LIBNFTABLES-JSON(5)                                        LIBNFTABLES-JSON(5)

NAME

       libnftables-json - Supported JSON schema by libnftables


SYNOPSIS

       { "nftables": [ OBJECTS ] }

       OBJECTS := LIST_OBJECTS | CMD_OBJECTS

       LIST_OBJECTS := LIST_OBJECT [ , LIST_OBJECTS ]

       CMD_OBJECTS := CMD_OBJECT [ , CMD_OBJECTS ]

       CMD_OBJECT := { CMD: LIST_OBJECT } | METAINFO_OBJECT

       CMD := "add" | "replace" | "create" | "insert" | "delete" | "list" |
       "reset" | "flush" | "rename"

       LIST_OBJECT := TABLE | CHAIN | RULE | SET | MAP | ELEMENT | FLOWTABLE |
       COUNTER | QUOTA | CT_HELPER | LIMIT | METAINFO_OBJECT | CT_TIMEOUT


DESCRIPTION

       libnftables supports JSON formatted input and output. This is
       implemented as an alternative frontend to the standard CLI syntax
       parser, therefore basic behaviour is identical and, for (almost) any
       operation available in standard syntax, there should be an equivalent
       one in JSON.

       JSON input may be provided in a single string as parameter to
       nft_run_cmd_from_buffer() or in a file identified by the filename
       parameter of the nft_run_cmd_from_filename() function.

       JSON output has to be enabled via the nft_ctx_output_set_json()
       function, turning library standard output into JSON format. Error
       output remains unaffected.


GLOBAL STRUCTURE

       In general, any JSON input or output is enclosed in an object with a
       single property named nftables. Its value is an array containing
       commands (for input) or ruleset elements (for output).

       A command is an object with a single property whose name identifies the
       command. Its value is a ruleset element - basically identical to output
       elements, apart from certain properties which may be interpreted
       differently or are required when output generally omits them.


METAINFO OBJECT

       In output, the first object in an nftables array is a special one
       containing library information. Its content is as follows:

           { "metainfo": {
                   "version": STRING,
                   "release_name": STRING,
                   "json_schema_version": NUMBER
           }}

       The values of version and release_name properties are equal to the
       package version and release name as printed by nft -v. The value of the
       json_schema_version property is an integer indicating the schema
       version.

       If supplied in library input, the parser will verify the
       json_schema_version value to not exceed the internally hardcoded one
       (to make sure the given schema is fully understood). In future, a lower
       number than the internal one may activate compatibility mode to parse
       outdated and incompatible JSON input.


COMMAND OBJECTS

       The structure accepts an arbitrary amount of commands which are
       interpreted in order of appearance. For instance, the following
       standard syntax input:

           flush ruleset
           add table inet mytable
           add chain inet mytable mychain
           add rule inet mytable mychain tcp dport 22 accept

       translates into JSON as such:

           { "nftables": [
                   { "flush": { "ruleset": null }},
                   { "add": { "table": {
                                   "family": "inet",
                                   "name": "mytable"
                   }}},
                   { "add": { "chain": {
                                   "family": "inet",
                                   "table": "mytable",
                                   "name": "mychain"
                   }}},
                   { "add": { "rule": {
                                   "family": "inet",
                                   "table": "mytable",
                                   "chain": "mychain",
                                   "expr": [
                                           { "match": {
                                                   "left": { "payload": {
                                                                   "protocol": "tcp",
                                                                   "field": "dport"
                                                   }},
                                                   "right": 22,
                                                   "op": "=="
                                           }},
                                           { "accept": null }
                                   ]
                   }}}
           ]}

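       The following Python helpers, added here and not taken from the
       libnftables man page, build the command document shown above and check
       the GLOBAL STRUCTURE and METAINFO rules described earlier: a single
       nftables property holding an array, one property per command object,
       and a json_schema_version that does not exceed the supported one. The
       value of SUPPORTED_SCHEMA_VERSION is an assumption standing in for the
       version the library hardcodes internally.

```python
"""Build and structurally check a libnftables JSON command document.

Added example (not part of the libnftables man page). SUPPORTED_SCHEMA_VERSION
is an assumption standing in for the library's internally hardcoded value.
"""
import json

SUPPORTED_SCHEMA_VERSION = 1  # assumption for this example

# CMD names from the SYNOPSIS of the page.
COMMANDS = {"add", "replace", "create", "insert", "delete", "list",
            "reset", "flush", "rename"}
# Singular LIST_OBJECT kinds from the SYNOPSIS plus "ruleset" (used by flush);
# the plural list-all forms of the LIST command are not modelled here.
OBJECTS = {"table", "chain", "rule", "set", "map", "element", "flowtable",
           "counter", "quota", "ct helper", "limit", "metainfo",
           "ct timeout", "ruleset"}


def table(family, name):
    return {"table": {"family": family, "name": name}}


def chain(family, table_name, name):
    # CHAIN objects carry the chain's name in "name" (see RULESET ELEMENTS).
    return {"chain": {"family": family, "table": table_name, "name": name}}


def rule(family, table_name, chain_name, expr):
    return {"rule": {"family": family, "table": table_name,
                     "chain": chain_name, "expr": list(expr)}}


def payload(protocol, field):
    return {"payload": {"protocol": protocol, "field": field}}


def match(left, right, op="=="):
    # The JSON API requires an explicit operator (see MATCH under STATEMENTS).
    return {"match": {"left": left, "right": right, "op": op}}


def command(cmd, obj):
    return {cmd: obj}


def document(commands):
    return {"nftables": list(commands)}


def validate(doc, supported=SUPPORTED_SCHEMA_VERSION):
    """Return a list of structural problems; an empty list means the document
    follows the GLOBAL STRUCTURE and METAINFO rules of the page."""
    if not isinstance(doc, dict) or set(doc) != {"nftables"}:
        return ["top level must be an object with the single property 'nftables'"]
    items = doc["nftables"]
    if not isinstance(items, list):
        return ["'nftables' must be an array"]
    errors = []
    for i, item in enumerate(items):
        if not isinstance(item, dict) or len(item) != 1:
            errors.append(f"item {i}: must be an object with exactly one property")
            continue
        (key, value), = item.items()
        if key == "metainfo":
            ver = value.get("json_schema_version") if isinstance(value, dict) else None
            if not isinstance(ver, int) or ver > supported:
                errors.append(f"item {i}: json_schema_version {ver!r} exceeds {supported}")
        elif key in COMMANDS:
            if not isinstance(value, dict) or len(value) != 1:
                errors.append(f"item {i}: '{key}' needs exactly one ruleset element")
            elif next(iter(value)) not in OBJECTS:
                errors.append(f"item {i}: unknown ruleset element '{next(iter(value))}'")
        elif key not in OBJECTS:  # bare elements are fine: that is list output
            errors.append(f"item {i}: unknown command or element '{key}'")
    return errors


def ssh_example():
    """The page's standard-syntax example, built with the helpers above."""
    return document([
        command("flush", {"ruleset": None}),
        command("add", table("inet", "mytable")),
        command("add", chain("inet", "mytable", "mychain")),
        command("add", rule("inet", "mytable", "mychain", [
            match(payload("tcp", "dport"), 22),
            {"accept": None},
        ])),
    ])


if __name__ == "__main__":
    doc = ssh_example()
    print(json.dumps(doc, indent=2))
    print("problems:", validate(doc))
```
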
   ADD
           { "add": ADD_OBJECT }

           ADD_OBJECT := TABLE | CHAIN | RULE | SET | MAP | ELEMENT |
                           FLOWTABLE | COUNTER | QUOTA | CT_HELPER | LIMIT |
                           CT_TIMEOUT

       Add a new ruleset element to the kernel.

   REPLACE
           { "replace": RULE }

       Replace a rule. In RULE, the handle property is mandatory and
       identifies the rule to be replaced.

   CREATE
           { "create": ADD_OBJECT }

       Identical to add command, but returns an error if the object already
       exists.

   INSERT
           { "insert": RULE }

       This command is identical to add for rules, but instead of appending
       the rule to the chain by default, it inserts at first position. If a
       handle or index property is given, the rule is inserted before the rule
       identified by those properties.

   DELETE
           { "delete": ADD_OBJECT }

       Delete an object from the ruleset. Only the minimal number of
       properties required to uniquely identify an object is generally needed
       in ADD_OBJECT. For most ruleset elements, this is family and table plus
       either handle or name (except rules since they don’t have a name).

   LIST
           { "list": LIST_OBJECT }

           LIST_OBJECT := TABLE | TABLES | CHAIN | CHAINS | SET | SETS |
                            MAP | MAPS | COUNTER | COUNTERS | QUOTA | QUOTAS |
                            CT_HELPER | CT_HELPERS | LIMIT | LIMITS | RULESET |
                            METER | METERS | FLOWTABLES | CT_TIMEOUT

       List ruleset elements. The plural forms are used to list all objects of
       that kind, optionally filtered by family and, for some, also by table.

   RESET
           { "reset": RESET_OBJECT }

           RESET_OBJECT := COUNTER | COUNTERS | QUOTA | QUOTAS

       Reset state in suitable objects, i.e. zero their internal counter.

   FLUSH
           { "flush": FLUSH_OBJECT }

           FLUSH_OBJECT := TABLE | CHAIN | SET | MAP | METER | RULESET

       Empty contents in given object, e.g. remove all chains from given table
       or remove all elements from given set.

   RENAME
           { "rename": CHAIN }

       Rename a chain. The new name is expected in a dedicated property named
       newname.


RULESET ELEMENTS

   TABLE
           { "table": {
                   "family": STRING,
                   "name": STRING,
                   "handle": NUMBER
           }}

       This object describes a table.

       family
           The table’s family, e.g. "ip" or "ip6".

       name
           The table’s name.

       handle
           The table’s handle. In input, it is used only in delete command as
           alternative to name.

   CHAIN
           { "chain": {
                   "family": STRING,
                   "table": STRING,
                   "name": STRING,
                   "newname": STRING,
                   "handle": NUMBER,
                   "type": STRING,
                   "hook": STRING,
                   "prio": NUMBER,
                   "dev": STRING,
                   "policy": STRING
           }}

       This object describes a chain.

       family
           The table’s family.

       table
           The table’s name.

       name
           The chain’s name.

       handle
           The chain’s handle. In input, it is used only in delete command as
           alternative to name.

       newname
           A new name for the chain, only relevant in the rename command.

       The following properties are required for base chains:

       type
           The chain’s type.

       hook
           The chain’s hook.

       prio
           The chain’s priority.

       dev
           The chain’s bound interface (if in the netdev family).

       policy
           The chain’s policy.

   RULE
           { "rule": {
                   "family": STRING,
                   "table": STRING,
                   "chain": STRING,
                   "expr": [ STATEMENTS ],
                   "handle": NUMBER,
                   "index": NUMBER,
                   "comment": STRING
           }}

           STATEMENTS := STATEMENT [, STATEMENTS ]

       This object describes a rule. Basic building blocks of rules are
       statements. Each rule consists of at least one.

       family
           The table’s family.

       table
           The table’s name.

       chain
           The chain’s name.

       expr
           An array of statements this rule consists of. In input, it is used
           in add/insert/replace commands only.

       handle
           The rule’s handle. In delete/replace commands, it serves as an
           identifier of the rule to delete/replace. In add/insert commands,
           it serves as an identifier of an existing rule to append/prepend
           the rule to.

       index
           The rule’s position for add/insert commands. It is used as an
           alternative to handle then.

       comment
           Optional rule comment.

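       The DELETE command and the RULE object above imply a common maintenance
       task: take JSON list output, pick rules by some property and emit
       delete commands carrying only family, table, chain and handle. The
       Python below is an added example, not code from the libnftables man
       page; its list output is a constructed sample in the layout the page
       describes (a metainfo object followed by ruleset elements), and the
       "tmp-" comment convention is an assumption of the example.

```python
"""Derive minimal DELETE commands from libnftables JSON list output.

Added example, not code from the libnftables man page. A rule is identified
for deletion by family, table, chain and handle, so the generated commands
carry only those four properties. LIST_OUTPUT is a constructed sample.
"""
import json

# Constructed sample in the layout of `nft -j list ruleset` output; not a capture.
LIST_OUTPUT = json.loads("""
{ "nftables": [
  { "metainfo": { "version": "0.0.0-sample", "release_name": "sample",
                  "json_schema_version": 1 }},
  { "table": { "family": "inet", "name": "filter", "handle": 1 }},
  { "chain": { "family": "inet", "table": "filter", "name": "input", "handle": 1,
               "type": "filter", "hook": "input", "prio": 0, "policy": "drop" }},
  { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 4,
              "expr": [ { "match": { "left": { "payload": { "protocol": "tcp", "field": "dport" }},
                                     "right": 22, "op": "==" }},
                        { "accept": null } ] }},
  { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 7,
              "comment": "tmp-debug-allow",
              "expr": [ { "match": { "left": { "payload": { "protocol": "tcp", "field": "dport" }},
                                     "right": 8080, "op": "==" }},
                        { "accept": null } ] }},
  { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 9,
              "comment": "tmp-debug-log",
              "expr": [ { "log": { "prefix": "dbg " }} ] }}
]}
""")


def ruleset_elements(doc, kind):
    """Yield the ruleset elements of one kind ("rule", "chain", ...) from list
    output, skipping the leading metainfo object and elements of other kinds."""
    for item in doc["nftables"]:
        if kind in item:
            yield item[kind]


def delete_rule_command(rule):
    """Build { "delete": { "rule": ... }} with only the identifying properties."""
    if "handle" not in rule:
        raise ValueError("rules have no name; deletion needs the handle")
    ident = {k: rule[k] for k in ("family", "table", "chain", "handle")}
    return {"delete": {"rule": ident}}


def deletes_for_comment_prefix(doc, prefix):
    """A command document removing every rule whose comment starts with prefix."""
    rules = [r for r in ruleset_elements(doc, "rule")
             if r.get("comment", "").startswith(prefix)]
    return {"nftables": [delete_rule_command(r) for r in rules]}


def base_chains_with_policy(doc, policy):
    """Audit helper: names of base chains (those with a hook) using policy."""
    return [c["name"] for c in ruleset_elements(doc, "chain")
            if "hook" in c and c.get("policy") == policy]


if __name__ == "__main__":
    print(json.dumps(deletes_for_comment_prefix(LIST_OUTPUT, "tmp-"), indent=2))
```

       Because the generated document is itself valid JSON input, it can be
       handed back to nft_run_cmd_from_buffer() unchanged.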
   SET / MAP
           { "set": {
                   "family": STRING,
                   "table": STRING,
                   "name": STRING,
                   "handle": NUMBER,
                   "type": SET_TYPE,
                   "policy": SET_POLICY,
                   "flags": [ SET_FLAG_LIST ],
                   "elem": SET_ELEMENTS,
                   "timeout": NUMBER,
                   "gc-interval": NUMBER,
                   "size": NUMBER
           }}

           { "map": {
                   "family": STRING,
                   "table": STRING,
                   "name": STRING,
                   "handle": NUMBER,
                   "type": SET_TYPE,
                   "map": STRING,
                   "policy": SET_POLICY,
                   "flags": [ SET_FLAG_LIST ],
                   "elem": SET_ELEMENTS,
                   "timeout": NUMBER,
                   "gc-interval": NUMBER,
                   "size": NUMBER
           }}

           SET_TYPE := STRING | [ SET_TYPE_LIST ]
           SET_TYPE_LIST := STRING [, SET_TYPE_LIST ]
           SET_POLICY := "performance" | "memory"
           SET_FLAG_LIST := SET_FLAG [, SET_FLAG_LIST ]
           SET_FLAG := "constant" | "interval" | "timeout"
           SET_ELEMENTS := EXPRESSION | [ EXPRESSION_LIST ]
           EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]

       These objects describe a named set or map. Maps are a special form of
       sets in that they translate a unique key to a value.

       family
           The table’s family.

       table
           The table’s name.

       name
           The set’s name.

       handle
           The set’s handle. For input, it is used in the delete command only.

       type
           The set’s datatype, see below.

       map
           Type of values this set maps to (i.e. this set is a map).

       policy
           The set’s policy.

       flags
           The set’s flags.

       elem
           Initial set element(s), see below.

       timeout
           Element timeout in seconds.

       gc-interval
           Garbage collector interval in seconds.

       size
           Maximum number of elements supported.

       TYPE
           The set type might be a string, such as "ipv4_addr" or an array
           consisting of strings (for concatenated types).

       ELEM
           A single set element might be given as string, integer or boolean
           value for simple cases. If additional properties are required, a
           formal elem object may be used.

           Multiple elements may be given in an array.

   ELEMENT
           { "element": {
                   "family": STRING,
                   "table": STRING,
                   "name": STRING,
                   "elem": SET_ELEM
           }}

           SET_ELEM := EXPRESSION | [ EXPRESSION_LIST ]
           EXPRESSION_LIST := EXPRESSION [, EXPRESSION ]

       Manipulate element(s) in a named set.

       family
           The table’s family.

       table
           The table’s name.

       name
           The set’s name.

       elem
           See elem property of set object.

   FLOWTABLE
           { "flowtable": {
                   "family": STRING,
                   "table": STRING,
                   "name": STRING,
                   "hook": STRING,
                   "prio": NUMBER,
                   "dev": FT_INTERFACE
           }}

           FT_INTERFACE := STRING | [ FT_INTERFACE_LIST ]
           FT_INTERFACE_LIST := STRING [, STRING ]

       This object represents a named flowtable.

       family
           The table’s family.

       table
           The table’s name.

       name
           The flow table’s name.

       hook
           The flow table’s hook.

       prio
           The flow table’s priority.

       dev
           The flow table’s interface(s).

   COUNTER
           { "counter": {
                   "family": STRING,
                   "table": STRING,
                   "name": STRING,
                   "handle": NUMBER,
                   "packets": NUMBER,
                   "bytes": NUMBER
           }}

       This object represents a named counter.

       family
           The table’s family.

       table
           The table’s name.

       name
           The counter’s name.

       handle
           The counter’s handle. In input, it is used by the delete command
           only.

       packets
           Packet counter value.

       bytes
           Byte counter value.

   QUOTA
           { "quota": {
                   "family": STRING,
                   "table": STRING,
                   "name": STRING,
                   "handle": NUMBER,
                   "bytes": NUMBER,
                   "used": NUMBER,
                   "inv": BOOLEAN
           }}

       This object represents a named quota.

       family
           The table’s family.

       table
           The table’s name.

       name
           The quota’s name.

       handle
           The quota’s handle. In input, it is used by the delete command
           only.

       bytes
           Quota threshold.

       used
           Quota used so far.

       inv
           If true, match if the quota has been exceeded.

   CT HELPER
           { "ct helper": {
                   "family": STRING,
                   "table": STRING,
                   "name": STRING,
                   "handle": NUMBER,
                   "type": STRING,
                   "protocol": CTH_PROTO,
                   "l3proto": STRING
           }}

           CTH_PROTO := "tcp" | "udp"

       This object represents a named conntrack helper.

       family
           The table’s family.

       table
           The table’s name.

       name
           The ct helper’s name.

       handle
           The ct helper’s handle. In input, it is used by the delete command
           only.

       type
           The ct helper type name, e.g. "ftp" or "tftp".

       protocol
           The ct helper’s layer 4 protocol.

       l3proto
           The ct helper’s layer 3 protocol, e.g. "ip" or "ip6".

   LIMIT
           { "limit": {
                   "family": STRING,
                   "table": STRING,
                   "name": STRING,
                   "handle": NUMBER,
                   "rate": NUMBER,
                   "per": STRING,
                   "burst": NUMBER,
                   "unit": LIMIT_UNIT,
                   "inv": BOOLEAN
           }}

           LIMIT_UNIT := "packets" | "bytes"

       This object represents a named limit.

       family
           The table’s family.

       table
           The table’s name.

       name
           The limit’s name.

       handle
           The limit’s handle. In input, it is used by the delete command
           only.

       rate
           The limit’s rate value.

       per
           Time unit to apply the limit to, e.g. "week", "day", "hour", etc.
           If omitted, defaults to "second".

       burst
           The limit’s burst value. If omitted, defaults to 0.

       unit
           Unit of rate and burst values. If omitted, defaults to "packets".

       inv
           If true, match if limit was exceeded. If omitted, defaults to
           false.

   CT TIMEOUT
           { "ct timeout": {
                   "family": STRING,
                   "table": STRING,
                   "name": STRING,
                   "handle": NUMBER,
                   "protocol": CTH_PROTO,
                   "state": STRING,
                   "value": NUMBER,
                   "l3proto": STRING
           }}

           CTH_PROTO := "tcp" | "udp" | "dccp" | "sctp" | "gre" | "icmpv6" | "icmp" | "generic"

       This object represents a named conntrack timeout policy.

       family
           The table’s family.

       table
           The table’s name.

       name
           The ct timeout object’s name.

       handle
           The ct timeout object’s handle. In input, it is used by delete
           command only.

       protocol
           The ct timeout object’s layer 4 protocol.

       state
           The connection state name, e.g. "established", "syn_sent", "close"
           or "close_wait", for which the timeout value has to be updated.

       value
           The updated timeout value for the specified connection state.

       l3proto
           The ct timeout object’s layer 3 protocol, e.g. "ip" or "ip6".


STATEMENTS

       Statements are the building blocks for rules. Each rule consists of at
       least one.

   VERDICT
           { "accept": null }
           { "drop": null }
           { "continue": null }
           { "return": null }
           { "jump": { "target": STRING }}
           { "goto": { "target": STRING }}

       A verdict either terminates packet traversal through the current chain
       or delegates to a different one.

       jump and goto statements expect a target chain name.

   MATCH
           { "match": {
                   "left": EXPRESSION,
                   "right": EXPRESSION,
                   "op": STRING
           }}

       This matches the expression on left hand side (typically a packet
       header or packet meta info) with the expression on right hand side
       (typically a constant value). If the statement evaluates to true, the
       next statement in this rule is considered. If not, processing continues
       with the next rule in the same chain.

       left
           Left hand side of this match.

       right
           Right hand side of this match.

       op
           Operator indicating the type of comparison.

       OPERATORS
           &    Binary AND

           |    Binary OR

           ^    Binary XOR

           <<   Left shift

           >>   Right shift

           ==   Equal

           !=   Not equal

           <    Less than

           >    Greater than

           <=   Less than or equal to

           >=   Greater than or equal to

           in   Perform a lookup, i.e.
                test if bits on RHS are
                contained in LHS value

           Unlike with the standard API, the operator is mandatory here. In
           the standard API, a missing operator may be resolved in two ways,
           depending on the type of expression on the RHS:

           ·   If the RHS is a bitmask or a list of bitmasks, the expression
               resolves into a binary operation with the inequality operator,
               like this: LHS & RHS != 0.

           ·   In any other case, the equality operator is simply inserted.

           For the non-trivial first case, the JSON API supports the in
           operator.

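       The Python model below, added here and not taken from the libnftables
       man page, walks a chain of RULE objects the way the MATCH description
       above specifies: a failed match ends the rule and the chain moves on,
       a verdict ends traversal, and "in" is the bitmask test LHS & RHS != 0.
       It also resolves the anonymous set and range expressions described
       under EXPRESSIONS. The packet layout {(protocol, field): value, "len":
       n}, the sample rules and the TCP flag bit values are assumptions of this
       example.

```python
"""Evaluate libnftables JSON rule statements against a constructed packet.

Added example, not code from the libnftables man page. Packet layout
{(protocol, field): value, "len": n}, sample rules and flag bit values are
assumptions of this example.
"""
import functools
import operator

VERDICTS = {"accept", "drop", "continue", "return", "jump", "goto"}
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       ">": operator.gt, "<=": operator.le, ">=": operator.ge}

def resolve(expr, packet):
    """Turn a JSON expression into a Python value for comparison."""
    if isinstance(expr, (str, int)):               # IMMEDIATE (bool is an int)
        return expr
    if isinstance(expr, list):                     # LIST
        return [resolve(e, packet) for e in expr]
    if isinstance(expr, dict) and len(expr) == 1:
        (kind, arg), = expr.items()
        if kind == "payload":                      # {"protocol": ..., "field": ...}
            return packet[(arg["protocol"], arg["field"])]
        if kind == "set":                          # anonymous set
            return {"set": [resolve(e, packet) for e in arg]}
        if kind == "range":                        # [lower, upper], inclusive
            return {"range": (resolve(arg[0], packet), resolve(arg[1], packet))}
    raise ValueError(f"unsupported expression: {expr!r}")

def _eq_or_ne(hit, op):
    if op == "==":
        return hit
    if op == "!=":
        return not hit
    raise ValueError(f"operator {op!r} is not valid against a set or range")

def compare(lhs, rhs, op):
    """Apply one MATCH operator to resolved left and right hand sides."""
    if isinstance(rhs, dict) and "set" in rhs:     # membership test
        return _eq_or_ne(any(compare(lhs, e, "==") for e in rhs["set"]), op)
    if isinstance(rhs, dict) and "range" in rhs:   # lower <= lhs <= upper
        lo, hi = rhs["range"]
        return _eq_or_ne(lo <= lhs <= hi, op)
    if op == "in":
        # RHS is one bitmask or a list of bitmasks; this example ORs a list
        # into a single mask and applies LHS & RHS != 0 as the page states.
        mask = rhs if isinstance(rhs, int) else functools.reduce(operator.or_, rhs, 0)
        return (lhs & mask) != 0
    return OPS[op](lhs, rhs)

def evaluate_rule(rule_obj, packet, counters=None):
    """Return the verdict a rule issues for packet, or None when a match fails
    (or no verdict is reached), in which case the next rule in the chain is
    considered. Anonymous counters are tallied in the optional counters dict."""
    for stmt in rule_obj["rule"]["expr"]:
        (kind, arg), = stmt.items()
        if kind == "match":
            if not compare(resolve(arg["left"], packet),
                           resolve(arg["right"], packet), arg["op"]):
                return None
        elif kind == "counter":
            if counters is not None:
                counters["packets"] = counters.get("packets", 0) + 1
                counters["bytes"] = counters.get("bytes", 0) + packet.get("len", 0)
        elif kind in VERDICTS:
            return kind
        else:
            raise ValueError(f"statement {kind!r} is not modelled here")
    return None

def evaluate_chain(rules, packet, policy="accept", counters=None):
    """First verdict issued by the rules, in order, else the chain policy."""
    for rule_obj in rules:
        verdict = evaluate_rule(rule_obj, packet, counters)
        if verdict is not None:
            return verdict
    return policy

def _tcp(field):
    return {"payload": {"protocol": "tcp", "field": field}}

def _rule(*expr):
    return {"rule": {"family": "inet", "table": "mytable", "chain": "mychain",
                     "expr": list(expr)}}

# Constructed sample chain: the page's own rule followed by two more.
RULES = [
    _rule({"match": {"left": _tcp("dport"), "right": 22, "op": "=="}},
          {"accept": None}),
    _rule({"match": {"left": _tcp("dport"), "right": {"set": [80, 443]}, "op": "=="}},
          {"counter": {}}, {"accept": None}),
    # tcp flags & (syn | ack) != 0 and dport 1024-65535, using the "in"
    # operator; assumed bit values: syn = 0x02, ack = 0x10
    _rule({"match": {"left": _tcp("flags"), "right": [0x02, 0x10], "op": "in"}},
          {"match": {"left": _tcp("dport"), "right": {"range": [1024, 65535]}, "op": "=="}},
          {"drop": None}),
]
```
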
   COUNTER
           { "counter": {
                   "packets": NUMBER,
                   "bytes": NUMBER
           }}

           { "counter": STRING }

       This object represents a byte/packet counter. In input, no properties
       are required. If given, they act as initial values for the counter.

       The first form creates an anonymous counter which lives in the rule it
       appears in. The second form specifies a reference to a named counter
       object.

       packets
           Packets counted.

       bytes
           Bytes counted.

   MANGLE
           { "mangle": {
                   "key": EXPRESSION,
                   "value": EXPRESSION
           }}

       This changes the packet data or meta info.

       key
           The packet data to be changed, given as an exthdr, payload, meta,
           ct or ct helper expression.

       value
           Value to change data to.

   QUOTA
           { "quota": {
                   "val": NUMBER,
                   "val_unit": STRING,
                   "used": NUMBER,
                   "used_unit": STRING,
                   "inv": BOOLEAN
           }}

           { "quota": STRING }

       The first form creates an anonymous quota which lives in the rule it
       appears in. The second form specifies a reference to a named quota
       object.

       val
           Quota value.

       val_unit
           Unit of val, e.g. "kbytes" or "mbytes". If omitted, defaults to
           "bytes".

       used
           Quota used so far. Optional on input. If given, serves as initial
           value.

       used_unit
           Unit of used. Defaults to "bytes".

       inv
           If true, will match if quota was exceeded. Defaults to false.

   LIMIT
           { "limit": {
                   "rate": NUMBER,
                   "rate_unit": STRING,
                   "per": STRING,
                   "burst": NUMBER,
                   "burst_unit": STRING,
                   "inv": BOOLEAN
           }}

           { "limit": STRING }

       The first form creates an anonymous limit which lives in the rule it
       appears in. The second form specifies a reference to a named limit
       object.

       rate
           Rate value to limit to.

       rate_unit
           Unit of rate, e.g. "packets" or "mbytes". Defaults to "packets".

       per
           Denominator of rate, e.g. "week" or "minutes".

       burst
           Burst value. Defaults to 0.

       burst_unit
           Unit of burst, ignored if rate_unit is "packets". Defaults to
           "bytes".

       inv
           If true, matches if the limit was exceeded. Defaults to false.

   FWD
           { "fwd": {
                   "dev": EXPRESSION,
                   "family": FWD_FAMILY,
                   "addr": EXPRESSION
           }}

           FWD_FAMILY := "ip" | "ip6"

       Forward a packet to a different destination.

       dev
           Interface to forward the packet on.

       family
           Family of addr.

       addr
           IP(v6) address to forward the packet to.

       Both family and addr are optional, but if at least one is given, both
       must be present.

   NOTRACK
           { "notrack": null }

       Disable connection tracking for the packet.

   DUP
           { "dup": {
                   "addr": EXPRESSION,
                   "dev": EXPRESSION
           }}

       Duplicate a packet to a different destination.

       addr
           Address to duplicate packet to.

       dev
           Interface to duplicate packet on. May be omitted to not specify an
           interface explicitly.

   NETWORK ADDRESS TRANSLATION
           { "snat": {
                   "addr": EXPRESSION,
                   "family": STRING,
                   "port": EXPRESSION,
                   "flags": FLAGS
           }}

           { "dnat": {
                   "addr": EXPRESSION,
                   "family": STRING,
                   "port": EXPRESSION,
                   "flags": FLAGS
           }}

           { "masquerade": {
                   "port": EXPRESSION,
                   "flags": FLAGS
           }}

           { "redirect": {
                   "port": EXPRESSION,
                   "flags": FLAGS
           }}

           FLAGS := FLAG | [ FLAG_LIST ]
           FLAG_LIST := FLAG [, FLAG_LIST ]
           FLAG := "random" | "fully-random" | "persistent"

       Perform Network Address Translation.

       addr
           Address to translate to.

       family
           Family of addr, either ip or ip6. Required in inet table family.

       port
           Port to translate to.

       flags
           Flag(s).

       All properties are optional and default to none.

   REJECT
           { "reject": {
                   "type": STRING,
                   "expr": EXPRESSION
           }}

       Reject the packet and send the given error reply.

       type
           Type of reject, either "tcp reset", "icmpx", "icmp" or "icmpv6".

       expr
           ICMP type to reject with.

       All properties are optional.

   SET
           { "set": {
                   "op": STRING,
                   "elem": EXPRESSION,
                   "set": STRING
           }}

       Dynamically add/update elements to a set.

       op
           Operator on set, either "add" or "update".

       elem
           Set element to add or update.

       set
           Set reference.

   LOG
           { "log": {
                   "prefix": STRING,
                   "group": NUMBER,
                   "snaplen": NUMBER,
                   "queue-threshold": NUMBER,
                   "level": LEVEL,
                   "flags": FLAGS
           }}

           LEVEL := "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
                      "info" | "debug" | "audit"

           FLAGS := FLAG | [ FLAG_LIST ]
           FLAG_LIST := FLAG [, FLAG_LIST ]
           FLAG := "tcp sequence" | "tcp options" | "ip options" | "skuid" |
                     "ether" | "all"

       Log the packet.

       prefix
           Prefix for log entries.

       group
           Log group.

       snaplen
           Snaplen for logging.

       queue-threshold
           Queue threshold.

       level
           Log level. Defaults to "warn".

       flags
           Log flags.

       All properties are optional.

   CT HELPER
           { "ct helper": EXPRESSION }

       Enable the specified conntrack helper for this packet.

       ct helper
           CT helper reference.

   METER
           { "meter": {
                   "name": STRING,
                   "key": EXPRESSION,
                   "stmt": STATEMENT
           }}

       Apply a given statement using a meter.

       name
           Meter name.

       key
           Meter key.

       stmt
           Meter statement.

   QUEUE
           { "queue": {
                   "num": EXPRESSION,
                   "flags": FLAGS
           }}

           FLAGS := FLAG | [ FLAG_LIST ]
           FLAG_LIST := FLAG [, FLAG_LIST ]
           FLAG := "bypass" | "fanout"

       Queue the packet to userspace.

       num
           Queue number.

       flags
           Queue flags.

   VERDICT MAP
           { "vmap": {
                   "key": EXPRESSION,
                   "data": EXPRESSION
           }}

       Apply a verdict conditionally.

       key
           Map key.

       data
           Mapping expression consisting of value/verdict pairs.

   CT COUNT
           { "ct count": {
                   "val": NUMBER,
                   "inv": BOOLEAN
           }}

       Limit the number of connections using conntrack.

       val
           Connection count threshold.

       inv
           If true, match if val was exceeded. If omitted, defaults to false.

   CT TIMEOUT
           { "ct timeout": EXPRESSION }

       Assign connection tracking timeout policy.

       ct timeout
           CT timeout reference.

   XT
           { "xt": null }

       This represents an xt statement from the xtables compat interface.
       Sadly, at this point, it is not possible to provide any further
       information about its content.


EXPRESSIONS

       Expressions are the building blocks of (most) statements. In their most
       basic form, they are just immediate values represented as a JSON
       string, integer or boolean type.

   IMMEDIATES
           STRING
           NUMBER
           BOOLEAN

       Immediate expressions are typically used for constant values. For
       strings, there are two special cases:

       @STRING
           The remaining part is taken as set name to create a set reference.

       *
           Construct a wildcard expression.

   LISTS
           ARRAY

       List expressions are constructed by plain arrays containing an
       arbitrary number of expressions.

   CONCAT
           { "concat": CONCAT }

           CONCAT := [ EXPRESSION_LIST ]
           EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]

       Concatenate several expressions.

   SET
           { "set": SET }

           SET := EXPRESSION | [ EXPRESSION_LIST ]

       This object constructs an anonymous set. For mappings, an array of
       arrays with exactly two elements is expected.

   MAP
           { "map": {
                   "key": EXPRESSION,
                   "data": EXPRESSION
           }}

       Map a key to a value.

       key
           Map key.

       data
           Mapping expression consisting of value/target pairs.

   PREFIX
           { "prefix": {
                   "addr": EXPRESSION,
                   "len": NUMBER
           }}

       Construct an IPv4 or IPv6 prefix consisting of the address part in addr
       and the prefix length in len.

   RANGE
           { "range": [ EXPRESSION , EXPRESSION ] }

       Construct a range of values. The first array item denotes the lower
       boundary, the second one the upper boundary.

   PAYLOAD
           { "payload": {
                   "base": BASE,
                   "offset": NUMBER,
                   "len": NUMBER
           }}

           { "payload": {
                   "protocol": STRING,
                   "field": STRING
           }}

           BASE := "ll" | "nh" | "th"

       Construct a payload expression, i.e. a reference to a certain part of
       packet data. The first form creates a raw payload expression pointing
       at an arbitrary number (len) of bytes at a certain offset (offset) from
       a given reference point (base). The following base values are accepted:

       "ll"
           The offset is relative to Link Layer header start offset.

       "nh"
           The offset is relative to Network Layer header start offset.

       "th"
           The offset is relative to Transport Layer header start offset.

       The second form allows referencing a field by name (field) in a named
       packet header (protocol).

   EXTHDR
           { "exthdr": {
                   "name": STRING,
                   "field": STRING,
                   "offset": NUMBER
           }}

       Create a reference to a field (field) in an IPv6 extension header
       (name). offset is used only for the rt0 protocol.

       If the field property is not given, the expression is to be used as a
       header existence check in a match statement with a boolean on the right
       hand side.

   TCP OPTION
           { "tcp option": {
                   "name": STRING,
                   "field": STRING
           }}

       Create a reference to a field (field) of a TCP option header (name).

       If the field property is not given, the expression is to be used as a
       TCP option existence check in a match statement with a boolean on the
       right hand side.

   META
           { "meta": {
                   "key": META_KEY
           }}

           META_KEY := "length" | "protocol" | "priority" | "random" | "mark" |
                         "iif" | "iifname" | "iiftype" | "oif" | "oifname" |
                         "oiftype" | "skuid" | "skgid" | "nftrace" |
                         "rtclassid" | "ibriport" | "obriport" | "ibridgename" |
                         "obridgename" | "pkttype" | "cpu" | "iifgroup" |
                         "oifgroup" | "cgroup" | "nfproto" | "l4proto" |
                         "secpath"

       Create a reference to packet metadata.

   RT
           { "rt": {
                   "key": RT_KEY,
                   "family": RT_FAMILY
           }}

           RT_KEY := "classid" | "nexthop" | "mtu"
           RT_FAMILY := "ip" | "ip6"

       Create a reference to packet routing data.

       The family property is optional and defaults to unspecified.

   CT
           { "ct": {
                   "key": STRING,
                   "family": CT_FAMILY,
                   "dir": CT_DIRECTION
           }}

           CT_FAMILY := "ip" | "ip6"
           CT_DIRECTION := "original" | "reply"

       Create a reference to packet conntrack data.

       Some CT keys do not support a direction. In this case, dir must not be
       given.

   NUMGEN
           { "numgen": {
                   "mode": NG_MODE,
                   "mod": NUMBER,
                   "offset": NUMBER
           }}

           NG_MODE := "inc" | "random"

       Create a number generator.

       The offset property is optional and defaults to 0.

   HASH
           { "jhash": {
                   "mod": NUMBER,
                   "offset": NUMBER,
                   "expr": EXPRESSION,
                   "seed": NUMBER
           }}

           { "symhash": {
                   "mod": NUMBER,
                   "offset": NUMBER
           }}

       Hash packet data.

       The offset and seed properties are optional and default to 0.

   FIB
           { "fib": {
                   "result": FIB_RESULT,
                   "flags": FIB_FLAGS
           }}

           FIB_RESULT := "oif" | "oifname" | "type"

           FIB_FLAGS := FIB_FLAG | [ FIB_FLAG_LIST ]
           FIB_FLAG_LIST := FIB_FLAG [, FIB_FLAG_LIST ]
           FIB_FLAG := "saddr" | "daddr" | "mark" | "iif" | "oif"

       Perform kernel Forwarding Information Base lookups.

   BINARY OPERATION
           { "|": [ EXPRESSION, EXPRESSION ] }
           { "^": [ EXPRESSION, EXPRESSION ] }
           { "&": [ EXPRESSION, EXPRESSION ] }
           { "<<": [ EXPRESSION, EXPRESSION ] }
           { ">>": [ EXPRESSION, EXPRESSION ] }

       All binary operations expect an array of exactly two expressions, of
       which the first element denotes the left hand side and the second one
       the right hand side.

   VERDICT
           { "accept": null }
           { "drop": null }
           { "continue": null }
           { "return": null }
           { "jump": { "target": STRING }}
           { "goto": { "target": STRING }}

       Same as the verdict statement, but for use in verdict maps.

       jump and goto verdicts expect a target chain name.

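       As an added example (not code from the libnftables project), the
       Python below walks an expression object and checks it against the
       grammar stated in this section, from IMMEDIATES through the VERDICT
       forms above: one property per object, required and optional
       properties, the enumerated META_KEY, RT_KEY, RT_FAMILY, CT_FAMILY,
       CT_DIRECTION, NG_MODE, FIB_RESULT, FIB_FLAG and BASE values,
       two-operand binary operations and two-element ranges. The 0..128
       bound on a prefix length and the sample expressions are my own
       additions; the elem, socket and osf objects are not covered.

```python
"""Validator for libnftables JSON expression objects, following the grammar in
the EXPRESSIONS section (IMMEDIATES through VERDICT). Added example, not code
from the libnftables project; only constraints the manual states are encoded,
plus an assumed 0..128 bound on prefix lengths. Sample inputs are constructed."""

META_KEYS = {"length", "protocol", "priority", "random", "mark", "iif", "iifname",
             "iiftype", "oif", "oifname", "oiftype", "skuid", "skgid", "nftrace",
             "rtclassid", "ibriport", "obriport", "ibridgename", "obridgename",
             "pkttype", "cpu", "iifgroup", "oifgroup", "cgroup", "nfproto",
             "l4proto", "secpath"}
PAYLOAD_BASES = {"ll", "nh", "th"}
RT_KEYS = {"classid", "nexthop", "mtu"}
FAMILIES = {"ip", "ip6"}                      # RT_FAMILY and CT_FAMILY
CT_DIRS = {"original", "reply"}
NG_MODES = {"inc", "random"}
FIB_RESULTS = {"oif", "oifname", "type"}
FIB_FLAGS = {"saddr", "daddr", "mark", "iif", "oif"}
BINOPS = {"|", "^", "&", "<<", ">>"}
NULL_VERDICTS = {"accept", "drop", "continue", "return"}

# kind -> (required properties, optional properties, {property: allowed values})
OBJECT_FORMS = {
    "map":        ({"key", "data"}, set(), {}),
    "prefix":     ({"addr", "len"}, set(), {}),
    "exthdr":     ({"name"}, {"field", "offset"}, {}),
    "tcp option": ({"name"}, {"field"}, {}),
    "meta":       ({"key"}, set(), {"key": META_KEYS}),
    "rt":         ({"key"}, {"family"}, {"key": RT_KEYS, "family": FAMILIES}),
    "ct":         ({"key"}, {"family", "dir"}, {"family": FAMILIES, "dir": CT_DIRS}),
    "numgen":     ({"mode", "mod"}, {"offset"}, {"mode": NG_MODES}),
    "jhash":      ({"mod", "expr"}, {"offset", "seed"}, {}),
    "symhash":    ({"mod"}, {"offset"}, {}),
    "fib":        ({"result", "flags"}, set(), {"result": FIB_RESULTS}),
    "jump":       ({"target"}, set(), {}),
    "goto":       ({"target"}, set(), {}),
}


def _enum(value, allowed, path):
    return [] if value in allowed else [f"{path}: {value!r} not in {sorted(allowed)}"]


def _object(body, path, required, optional=frozenset(), enums=None):
    """Shared check for object-valued expressions: property names, enumerated
    values, and nested expressions held under key/data/addr/expr."""
    if not isinstance(body, dict):
        return [f"{path}: expected an object"]
    errs = [f"{path}: missing property {k!r}" for k in required if k not in body]
    errs += [f"{path}: unknown property {k!r}" for k in body if k not in required | optional]
    errs += [e for k, allowed in (enums or {}).items() if k in body
             for e in _enum(body[k], allowed, f"{path}.{k}")]
    return errs + [e for k in ("key", "data", "addr", "expr") if k in body
                   for e in validate_expr(body[k], f"{path}.{k}")]


def validate_expr(expr, path="expr"):
    """Return the list of problems found in expr; an empty list means valid."""
    if isinstance(expr, (str, int)):          # IMMEDIATES (bool is an int subclass)
        return []
    if isinstance(expr, list):                # LISTS: every member is an expression
        return [e for i, x in enumerate(expr) for e in validate_expr(x, f"{path}[{i}]")]
    if not isinstance(expr, dict) or len(expr) != 1:
        return [f"{path}: expression must be an object with exactly one property"]
    (kind, body), = expr.items()
    sub = f"{path}.{kind}"
    if kind in OBJECT_FORMS:
        errs = _object(body, sub, *OBJECT_FORMS[kind])
        if not errs and kind == "prefix":     # assumed sanity bound, not from the manual
            n = body["len"]
            if isinstance(n, bool) or not isinstance(n, int) or not 0 <= n <= 128:
                errs.append(f"{sub}.len: must be a number between 0 and 128")
        if not errs and kind == "fib":        # FIB_FLAGS := FIB_FLAG | [ FIB_FLAG_LIST ]
            flags = body["flags"] if isinstance(body["flags"], list) else [body["flags"]]
            errs += [e for f in flags for e in _enum(f, FIB_FLAGS, f"{sub}.flags")]
        return errs
    if kind == "payload":                     # raw form if "base" is present, else named field
        if isinstance(body, dict) and "base" in body:
            return _object(body, sub, {"base", "offset", "len"}, enums={"base": PAYLOAD_BASES})
        return _object(body, sub, {"protocol", "field"})
    if kind in ("concat", "range", "set"):    # SET may also be a single expression
        if kind != "set" and not isinstance(body, list):
            return [f"{sub}: expects an array"]
        errs = [f"{sub}: expects exactly [lower, upper]"] if kind == "range" and len(body) != 2 else []
        return errs + validate_expr(body, sub)
    if kind in BINOPS:
        if not (isinstance(body, list) and len(body) == 2):
            return [f"{sub}: binary operation expects exactly two operands"]
        return validate_expr(body, sub)
    if kind in NULL_VERDICTS:
        return [] if body is None else [f"{sub}: this verdict takes null"]
    return [f"{path}: unknown expression {kind!r}"]


def sample_expressions():
    """Constructed inputs: the first three are valid, the last three are not."""
    return {
        "saddr_in_set": {"set": [{"prefix": {"addr": "10.0.0.0", "len": 8}},
                                 {"range": ["192.168.1.1", "192.168.1.50"]}]},
        "masked_mark": {"&": [{"meta": {"key": "mark"}}, 255]},
        "raw_nh_payload": {"payload": {"base": "nh", "offset": 0, "len": 8}},
        "bad_base": {"payload": {"base": "ip", "offset": 0, "len": 8}},
        "bad_meta_key": {"meta": {"key": "ifname"}},
        "three_operands": {"|": [1, 2, 3]},
    }
```

       Running this before handing a document to nft_run_cmd_from_buffer()
       turns a rejected command into a message that names the offending
       property path, which is what you want when rules are generated from
       templates rather than typed by hand.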
   ELEM
           { "elem": {
                   "val": EXPRESSION,
                   "timeout": NUMBER,
                   "expires": NUMBER,
                   "comment": STRING
           }}

       Explicit set element object, for use when timeout, expires or comment
       are desired. Otherwise, it may be replaced by the value of val.

   SOCKET
           { "socket": {
                   "key": SOCKET_KEY
           }}

           SOCKET_KEY := "transparent"

       Construct a reference to the packet’s socket.

   OSF
           { "osf": {
                   "key": OSF_KEY,
                   "ttl": OSF_TTL
           }}

           OSF_KEY := "name"
           OSF_TTL := "loose" | "skip"

       Perform OS fingerprinting. This expression is typically used on the LHS
       of a match statement.

       key
           Which part of the fingerprint info to match against. At this point,
           only the OS name is supported.

       ttl
           Define how the packet’s TTL value is to be matched. This property
           is optional. If omitted, the TTL value has to match exactly. A
           value of loose accepts TTL values less than the fingerprint one. A
           value of skip omits TTL value comparison entirely.


AUTHOR

       Phil Sutter <phil@nwl.cc>
           Author.



                                  07/25/2019               LIBNFTABLES-JSON(5)