1nft(8)                                                                  nft(8)
2
3
4

NAME

6       nft  - Administration tool of the nftables framework for packet filter‐
7       ing and classification
8

SYNOPSIS

10       nft [ -nNscae ] [ -I directory ] [ -f filename | -i | cmd ...]
11       nft -h
12       nft -v
13

DESCRIPTION

15       nft is the command line tool used to set up, maintain and inspect pack‐
16       et filtering and classification rules in the Linux kernel, in the nfta‐
17       bles framework.  The Linux kernel subsystem is known as nf_tables,  and
18       'nf' stands for Netfilter.
19

OPTIONS

21       For a full summary of options, run nft --help.
22
23       -h, --help
24              Show help message and all options.
25
26       -v, --version
27              Show version.
28
29       -n, --numeric
30              Show  data  numerically. When used once (the default behaviour),
31              skip lookup of addresses to symbolic names. Use  twice  to  also
32              show  Internet  services  (port  numbers) numerically. Use three
33              times to also show protocols and UIDs/GIDs numerically.
34
35       -N, --reversedns
36              Translate IP addresses to names. Usually requires network  traf‐
37              fic for DNS lookup.
38
39       -s, --stateless
40              Omit stateful information of rules and stateful objects.
41
42       -c, --check
43              Check commands validity without actually applying the changes.
44
45       -a, --handle
46              Show object handles in output.
47
48       -e, --echo
49              When  inserting  items into the ruleset using add, insert or re‐
50              place commands, print notifications just like nft monitor.
51
52       -I, --includepath directory
53              Add the directory directory to the list  of  directories  to  be
54              searched for included files. This option may be specified multi‐
55              ple times.
56
57       -f, --file filename
58              Read input from filename. If filename is -, read from stdin.
59
60              nft scripts must start #!/usr/sbin/nft -f
61
62       -i, --interactive
63              Read input from an interactive readline CLI. You can use quit to
64              exit, or use the EOF marker, normally this is CTRL-D.
65

INPUT FILE FORMAT

67   LEXICAL CONVENTIONS
68       Input  is parsed line-wise. When the last character of a line, just be‐
69       fore the newline character, is a non-quoted  backslash  (\),  the  next
70       line  is  treated as a continuation. Multiple commands on the same line
71       can be separated using a semicolon (;).
72
73       A hash sign (#) begins a comment. All following characters on the  same
74       line are ignored.
75
76       Identifiers begin with an alphabetic character (a-z,A-Z), followed zero
77       or more alphanumeric characters (a-z,A-Z,0-9) and the characters  slash
78       (/),  backslash (\), underscore (_) and dot (.). Identifiers using dif‐
79       ferent characters or clashing with a keyword need  to  be  enclosed  in
80       double quotes (").
81
82   INCLUDE FILES
83       include filename
84
85       Other files can be included by using the include statement.  The direc‐
86       tories to be searched for include files  can  be  specified  using  the
87       -I/--includepath  option.  You  can  override  this behaviour either by
88       prepending ./ to your path to force inclusion of files located  in  the
89       current  working  directory (i.e. relative path) or / for file location
90       expressed as an absolute path.
91
92       If -I/--includepath is not specified, then nft relies  on  the  default
93       directory  that is specified at compile time. You can retrieve this de‐
94       fault directory via -h/--help option.
95
96       Include statements support the usual shell wildcard  symbols  (*,?,[]).
97       Having no matches for an include statement is not an error, if wildcard
98       symbols are used in the include statement. This  allows  having  poten‐
99       tially   empty   include   directories   for  statements  like  include
100       "/etc/firewall/rules/*". The wildcard matches are loaded in  alphabeti‐
101       cal  order.  Files  beginning  with  dot (.) are not matched by include
102       statements.
103
104   SYMBOLIC VARIABLES
105       define variable expr
106       $variable
107
108       Symbolic variables can be defined using the define statement.  Variable
109       references  are expressions and can be used initialize other variables.
110       The scope of a definition is the current block and all blocks contained
111       within.
112
113       Using symbolic variables
114
115       define int_if1 = eth0
116       define int_if2 = eth1
117       define int_ifs = { $int_if1, $int_if2 }
118
119       filter input iif $int_ifs accept
120
121

ADDRESS FAMILIES

123       Address families determine the type of packets which are processed. For
124       each address family the kernel contains so  called  hooks  at  specific
125       stages  of  the packet processing paths, which invoke nftables if rules
126       for these hooks exist.
127
128       ip     IPv4 address family.
129
130       ip6    IPv6 address family.
131
132       inet   Internet (IPv4/IPv6) address family.
133
134       arp    ARP address family, handling IPv4 ARP packets.
135
136       bridge Bridge address family, handling packets which traverse a  bridge
137              device.
138
139       netdev Netdev address family, handling packets from ingress.
140
141       All  nftables  objects  exist  in  address  family specific namespaces,
142       therefore all identifiers include an address family. If  an  identifier
143       is  specified  without  an address family, the ip family is used by de‐
144       fault.
145
146   IPV4/IPV6/INET ADDRESS FAMILIES
147       The IPv4/IPv6/Inet address families handle IPv4, IPv6 or both types  of
148       packets.  They contain five hooks at different packet processing stages
149       in the network stack.
150
151       IPv4/IPv6/Inet address family hooks
152
153       ┌────────────┬────────────────────────────┐
154       │Hook        │ Description                │
155       ├────────────┼────────────────────────────┤
156       │prerouting  │ All packets  entering  the │
157       │            │ system  are  processed  by │
158       │            │ the prerouting hook. It is │
159       │            │ invoked before the routing │
160       │            │ process and  is  used  for │
161       │            │ early  filtering or chang‐ │
162       │            │ ing packet attributes that │
163       │            │ affect routing.            │
164       ├────────────┼────────────────────────────┤
165       │input       │ Packets  delivered  to the │
166       │            │ local system are processed │
167       │            │ by the input hook.         │
168       ├────────────┼────────────────────────────┤
169       │forward     │ Packets   forwarded  to  a │
170       │            │ different  host  are  pro‐ │
171       │            │ cessed   by   the  forward │
172       │            │ hook.                      │
173       ├────────────┼────────────────────────────┤
174       │output      │ Packets sent by local pro‐ │
175       │            │ cesses  are  processed  by │
176       │            │ the output hook.           │
177       ├────────────┼────────────────────────────┤
178       │postrouting │ All  packets  leaving  the │
179       │            │ system  are  processed  by │
180       │            │ the postrouting hook.      │
181       └────────────┴────────────────────────────┘
182   ARP ADDRESS FAMILY
183       The ARP address family handles ARP packets received  and  sent  by  the
184       system. It is commonly used to mangle ARP packets for clustering.
185
186       ARP address family hooks
187
188       ┌───────┬────────────────────────────┐
189       │Hook   │ Description                │
190       ├───────┼────────────────────────────┤
191       │input  │ Packets  delivered  to the │
192       │       │ local system are processed │
193       │       │ by the input hook.         │
194       ├───────┼────────────────────────────┤
195       │output │ Packets  send by the local │
196       │       │ system  are  processed  by │
197       │       │ the output hook.           │
198       └───────┴────────────────────────────┘
199   BRIDGE ADDRESS FAMILY
200       The  bridge  address  family handles Ethernet packets traversing bridge
201       devices.
202
203       The list of supported hooks is identical to IPv4/IPv6/Inet address fam‐
204       ilies above.
205
206   NETDEV ADDRESS FAMILY
207       The Netdev address family handles packets from ingress.
208
209       Netdev address family hooks
210
211       ┌────────┬────────────────────────────┐
212       │Hook    │ Description                │
213       ├────────┼────────────────────────────┤
214       │ingress │ All  packets  entering the │
215       │        │ system  are  processed  by │
216       │        │ this  hook.  It is invoked │
217       │        │ before  layer  3  protocol │
218       │        │ handlers  and  it  can  be │
219       │        │ used for  early  filtering │
220       │        │ and policing.              │
221       └────────┴────────────────────────────┘

RULESET

223       {list | flush} ruleset [family]
224       export [ruleset] format
225
226       The  ruleset  keyword  is  used  to  identify  the whole set of tables,
227       chains, etc. currently in place in kernel. The following  ruleset  com‐
228       mands exist:
229
230       list   Print the ruleset in human-readable format.
231
232       flush  Clear  the  whole  ruleset. Note that unlike iptables, this will
233              remove all tables and whatever they contain, effectively leading
234              to  an  empty ruleset - no packet filtering will happen anymore,
235              so the kernel accepts any valid packet it receives.
236
237       export Print the ruleset in machine readable format. The mandatory for‐
238              mat parameter may be either xml or json.
239
240       It is possible to limit list and flush to a specific address family on‐
241       ly. For a list of valid family names, see ADDRESS FAMILIES above.
242
243       Note that contrary to what one might assume, the  output  generated  by
244       export  is not parseable by nft -f. Instead, the output of list command
245       serves well for that purpose.
246

TABLES

248       {add | create} table [family] table [ { flags flags } ]
249       {delete | list | flush} table [family] table
250       delete table [family] handle handle
251
252       Tables are containers for chains, sets and stateful objects.  They  are
253       identified  by  their address family and their name. The address family
254       must be one of ip, ip6, inet, arp, bridge, netdev.   The  inet  address
255       family  is  a dummy family which is used to create hybrid IPv4/IPv6 ta‐
256       bles. The meta expression nfproto keyword can be  used  to  test  which
257       family  (IPv4  or IPv6) context the packet is being processed in.  When
258       no address family is specified, ip is used by default.  The  only  dif‐
259       ference  between  add  and create is that the former will not return an
260       error if the specified table already exists while create will return an
261       error.
262
263       Table flags
264
265       ┌────────┬────────────────────────────┐
266       │Flag    │ Description                │
267       ├────────┼────────────────────────────┤
268       │dormant │ table is not evaluated any │
269       │        │ more (base chains are  un‐ │
270       │        │ registered)                │
271       └────────┴────────────────────────────┘
272       Add, change, delete a table
273
274       # start nft in interactive mode
275       nft --interactive
276
277       # create a new table.
278       create table inet mytable
279
280       # add a new base chain: get input packets
281       add chain inet mytable myin { type filter hook input priority 0; }
282
283       # add a single counter to the chain
284       add rule inet mytable myin counter
285
286       # disable the table temporarily -- rules are not evaluated anymore
287       add table inet mytable { flags dormant; }
288
289       # make table active again:
290       add table inet mytable
291
292
293       add    Add a new table for the given family with the given name.
294
295       delete Delete the specified table.
296
297       list   List all chains and rules of the specified table.
298
299       flush  Flush all chains and rules of the specified table.
300

CHAINS

302       {add | create} chain [family] table chain [ { type type hook hook
303       [device device] priority priority ; [policy policy ;] } ]
304       {delete | list | flush} chain [family] table chain
305       delete chain [family] table handle handle
306       rename chain [family] table chain newname
307
308       Chains are containers for rules. They exist in two kinds,  base  chains
309       and regular chains. A base chain is an entry point for packets from the
310       networking stack, a regular chain may be used as  jump  target  and  is
311       used for better rule organization.
312
313       add    Add a new chain in the specified table. When a hook and priority
314              value are specified, the chain is created as a  base  chain  and
315              hooked up to the networking stack.
316
317       create Similar  to  the  add command, but returns an error if the chain
318              already exists.
319
320       delete Delete the specified chain. The chain must not contain any rules
321              or be used as jump target.
322
323       rename Rename the specified chain.
324
325       list   List all rules of the specified chain.
326
327       flush  Flush all rules of the specified chain.
328
329       For base chains, type, hook and priority parameters are mandatory.
330
331       Supported chain types
332
333       ┌───────┬──────────┬──────────────────┬──────────────────┐
334       │Type   │ Families │ Hooks            │ Description      │
335       ├───────┼──────────┼──────────────────┼──────────────────┤
336       │filter │ all      │ all              │ Standard   chain │
337       │       │          │                  │ type to  use  in │
338       │       │          │                  │ doubt.           │
339       ├───────┼──────────┼──────────────────┼──────────────────┤
340       │nat    │ ip, ip6  │ prerouting,  in‐ │ Chains  of  this │
341       │       │          │ put,     output, │ type     perform │
342       │       │          │ postrouting      │ Network  Address │
343       │       │          │                  │ Translation      │
344       │       │          │                  │ based   on  con‐ │
345       │       │          │                  │ ntrack  entries. │
346       │       │          │                  │ Only  the  first │
347       │       │          │                  │ packet of a con‐ │
348       │       │          │                  │ nection actually │
349       │       │          │                  │ traverses   this │
350       │       │          │                  │ chain    -   its │
351       │       │          │                  │ rules    usually │
352       │       │          │                  │ define   details │
353       │       │          │                  │ of  the  created │
354       │       │          │                  │ conntrack  entry │
355       │       │          │                  │ (NAT  statements │
356       │       │          │                  │ for instance).   │
357       ├───────┼──────────┼──────────────────┼──────────────────┤
358       │route  │ ip, ip6  │ output           │ If  a packet has │
359       │       │          │                  │ traversed      a │
360       │       │          │                  │ chain   of  this │
361       │       │          │                  │ type   and    is │
362       │       │          │                  │ about  to be ac‐ │
363       │       │          │                  │ cepted,  a   new │
364       │       │          │                  │ route  lookup is │
365       │       │          │                  │ performed     if │
366       │       │          │                  │ relevant   parts │
367       │       │          │                  │ of the IP header │
368       │       │          │                  │ have    changed. │
369       │       │          │                  │ This  allows  to │
370       │       │          │                  │ e.g.   implement │
371       │       │          │                  │ policy   routing │
372       │       │          │                  │ selectors     in │
373       │       │          │                  │ nftables.        │
374       └───────┴──────────┴──────────────────┴──────────────────┘
375       Apart from the special cases illustrated above (e.g. nat type not  sup‐
376       porting  forward hook or route type only supporting output hook), there
377       are two further quirks worth noticing:
378
379       · netdev family supports merely a  single  combination,  namely  filter
380         type  and  ingress  hook. Base chains in this family also require the
381         device parameter to be present since they exist per  incoming  inter‐
382         face only.
383
384       · arp  family  supports  only input and output hooks, both in chains of
385         type filter.
386
387       The priority parameter accepts a signed integer value  which  specifies
388       the  order  in which chains with same hook value are traversed. The or‐
389       dering is ascending, i.e. lower priority values  have  precedence  over
390       higher ones.
391
392       Base  chains also allow to set the chain's policy, i.e. what happens to
393       packets not explicitly accepted or refused in contained rules. Support‐
394       ed policy values are accept (which is the default) or drop.
395

