.2.3.4 add rule nat postrouting oif eth0 snat to 1.2.3.4 # redirect all traffic entering via eth0 to destination address 192.168.1.120 add rule nat prerouting iif eth0 dnat to 192.168.1.120 # translate source addresses of all packets leaving via eth0 to whatever # locally generated packets would use as source to reach the same destination add rule nat postrouting oif eth0 masquerade # redirect incoming TCP traffic for port 22 to port 2222 add rule nat prerouting tcp dport 22 redirect to :2222 \*(T> .fi .SS "QUEUE STATEMENT" This statement passes the packet to userspace using the nfnetlink_queue handler. The packet is put into the queue identified by its 16-bit queue number. Userspace can inspect and modify the packet if desired. Userspace must then drop or reinject the packet into the kernel. See libnetfilter_queue documentation for details. .PP 'nh .fi .ad l \fBqueue\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [num \fIqueue_number\fR] [bypass] 'in \n(.iu-\nxu .ad b 'hy 'nh .fi .ad l \fBqueue\fR \kx .if (\nx>(\n(.l/2)) .nr x (\n(.l/5) 'in \n(.iu+\nxu [num \fIqueue_number_from\fR - \fIqueue_number_to\fR] [bypass,fanout] 'in \n(.iu-\nxu .ad b 'hy .PP \fBqueue statement values\fR .TS allbox ; l | l | l. T{ Value T} T{ Description T} T{ Type T} .T& l | l | l l | l | l l | l | l. T{ queue_number T} T{ Sets queue number, default is 0. T} T{ unsigned integer (16 bit) T} T{ queue_number_from T} T{ Sets initial queue in the range, if fanout is used. T} T{ unsigned integer (16 bit) T} T{ queue_number_to T} T{ Sets closing queue in the range, if fanout is used. T} T{ unsigned integer (16 bit) T} .TE .PP \fBqueue statement flags\fR .TS allbox ; l | l. T{ Flag T} T{ Description T} .T& l | l l | l. T{ bypass T} T{ Let packets go through if userspace application cannot back off. Before using this flag, read libnetfilter_queue documentation for performance tuning recomendations. T} T{ fanout T} T{ Distribute packets between several queues. T} .TE .SH "ADDITIONAL COMMANDS" These are some additional commands included in nft. .SS MONITOR The monitor command allows you to listen to Netlink events produced by the nf_tables subsystem, related to creation and deletion of objects. When they occur, nft will print to stdout the monitored events in either XML, JSON or native nft format. .PP To filter events related to a concrete object, use one of the keywords 'tables', 'chains', 'sets', 'rules', 'elements' , 'ruleset'. .PP To filter events related to a concrete action, use keyword 'new' or 'destroy'. .PP Hit ^C to finish the monitor operation. .PP \fBListen to all events, report in native nft format\fR .PP .nf \*(T< % nft monitor \*(T> .fi .PP \fBListen to added tables, report in XML format\fR .PP .nf \*(T< % nft monitor new tables xml \*(T> .fi .PP \fBListen to deleted rules, report in JSON format\fR .PP .nf \*(T< % nft monitor destroy rules json \*(T> .fi .PP \fBListen to both new and destroyed chains, in native nft format\fR .PP .nf \*(T< % nft monitor chains \*(T> .fi .PP \fBListen to ruleset events such as table, chain, rule, set, counters and quotas, in native nft format\fR .PP .nf \*(T< % nft monitor ruleset \*(T> .fi .SH "ERROR REPORTING" When an error is detected, nft shows the line(s) containing the error, the position of the erroneous parts in the input stream and marks up the erroneous parts using carrets (\*(T<^\*(T>). If the error results from the combination of two expressions or statements, the part imposing the constraints which are violated is marked using tildes (\*(T<~\*(T>). .PP For errors returned by the kernel, nft can't detect which parts of the input caused the error and the entire command is marked. .PP \fBError caused by single incorrect expression\fR .PP .nf \*(T< :1:19\-22: Error: Interface does not exist filter output oif eth0 ^^^^ \*(T> .fi .PP \fBError caused by invalid combination of two expressions\fR .PP .nf \*(T< :1:28\-36: Error: Right hand side of relational expression (==) must be constant filter output tcp dport == tcp dport ~~ ^^^^^^^^^ \*(T> .fi .PP \fBError returned by the kernel\fR .PP .nf \*(T< :0:0\-23: Error: Could not process rule: Operation not permitted filter output oif wlan0 ^^^^^^^^^^^^^^^^^^^^^^^ \*(T> .fi .SH "EXIT STATUS" On success, nft exits with a status of 0. Unspecified errors cause it to exit with a status of 1, memory allocation errors with a status of 2, unable to open Netlink socket with 3. .SH "SEE ALSO" iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8) .PP There is an official wiki at: https://wiki.nftables.org .SH AUTHORS nftables was written by Patrick McHardy and Pablo Neira Ayuso, among many other contributors from the Netfilter community. .SH COPYRIGHT .nf Copyright \(co 2008\-2014 Patrick McHardy <\*(T> Copyright \(co 2013\-2016 Pablo Neira Ayuso <\*(T> .fi .PP nftables is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. .PP This documentation is licenced under the terms of the Creative Commons Attribution-ShareAlike 4.0 license, .URL http://creativecommons.org/licenses/by-sa/4.0/ "CC BY-SA 4.0" \&.