RULES

397       [add | insert] rule [family] table chain [ {handle | position} handle |
398       index index ] statement...
399       replace rule [family] table chain handle handle statement...
400       delete rule [family] table chain handle handle
401
402       Rules are added to chain in the given table.   If  the  family  is  not
403       specified, the ip family is used.  Rules are constructed from two kinds
404       of components according to a set of grammatical rules: expressions  and
405       statements.
406
407       The  add  and  insert  commands support an optional location specifier,
408       which is either a handle of an existing rule or an index  (starting  at
409       zero).  Internally,  rule locations are always identified by handle and
410       the translation from index happens in userspace. This has two potential
411       implications  in  case  a  concurrent  ruleset change happens after the
412       translation was done: The effective rule index might change if  a  rule
413       was  inserted  or deleted before the referred one. If the referred rule
414       was deleted, the command is rejected by the kernel just as  if  an  in‐
415       valid handle was given.
416
417       add    Add  a new rule described by the list of statements. The rule is
418              appended to the given chain unless a  handle  is  specified,  in
419              which case the rule is appended to the rule given by the handle.
420              The alternative name position is deprecated and  should  not  be
421              used anymore.
422
423       insert Similar to the add command, but the rule is prepended to the be‐
424              ginning of the chain or before the rule with the given handle.
425
426       replace
427              Similar to the add command, but the rule replaces the  specified
428              rule.
429
430       delete Delete the specified rule.
431
432       add a rule to ip table input chain
433
434       nft add rule filter output ip daddr 192.168.0.0/24 accept # 'ip filter' is assumed
435       # same command, slightly more verbose
436       nft add rule ip filter output ip daddr 192.168.0.0/24 accept
437
438
439
440       delete rule from inet table
441
442       # nft -a list ruleset
443       table inet filter {
444               chain input {
445                       type filter hook input priority 0; policy accept;
446                       ct state established,related accept # handle 4
447                       ip saddr 10.1.1.1 tcp dport ssh accept # handle 5
448                 ...
449       # delete the rule with handle 5
450       # nft delete rule inet filter input handle 5
451
452

SETS

454       nftables  offers  two  kinds  of set concepts.  Anonymous sets are sets
455       that have no specific name. The  set  members  are  enclosed  in  curly
456       braces, with commas to separate elements when creating the rule the set
457       is used in.  Once that rule is removed, the set  is  removed  as  well.
458       They  cannot be updated, i.e. once an anonymous set is declared it can‐
459       not be changed anymore except by removing/altering the rule  that  uses
460       the anonymous set.
461
462       Using anonymous sets to accept particular subnets and ports
463
464               nft add rule filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport { 22, 443 } accept
465
466
467       Named  sets  are  sets that need to be defined first before they can be
468       referenced in rules. Unlike anonymous sets, elements can be added to or
469       removed  from  a named set at any time.  Sets are referenced from rules
470       using an @ prefixed to the sets name.
471
472       Using named sets to accept addresses and ports
473
474               nft add rule filter input ip saddr @allowed_hosts tcp dport @allowed_ports accept
475
476
477       The sets allowed_hosts and allowed_ports need to be created first.  The
478       next section describes nft set syntax in more detail.
479
480       add set [family] table set { type type ; [flags flags ;] [timeout
481       timeout ;] [gc-interval gc-interval ;] [elements = { element[,...] } ;]
482       [size size ;] [policy policy ;] [auto-merge auto-merge ;] }
483       {delete | list | flush} set [family] table set
484       delete set [family] table handle handle
485       {add | delete} element [family] table set { element[,...] }
486
487       Sets  are  elements  containers  of an user-defined data type, they are
488       uniquely identified by an user-defined name and attached to tables.
489
490       add    Add a new set in the specified table.
491
492       delete Delete the specified set.
493
494       list   Display the elements in the specified set.
495
496       flush  Remove all elements from the specified set.
497
498       add element
499              Comma-separated list of elements to add into the specified set.
500
501       delete element
502              Comma-separated list of elements to delete  from  the  specified
503              set.
504
505       Set specifications
506
507       ┌────────────┬─────────────────────┬─────────────────────┐
508       │Keyword     │ Description         │ Type                │
509       ├────────────┼─────────────────────┼─────────────────────┤
510       │type        │ data  type  of  set │ string:  ipv4_addr, │
511       │            │ elements            │ ipv6_addr,          │
512       │            │                     │ ether_addr,     in‐ │
513       │            │                     │ et_proto, inet_ser‐ │
514       │            │                     │ vice, mark          │
515       ├────────────┼─────────────────────┼─────────────────────┤
516       │flags       │ set flags           │ string:   constant, │
517       │            │                     │ interval, timeout   │
518       ├────────────┼─────────────────────┼─────────────────────┤
519       │timeout     │ time   an   element │ string,     decimal │
520       │            │ stays in  the  set, │ followed  by  unit. │
521       │            │ mandatory if set is │ Units are: d, h, m, │
522       │            │ added to  from  the │ s                   │
523       │            │ packet  path (rule‐ │                     │
524       │            │ set).               │                     │
525       ├────────────┼─────────────────────┼─────────────────────┤
526       │gc-interval │ garbage  collection │ string,     decimal │
527       │            │ interval,      only │ followed  by  unit. │
528       │            │ available      when │ Units are: d, h, m, │
529       │            │ timeout   or   flag │ s                   │
530       │            │ timeout are active  │                     │
531       ├────────────┼─────────────────────┼─────────────────────┤
532       │elements    │ elements  contained │ set data type       │
533       │            │ by the set          │                     │
534       ├────────────┼─────────────────────┼─────────────────────┤
535       │size        │ maximum  number  of │ unsigned    integer │
536       │            │ elements   in   the │ (64 bit)            │
537       │            │ set,  mandatory  if │                     │
538       │            │ set  is  added   to │                     │
539       │            │ from   the   packet │                     │
540       │            │ path (ruleset).     │                     │
541       ├────────────┼─────────────────────┼─────────────────────┤
542       │policy      │ set policy          │ string: performance │
543       │            │                     │ [default], memory   │
544       ├────────────┼─────────────────────┼─────────────────────┤
545       │auto-merge  │ automatic merge  of │                     │
546       │            │ adjacent/overlap‐   │                     │
547       │            │ ping  set  elements │                     │
548       │            │ (only  for interval │                     │
549       │            │ sets)               │                     │
550       └────────────┴─────────────────────┴─────────────────────┘

MAPS

552       add map [family] table map { type type [flags flags ;] [elements = {
553       element[,...] } ;] [size size ;] [policy policy ;] }
554       {delete | list | flush} map [family] table map
555       {add | delete} element [family] table map { elements = { element[,...]
556       } ; }
557
558       Maps store data based on some specific key  used  as  input,  they  are
559       uniquely identified by an user-defined name and attached to tables.
560
561       add    Add a new map in the specified table.
562
563       delete Delete the specified map.
564
565       list   Display the elements in the specified map.
566
567       flush  Remove all elements from the specified map.
568
569       add element
570              Comma-separated list of elements to add into the specified map.
571
572       delete element
573              Comma-separated  list  of element keys to delete from the speci‐
574              fied map.
575
576       Map specifications
577
578       ┌─────────┬─────────────────────┬─────────────────────┐
579       │Keyword  │ Description         │ Type                │
580       ├─────────┼─────────────────────┼─────────────────────┤
581       │type     │ data  type  of  map │ string  ':' string: │
582       │         │ elements            │ ipv4_addr, ipv6_ad‐ │
583       │         │                     │ dr, ether_addr, in‐ │
584       │         │                     │ et_proto, inet_ser‐ │
585       │         │                     │ vice,         mark, │
586       │         │                     │ counter,     quota. │
587       │         │                     │ Counter  and  quota │
588       │         │                     │ can't  be  used  as │
589       │         │                     │ keys                │
590       ├─────────┼─────────────────────┼─────────────────────┤
591       │flags    │ map flags           │ string:   constant, │
592       │         │                     │ interval            │
593       ├─────────┼─────────────────────┼─────────────────────┤
594       │elements │ elements  contained │ map data type       │
595       │         │ by the map          │                     │
596       ├─────────┼─────────────────────┼─────────────────────┤
597       │size     │ maximum  number  of │ unsigned    integer │
598       │         │ elements in the map │ (64 bit)            │
599       ├─────────┼─────────────────────┼─────────────────────┤
600       │policy   │ map policy          │ string: performance │
601       │         │                     │ [default], memory   │
602       └─────────┴─────────────────────┴─────────────────────┘

FLOWTABLES

604       {add | create} flowtable [family] table flowtable { hook hook priority
605       priority ; devices = { device[,...] } ; }
606       {delete | list} flowtable [family] table flowtable
607
608       Flowtables  allow  you  to  accelerate  packet  forwarding in software.
609       Flowtables entries are represented through a tuple that is composed  of
610       the  input interface, source and destination address, source and desti‐
611       nation port; and layer 3/4 protocols. Each entry also caches the desti‐
612       nation  interface  and  the gateway address - to update the destination
613       link-layer address - to forward packets. The ttl  and  hoplimit  fields
614       are  also  decremented.  Hence, flowtables provides an alternative path
615       that allow packets to bypass the classic  forwarding  path.  Flowtables
616       reside in the ingress hook, that is located before the prerouting hook.
617       You can select what flows you want to offload through the flow  offload
618       expression  from  the forward chain. Flowtables are identified by their
619       address family and their name. The address family must be  one  of  ip,
620       ip6,  inet.  The inet address family is a dummy family which is used to
621       create hybrid IPv4/IPv6 tables.  When no address family  is  specified,
622       ip is used by default.
623
624       add    Add a new flowtable for the given family with the given name.
625
626       delete Delete the specified flowtable.
627
628       list   List all flowtables.
629

STATEFUL OBJECTS

631       {add | delete | list | reset} type [family] table object
632       delete type [family] table handle handle
633
634       Stateful objects are attached to tables and are identified by an unique
635       name. They group stateful information from rules, to reference them  in
636       rules the keywords "type name" are used e.g. "counter name".
637
638       add    Add a new stateful object in the specified table.
639
640       delete Delete the specified object.
641
642       list   Display stateful information the object holds.
643
644       reset  List-and-reset stateful object.
645
646   CT
647       ct helper helper { type type protocol protocol ; [l3proto family ;] }
648
649       Ct  helper  is used to define connection tracking helpers that can then
650       be used in combination with the "ct helper set"  statement.   type  and
651       protocol are mandatory, l3proto is derived from the table family by de‐
652       fault, i.e. in the inet table the kernel will try to load both the IPv4
653       and IPv6 helper backends, if they are supported by the kernel.
654
655       conntrack helper specifications
656
657       ┌─────────┬─────────────────────┬─────────────────────┐
658       │Keyword  │ Description         │ Type                │
659       ├─────────┼─────────────────────┼─────────────────────┤
660       │type     │ name of helper type │ quoted string (e.g. │
661       │         │                     │ "ftp")              │
662       ├─────────┼─────────────────────┼─────────────────────┤
663       │protocol │ layer 4 protocol of │ string (e.g. tcp)   │
664       │         │ the helper          │                     │
665       ├─────────┼─────────────────────┼─────────────────────┤
666       │l3proto  │ layer 3 protocol of │ address      family │
667       │         │ the helper          │ (e.g. ip)           │
668       └─────────┴─────────────────────┴─────────────────────┘
669       defining and assigning ftp helper
670
671       Unlike iptables, helper assignment needs to be performed after the con‐
672       ntrack lookup has completed, for example with the default 0 hook prior‐
673       ity.
674
675       table inet myhelpers {
676         ct helper ftp-standard {
677            type "ftp" protocol tcp
678         }
679         chain prerouting {
680             type filter hook prerouting priority 0;
681             tcp dport 21 ct helper set "ftp-standard"
682         }
683       }
684
685   COUNTER
686       counter [packets bytes]
687
688       Counter specifications
689
690       ┌────────┬─────────────────────┬─────────────────────┐
691       │Keyword │ Description         │ Type                │
692       ├────────┼─────────────────────┼─────────────────────┤
693       │packets │ initial   count  of │ unsigned    integer │
694       │        │ packets             │ (64 bit)            │
695       ├────────┼─────────────────────┼─────────────────────┤
696       │bytes   │ initial   count  of │ unsigned    integer │
697       │        │ bytes               │ (64 bit)            │
698       └────────┴─────────────────────┴─────────────────────┘
699   QUOTA
700       quota [over | until] [used]
701
702       Quota specifications
703
704       ┌────────┬─────────────────────┬─────────────────────┐
705       │Keyword │ Description         │ Type                │
706       ├────────┼─────────────────────┼─────────────────────┤
707       │quota   │ quota  limit,  used │ Two arguments,  un‐ │
708       │        │ as the quota name   │ signed  integer (64 │
709       │        │                     │ bit)  and   string: │
710       │        │                     │ bytes,      kbytes, │
711       │        │                     │ mbytes. "over"  and │
712       │        │                     │ "until"  go  before │
713       │        │                     │ these arguments     │
714       ├────────┼─────────────────────┼─────────────────────┤
715       │used    │ initial  value   of │ Two  arguments, un‐ │
716       │        │ used quota          │ signed integer  (64 │
717       │        │                     │ bit)   and  string: │
718       │        │                     │ bytes,      kbytes, │
719       │        │                     │ mbytes              │
720       └────────┴─────────────────────┴─────────────────────┘

EXPRESSIONS

722       Expressions  represent values, either constants like network addresses,
723       port numbers etc. or data gathered from the packet during ruleset eval‐
724       uation.  Expressions  can be combined using binary, logical, relational
725       and other types of expressions to form complex  or  relational  (match)
726       expressions.  They are also used as arguments to certain types of oper‐
727       ations, like NAT, packet marking etc.
728
729       Each expression has a data type, which determines the size, parsing and
730       representation of symbolic values and type compatibility with other ex‐
731       pressions.
732
733   DESCRIBE COMMAND
734       describe expression
735
736       The describe command shows information about the type of an  expression
737       and its data type.
738
739       The describe command
740
741       $ nft describe tcp flags
742       payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits
743
744       predefined symbolic constants:
745       fin                           0x01
746       syn                           0x02
747       rst                           0x04
748       psh                           0x08
749       ack                           0x10
750       urg                           0x20
751       ecn                           0x40
752       cwr                           0x80
753

DATA TYPES

755       Data  types  determine the size, parsing and representation of symbolic
756       values and type compatibility of expressions. A number of  global  data
757       types  exist,  in  addition  some  expression types define further data
758       types specific to the expression type. Most data  types  have  a  fixed
759       size, some however may have a dynamic size, f.i. the string type.
760
761       Types may be derived from lower order types, f.i. the IPv4 address type
762       is derived from the integer type, meaning an IPv4 address can  also  be
763       specified as an integer value.
764
765       In  certain  contexts  (set and map definitions) it is necessary to ex‐
766       plicitly specify a data type.  Each type has a name which is  used  for
767       this.
768
769   INTEGER TYPE
770       ┌────────┬─────────┬──────────┬───────────┐
771       │Name    │ Keyword │ Size     │ Base type │
772       ├────────┼─────────┼──────────┼───────────┤
773       │Integer │ integer │ variable │ -         │
774       └────────┴─────────┴──────────┴───────────┘
775       The  integer  type  is  used for numeric values. It may be specified as
776       decimal, hexadecimal or octal number. The integer type doesn't  have  a
777       fixed  size,  its  size is determined by the expression for which it is
778       used.
779
780   BITMASK TYPE
781       ┌────────┬─────────┬──────────┬───────────┐
782       │Name    │ Keyword │ Size     │ Base type │
783       ├────────┼─────────┼──────────┼───────────┤
784       │Bitmask │ bitmask │ variable │ integer   │
785       └────────┴─────────┴──────────┴───────────┘
786       The bitmask type (bitmask) is used for bitmasks.
787
788   STRING TYPE
789       ┌───────┬─────────┬──────────┬───────────┐
790       │Name   │ Keyword │ Size     │ Base type │
791       ├───────┼─────────┼──────────┼───────────┤
792       │String │ string  │ variable │ -         │
793       └───────┴─────────┴──────────┴───────────┘
794       The string type is used to for character strings. A string begins  with
795       an  alphabetic character (a-zA-Z) followed by zero or more alphanumeric
796       characters or the characters /, -, _ and .. In  addition  anything  en‐
797       closed in double quotes (") is recognized as a string.
798
799       String specification
800
801       # Interface name
802       filter input iifname eth0
803
804       # Weird interface name
805       filter input iifname "(eth0)"
806
807   LINK LAYER ADDRESS TYPE
808       ┌─────────────────┬─────────┬──────────┬───────────┐
809       │Name             │ Keyword │ Size     │ Base type │
810       ├─────────────────┼─────────┼──────────┼───────────┤
811       │Link  layer  ad‐ │ lladdr  │ variable │ integer   │
812       │dress            │         │          │           │
813       └─────────────────┴─────────┴──────────┴───────────┘
814       The link layer address type is used for link layer addresses. Link lay‐
815       er  addresses are specified as a variable amount of groups of two hexa‐
816       decimal digits separated using colons (:).
817
818       Link layer address specification
819
820       # Ethernet destination MAC address
821       filter input ether daddr 20:c9:d0:43:12:d9
822
823   IPV4 ADDRESS TYPE
824       ┌─────────────┬───────────┬────────┬───────────┐
825       │Name         │ Keyword   │ Size   │ Base type │
826       ├─────────────┼───────────┼────────┼───────────┤
827       │IPv4 address │ ipv4_addr │ 32 bit │ integer   │
828       └─────────────┴───────────┴────────┴───────────┘
829       The IPv4 address type is used for IPv4 addresses. Addresses are  speci‐
830       fied  in either dotted decimal, dotted hexadecimal, dotted octal, deci‐
831       mal, hexadecimal, octal notation or as a host name. A host name will be
832       resolved using the standard system resolver.
833
834       IPv4 address specification
835
836       # dotted decimal notation
837       filter output ip daddr 127.0.0.1
838
839       # host name
840       filter output ip daddr localhost
841
842   IPV6 ADDRESS TYPE
843       ┌─────────────┬───────────┬─────────┬───────────┐
844       │Name         │ Keyword   │ Size    │ Base type │
845       ├─────────────┼───────────┼─────────┼───────────┤
846       │IPv6 address │ ipv6_addr │ 128 bit │ integer   │
847       └─────────────┴───────────┴─────────┴───────────┘
848       The IPv6 address type is used for IPv6 addresses.  Addresses are speci‐
849       fied as a host name or as hexadecimal halfwords  separated  by  colons.
850       Addresses  might be enclosed in square brackets ("[]") to differentiate
851       them from port numbers.
852
853       IPv6 address specificationIPv6 address specification with bracket nota‐
854       tion
855
856       # abbreviated loopback address
857       filter output ip6 daddr ::1
858
859       # without [] the port number (22) would be parsed as part of ipv6 address
860       ip6 nat prerouting tcp dport 2222 dnat to [1ce::d0]:22
861
862   BOOLEAN TYPE
863       ┌────────┬─────────┬───────┬───────────┐
864       │Name    │ Keyword │ Size  │ Base type │
865       ├────────┼─────────┼───────┼───────────┤
866       │Boolean │ boolean │ 1 bit │ integer   │
867       └────────┴─────────┴───────┴───────────┘
868       The  boolean type is a syntactical helper type in user space.  It's use
869       is in the right-hand side of a (typically implicit) relational  expres‐
870       sion  to  change  the  expression  on the left-hand side into a boolean
871       check (usually for existence).
872
873       The following keywords will automatically resolve into a  boolean  type
874       with given value:
875
876       ┌────────┬───────┐
877       │Keyword │ Value │
878       ├────────┼───────┤
879       │exists  │ 1     │
880       ├────────┼───────┤
881       │missing │ 0     │
882       └────────┴───────┘
883       Boolean specification
884
885       The following expressions support a boolean comparison:
886
887       ┌───────────┬────────────────────────────┐
888       │Expression │ Behaviour                  │
889       ├───────────┼────────────────────────────┤
890       │fib        │ Check route existence.     │
891       ├───────────┼────────────────────────────┤
892       │exthdr     │ Check IPv6 extension head‐ │
893       │           │ er existence.              │
894       ├───────────┼────────────────────────────┤
895       │tcp option │ Check  TCP  option  header │
896       │           │ existence.                 │
897       └───────────┴────────────────────────────┘
898       # match if route exists
899       filter input fib daddr . iif oif exists
900
901       # match only non-fragmented packets in IPv6 traffic
902       filter input exthdr frag missing
903
904       # match if TCP timestamp option is present
905       filter input tcp option timestamp exists
906
907   ICMP TYPE TYPE
908       ┌──────────┬───────────┬───────┬───────────┐
909       │Name      │ Keyword   │ Size  │ Base type │
910       ├──────────┼───────────┼───────┼───────────┤
911       │ICMP Type │ icmp_type │ 8 bit │ integer   │
912       └──────────┴───────────┴───────┴───────────┘
913       The  ICMP  Type  type is used to conveniently specify the ICMP header's
914       type field.
915
916       The following keywords may be used when specifying the ICMP type:
917
918       ┌────────────────────────┬───────┐
919       │Keyword                 │ Value │
920       ├────────────────────────┼───────┤
921       │echo-reply              │ 0     │
922       ├────────────────────────┼───────┤
923       │destination-unreachable │ 3     │
924       ├────────────────────────┼───────┤
925       │source-quench           │ 4     │
926       ├────────────────────────┼───────┤
927       │redirect                │ 5     │
928       ├────────────────────────┼───────┤
929       │echo-request            │ 8     │
930       ├────────────────────────┼───────┤
931       │router-advertisement    │ 9     │
932       ├────────────────────────┼───────┤
933       │router-solicitation     │ 10    │
934       ├────────────────────────┼───────┤
935       │time-exceeded           │ 11    │
936       ├────────────────────────┼───────┤
937       │parameter-problem       │ 12    │
938       ├────────────────────────┼───────┤
939       │timestamp-request       │ 13    │
940       ├────────────────────────┼───────┤
941       │timestamp-reply         │ 14    │
942       ├────────────────────────┼───────┤
943       │info-request            │ 15    │
944       ├────────────────────────┼───────┤
945       │info-reply              │ 16    │
946       ├────────────────────────┼───────┤
947       │address-mask-request    │ 17    │
948       ├────────────────────────┼───────┤
949       │address-mask-reply      │ 18    │
950       └────────────────────────┴───────┘
951       ICMP Type specification
952
953       # match ping packets
954       filter output icmp type { echo-request, echo-reply }
955
956   ICMP CODE TYPE
957       ┌──────────┬───────────┬───────┬───────────┐
958       │Name      │ Keyword   │ Size  │ Base type │
959       ├──────────┼───────────┼───────┼───────────┤
960       │ICMP Code │ icmp_code │ 8 bit │ integer   │
961       └──────────┴───────────┴───────┴───────────┘
962       The ICMP Code type is used to conveniently specify  the  ICMP  header's
963       code field.
964
965       The following keywords may be used when specifying the ICMP code:
966
967       ┌─────────────────┬───────┐
968       │Keyword          │ Value │
969       ├─────────────────┼───────┤
970       │net-unreachable  │ 0     │
971       ├─────────────────┼───────┤
972       │host-unreachable │ 1     │
973       ├─────────────────┼───────┤
974       │prot-unreachable │ 2     │
975       ├─────────────────┼───────┤
976       │port-unreachable │ 3     │
977       ├─────────────────┼───────┤
978       │net-prohibited   │ 9     │
979       ├─────────────────┼───────┤
980       │host-prohibited  │ 10    │
981       ├─────────────────┼───────┤
982       │admin-prohibited │ 13    │
983       └─────────────────┴───────┘
984   ICMPV6 TYPE TYPE
985       ┌────────────┬─────────────┬───────┬───────────┐
986       │Name        │ Keyword     │ Size  │ Base type │
987       ├────────────┼─────────────┼───────┼───────────┤
988       │ICMPv6 Type │ icmpv6_type │ 8 bit │ integer   │
989       └────────────┴─────────────┴───────┴───────────┘
990       The  ICMPv6  Type type is used to conveniently specify the ICMPv6 head‐
991       er's type field.
992
993       The following keywords may be used when specifying the ICMPv6 type:
994
995       ┌────────────────────────┬───────┐
996       │Keyword                 │ Value │
997       ├────────────────────────┼───────┤
998       │destination-unreachable │ 1     │
999       ├────────────────────────┼───────┤
1000       │packet-too-big          │ 2     │
1001       ├────────────────────────┼───────┤
1002       │time-exceeded           │ 3     │
1003       ├────────────────────────┼───────┤
1004       │parameter-problem       │ 4     │
1005       ├────────────────────────┼───────┤
1006       │echo-request            │ 128   │
1007       ├────────────────────────┼───────┤
1008       │echo-reply              │ 129   │
1009       ├────────────────────────┼───────┤
1010       │mld-listener-query      │ 130   │
1011       ├────────────────────────┼───────┤
1012       │mld-listener-report     │ 131   │
1013       ├────────────────────────┼───────┤
1014       │mld-listener-done       │ 132   │
1015       ├────────────────────────┼───────┤
1016       │mld-listener-reduction  │ 132   │
1017       ├────────────────────────┼───────┤
1018       │nd-router-solicit       │ 133   │
1019       ├────────────────────────┼───────┤
1020       │nd-router-advert        │ 134   │
1021       ├────────────────────────┼───────┤
1022       │nd-neighbor-solicit     │ 135   │
1023       ├────────────────────────┼───────┤
1024       │nd-neighbor-advert      │ 136   │
1025       ├────────────────────────┼───────┤
1026       │nd-redirect             │ 137   │
1027       ├────────────────────────┼───────┤
1028       │router-renumbering      │ 138   │
1029       ├────────────────────────┼───────┤
1030       │ind-neighbor-solicit    │ 141   │
1031       ├────────────────────────┼───────┤
1032       │ind-neighbor-advert     │ 142   │
1033       ├────────────────────────┼───────┤
1034       │mld2-listener-report    │ 143   │
1035       └────────────────────────┴───────┘
1036       ICMPv6 Type specification
1037
1038       # match ICMPv6 ping packets
1039       filter output icmpv6 type { echo-request, echo-reply }
1040
1041   ICMPV6 CODE TYPE
1042       ┌────────────┬─────────────┬───────┬───────────┐
1043       │Name        │ Keyword     │ Size  │ Base type │
1044       ├────────────┼─────────────┼───────┼───────────┤
1045       │ICMPv6 Code │ icmpv6_code │ 8 bit │ integer   │
1046       └────────────┴─────────────┴───────┴───────────┘
1047       The ICMPv6 Code type is used to conveniently specify the  ICMPv6  head‐
1048       er's code field.
1049
1050       The following keywords may be used when specifying the ICMPv6 code:
1051
1052       ┌─────────────────┬───────┐
1053       │Keyword          │ Value │
1054       ├─────────────────┼───────┤
1055       │no-route         │ 0     │
1056       ├─────────────────┼───────┤
1057       │admin-prohibited │ 1     │
1058       ├─────────────────┼───────┤
1059       │addr-unreachable │ 3     │
1060       ├─────────────────┼───────┤
1061       │port-unreachable │ 4     │
1062       ├─────────────────┼───────┤
1063       │policy-fail      │ 5     │
1064       ├─────────────────┼───────┤
1065       │reject-route     │ 6     │
1066       └─────────────────┴───────┘
1067   ICMPVX CODE TYPE
1068       ┌────────────┬────────────┬───────┬───────────┐
1069       │Name        │ Keyword    │ Size  │ Base type │
1070       ├────────────┼────────────┼───────┼───────────┤
1071       │ICMPvX Code │ icmpx_code │ 8 bit │ integer   │
1072       └────────────┴────────────┴───────┴───────────┘
1073       The  ICMPvX  Code type abstraction is a set of values which overlap be‐
1074       tween ICMP and ICMPv6 Code types to be used from the inet family.
1075
1076       The following keywords may be used when specifying the ICMPvX code:
1077
1078       ┌─────────────────┬───────┐
1079       │Keyword          │ Value │
1080       ├─────────────────┼───────┤
1081       │no-route         │ 0     │
1082       ├─────────────────┼───────┤
1083       │port-unreachable │ 1     │
1084       ├─────────────────┼───────┤
1085       │host-unreachable │ 2     │
1086       ├─────────────────┼───────┤
1087       │admin-prohibited │ 3     │
1088       └─────────────────┴───────┘
1089   CONNTRACK TYPES
1090       This is an overview of types used in ct expression and statement:
1091
1092       ┌─────────────────┬───────────┬─────────┬───────────┐
1093       │Name             │ Keyword   │ Size    │ Base type │
1094       ├─────────────────┼───────────┼─────────┼───────────┤
1095       │conntrack state  │ ct_state  │ 4 byte  │ bitmask   │
1096       ├─────────────────┼───────────┼─────────┼───────────┤
1097       │conntrack direc‐ │ ct_dir    │ 8 bit   │ integer   │
1098       │tion             │           │         │           │
1099       ├─────────────────┼───────────┼─────────┼───────────┤
1100       │conntrack status │ ct_status │ 4 byte  │ bitmask   │
1101       ├─────────────────┼───────────┼─────────┼───────────┤
1102       │conntrack  event │ ct_event  │ 4 byte  │ bitmask   │
1103       │bits             │           │         │           │
1104       ├─────────────────┼───────────┼─────────┼───────────┤
1105       │conntrack label  │ ct_label  │ 128 bit │ bitmask   │
1106       └─────────────────┴───────────┴─────────┴───────────┘
1107       For each of the types above, keywords are available for convenience:
1108
1109       conntrack state (ct_state)
1110
1111       ┌────────────┬───────┐
1112       │Keyword     │ Value │
1113       ├────────────┼───────┤
1114       │invalid     │ 1     │
1115       ├────────────┼───────┤
1116       │established │ 2     │
1117       ├────────────┼───────┤
1118       │related     │ 4     │
1119       ├────────────┼───────┤
1120       │new         │ 8     │
1121       ├────────────┼───────┤
1122       │untracked   │ 64    │
1123       └────────────┴───────┘
1124       conntrack direction (ct_dir)
1125
1126       ┌─────────┬───────┐
1127       │Keyword  │ Value │
1128       ├─────────┼───────┤
1129       │original │ 0     │
1130       ├─────────┼───────┤
1131       │reply    │ 1     │
1132       └─────────┴───────┘
1133       conntrack status (ct_status)
1134
1135       ┌───────────┬───────┐
1136       │Keyword    │ Value │
1137       ├───────────┼───────┤
1138       │expected   │ 1     │
1139       ├───────────┼───────┤
1140       │seen-reply │ 2     │
1141       ├───────────┼───────┤
1142       │assured    │ 4     │
1143       ├───────────┼───────┤
1144       │confirmed  │ 8     │
1145       ├───────────┼───────┤
1146       │snat       │ 16    │
1147       ├───────────┼───────┤
1148       │dnat       │ 32    │
1149       ├───────────┼───────┤
1150       │dying      │ 512   │
1151       └───────────┴───────┘
1152       conntrack event bits (ct_event)
1153
1154       ┌──────────┬───────┐
1155       │Keyword   │ Value │
1156       ├──────────┼───────┤
1157       │new       │ 1     │
1158       ├──────────┼───────┤
1159       │related   │ 2     │
1160       ├──────────┼───────┤
1161       │destroy   │ 4     │
1162       ├──────────┼───────┤
1163       │reply     │ 8     │
1164       ├──────────┼───────┤
1165       │assured   │ 16    │
1166       ├──────────┼───────┤
1167       │protoinfo │ 32    │
1168       ├──────────┼───────┤
1169       │helper    │ 64    │
1170       ├──────────┼───────┤
1171       │mark      │ 128   │
1172       ├──────────┼───────┤
1173       │seqadj    │ 256   │
1174       ├──────────┼───────┤
1175       │secmark   │ 512   │
1176       ├──────────┼───────┤
1177       │label     │ 1024  │
1178       └──────────┴───────┘
1179       Possible keywords for conntrack label type (ct_label) are read at  run‐
1180       time from /etc/connlabel.conf.
1181

PRIMARY EXPRESSIONS

1183       The  lowest  order expression is a primary expression, representing ei‐
1184       ther a constant or a single datum from a packet's payload, meta data or
1185       a stateful module.
1186
1187   META EXPRESSIONS
1188       meta {length | nfproto | l4proto | protocol | priority}
1189       [meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype |
1190       skuid | skgid | nftrace | rtclassid | ibrname | obrname | pkttype | cpu
1191       | iifgroup | oifgroup | cgroup | random | secpath}
1192
1193       A meta expression refers to meta data associated with a packet.
1194
1195       There are two types of meta expressions: unqualified and qualified meta
1196       expressions.  Qualified meta expressions require the meta  keyword  be‐
1197       fore the meta key, unqualified meta expressions can be specified by us‐
1198       ing the meta key directly  or  as  qualified  meta  expressions.   Meta
1199       l4proto is useful to match a particular transport protocol that is part
1200       of either an IPv4 or IPv6 packet. It will also skip any IPv6  extension
1201       headers present in an IPv6 packet.
1202
1203       Meta expression types
1204
1205       ┌──────────┬─────────────────────┬───────────────────┐
1206       │Keyword   │ Description         │ Type              │
1207       ├──────────┼─────────────────────┼───────────────────┤
1208       │length    │ Length of the pack‐ │ integer (32 bit)  │
1209       │          │ et in bytes         │                   │
1210       ├──────────┼─────────────────────┼───────────────────┤
1211       │nfproto   │ real hook  protocol │ integer (32 bit)  │
1212       │          │ family, useful only │                   │
1213       │          │ in inet table       │                   │
1214       ├──────────┼─────────────────────┼───────────────────┤
1215       │l4proto   │ layer  4  protocol, │ integer (8 bit)   │
1216       │          │ skips  ipv6  exten‐ │                   │
1217       │          │ sion headers        │                   │
1218       ├──────────┼─────────────────────┼───────────────────┤
1219       │protocol  │ EtherType  protocol │ ether_type        │
1220       │          │ value               │                   │
1221       ├──────────┼─────────────────────┼───────────────────┤
1222       │priority  │ TC packet priority  │ tc_handle         │
1223       ├──────────┼─────────────────────┼───────────────────┤
1224       │mark      │ Packet mark         │ mark              │
1225       ├──────────┼─────────────────────┼───────────────────┤
1226       │iif       │ Input interface in‐ │ iface_index       │
1227       │          │ dex                 │                   │
1228       ├──────────┼─────────────────────┼───────────────────┤
1229       │iifname   │ Input     interface │ ifname            │
1230       │          │ name                │                   │
1231       ├──────────┼─────────────────────┼───────────────────┤
1232       │iiftype   │ Input     interface │ iface_type        │
1233       │          │ type                │                   │
1234       ├──────────┼─────────────────────┼───────────────────┤
1235       │oif       │ Output    interface │ iface_index       │
1236       │          │ index               │                   │
1237       ├──────────┼─────────────────────┼───────────────────┤
1238       │oifname   │ Output    interface │ ifname            │
1239       │          │ name                │                   │
1240       ├──────────┼─────────────────────┼───────────────────┤
1241       │oiftype   │ Output    interface │ iface_type        │
1242       │          │ hardware type       │                   │
1243       ├──────────┼─────────────────────┼───────────────────┤
1244       │skuid     │ UID associated with │ uid               │
1245       │          │ originating socket  │                   │
1246       ├──────────┼─────────────────────┼───────────────────┤
1247       │skgid     │ GID associated with │ gid               │
1248       │          │ originating socket  │                   │
1249       ├──────────┼─────────────────────┼───────────────────┤
1250       │rtclassid │ Routing realm       │ realm             │
1251       ├──────────┼─────────────────────┼───────────────────┤
1252       │ibrname   │ Input bridge inter‐ │ ifname            │
1253       │          │ face name           │                   │
1254       ├──────────┼─────────────────────┼───────────────────┤
1255       │obrname   │ Output  bridge  in‐ │ ifname            │
1256       │          │ terface name        │                   │
1257       ├──────────┼─────────────────────┼───────────────────┤
1258       │pkttype   │ packet type         │ pkt_type          │
1259       ├──────────┼─────────────────────┼───────────────────┤
1260       │cpu       │ cpu number process‐ │ integer (32 bits) │
1261       │          │ ing the packet      │                   │
1262       ├──────────┼─────────────────────┼───────────────────┤
1263       │iifgroup  │ incoming     device │ devgroup          │
1264       │          │ group               │                   │
1265       ├──────────┼─────────────────────┼───────────────────┤
1266       │oifgroup  │ outgoing     device │ devgroup          │
1267       │          │ group               │                   │
1268       ├──────────┼─────────────────────┼───────────────────┤
1269       │cgroup    │ control group id    │ integer (32 bits) │
1270       ├──────────┼─────────────────────┼───────────────────┤
1271       │random    │ pseudo-random  num‐ │ integer (32 bits) │
1272       │          │ ber                 │                   │
1273       ├──────────┼─────────────────────┼───────────────────┤
1274       │secpath   │ boolean             │ boolean (1 bit)   │
1275       └──────────┴─────────────────────┴───────────────────┘
1276       Meta expression specific types
1277
1278       ┌──────────────┬────────────────────────────┐
1279       │Type          │ Description                │
1280       ├──────────────┼────────────────────────────┤
1281       │iface_index   │ Interface  index  (32  bit │
1282       │              │ number). Can be  specified │
1283       │              │ numerically  or as name of │
1284       │              │ an existing interface.     │
1285       ├──────────────┼────────────────────────────┤
1286       │ifname        │ Interface  name  (16  byte │
1287       │              │ string).  Does not have to │
1288       │              │ exist.                     │
1289       ├──────────────┼────────────────────────────┤
1290       │iface_type    │ Interface  type  (16   bit │
1291       │              │ number).                   │
1292       ├──────────────┼────────────────────────────┤
1293       │uid           │ User  ID  (32 bit number). │
1294       │              │ Can be  specified  numeri‐ │
1295       │              │ cally or as user name.     │
1296       ├──────────────┼────────────────────────────┤
1297       │gid           │ Group  ID (32 bit number). │
1298       │              │ Can be  specified  numeri‐ │
1299       │              │ cally or as group name.    │
1300       ├──────────────┼────────────────────────────┤
1301       │realm         │ Routing Realm (32 bit num‐ │
1302       │              │ ber). Can be specified nu‐ │
1303       │              │ merically  or  as symbolic │
1304       │              │ name      defined       in │
1305       │              │ /etc/iproute2/rt_realms.   │
1306       ├──────────────┼────────────────────────────┤
1307       │devgroup_type │ Device  group (32 bit num‐ │
1308       │              │ ber). Can be specified nu‐ │
1309       │              │ merically  or  as symbolic │
1310       │              │ name      defined       in │
1311       │              │ /etc/iproute2/group.       │
1312       ├──────────────┼────────────────────────────┤
1313       │pkt_type      │ Packet  type: Unicast (ad‐ │
1314       │              │ dressed  to  local  host), │
1315       │              │ Broadcast (to all), Multi‐ │
1316       │              │ cast (to group).           │
1317       └──────────────┴────────────────────────────┘
1318       Using meta expressions
1319
1320       # qualified meta expression
1321       filter output meta oif eth0
1322
1323       # unqualified meta expression
1324       filter output oif eth0
1325
1326       # packed was subject to ipsec processing
1327       raw prerouting meta secpath exists accept
1328
1329   FIB EXPRESSIONS
1330       fib {saddr | daddr | {mark | iif | oif}} {oif | oifname | type}
1331
1332       A fib expression queries the fib (forwarding information base)  to  ob‐
1333       tain  information  such  as the output interface index a particular ad‐
1334       dress would use. The input is a tuple of elements that is used as input
1335       to the fib lookup functions.
1336
1337       fib expression specific types
1338
1339       ┌────────┬─────────────────────┬──────────────────┐
1340       │Keyword │ Description         │ Type             │
1341       ├────────┼─────────────────────┼──────────────────┤
1342       │oif     │ Output    interface │ integer (32 bit) │
1343       │        │ index               │                  │
1344       ├────────┼─────────────────────┼──────────────────┤
1345       │oifname │ Output    interface │ string           │
1346       │        │ name                │                  │
1347       ├────────┼─────────────────────┼──────────────────┤
1348       │type    │ Address type        │ fib_addrtype     │
1349       └────────┴─────────────────────┴──────────────────┘
1350       Using fib expressions
1351
1352       # drop packets without a reverse path
1353       filter prerouting fib saddr . iif oif missing drop
1354
1355       # drop packets to address not configured on ininterface
1356       filter prerouting fib daddr . iif type != { local, broadcast, multicast } drop
1357
1358       # perform lookup in a specific 'blackhole' table (0xdead, needs ip appropriate ip rule)
1359       filter prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : jump prohibited, unreachable : drop }
1360
1361   ROUTING EXPRESSIONS
1362       rt {classid | nexthop}
1363
1364       A routing expression refers to routing data associated with a packet.
1365
1366       Routing expression types
1367
1368       ┌────────┬─────────────────────┬─────────────────────┐
1369       │Keyword │ Description         │ Type                │
1370       ├────────┼─────────────────────┼─────────────────────┤
1371       │classid │ Routing realm       │ realm               │
1372       ├────────┼─────────────────────┼─────────────────────┤
1373       │nexthop │ Routing nexthop     │ ipv4_addr/ipv6_addr │
1374       ├────────┼─────────────────────┼─────────────────────┤
1375       │mtu     │ TCP maximum segment │ integer (16 bit)    │
1376       │        │ size of route       │                     │
1377       └────────┴─────────────────────┴─────────────────────┘
1378       Routing expression specific types
1379
1380       ┌──────┬────────────────────────────┐
1381       │Type  │ Description                │
1382       ├──────┼────────────────────────────┤
1383       │realm │ Routing Realm (32 bit num‐ │
1384       │      │ ber). Can be specified nu‐ │
1385       │      │ merically or  as  symbolic │
1386       │      │ name       defined      in │
1387       │      │ /etc/iproute2/rt_realms.   │
1388       └──────┴────────────────────────────┘
1389       Using routing expressions
1390
1391       # IP family independent rt expression
1392       filter output rt classid 10
1393
1394       # IP family dependent rt expressions
1395       ip filter output rt nexthop 192.168.0.1
1396       ip6 filter output rt nexthop fd00::1
1397       inet filter output rt ip nexthop 192.168.0.1
1398       inet filter output rt ip6 nexthop fd00::1
1399

PAYLOAD EXPRESSIONS

1401       Payload expressions refer to data from the packet's payload.
1402
1403   ETHERNET HEADER EXPRESSION
1404       ether [Ethernet header field]
1405
1406       Ethernet header expression types
1407
1408       ┌────────┬─────────────────────┬────────────┐
1409       │Keyword │ Description         │ Type       │
1410       ├────────┼─────────────────────┼────────────┤
1411       │daddr   │ Destination MAC ad‐ │ ether_addr │
1412       │        │ dress               │            │
1413       ├────────┼─────────────────────┼────────────┤
1414       │saddr   │ Source MAC address  │ ether_addr │
1415       ├────────┼─────────────────────┼────────────┤
1416       │type    │ EtherType           │ ether_type │
1417       └────────┴─────────────────────┴────────────┘
1418   VLAN HEADER EXPRESSION
1419       vlan [VLAN header field]
1420
1421       VLAN header expression
1422
1423       ┌────────┬─────────────────────┬──────────────────┐
1424       │Keyword │ Description         │ Type             │
1425       ├────────┼─────────────────────┼──────────────────┤
1426       │id      │ VLAN ID (VID)       │ integer (12 bit) │
1427       ├────────┼─────────────────────┼──────────────────┤
1428       │cfi     │ Canonical    Format │ integer (1 bit)  │
1429       │        │ Indicator           │                  │
1430       ├────────┼─────────────────────┼──────────────────┤
1431       │pcp     │ Priority code point │ integer (3 bit)  │
1432       ├────────┼─────────────────────┼──────────────────┤
1433       │type    │ EtherType           │ ether_type       │
1434       └────────┴─────────────────────┴──────────────────┘
1435   ARP HEADER EXPRESSION
1436       arp [ARP header field]
1437
1438       ARP header expression
1439
1440       ┌──────────┬─────────────────────┬──────────────────┐
1441       │Keyword   │ Description         │ Type             │
1442       ├──────────┼─────────────────────┼──────────────────┤
1443       │htype     │ ARP hardware type   │ integer (16 bit) │
1444       ├──────────┼─────────────────────┼──────────────────┤
1445       │ptype     │ EtherType           │ ether_type       │
1446       ├──────────┼─────────────────────┼──────────────────┤
1447       │hlen      │ Hardware    address │ integer (8 bit)  │
1448       │          │ len                 │                  │
1449       ├──────────┼─────────────────────┼──────────────────┤
1450       │plen      │ Protocol    address │ integer (8 bit)  │
1451       │          │ len                 │                  │
1452       ├──────────┼─────────────────────┼──────────────────┤
1453       │operation │ Operation           │ arp_op           │
1454       └──────────┴─────────────────────┴──────────────────┘
1455   IPV4 HEADER EXPRESSION
1456       ip [IPv4 header field]
1457
1458       IPv4 header expression
1459
1460       ┌──────────┬─────────────────────┬─────────────────────┐
1461       │Keyword   │ Description         │ Type                │
1462       ├──────────┼─────────────────────┼─────────────────────┤
1463       │version   │ IP  header  version │ integer (4 bit)     │
1464       │          │ (4)                 │                     │
1465       ├──────────┼─────────────────────┼─────────────────────┤
1466       │hdrlength │ IP   header  length │ integer   (4   bit) │
1467       │          │ including options   │ FIXME scaling       │
1468       ├──────────┼─────────────────────┼─────────────────────┤
1469       │dscp      │ Differentiated Ser‐ │ dscp                │
1470       │          │ vices Code Point    │                     │
1471       ├──────────┼─────────────────────┼─────────────────────┤
1472       │ecn       │ Explicit Congestion │ ecn                 │
1473       │          │ Notification        │                     │
1474       ├──────────┼─────────────────────┼─────────────────────┤
1475       │length    │ Total packet length │ integer (16 bit)    │
1476       ├──────────┼─────────────────────┼─────────────────────┤
1477       │id        │ IP ID               │ integer (16 bit)    │
1478       ├──────────┼─────────────────────┼─────────────────────┤
1479       │frag-off  │ Fragment offset     │ integer (16 bit)    │
1480       ├──────────┼─────────────────────┼─────────────────────┤
1481       │ttl       │ Time to live        │ integer (8 bit)     │
1482       ├──────────┼─────────────────────┼─────────────────────┤
1483       │protocol  │ Upper  layer proto‐ │ inet_proto          │
1484       │          │ col                 │                     │
1485       ├──────────┼─────────────────────┼─────────────────────┤
1486       │checksum  │ IP header checksum  │ integer (16 bit)    │
1487       ├──────────┼─────────────────────┼─────────────────────┤
1488       │saddr     │ Source address      │ ipv4_addr           │
1489       ├──────────┼─────────────────────┼─────────────────────┤
1490       │daddr     │ Destination address │ ipv4_addr           │
1491       └──────────┴─────────────────────┴─────────────────────┘
1492   ICMP HEADER EXPRESSION
1493       icmp [ICMP header field]
1494
1495       ICMP header expression
1496
1497       ┌─────────┬─────────────────────┬──────────────────┐
1498       │Keyword  │ Description         │ Type             │
1499       ├─────────┼─────────────────────┼──────────────────┤
1500       │type     │ ICMP type field     │ icmp_type        │
1501       ├─────────┼─────────────────────┼──────────────────┤
1502       │code     │ ICMP code field     │ integer (8 bit)  │
1503       ├─────────┼─────────────────────┼──────────────────┤
1504       │checksum │ ICMP checksum field │ integer (16 bit) │
1505       ├─────────┼─────────────────────┼──────────────────┤
1506       │id       │ ID  of   echo   re‐ │ integer (16 bit) │
1507       │         │ quest/response      │                  │
1508       ├─────────┼─────────────────────┼──────────────────┤
1509       │sequence │ sequence  number of │ integer (16 bit) │
1510       │         │ echo    request/re‐ │                  │
1511       │         │ sponse              │                  │
1512       ├─────────┼─────────────────────┼──────────────────┤
1513       │gateway  │ gateway   of  redi‐ │ integer (32 bit) │
1514       │         │ rects               │                  │
1515       ├─────────┼─────────────────────┼──────────────────┤
1516       │mtu      │ MTU  of  path   MTU │ integer (16 bit) │
1517       │         │ discovery           │                  │
1518       └─────────┴─────────────────────┴──────────────────┘
1519   IPV6 HEADER EXPRESSION
1520       ip6 [IPv6 header field]
1521
1522       This  expression  refers to the ipv6 header fields.  Caution when using
1523       ip6 nexthdr, the value only refers to the next header, i.e. ip6 nexthdr
1524       tcp  will  only match if the ipv6 packet does not contain any extension
1525       headers. Packets that are fragmented or e.g. contain a  routing  exten‐
1526       sion  headers will not be matched.  Please use meta l4proto if you wish
1527       to match the real transport header and ignore any additional  extension
1528       headers instead.
1529
1530       IPv6 header expression
1531
1532       ┌──────────┬─────────────────────┬──────────────────┐
1533       │Keyword   │ Description         │ Type             │
1534       ├──────────┼─────────────────────┼──────────────────┤
1535       │version   │ IP  header  version │ integer (4 bit)  │
1536       │          │ (6)                 │                  │
1537       ├──────────┼─────────────────────┼──────────────────┤
1538       │dscp      │ Differentiated Ser‐ │ dscp             │
1539       │          │ vices Code Point    │                  │
1540       ├──────────┼─────────────────────┼──────────────────┤
1541       │ecn       │ Explicit Congestion │ ecn              │
1542       │          │ Notification        │                  │
1543       ├──────────┼─────────────────────┼──────────────────┤
1544       │flowlabel │ Flow label          │ integer (20 bit) │
1545       ├──────────┼─────────────────────┼──────────────────┤
1546       │length    │ Payload length      │ integer (16 bit) │
1547       ├──────────┼─────────────────────┼──────────────────┤
1548       │nexthdr   │ Nexthdr protocol    │ inet_proto       │
1549       ├──────────┼─────────────────────┼──────────────────┤
1550       │hoplimit  │ Hop limit           │ integer (8 bit)  │
1551       ├──────────┼─────────────────────┼──────────────────┤
1552       │saddr     │ Source address      │ ipv6_addr        │
1553       ├──────────┼─────────────────────┼──────────────────┤
1554       │daddr     │ Destination address │ ipv6_addr        │
1555       └──────────┴─────────────────────┴──────────────────┘
1556       matching if first extension header indicates a fragment
1557
1558       ip6 nexthdr ipv6-frag counter
1559
1560   ICMPV6 HEADER EXPRESSION
1561       icmpv6 [ICMPv6 header field]
1562
1563       ICMPv6 header expression
1564
1565       ┌──────────────────┬─────────────────────┬──────────────────┐
1566       │Keyword           │ Description         │ Type             │
1567       ├──────────────────┼─────────────────────┼──────────────────┤
1568       │type              │ ICMPv6 type field   │ icmpv6_type      │
1569       ├──────────────────┼─────────────────────┼──────────────────┤
1570       │code              │ ICMPv6 code field   │ integer (8 bit)  │
1571       ├──────────────────┼─────────────────────┼──────────────────┤
1572       │checksum          │ ICMPv6     checksum │ integer (16 bit) │
1573       │                  │ field               │                  │
1574       ├──────────────────┼─────────────────────┼──────────────────┤
1575       │parameter-problem │ pointer to problem  │ integer (32 bit) │
1576       ├──────────────────┼─────────────────────┼──────────────────┤
1577       │packet-too-big    │ oversized MTU       │ integer (32 bit) │
1578       ├──────────────────┼─────────────────────┼──────────────────┤
1579       │id                │ ID   of   echo  re‐ │ integer (16 bit) │
1580       │                  │ quest/response      │                  │
1581       ├──────────────────┼─────────────────────┼──────────────────┤
1582       │sequence          │ sequence number  of │ integer (16 bit) │
1583       │                  │ echo    request/re‐ │                  │
1584       │                  │ sponse              │                  │
1585       ├──────────────────┼─────────────────────┼──────────────────┤
1586       │max-delay         │ maximum    response │ integer (16 bit) │
1587       │                  │ delay     of    MLD │                  │
1588       │                  │ queries             │                  │
1589       └──────────────────┴─────────────────────┴──────────────────┘
1590   TCP HEADER EXPRESSION
1591       tcp [TCP header field]
1592
1593       TCP header expression
1594
1595       ┌─────────┬──────────────────┬─────────────────────┐
1596       │Keyword  │ Description      │ Type                │
1597       ├─────────┼──────────────────┼─────────────────────┤
1598       │sport    │ Source port      │ inet_service        │
1599       ├─────────┼──────────────────┼─────────────────────┤
1600       │dport    │ Destination port │ inet_service        │
1601       ├─────────┼──────────────────┼─────────────────────┤
1602       │sequence │ Sequence number  │ integer (32 bit)    │
1603       ├─────────┼──────────────────┼─────────────────────┤
1604       │ackseq   │ Acknowledgement  │ integer (32 bit)    │
1605       │         │ number           │                     │
1606       ├─────────┼──────────────────┼─────────────────────┤
1607       │doff     │ Data offset      │ integer   (4   bit) │
1608       │         │                  │ FIXME scaling       │
1609       ├─────────┼──────────────────┼─────────────────────┤
1610       │reserved │ Reserved area    │ integer (4 bit)     │
1611       ├─────────┼──────────────────┼─────────────────────┤
1612       │flags    │ TCP flags        │ tcp_flag            │
1613       ├─────────┼──────────────────┼─────────────────────┤
1614       │window   │ Window           │ integer (16 bit)    │
1615       ├─────────┼──────────────────┼─────────────────────┤
1616       │checksum │ Checksum         │ integer (16 bit)    │
1617       ├─────────┼──────────────────┼─────────────────────┤
1618       │urgptr   │ Urgent pointer   │ integer (16 bit)    │
1619       └─────────┴──────────────────┴─────────────────────┘
1620   UDP HEADER EXPRESSION
1621       udp [UDP header field]
1622
1623       UDP header expression
1624
1625       ┌─────────┬─────────────────────┬──────────────────┐
1626       │Keyword  │ Description         │ Type             │
1627       ├─────────┼─────────────────────┼──────────────────┤
1628       │sport    │ Source port         │ inet_service     │
1629       ├─────────┼─────────────────────┼──────────────────┤
1630       │dport    │ Destination port    │ inet_service     │
1631       ├─────────┼─────────────────────┼──────────────────┤
1632       │length   │ Total packet length │ integer (16 bit) │
1633       ├─────────┼─────────────────────┼──────────────────┤
1634       │checksum │ Checksum            │ integer (16 bit) │
1635       └─────────┴─────────────────────┴──────────────────┘
1636   UDP-LITE HEADER EXPRESSION
1637       udplite [UDP-Lite header field]
1638
1639       UDP-Lite header expression
1640
1641       ┌─────────┬──────────────────┬──────────────────┐
1642       │Keyword  │ Description      │ Type             │
1643       ├─────────┼──────────────────┼──────────────────┤
1644       │sport    │ Source port      │ inet_service     │
1645       ├─────────┼──────────────────┼──────────────────┤
1646       │dport    │ Destination port │ inet_service     │
1647       ├─────────┼──────────────────┼──────────────────┤
1648       │checksum │ Checksum         │ integer (16 bit) │
1649       └─────────┴──────────────────┴──────────────────┘
1650   SCTP HEADER EXPRESSION
1651       sctp [SCTP header field]
1652
1653       SCTP header expression
1654
1655       ┌─────────┬──────────────────┬──────────────────┐
1656       │Keyword  │ Description      │ Type             │
1657       ├─────────┼──────────────────┼──────────────────┤
1658       │sport    │ Source port      │ inet_service     │
1659       ├─────────┼──────────────────┼──────────────────┤
1660       │dport    │ Destination port │ inet_service     │
1661       ├─────────┼──────────────────┼──────────────────┤
1662       │vtag     │ Verification Tag │ integer (32 bit) │
1663       ├─────────┼──────────────────┼──────────────────┤
1664       │checksum │ Checksum         │ integer (32 bit) │
1665       └─────────┴──────────────────┴──────────────────┘
1666   DCCP HEADER EXPRESSION
1667       dccp [DCCP header field]
1668
1669       DCCP header expression
1670
1671       ┌────────┬──────────────────┬──────────────┐
1672       │Keyword │ Description      │ Type         │
1673       ├────────┼──────────────────┼──────────────┤
1674       │sport   │ Source port      │ inet_service │
1675       ├────────┼──────────────────┼──────────────┤
1676       │dport   │ Destination port │ inet_service │
1677       └────────┴──────────────────┴──────────────┘
1678   AUTHENTICATION HEADER EXPRESSION
1679       ah [AH header field]
1680
1681       AH header expression
1682
1683       ┌──────────┬─────────────────────┬──────────────────┐
1684       │Keyword   │ Description         │ Type             │
1685       ├──────────┼─────────────────────┼──────────────────┤
1686       │nexthdr   │ Next header  proto‐ │ inet_proto       │
1687       │          │ col                 │                  │
1688       ├──────────┼─────────────────────┼──────────────────┤
1689       │hdrlength │ AH Header length    │ integer (8 bit)  │
1690       ├──────────┼─────────────────────┼──────────────────┤
1691       │reserved  │ Reserved area       │ integer (16 bit) │
1692       ├──────────┼─────────────────────┼──────────────────┤
1693       │spi       │ Security  Parameter │ integer (32 bit) │
1694       │          │ Index               │                  │
1695       ├──────────┼─────────────────────┼──────────────────┤
1696       │sequence  │ Sequence number     │ integer (32 bit) │
1697       └──────────┴─────────────────────┴──────────────────┘
1698   ENCRYPTED SECURITY PAYLOAD HEADER EXPRESSION
1699       esp [ESP header field]
1700
1701       ESP header expression
1702
1703       ┌─────────┬─────────────────────┬──────────────────┐
1704       │Keyword  │ Description         │ Type             │
1705       ├─────────┼─────────────────────┼──────────────────┤
1706       │spi      │ Security  Parameter │ integer (32 bit) │
1707       │         │ Index               │                  │
1708       ├─────────┼─────────────────────┼──────────────────┤
1709       │sequence │ Sequence number     │ integer (32 bit) │
1710       └─────────┴─────────────────────┴──────────────────┘
1711   IPCOMP HEADER EXPRESSION
1712       comp [IPComp header field]
1713
1714       IPComp header expression
1715
1716       ┌────────┬─────────────────────┬──────────────────┐
1717       │Keyword │ Description         │ Type             │
1718       ├────────┼─────────────────────┼──────────────────┤
1719       │nexthdr │ Next  header proto‐ │ inet_proto       │
1720       │        │ col                 │                  │
1721       ├────────┼─────────────────────┼──────────────────┤
1722       │flags   │ Flags               │ bitmask          │
1723       ├────────┼─────────────────────┼──────────────────┤
1724       │cpi     │ Compression Parame‐ │ integer (16 bit) │
1725       │        │ ter Index           │                  │
1726       └────────┴─────────────────────┴──────────────────┘
1727   RAW PAYLOAD EXPRESSION
1728       @ [base,offset,length]
1729
1730       The  raw  payload  expression  instructs to load lengthbits starting at
1731       offsetbits.  Bit 0 refers the the very first bit -- in the  C  program‐
1732       ming  language,  this corresponds to the topmost bit, i.e. 0x80 in case
1733       of an octet.  They are useful to match headers that do not have  a  hu‐
1734       man-readable  template  expression yet.  Note that nft will not add de‐
1735       pendencies for Raw payload expressions.  If you e.g. want to match pro‐
1736       tocol  fields of a transport header with protocol number 5, you need to
1737       manually exclude packets that have a different  transport  header,  for
1738       instance my using meta l4proto 5 before the raw expression.
1739
1740       Supported payload protocol bases
1741
1742       ┌─────┬────────────────────────────┐
1743       │Base │ Description                │
1744       ├─────┼────────────────────────────┤
1745       │ll   │ Link  layer,  for  example │
1746       │     │ the Ethernet header        │
1747       ├─────┼────────────────────────────┤
1748       │nh   │ Network header, for  exam‐ │
1749       │     │ ple IPv4 or IPv6           │
1750       ├─────┼────────────────────────────┤
1751       │th   │ Transport  Header, for ex‐ │
1752       │     │ ample TCP                  │
1753       └─────┴────────────────────────────┘
1754       Matching destination port of both UDP and TCP
1755
1756       inet filter input meta l4proto {tcp, udp} @th,16,16 { dns, http }
1757
1758       Rewrite arp packet target hardware address if target  protocol  address
1759       matches a given address
1760
1761       input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept
1762
1763   EXTENSION HEADER EXPRESSIONS
1764       Extension header expressions refer to data from variable-sized protocol
1765       headers, such as IPv6 extension headers and TCP options.
1766
1767       nftables currently supports matching (finding) a given  ipv6  extension
1768       header or TCP option.
1769       hbh {nexthdr | hdrlength}
1770       frag {nexthdr | frag-off | more-fragments | id}
1771       rt {nexthdr | hdrlength | type | seg-left}
1772       dst {nexthdr | hdrlength}
1773       mh {nexthdr | hdrlength | checksum | type}
1774       srh {flags | tag | sid | seg-left}
1775       tcp option {eol | noop | maxseg | window | sack-permitted | sack |
1776                  sack0 | sack1 | sack2 | sack3 | timestamp} tcp_option_field
1777
1778       The following syntaxes are valid only in a relational  expression  with
1779       boolean type on right-hand side for checking header existence only:
1780       exthdr {hbh | frag | rt | dst | mh}
1781       tcp option {eol | noop | maxseg | window | sack-permitted | sack |
1782                  sack0 | sack1 | sack2 | sack3 | timestamp}
1783
1784       IPv6 extension headers
1785
1786       ┌────────┬────────────────────────┐
1787       │Keyword │ Description            │
1788       ├────────┼────────────────────────┤
1789       │hbh     │ Hop by Hop             │
1790       ├────────┼────────────────────────┤
1791       │rt      │ Routing Header         │
1792       ├────────┼────────────────────────┤
1793       │frag    │ Fragmentation header   │
1794       ├────────┼────────────────────────┤
1795       │dst     │ dst options            │
1796       ├────────┼────────────────────────┤
1797       │mh      │ Mobility Header        │
1798       ├────────┼────────────────────────┤
1799       │srh     │ Segment Routing Header │
1800       └────────┴────────────────────────┘
1801       TCP Options
1802
1803       ┌───────────────┬─────────────────────┬─────────────────────┐
1804       │Keyword        │ Description         │ TCP option fields   │
1805       ├───────────────┼─────────────────────┼─────────────────────┤
1806       │eol            │ End of option list  │ kind                │
1807       ├───────────────┼─────────────────────┼─────────────────────┤
1808       │noop           │ 1  Byte  TCP  No-op │ kind                │
1809       │               │ options             │                     │
1810       ├───────────────┼─────────────────────┼─────────────────────┤
1811       │maxseg         │ TCP Maximum Segment │ kind, length, size  │
1812       │               │ Size                │                     │
1813       ├───────────────┼─────────────────────┼─────────────────────┤
1814       │window         │ TCP Window Scaling  │ kind, length, count │
1815       ├───────────────┼─────────────────────┼─────────────────────┤
1816       │sack-permitted │ TCP SACK permitted  │ kind, length        │
1817       ├───────────────┼─────────────────────┼─────────────────────┤
1818       │sack           │ TCP  Selective  Ac‐ │ kind, length, left, │
1819       │               │ knowledgement       │ right               │
1820       │               │ (alias of block 0)  │                     │
1821       ├───────────────┼─────────────────────┼─────────────────────┤
1822       │sack0          │ TCP  Selective  Ac‐ │ kind, length, left, │
1823       │               │ knowledgement       │ right               │
1824       │               │ (block 0)           │                     │
1825       ├───────────────┼─────────────────────┼─────────────────────┤
1826       │sack1          │ TCP  Selective  Ac‐ │ kind, length, left, │
1827       │               │ knowledgement       │ right               │
1828       │               │ (block 1)           │                     │
1829       ├───────────────┼─────────────────────┼─────────────────────┤
1830       │sack2          │ TCP  Selective  Ac‐ │ kind, length, left, │
1831       │               │ knowledgement       │ right               │
1832       │               │ (block 2)           │                     │
1833       ├───────────────┼─────────────────────┼─────────────────────┤
1834       │sack3          │ TCP  Selective  Ac‐ │ kind, length, left, │
1835       │               │ knowledgement       │ right               │
1836       │               │ (block 3)           │                     │
1837       ├───────────────┼─────────────────────┼─────────────────────┤
1838       │timestamp      │ TCP Timestamps      │ kind,       length, │
1839       │               │                     │ tsval, tsecr        │
1840       └───────────────┴─────────────────────┴─────────────────────┘
1841       finding TCP options
1842
1843       filter input tcp option sack-permitted kind 1 counter
1844
1845       matching IPv6 exthdr
1846
1847       ip6 filter input frag more-fragments 1 counter
1848
1849   CONNTRACK EXPRESSIONS
1850       Conntrack expressions refer to meta data of the connection tracking en‐
1851       try associated with a packet.
1852
1853       There  are three types of conntrack expressions. Some conntrack expres‐
1854       sions require the flow direction before the conntrack key, others  must
1855       be  used  directly  because  they are direction agnostic.  The packets,
1856       bytes and avgpkt keywords can be used with or without a  direction.  If
1857       the  direction is omitted, the sum of the original and the reply direc‐
1858       tion is returned. The same is true for the zone, if a direction is giv‐
1859       en, the zone is only matched if the zone id is tied to the given direc‐
1860       tion.
1861
1862       ct {state | direction | status | mark | expiration | helper | label |
1863          l3proto | protocol | bytes | packets | avgpkt | zone}
1864       ct {original | reply} {l3proto | protocol | proto-src | proto-dst |
1865          bytes | packets | avgpkt | zone}
1866       ct {original | reply} {ip | ip6} {saddr | daddr}
1867
1868       Conntrack expressions
1869
1870       ┌───────────┬─────────────────────┬─────────────────────┐
1871       │Keyword    │ Description         │ Type                │
1872       ├───────────┼─────────────────────┼─────────────────────┤
1873       │state      │ State of  the  con‐ │ ct_state            │
1874       │           │ nection             │                     │
1875       ├───────────┼─────────────────────┼─────────────────────┤
1876       │direction  │ Direction   of  the │ ct_dir              │
1877       │           │ packet relative  to │                     │
1878       │           │ the connection      │                     │
1879       ├───────────┼─────────────────────┼─────────────────────┤
1880       │status     │ Status  of the con‐ │ ct_status           │
1881       │           │ nection             │                     │
1882       ├───────────┼─────────────────────┼─────────────────────┤
1883       │mark       │ Connection mark     │ mark                │
1884       ├───────────┼─────────────────────┼─────────────────────┤
1885       │expiration │ Connection  expira‐ │ time                │
1886       │           │ tion time           │                     │
1887       ├───────────┼─────────────────────┼─────────────────────┤
1888       │helper     │ Helper   associated │ string              │
1889       │           │ with the connection │                     │
1890       ├───────────┼─────────────────────┼─────────────────────┤
1891       │label      │ Connection tracking │ ct_label            │
1892       │           │ label  bit  or sym‐ │                     │
1893       │           │ bolic name  defined │                     │
1894       │           │ in   connlabel.conf │                     │
1895       │           │ in the nftables in‐ │                     │
1896       │           │ clude path          │                     │
1897       ├───────────┼─────────────────────┼─────────────────────┤
1898       │l3proto    │ Layer 3 protocol of │ nf_proto            │
1899       │           │ the connection      │                     │
1900       ├───────────┼─────────────────────┼─────────────────────┤
1901       │saddr      │ Source  address  of │ ipv4_addr/ipv6_addr │
1902       │           │ the  connection for │                     │
1903       │           │ the given direction │                     │
1904       ├───────────┼─────────────────────┼─────────────────────┤
1905       │daddr      │ Destination address │ ipv4_addr/ipv6_addr │
1906       │           │ of  the  connection │                     │
1907       │           │ for the  given  di‐ │                     │
1908       │           │ rection             │                     │
1909       ├───────────┼─────────────────────┼─────────────────────┤
1910       │protocol   │ Layer 4 protocol of │ inet_proto          │
1911       │           │ the connection  for │                     │
1912       │           │ the given direction │                     │
1913       ├───────────┼─────────────────────┼─────────────────────┤
1914       │proto-src  │ Layer   4  protocol │ integer (16 bit)    │
1915       │           │ source for the giv‐ │                     │
1916       │           │ en direction        │                     │
1917       ├───────────┼─────────────────────┼─────────────────────┤
1918       │proto-dst  │ Layer   4  protocol │ integer (16 bit)    │
1919       │           │ destination for the │                     │
1920       │           │ given direction     │                     │
1921       ├───────────┼─────────────────────┼─────────────────────┤
1922       │packets    │ packet  count  seen │ integer (64 bit)    │
1923       │           │ in the given direc‐ │                     │
1924       │           │ tion   or   sum  of │                     │
1925       │           │ original and reply  │                     │
1926       ├───────────┼─────────────────────┼─────────────────────┤
1927       │bytes      │ byte  count   seen, │ integer (64 bit)    │
1928       │           │ see description for │                     │
1929       │           │ packets keyword     │                     │
1930       ├───────────┼─────────────────────┼─────────────────────┤
1931       │avgpkt     │ average  bytes  per │ integer (64 bit)    │
1932       │           │ packet,   see   de‐ │                     │
1933       │           │ scription for pack‐ │                     │
1934       │           │ ets keyword         │                     │
1935       ├───────────┼─────────────────────┼─────────────────────┤
1936       │zone       │ conntrack zone      │ integer (16 bit)    │
1937       └───────────┴─────────────────────┴─────────────────────┘
1938       A  description  of  conntrack-specific  types listed above can be found
1939       sub-section CONNTRACK TYPES above.
1940

STATEMENTS

1942       Statements represent actions to be performed. They  can  alter  control
1943       flow  (return, jump to a different chain, accept or drop the packet) or
1944       can perform actions, such as logging, rejecting a packet, etc.
1945
1946       Statements exist in two kinds. Terminal statements unconditionally ter‐
1947       minate  evaluation  of the current rule, non-terminal statements either
1948       only conditionally or never terminate evaluation of the  current  rule,
1949       in  other  words, they are passive from the ruleset evaluation perspec‐
1950       tive. There can be an arbitrary amount of non-terminal statements in  a
1951       rule, but only a single terminal statement as the final statement.
1952
1953   VERDICT STATEMENT
1954       The  verdict  statement  alters  control flow in the ruleset and issues
1955       policy decisions for packets.
1956
1957       {accept | drop | queue | continue | return}
1958       {jump | goto} chain
1959
1960       accept Terminate ruleset evaluation and accept the packet.
1961
1962       drop   Terminate ruleset evaluation and drop the packet.
1963
1964       queue  Terminate ruleset evaluation and queue the packet to userspace.
1965
1966       continue
1967              Continue ruleset evaluation with the next rule. FIXME
1968
1969       return Return from the current chain and  continue  evaluation  at  the
1970              next  rule  in  the last chain. If issued in a base chain, it is
1971              equivalent to accept.
1972
1973       jump chain
1974              Continue evaluation at the first rule in chain.  The current po‐
1975              sition  in  the ruleset is pushed to a call stack and evaluation
1976              will continue there when the new chain is entirely evaluated  of
1977              a return verdict is issued.
1978
1979       goto chain
1980              Similar  to  jump, but the current position is not pushed to the
1981              call stack, meaning that after the  new  chain  evaluation  will
1982              continue at the last chain instead of the one containing the go‐
1983              to statement.
1984
1985       Verdict statements
1986
1987       # process packets from eth0 and the internal network in from_lan
1988       # chain, drop all packets from eth0 with different source addresses.
1989
1990       filter input iif eth0 ip saddr 192.168.0.0/24 jump from_lan
1991       filter input iif eth0 drop
1992
1993   PAYLOAD STATEMENT
1994       The payload statement alters packet content.  It can be used for  exam‐
1995       ple to set ip DSCP (differv) header field or ipv6 flow labels.
1996
1997       route some packets instead of bridging
1998
1999       # redirect tcp:http from 192.160.0.0/16 to local machine for routing instead of bridging
2000       # assumes 00:11:22:33:44:55 is local MAC address.
2001       bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55
2002
2003       Set IPv4 DSCP header field
2004
2005       ip forward ip dscp set 42
2006
2007   EXTENSION HEADER STATEMENT
2008       The  extension header statement alters packet content in variable-sized
2009       headers.  This can currently be used to alter the TCP  Maximum  segment
2010       size of packets, similar to TCPMSS.
2011
2012       change tcp mss
2013
2014       tcp flags syn tcp option maxseg size set 1360
2015       # set a size based on route information:
2016       tcp flags syn tcp option maxseg size set rt mtu
2017
2018   LOG STATEMENT
2019       log [prefix quoted_string] [level syslog-level] [flags log-flags]
2020       log group nflog_group [prefix quoted_string] [queue-threshold value]
2021           [snaplen size]
2022
2023       The log statement enables logging of matching packets. When this state‐
2024       ment  is used from a rule, the Linux kernel will print some information
2025       on all matching packets, such as header  fields,  via  the  kernel  log
2026       (where  it  can  be  read  with dmesg(1) or read in the syslog). If the
2027       group number is specified, the Linux kernel will  pass  the  packet  to
2028       nfnetlink_log  which will multicast the packet through a netlink socket
2029       to the specified multicast group. One or more userspace  processes  may
2030       subscribe  to  the group to receive the packets, see libnetfilter_queue
2031       documentation for details. This is a non-terminating statement, so  the
2032       rule evaluation continues after the packet is logged.
2033
2034       log statement options
2035
2036       ┌────────────────┬─────────────────────┬─────────────────────┐
2037       │Keyword         │ Description         │ Type                │
2038       ├────────────────┼─────────────────────┼─────────────────────┤
2039       │prefix          │ Log message prefix  │ quoted string       │
2040       ├────────────────┼─────────────────────┼─────────────────────┤
2041       │level           │ Syslog   level   of │ string:      emerg, │
2042       │                │ logging             │ alert,  crit,  err, │
2043       │                │                     │ warn [default], no‐ │
2044       │                │                     │ tice, info, debug   │
2045       ├────────────────┼─────────────────────┼─────────────────────┤
2046       │group           │ NFLOG group to send │ unsigned    integer │
2047       │                │ messages to         │ (16 bit)            │
2048       ├────────────────┼─────────────────────┼─────────────────────┤
2049       │snaplen         │ Length   of  packet │ unsigned    integer │
2050       │                │ payload to  include │ (32 bit)            │
2051       │                │ in netlink message  │                     │
2052       ├────────────────┼─────────────────────┼─────────────────────┤
2053       │queue-threshold │ Number  of  packets │ unsigned    integer │
2054       │                │ to queue inside the │ (32 bit)            │
2055       │                │ kernel before send‐ │                     │
2056       │                │ ing     them     to │                     │
2057       │                │ userspace           │                     │
2058       └────────────────┴─────────────────────┴─────────────────────┘
2059       log-flags
2060
2061       ┌─────────────┬────────────────────────────┐
2062       │Flag         │ Description                │
2063       ├─────────────┼────────────────────────────┤
2064       │tcp sequence │ Log TCP sequence numbers.  │
2065       ├─────────────┼────────────────────────────┤
2066       │tcp options  │ Log  options  from the TCP │
2067       │             │ packet header.             │
2068       ├─────────────┼────────────────────────────┤
2069       │ip options   │ Log   options   from   the │
2070       │             │ IP/IPv6 packet header.     │
2071       ├─────────────┼────────────────────────────┤
2072       │skuid        │ Log   the  userid  of  the │
2073       │             │ process  which   generated │
2074       │             │ the packet.                │
2075       ├─────────────┼────────────────────────────┤
2076       │ether        │ Decode  MAC  addresses and │
2077       │             │ protocol.                  │
2078       ├─────────────┼────────────────────────────┤
2079       │all          │ Enable all log flags list‐ │
2080       │             │ ed above.                  │
2081       └─────────────┴────────────────────────────┘
2082       Using log statement
2083
2084       # log the UID which generated the packet and ip options
2085       ip filter output log flags skuid flags ip options
2086
2087       # log the tcp sequence numbers and tcp options from the TCP packet
2088       ip filter output log flags tcp sequence,options
2089
2090       # enable all supported log flags
2091       ip6 filter output log flags all
2092
2093   REJECT STATEMENT
2094       reject [ with {icmp | icmpv6 | icmpx} type {icmp_code | icmpv6_code |
2095              icmpx_code} ]
2096       reject [ with tcp reset ]
2097
2098       A reject statement is used to send back an error packet in response  to
2099       the matched packet otherwise it is equivalent to drop so it is a termi‐
2100       nating statement, ending rule traversal. This statement is  only  valid
2101       in  the input, forward and output chains, and user-defined chains which
2102       are only called from those chains.
2103
2104       The different ICMP reject variants are meant for use in different table
2105       families:
2106
2107       ┌────────┬────────┬─────────────┐
2108       │Variant │ Family │ Type        │
2109       ├────────┼────────┼─────────────┤
2110       │icmp    │ ip     │ icmp_code   │
2111       ├────────┼────────┼─────────────┤
2112       │icmpv6  │ ip6    │ icmpv6_code │
2113       ├────────┼────────┼─────────────┤
2114       │icmpx   │ inet   │ icmpx_code  │
2115       └────────┴────────┴─────────────┘
2116       For  a  description of the different types and a list of supported key‐
2117       words refer to DATA TYPES section above.   The  common  default  reject
2118       value is port-unreachable.
2119
2120       Note  that  in  bridge family, reject statement is only allowed in base
2121       chains which hook into input or prerouting.
2122
2123   COUNTER STATEMENT
2124       A counter statement sets the hit count of packets along with the number
2125       of bytes.
2126
2127       counter [ packets number bytes number ]
2128
2129   CONNTRACK STATEMENT
2130       The  conntrack statement can be used to set the conntrack mark and con‐
2131       ntrack labels.
2132
2133       ct {mark | event | label | zone} set value
2134
2135       The ct statement sets meta data associated with a connection.  The zone
2136       id  has to be assigned before a conntrack lookup takes place, i.e. this
2137       has to be done in prerouting and possibly output (if locally  generated
2138       packets  need to be placed in a distinct zone), with a hook priority of
2139       -300.
2140
2141       Conntrack statement types
2142
2143       ┌────────┬─────────────────────┬─────────────────────┐
2144       │Keyword │ Description         │ Value               │
2145       ├────────┼─────────────────────┼─────────────────────┤
2146       │event   │ conntrack     event │ bitmask,    integer │
2147       │        │ bits                │ (32 bit)            │
2148       ├────────┼─────────────────────┼─────────────────────┤
2149       │helper  │ name of  ct  helper │ quoted string       │
2150       │        │ object to assign to │                     │
2151       │        │ the connection      │                     │
2152       ├────────┼─────────────────────┼─────────────────────┤
2153       │mark    │ Connection tracking │ mark                │
2154       │        │ mark                │                     │
2155       ├────────┼─────────────────────┼─────────────────────┤
2156       │label   │ Connection tracking │ label               │
2157       │        │ label               │                     │
2158       ├────────┼─────────────────────┼─────────────────────┤
2159       │zone    │ conntrack zone      │ integer (16 bit)    │
2160       └────────┴─────────────────────┴─────────────────────┘
2161       save packet nfmark in conntrack
2162
2163       ct mark set meta mark
2164
2165       set zone mapped via interface
2166
2167       table inet raw {
2168         chain prerouting {
2169             type filter hook prerouting priority -300;
2170             ct zone set iif map { "eth1" : 1, "veth1" : 2 }
2171         }
2172         chain output {
2173             type filter hook output priority -300;
2174             ct zone set oif map { "eth1" : 1, "veth1" : 2 }
2175         }
2176       }
2177
2178       restrict events reported by ctnetlink
2179
2180       ct event set new,related,destroy
2181
2182   META STATEMENT
2183       A meta statement sets the value of a  meta  expression.   The  existing
2184       meta fields are: priority, mark, pkttype, nftrace.
2185
2186       meta {mark | priority | pkttype | nftrace} set value
2187
2188       A meta statement sets meta data associated with a packet.
2189
2190       Meta statement types
2191
2192       ┌─────────┬─────────────────────┬───────────┐
2193       │Keyword  │ Description         │ Value     │
2194       ├─────────┼─────────────────────┼───────────┤
2195       │priority │ TC packet priority  │ tc_handle │
2196       ├─────────┼─────────────────────┼───────────┤
2197       │mark     │ Packet mark         │ mark      │
2198       ├─────────┼─────────────────────┼───────────┤
2199       │pkttype  │ packet type         │ pkt_type  │
2200       ├─────────┼─────────────────────┼───────────┤
2201       │nftrace  │ ruleset      packet │ 0, 1      │
2202       │         │ tracing on/off. Use │           │
2203       │         │ monitor  trace com‐ │           │
2204       │         │ mand    to    watch │           │
2205       │         │ traces              │           │
2206       └─────────┴─────────────────────┴───────────┘
2207   LIMIT STATEMENT
2208       limit rate [over] packet_number / {second | minute | hour | day} [burst
2209             packet_number packets]
2210       limit rate [over] byte_number {bytes | kbytes | mbytes} / {second |
2211             minute | hour | day | week} [burst byte_number bytes]
2212
2213       A  limit  statement matches at a limited rate using a token bucket fil‐
2214       ter. A rule using  this  statement  will  match  until  this  limit  is
2215       reached.  It  can be used in combination with the log statement to give
2216       limited logging. The over keyword, that is  optional,  makes  it  match
2217       over the specified rate.
2218
2219       limit statement values
2220
2221       ┌──────────────┬───────────────────┬─────────────────────┐
2222       │Value         │ Description       │ Type                │
2223       ├──────────────┼───────────────────┼─────────────────────┤
2224       │packet_number │ Number of packets │ unsigned    integer │
2225       │              │                   │ (32 bit)            │
2226       ├──────────────┼───────────────────┼─────────────────────┤
2227       │byte_number   │ Number of bytes   │ unsigned    integer │
2228       │              │                   │ (32 bit)            │
2229       └──────────────┴───────────────────┴─────────────────────┘
2230   NAT STATEMENTS
2231       snat to address [:port] [persistent, random, fully-random]
2232       snat to address - address [:port - port] [persistent, random, fully-
2233            random]
2234       dnat to address [:port] [persistent, random, fully-random]
2235       dnat to address [:port - port] [persistent, random, fully-random]
2236       masquerade to [:port] [persistent, random, fully-random]
2237       masquerade to [:port - port] [persistent, random, fully-random]
2238       redirect to [:port] [persistent, random, fully-random]
2239       redirect to [:port - port] [persistent, random, fully-random]
2240
2241       The nat statements are only valid from nat chain types.
2242
2243       The snat and masquerade statements specify that the source  address  of
2244       the  packet  should  be  modified.  While  snat  is  only  valid in the
2245       postrouting and input chains, masquerade makes sense only in  postrout‐
2246       ing.  The dnat and redirect statements are only valid in the prerouting
2247       and output chains, they specify that the  destination  address  of  the
2248       packet should be modified. You can use non-base chains which are called
2249       from base chains of nat chain type too. All future packets in this con‐
2250       nection will also be mangled, and rules should cease being examined.
2251
2252       The  masquerade  statement  is a special form of snat which always uses
2253       the outgoing interface's IP address to translate to. It is particularly
2254       useful on gateways with dynamic (public) IP addresses.
2255
2256       The  redirect  statement  is a special form of dnat which always trans‐
2257       lates the destination address to the local  host's  one.  It  comes  in
2258       handy if one only wants to alter the destination port of incoming traf‐
2259       fic on different interfaces.
2260
2261       Note that all nat statements require both  prerouting  and  postrouting
2262       base  chains  to  be present since otherwise packets on the return path
2263       won't be seen by netfilter and therefore no  reverse  translation  will
2264       take place.
2265
2266       NAT statement values
2267
2268       ┌───────────┬─────────────────────┬─────────────────────┐
2269       │Expression │ Description         │ Type                │
2270       ├───────────┼─────────────────────┼─────────────────────┤
2271       │address    │ Specifies  that the │ ipv4_addr, ipv6_ad‐ │
2272       │           │ source/destination  │ dr,            e.g. │
2273       │           │ address    of   the │ abcd::1234,  or you │
2274       │           │ packet  should   be │ can use a  mapping, │
2275       │           │ modified.  You  may │ e.g.  meta mark map │
2276       │           │ specify  a  mapping │ { 10 : 192.168.1.2, │
2277       │           │ to relate a list of │ 20 : 192.168.1.3 }  │
2278       │           │ tuples composed  of │                     │
2279       │           │ arbitrary   expres‐ │                     │
2280       │           │ sion key  with  ad‐ │                     │
2281       │           │ dress value.        │                     │
2282       ├───────────┼─────────────────────┼─────────────────────┤
2283       │port       │ Specifies  that the │ port   number   (16 │
2284       │           │ source/destination  │ bits)               │
2285       │           │ address    of   the │                     │
2286       │           │ packet  should   be │                     │
2287       │           │ modified.           │                     │
2288       └───────────┴─────────────────────┴─────────────────────┘
2289       NAT statement flags
2290
2291       ┌─────────────┬────────────────────────────┐
2292       │Flag         │ Description                │
2293       ├─────────────┼────────────────────────────┤
2294       │persistent   │ Gives a  client  the  same │
2295       │             │ source-/destination-ad‐    │
2296       │             │ dress for each connection. │
2297       ├─────────────┼────────────────────────────┤
2298       │random       │ If used then port  mapping │
2299       │             │ will be randomized using a │
2300       │             │ random seeded MD5 hash mix │
2301       │             │ using  source and destina‐ │
2302       │             │ tion address and  destina‐ │
2303       │             │ tion port.                 │
2304       ├─────────────┼────────────────────────────┤
2305       │fully-random │ If  used then port mapping │
2306       │             │ is generated  based  on  a │
2307       │             │ 32-bit pseudo-random algo‐ │
2308       │             │ rithm.                     │
2309       └─────────────┴────────────────────────────┘
2310       Using NAT statements
2311
2312       # create a suitable table/chain setup for all further examples
2313       add table nat
2314       add chain nat prerouting { type nat hook prerouting priority 0; }
2315       add chain nat postrouting { type nat hook postrouting priority 100; }
2316
2317       # translate source addresses of all packets leaving via eth0 to address 1.2.3.4
2318       add rule nat postrouting oif eth0 snat to 1.2.3.4
2319
2320       # redirect all traffic entering via eth0 to destination address 192.168.1.120
2321       add rule nat prerouting iif eth0 dnat to 192.168.1.120
2322
2323       # translate source addresses of all packets leaving via eth0 to whatever
2324       # locally generated packets would use as source to reach the same destination
2325       add rule nat postrouting oif eth0 masquerade
2326
2327       # redirect incoming TCP traffic for port 22 to port 2222
2328       add rule nat prerouting tcp dport 22 redirect to :2222
2329
2330   FLOW OFFLOAD STATEMENT
2331       A flow offload statement allows us to select what flows you want to ac‐
2332       celerate  forwarding  through layer 3 network stack bypass. You have to
2333       specify the flowtable name where you want to offload this flow.
2334
2335       flow offload @flowtable
2336
2337   QUEUE STATEMENT
2338       This statement passes the packet to userspace using the nfnetlink_queue
2339       handler.  The  packet  is  put  into the queue identified by its 16-bit
2340       queue number. Userspace can inspect and modify the packet  if  desired.
2341       Userspace  must  then drop or re-inject the packet into the kernel. See
2342       libnetfilter_queue documentation for details.
2343
2344       queue [num queue_number] [bypass]
2345       queue [num queue_number_from - queue_number_to] [bypass,fanout]
2346
2347       queue statement values
2348
2349       ┌──────────────────┬─────────────────────┬─────────────────────┐
2350       │Value             │ Description         │ Type                │
2351       ├──────────────────┼─────────────────────┼─────────────────────┤
2352       │queue_number      │ Sets queue  number, │ unsigned    integer │
2353       │                  │ default is 0.       │ (16 bit)            │
2354       ├──────────────────┼─────────────────────┼─────────────────────┤
2355       │queue_number_from │ Sets initial  queue │ unsigned    integer │
2356       │                  │ in  the  range,  if │ (16 bit)            │
2357       │                  │ fanout is used.     │                     │
2358       ├──────────────────┼─────────────────────┼─────────────────────┤
2359       │queue_number_to   │ Sets  closing queue │ unsigned    integer │
2360       │                  │ in  the  range,  if │ (16 bit)            │
2361       │                  │ fanout is used.     │                     │
2362       └──────────────────┴─────────────────────┴─────────────────────┘
2363       queue statement flags
2364
2365       ┌───────┬────────────────────────────┐
2366       │Flag   │ Description                │
2367       ├───────┼────────────────────────────┤
2368       │bypass │ Let packets go through  if │
2369       │       │ userspace application can‐ │
2370       │       │ not back off. Before using │
2371       │       │ this flag, read libnetfil‐ │
2372       │       │ ter_queue    documentation │
2373       │       │ for   performance   tuning │
2374       │       │ recommendations.           │
2375       ├───────┼────────────────────────────┤
2376       │fanout │ Distribute packets between │
2377       │       │ several queues.            │
2378       └───────┴────────────────────────────┘
2379   DUP STATEMENT
2380       The  dup statement is used to duplicate a packet and send the copy to a
2381       different destination.
2382
2383       dup to device
2384       dup to address device device
2385
2386       Dup statement values
2387
2388       ┌───────────┬─────────────────────┬─────────────────────┐
2389       │Expression │ Description         │ Type                │
2390       ├───────────┼─────────────────────┼─────────────────────┤
2391       │address    │ Specifies that  the │ ipv4_addr, ipv6_ad‐ │
2392       │           │ copy  of the packet │ dr,            e.g. │
2393       │           │ should be sent to a │ abcd::1234,  or you │
2394       │           │ new gateway.        │ can use a  mapping, │
2395       │           │                     │ e.g. ip saddr map { │
2396       │           │                     │ 192.168.1.2       : │
2397       │           │                     │ 10.1.1.1 }          │
2398       ├───────────┼─────────────────────┼─────────────────────┤
2399       │device     │ Specifies  that the │ string              │
2400       │           │ copy   should    be │                     │
2401       │           │ transmitted via de‐ │                     │
2402       │           │ vice.               │                     │
2403       └───────────┴─────────────────────┴─────────────────────┘
2404       Using the dup statement
2405
2406       # send to machine with ip address 10.2.3.4 on eth0
2407       ip filter forward dup to 10.2.3.4 device "eth0"
2408
2409       # copy raw frame to another interface
2410       netdetv ingress dup to "eth0"
2411       dup to "eth0"
2412
2413       # combine with map dst addr to gateways
2414       dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" }
2415
2416   FWD STATEMENT
2417       The fwd statement is used to redirect a raw packet  to  another  inter‐
2418       face.  Its  is only available in the netdev family ingress hook.  It is
2419       similar to the dup statement except that no copy is made.
2420
2421       fwd to device
2422
2423   SET STATEMENT
2424       The set statement is used to dynamically add or update  elements  in  a
2425       set  from  the  packet path.  The set setname must already exist in the
2426       given table.  Furthermore, any set that  will  be  dynamically  updated
2427       from the nftables ruleset must specify both a maximum set size (to pre‐
2428       vent memory exhaustion) and a timeout (so that number of entries in set
2429       will  not  grow  indefinitely).   The set statement can be used to e.g.
2430       create dynamic blacklists.
2431
2432       {add | update} @setname { expression [timeout timeout] [comment string]
2433       }
2434
2435       Example for simple blacklist
2436
2437           # declare a set, bound to table "filter", in family "ip".  Timeout and size are mandatory because we will add elements from packet path.
2438           nft add set ip filter blackhole "{ type ipv4_addr; flags timeout; size 65536; }"
2439
2440           # whitelist internal interface.
2441           nft add rule ip filter input meta iifname "internal" accept
2442
2443           # drop packets coming from blacklisted ip addresses.
2444           nft add rule ip filter input ip saddr @blackhole counter drop
2445
2446           # add source ip addresses to the blacklist if more than 10 tcp connection requests occurred per second and ip address.
2447           # entries will timeout after one minute, after which they might be re-added if limit condition persists.
2448           nft add rule ip filter input tcp flags syn tcp dport ssh meter flood size 128000 { ip saddr timeout 10s limit rate over 10/second} add @blackhole { ip saddr timeout 1m } drop
2449
2450           # inspect state of the rate limit meter:
2451           nft list meter ip filter flood
2452
2453           # inspect content of blackhole:
2454           nft list set ip filter blackhole
2455
2456           # manually add two addresses to the set:
2457           nft add element filter blackhole { 10.2.3.4, 10.23.1.42 }
2458

ADDITIONAL COMMANDS

2460       These are some additional commands included in nft.
2461
2462   MONITOR
2463       The  monitor command allows you to listen to Netlink events produced by
2464       the nf_tables subsystem, related to creation and deletion  of  objects.
2465       When  they  occur, nft will print to stdout the monitored events in ei‐
2466       ther XML, JSON or native nft format.
2467
2468       To filter events related to a concrete object, use one of the  keywords
2469       'tables', 'chains', 'sets', 'rules', 'elements', 'ruleset'.
2470
2471       To  filter  events  related  to a concrete action, use keyword 'new' or
2472       'destroy'.
2473
2474       Hit ^C to finish the monitor operation.
2475
2476       Listen to all events, report in native nft format
2477
2478       % nft monitor
2479
2480       Listen to added tables, report in XML format
2481
2482       % nft monitor new tables xml
2483
2484       Listen to deleted rules, report in JSON format
2485
2486       % nft monitor destroy rules json
2487
2488       Listen to both new and destroyed chains, in native nft format
2489
2490       % nft monitor chains
2491
2492       Listen to ruleset events such as table, chain, rule, set, counters  and
2493       quotas, in native nft format
2494
2495       % nft monitor ruleset
2496

ERROR REPORTING

2498       When  an error is detected, nft shows the line(s) containing the error,
2499       the position of the erroneous parts in the input stream  and  marks  up
2500       the  erroneous  parts  using  carets (^). If the error results from the
2501       combination of two expressions or statements,  the  part  imposing  the
2502       constraints which are violated is marked using tildes (~).
2503
2504       For  errors returned by the kernel, nft can't detect which parts of the
2505       input caused the error and the entire command is marked.
2506
2507       Error caused by single incorrect expression
2508
2509       <cmdline>:1:19-22: Error: Interface does not exist
2510       filter output oif eth0
2511                         ^^^^
2512
2513       Error caused by invalid combination of two expressions
2514
2515       <cmdline>:1:28-36: Error: Right hand side of relational expression (==) must be constant
2516       filter output tcp dport == tcp dport
2517                               ~~ ^^^^^^^^^
2518
2519       Error returned by the kernel
2520
2521       <cmdline>:0:0-23: Error: Could not process rule: Operation not permitted
2522       filter output oif wlan0
2523       ^^^^^^^^^^^^^^^^^^^^^^^
2524

EXIT STATUS

2526       On success, nft exits with a status of 0. Unspecified errors  cause  it
2527       to  exit  with a status of 1, memory allocation errors with a status of
2528       2, unable to open Netlink socket with 3.
2529

SEE ALSO

2531       iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
2532
2533       There is an official wiki at: https://wiki.nftables.org
2534

AUTHORS

2536       nftables was written by Patrick McHardy and Pablo  Neira  Ayuso,  among
2537       many other contributors from the Netfilter community.
2538
2540       Copyright  2008-2014 Patrick McHardy <kaber@trash.net>
2541       Copyright  2013-2016 Pablo Neira Ayuso <pablo@netfilter.org>
2542
2543       nftables is free software; you can redistribute it and/or modify it un‐
2544       der the terms of the GNU General Public License version 2 as  published
2545       by the Free Software Foundation.
2546
2547       This  documentation is licensed under the terms of the Creative Commons
2548       Attribution-ShareAlike 4.0 license, CC BY-SA 4.0 ⟨http://
2549       creativecommons.org/licenses/by-sa/4.0/⟩ .
2550
2551
2552
2553                               17 February 2019                         nft(8)
Impressum