LIBNFTABLES-JSON(5)                                        LIBNFTABLES-JSON(5)



NAME
       libnftables-json - Supported JSON schema by libnftables

SYNOPSIS
       { "nftables": [ OBJECTS ] }

       OBJECTS := LIST_OBJECTS | CMD_OBJECTS

       LIST_OBJECTS := LIST_OBJECT [ , LIST_OBJECTS ]

       CMD_OBJECTS := CMD_OBJECT [ , CMD_OBJECTS ]

       CMD_OBJECT := { CMD: LIST_OBJECT } | METAINFO_OBJECT

       CMD := "add" | "replace" | "create" | "insert" | "delete" | "list" |
              "reset" | "flush" | "rename"

       LIST_OBJECT := TABLE | CHAIN | RULE | SET | MAP | ELEMENT | FLOWTABLE |
                      COUNTER | QUOTA | CT_HELPER | LIMIT | METAINFO_OBJECT |
                      CT_TIMEOUT

DESCRIPTION
       libnftables supports JSON formatted input and output. This is
       implemented as an alternative frontend to the standard CLI syntax
       parser, therefore basic behaviour is identical and, for (almost) any
       operation available in standard syntax, there should be an equivalent
       one in JSON.

       JSON input may be provided in a single string as parameter to
       nft_run_cmd_from_buffer() or in a file identified by the filename
       parameter of the nft_run_cmd_from_filename() function.

       JSON output has to be enabled via the nft_ctx_output_set_json()
       function, turning library standard output into JSON format. Error
       output remains unaffected.

   GLOBAL STRUCTURE
       In general, any JSON input or output is enclosed in an object with a
       single property named nftables. Its value is an array containing
       commands (for input) or ruleset elements (for output).

       A command is an object with a single property whose name identifies the
       command. Its value is a ruleset element, basically identical to output
       elements, apart from certain properties which may be interpreted
       differently or are required when output generally omits them.

   METAINFO OBJECT
       In output, the first object in an nftables array is a special one
       containing library information. Its content is as follows:

           { "metainfo": {
               "version": STRING,
               "release_name": STRING,
               "json_schema_version": NUMBER
           }}

       The values of the version and release_name properties are equal to the
       package version and release name as printed by nft -v. The value of the
       json_schema_version property is an integer indicating the schema
       version.

       If supplied in library input, the parser will verify that the
       json_schema_version value does not exceed the internally hardcoded one
       (to make sure the given schema is fully understood). In future, a lower
       number than the internal one may activate a compatibility mode to parse
       outdated and incompatible JSON input.

COMMAND OBJECTS
       The structure accepts an arbitrary number of commands which are
       interpreted in order of appearance. For instance, the following
       standard syntax input:

           flush ruleset
           add table inet mytable
           add chain inet mytable mychain
           add rule inet mytable mychain tcp dport 22 accept

       translates into JSON as such:

           { "nftables": [
               { "flush": { "ruleset": null }},
               { "add": { "table": {
                   "family": "inet",
                   "name": "mytable"
               }}},
               { "add": { "chain": {
                   "family": "inet",
                   "table": "mytable",
                   "name": "mychain"
               }}},
               { "add": { "rule": {
                   "family": "inet",
                   "table": "mytable",
                   "chain": "mychain",
                   "expr": [
                       { "match": {
                           "left": { "payload": {
                               "protocol": "tcp",
                               "field": "dport"
                           }},
                           "right": 22,
                           "op": "=="
                       }},
                       { "accept": null }
                   ]
               }}}
           ]}

   ADD
       { "add": ADD_OBJECT }

       ADD_OBJECT := TABLE | CHAIN | RULE | SET | MAP | ELEMENT |
                     FLOWTABLE | COUNTER | QUOTA | CT_HELPER | LIMIT |
                     CT_TIMEOUT

       Add a new ruleset element to the kernel.

   REPLACE
       { "replace": RULE }

       Replace a rule. In RULE, the handle property is mandatory and
       identifies the rule to be replaced.

   CREATE
       { "create": ADD_OBJECT }

       Identical to the add command, but returns an error if the object
       already exists.

   INSERT
       { "insert": RULE }

       This command is identical to add for rules, but instead of appending
       the rule to the chain by default, it inserts at the first position. If
       a handle or index property is given, the rule is inserted before the
       rule identified by those properties.

   DELETE
       { "delete": ADD_OBJECT }

       Delete an object from the ruleset. Only the minimal number of
       properties required to uniquely identify an object is generally needed
       in ADD_OBJECT. For most ruleset elements, this is family and table plus
       either handle or name (except rules, since they don’t have a name).

   LIST
       { "list": LIST_OBJECT }

       LIST_OBJECT := TABLE | TABLES | CHAIN | CHAINS | SET | SETS |
                      MAP | MAPS | COUNTER | COUNTERS | QUOTA | QUOTAS |
                      CT_HELPER | CT_HELPERS | LIMIT | LIMITS | RULESET |
                      METER | METERS | FLOWTABLES | CT_TIMEOUT

       List ruleset elements. The plural forms are used to list all objects of
       that kind, optionally filtered by family and, for some, also by table.

   RESET
       { "reset": RESET_OBJECT }

       RESET_OBJECT := COUNTER | COUNTERS | QUOTA | QUOTAS

       Reset state in suitable objects, i.e. zero their internal counter.

   FLUSH
       { "flush": FLUSH_OBJECT }

       FLUSH_OBJECT := TABLE | CHAIN | SET | MAP | METER | RULESET

       Empty the contents of the given object, e.g. remove all chains from the
       given table or remove all elements from the given set.

   RENAME
       { "rename": CHAIN }

       Rename a chain. The new name is expected in a dedicated property named
       newname.
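       The output structure (metainfo object first, then ruleset elements) and
       the minimal-identification rule of the delete command, worked through
       in an added example that is not part of this manual or of libnftables.
       It parses a constructed sample of library output, refuses a schema
       version newer than the one it understands (SUPPORTED_SCHEMA_VERSION is
       the script's own assumed value), and emits the delete commands for every
       rule that accepts TCP traffic to a given port.

```python
import json

# Highest json_schema_version this script understands. The value is an
# assumption for this example; the library keeps its own hardcoded number.
SUPPORTED_SCHEMA_VERSION = 1

# Constructed sample of library JSON output: the metainfo object first, then
# a table, a base chain and two rules, laid out as the GLOBAL STRUCTURE and
# METAINFO OBJECT sections describe. Version strings are made up.
SAMPLE_OUTPUT = json.dumps({"nftables": [
    {"metainfo": {"version": "0.0.0", "release_name": "sample",
                  "json_schema_version": 1}},
    {"table": {"family": "inet", "name": "mytable", "handle": 3}},
    {"chain": {"family": "inet", "table": "mytable", "name": "mychain",
               "handle": 1, "type": "filter", "hook": "input", "prio": 0,
               "policy": "accept"}},
    {"rule": {"family": "inet", "table": "mytable", "chain": "mychain",
              "handle": 4, "expr": [
                  {"match": {"op": "==", "right": 22,
                             "left": {"payload": {"protocol": "tcp",
                                                  "field": "dport"}}}},
                  {"accept": None}]}},
    {"rule": {"family": "inet", "table": "mytable", "chain": "mychain",
              "handle": 5, "expr": [
                  {"match": {"op": "==", "right": 23,
                             "left": {"payload": {"protocol": "tcp",
                                                  "field": "dport"}}}},
                  {"accept": None}]}},
]})


def schema_supported(version):
    """Mirror the parser's check: refuse a schema newer than we understand."""
    return isinstance(version, int) and version <= SUPPORTED_SCHEMA_VERSION


def load_ruleset(text):
    """Parse library output and return its ruleset elements (without the
    leading metainfo object), after validating that object."""
    objects = json.loads(text)["nftables"]
    if not objects or "metainfo" not in objects[0]:
        raise ValueError("first object must be metainfo")
    meta = objects[0]["metainfo"]
    if not schema_supported(meta.get("json_schema_version")):
        raise ValueError("unsupported json_schema_version: %r"
                         % meta.get("json_schema_version"))
    return objects[1:]


def is_tcp_dport_accept(rule, port):
    """True if the rule is exactly 'tcp dport == <port>' followed by accept."""
    expr = rule.get("expr", [])
    if len(expr) != 2 or "match" not in expr[0] or "accept" not in expr[1]:
        return False
    m = expr[0]["match"]
    left = m.get("left")
    payload = left.get("payload", {}) if isinstance(left, dict) else {}
    return (m.get("op") == "==" and m.get("right") == port
            and payload.get("protocol") == "tcp"
            and payload.get("field") == "dport")


def delete_command(element):
    """Build the minimal delete command for an output element: family and
    handle, plus the table for everything but tables themselves. Rules have
    no name, so the handle identifies them; they also need their chain."""
    (kind, body), = element.items()
    ident = {"family": body["family"], "handle": body["handle"]}
    if kind != "table":
        ident["table"] = body["table"]
    if kind == "rule":
        ident["chain"] = body["chain"]
    return {"delete": {kind: ident}}


def removal_plan(output_text, port):
    """Commands deleting every rule that accepts TCP traffic to <port>; the
    result is a complete input document for nft_run_cmd_from_buffer()."""
    rules = [obj["rule"] for obj in load_ruleset(output_text) if "rule" in obj]
    return {"nftables": [delete_command({"rule": r}) for r in rules
                         if is_tcp_dport_accept(r, port)]}


if __name__ == "__main__":
    print(json.dumps(removal_plan(SAMPLE_OUTPUT, 23), indent=2))
```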

RULESET ELEMENTS
   TABLE
       { "table": {
           "family": STRING,
           "name": STRING,
           "handle": NUMBER
       }}

       This object describes a table.

       family
           The table’s family, e.g. "ip" or "ip6".

       name
           The table’s name.

       handle
           The table’s handle. In input, it is used only in the delete command
           as an alternative to name.

   CHAIN
       { "chain": {
           "family": STRING,
           "table": STRING,
           "name": STRING,
           "newname": STRING,
           "handle": NUMBER,
           "type": STRING,
           "hook": STRING,
           "prio": NUMBER,
           "dev": STRING,
           "policy": STRING
       }}

       This object describes a chain.

       family
           The table’s family.

       table
           The table’s name.

       name
           The chain’s name.

       handle
           The chain’s handle. In input, it is used only in the delete command
           as an alternative to name.

       newname
           A new name for the chain, only relevant in the rename command.

       The following properties are required for base chains:

       type
           The chain’s type.

       hook
           The chain’s hook.

       prio
           The chain’s priority.

       dev
           The chain’s bound interface (if in the netdev family).

       policy
           The chain’s policy.

   RULE
       { "rule": {
           "family": STRING,
           "table": STRING,
           "chain": STRING,
           "expr": [ STATEMENTS ],
           "handle": NUMBER,
           "index": NUMBER,
           "comment": STRING
       }}

       STATEMENTS := STATEMENT [, STATEMENTS ]

       This object describes a rule. The basic building blocks of rules are
       statements. Each rule consists of at least one.

       family
           The table’s family.

       table
           The table’s name.

       chain
           The chain’s name.

       expr
           An array of statements this rule consists of. In input, it is used
           in add/insert/replace commands only.

       handle
           The rule’s handle. In delete/replace commands, it serves as an
           identifier of the rule to delete/replace. In add/insert commands,
           it serves as an identifier of an existing rule to append/prepend
           the rule to.

       index
           The rule’s position for add/insert commands. It is used as an
           alternative to handle then.

       comment
           Optional rule comment.

   SET / MAP
       { "set": {
           "family": STRING,
           "table": STRING,
           "name": STRING,
           "handle": NUMBER,
           "type": SET_TYPE,
           "policy": SET_POLICY,
           "flags": [ SET_FLAG_LIST ],
           "elem": SET_ELEMENTS,
           "timeout": NUMBER,
           "gc-interval": NUMBER,
           "size": NUMBER
       }}

       { "map": {
           "family": STRING,
           "table": STRING,
           "name": STRING,
           "handle": NUMBER,
           "type": SET_TYPE,
           "map": STRING,
           "policy": SET_POLICY,
           "flags": [ SET_FLAG_LIST ],
           "elem": SET_ELEMENTS,
           "timeout": NUMBER,
           "gc-interval": NUMBER,
           "size": NUMBER
       }}

       SET_TYPE := STRING | [ SET_TYPE_LIST ]
       SET_TYPE_LIST := STRING [, SET_TYPE_LIST ]
       SET_POLICY := "performance" | "memory"
       SET_FLAG_LIST := SET_FLAG [, SET_FLAG_LIST ]
       SET_FLAG := "constant" | "interval" | "timeout"
       SET_ELEMENTS := EXPRESSION | [ EXPRESSION_LIST ]
       EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]

       These objects describe a named set or map. Maps are a special form of
       sets in that they translate a unique key to a value.

       family
           The table’s family.

       table
           The table’s name.

       name
           The set’s name.

       handle
           The set’s handle. For input, it is used in the delete command only.

       type
           The set’s datatype, see below.

       map
           Type of values this set maps to (i.e. this set is a map).

       policy
           The set’s policy.

       flags
           The set’s flags.

       elem
           Initial set element(s), see below.

       timeout
           Element timeout in seconds.

       gc-interval
           Garbage collector interval in seconds.

       size
           Maximum number of elements supported.

       TYPE
           The set type might be a string, such as "ipv4_addr", or an array
           consisting of strings (for concatenated types).

       ELEM
           A single set element might be given as a string, integer or boolean
           value for simple cases. If additional properties are required, a
           formal elem object may be used.

           Multiple elements may be given in an array.

   ELEMENT
       { "element": {
           "family": STRING,
           "table": STRING,
           "name": STRING,
           "elem": SET_ELEM
       }}

       SET_ELEM := EXPRESSION | [ EXPRESSION_LIST ]
       EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]

       Manipulate element(s) in a named set.

       family
           The table’s family.

       table
           The table’s name.

       name
           The set’s name.

       elem
           See the elem property of the set object.

   FLOWTABLE
       { "flowtable": {
           "family": STRING,
           "table": STRING,
           "name": STRING,
           "hook": STRING,
           "prio": NUMBER,
           "dev": FT_INTERFACE
       }}

       FT_INTERFACE := STRING | [ FT_INTERFACE_LIST ]
       FT_INTERFACE_LIST := STRING [, FT_INTERFACE_LIST ]

       This object represents a named flowtable.

       family
           The table’s family.

       table
           The table’s name.

       name
           The flow table’s name.

       hook
           The flow table’s hook.

       prio
           The flow table’s priority.

       dev
           The flow table’s interface(s).

   COUNTER
       { "counter": {
           "family": STRING,
           "table": STRING,
           "name": STRING,
           "handle": NUMBER,
           "packets": NUMBER,
           "bytes": NUMBER
       }}

       This object represents a named counter.

       family
           The table’s family.

       table
           The table’s name.

       name
           The counter’s name.

       handle
           The counter’s handle. In input, it is used by the delete command
           only.

       packets
           Packet counter value.

       bytes
           Byte counter value.

   QUOTA
       { "quota": {
           "family": STRING,
           "table": STRING,
           "name": STRING,
           "handle": NUMBER,
           "bytes": NUMBER,
           "used": NUMBER,
           "inv": BOOLEAN
       }}

       This object represents a named quota.

       family
           The table’s family.

       table
           The table’s name.

       name
           The quota’s name.

       handle
           The quota’s handle. In input, it is used by the delete command
           only.

       bytes
           Quota threshold.

       used
           Quota used so far.

       inv
           If true, match if the quota has been exceeded.

   CT HELPER
       { "ct helper": {
           "family": STRING,
           "table": STRING,
           "name": STRING,
           "handle": NUMBER,
           "type": STRING,
           "protocol": CTH_PROTO,
           "l3proto": STRING
       }}

       CTH_PROTO := "tcp" | "udp"

       This object represents a named conntrack helper.

       family
           The table’s family.

       table
           The table’s name.

       name
           The ct helper’s name.

       handle
           The ct helper’s handle. In input, it is used by the delete command
           only.

       type
           The ct helper type name, e.g. "ftp" or "tftp".

       protocol
           The ct helper’s layer 4 protocol.

       l3proto
           The ct helper’s layer 3 protocol, e.g. "ip" or "ip6".

   LIMIT
       { "limit": {
           "family": STRING,
           "table": STRING,
           "name": STRING,
           "handle": NUMBER,
           "rate": NUMBER,
           "per": STRING,
           "burst": NUMBER,
           "unit": LIMIT_UNIT,
           "inv": BOOLEAN
       }}

       LIMIT_UNIT := "packets" | "bytes"

       This object represents a named limit.

       family
           The table’s family.

       table
           The table’s name.

       name
           The limit’s name.

       handle
           The limit’s handle. In input, it is used by the delete command
           only.

       rate
           The limit’s rate value.

       per
           Time unit to apply the limit to, e.g. "week", "day", "hour", etc.
           If omitted, defaults to "second".

       burst
           The limit’s burst value. If omitted, defaults to 0.

       unit
           Unit of rate and burst values. If omitted, defaults to "packets".

       inv
           If true, match if the limit was exceeded. If omitted, defaults to
           false.

   CT TIMEOUT
       { "ct timeout": {
           "family": STRING,
           "table": STRING,
           "name": STRING,
           "handle": NUMBER,
           "protocol": CTH_PROTO,
           "state": STRING,
           "value": NUMBER,
           "l3proto": STRING
       }}

       CTH_PROTO := "tcp" | "udp" | "dccp" | "sctp" | "gre" | "icmpv6" |
                    "icmp" | "generic"

       This object represents a named conntrack timeout policy.

       family
           The table’s family.

       table
           The table’s name.

       name
           The ct timeout object’s name.

       handle
           The ct timeout object’s handle. In input, it is used by the delete
           command only.

       protocol
           The ct timeout object’s layer 4 protocol.

       state
           The connection state name, e.g. "established", "syn_sent", "close"
           or "close_wait", for which the timeout value has to be updated.

       value
           The updated timeout value for the specified connection state.

       l3proto
           The ct timeout object’s layer 3 protocol, e.g. "ip" or "ip6".

STATEMENTS
       Statements are the building blocks for rules. Each rule consists of at
       least one.

   VERDICT
       { "accept": null }
       { "drop": null }
       { "continue": null }
       { "return": null }
       { "jump": { "target": STRING }}
       { "goto": { "target": STRING }}

       A verdict either terminates packet traversal through the current chain
       or delegates to a different one.

       jump and goto statements expect a target chain name.

   MATCH
       { "match": {
           "left": EXPRESSION,
           "right": EXPRESSION,
           "op": STRING
       }}

       This matches the expression on the left hand side (typically a packet
       header or packet meta info) with the expression on the right hand side
       (typically a constant value). If the statement evaluates to true, the
       next statement in this rule is considered. If not, processing continues
       with the next rule in the same chain.

       left
           Left hand side of this match.

       right
           Right hand side of this match.

       op
           Operator indicating the type of comparison.

           OPERATORS
               &     Binary AND
               |     Binary OR
               ^     Binary XOR
               <<    Left shift
               >>    Right shift
               ==    Equal
               !=    Not equal
               <     Less than
               >     Greater than
               <=    Less than or equal to
               >=    Greater than or equal to
               in    Perform a lookup, i.e. test if bits on RHS are
                     contained in LHS value

           Unlike with the standard API, the operator is mandatory here. In
           the standard API, a missing operator may be resolved in two ways,
           depending on the type of expression on the RHS:

           · If the RHS is a bitmask or a list of bitmasks, the expression
             resolves into a binary operation with the inequality operator,
             like this: LHS & RHS != 0.

           · In any other case, the equality operator is simply inserted.

           For the non-trivial first case, the JSON API supports the in
           operator.
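       The match semantics above (mandatory op, the in lookup as LHS & RHS !=
       0, and a failed match handing over to the next rule), worked through in
       an added example that is not part of this manual or of libnftables. It
       evaluates match statements and verdicts against a constructed packet
       whose payload and meta values are looked up from a table; the
       resolution of binary operations nested in an expression is assumed to
       follow the [LHS, RHS] array layout of the BINARY OPERATION expression.

```python
# Constructed packet: the values that a few payload and meta expressions
# resolve to in this example (tcp flags 0x12 is SYN|ACK).
PACKET = {
    ("payload", "tcp", "dport"): 22,
    ("payload", "tcp", "flags"): 0x12,
    ("meta", "l4proto"): 6,
    ("meta", "iifname"): "eth0",
}

# Sample expressions referencing the packet above.
DPORT = {"payload": {"protocol": "tcp", "field": "dport"}}
FLAGS = {"payload": {"protocol": "tcp", "field": "flags"}}

# Comparison operators of the match statement. "in" is the lookup form the
# text describes: true when the bits on the RHS are contained in the LHS.
COMPARE = {
    "==": lambda l, r: l == r,
    "!=": lambda l, r: l != r,
    "<": lambda l, r: l < r,
    ">": lambda l, r: l > r,
    "<=": lambda l, r: l <= r,
    ">=": lambda l, r: l >= r,
    "in": lambda l, r: (l & r) != 0,
}

# Binary operations used as expressions, e.g. {"&": [FLAGS, 0x03]}.
BINARY = {
    "&": lambda l, r: l & r,
    "|": lambda l, r: l | r,
    "^": lambda l, r: l ^ r,
    "<<": lambda l, r: l << r,
    ">>": lambda l, r: l >> r,
}

VERDICTS = ("accept", "drop", "continue", "return", "jump", "goto")


def evaluate(expr, packet=PACKET):
    """Resolve an expression: immediates, payload/meta references, and
    binary operations whose array holds exactly [LHS, RHS]."""
    if isinstance(expr, (bool, int, str)):
        return expr
    (kind, body), = expr.items()
    if kind == "payload":
        return packet[("payload", body["protocol"], body["field"])]
    if kind == "meta":
        return packet[("meta", body["key"])]
    if kind in BINARY:
        lhs, rhs = body
        return BINARY[kind](evaluate(lhs, packet), evaluate(rhs, packet))
    raise ValueError("unsupported expression: " + kind)


def match(stmt, packet=PACKET):
    """Evaluate a match statement. The JSON API does not infer a missing
    operator the way the standard syntax does, so op is mandatory."""
    m = stmt["match"]
    if "op" not in m:
        raise ValueError("match without op: the JSON API requires one")
    compare = COMPARE[m["op"]]
    return bool(compare(evaluate(m["left"], packet),
                        evaluate(m["right"], packet)))


def rule_verdict(expr, packet=PACKET):
    """Walk a rule's statements: a failed match ends this rule (the next
    rule in the chain would be tried), a verdict ends traversal. Returns
    the verdict name, or None when no verdict was reached."""
    for stmt in expr:
        (kind, _body), = stmt.items()
        if kind == "match":
            if not match(stmt, packet):
                return None
        elif kind in VERDICTS:
            return kind
        # other statements (counter, log, ...) do not change the outcome
    return None
```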

   COUNTER
       { "counter": {
           "packets": NUMBER,
           "bytes": NUMBER
       }}

       { "counter": STRING }

       This object represents a byte/packet counter. In input, no properties
       are required. If given, they act as initial values for the counter.

       The first form creates an anonymous counter which lives in the rule it
       appears in. The second form specifies a reference to a named counter
       object.

       packets
           Packets counted.

       bytes
           Bytes counted.

   MANGLE
       { "mangle": {
           "key": EXPRESSION,
           "value": EXPRESSION
       }}

       This changes the packet data or meta info.

       key
           The packet data to be changed, given as an exthdr, payload, meta,
           ct or ct helper expression.

       value
           Value to change the data to.

   QUOTA
       { "quota": {
           "val": NUMBER,
           "val_unit": STRING,
           "used": NUMBER,
           "used_unit": STRING,
           "inv": BOOLEAN
       }}

       { "quota": STRING }

       The first form creates an anonymous quota which lives in the rule it
       appears in. The second form specifies a reference to a named quota
       object.

       val
           Quota value.

       val_unit
           Unit of val, e.g. "kbytes" or "mbytes". If omitted, defaults to
           "bytes".

       used
           Quota used so far. Optional on input. If given, serves as initial
           value.

       used_unit
           Unit of used. Defaults to "bytes".

       inv
           If true, will match if the quota was exceeded. Defaults to false.

   LIMIT
       { "limit": {
           "rate": NUMBER,
           "rate_unit": STRING,
           "per": STRING,
           "burst": NUMBER,
           "burst_unit": STRING,
           "inv": BOOLEAN
       }}

       { "limit": STRING }

       The first form creates an anonymous limit which lives in the rule it
       appears in. The second form specifies a reference to a named limit
       object.

       rate
           Rate value to limit to.

       rate_unit
           Unit of rate, e.g. "packets" or "mbytes". Defaults to "packets".

       per
           Denominator of rate, e.g. "week" or "minutes".

       burst
           Burst value. Defaults to 0.

       burst_unit
           Unit of burst, ignored if rate_unit is "packets". Defaults to
           "bytes".

       inv
           If true, matches if the limit was exceeded. Defaults to false.

   FWD
       { "fwd": {
           "dev": EXPRESSION,
           "family": FWD_FAMILY,
           "addr": EXPRESSION
       }}

       FWD_FAMILY := "ip" | "ip6"

       Forward a packet to a different destination.

       dev
           Interface to forward the packet on.

       family
           Family of addr.

       addr
           IP(v6) address to forward the packet to.

       Both family and addr are optional, but if at least one is given, both
       must be present.

   NOTRACK
       { "notrack": null }

       Disable connection tracking for the packet.

   DUP
       { "dup": {
           "addr": EXPRESSION,
           "dev": EXPRESSION
       }}

       Duplicate a packet to a different destination.

       addr
           Address to duplicate the packet to.

       dev
           Interface to duplicate the packet on. May be omitted to not specify
           an interface explicitly.

   NETWORK ADDRESS TRANSLATION
       { "snat": {
           "addr": EXPRESSION,
           "family": STRING,
           "port": EXPRESSION,
           "flags": FLAGS
       }}

       { "dnat": {
           "addr": EXPRESSION,
           "family": STRING,
           "port": EXPRESSION,
           "flags": FLAGS
       }}

       { "masquerade": {
           "port": EXPRESSION,
           "flags": FLAGS
       }}

       { "redirect": {
           "port": EXPRESSION,
           "flags": FLAGS
       }}

       FLAGS := FLAG | [ FLAG_LIST ]
       FLAG_LIST := FLAG [, FLAG_LIST ]
       FLAG := "random" | "fully-random" | "persistent"

       Perform Network Address Translation.

       addr
           Address to translate to.

       family
           Family of addr, either ip or ip6. Required in the inet table
           family.

       port
           Port to translate to.

       flags
           Flag(s).

       All properties are optional and default to none.

   REJECT
       { "reject": {
           "type": STRING,
           "expr": EXPRESSION
       }}

       Reject the packet and send the given error reply.

       type
           Type of reject, either "tcp reset", "icmpx", "icmp" or "icmpv6".

       expr
           ICMP type to reject with.

       All properties are optional.

   SET
       { "set": {
           "op": STRING,
           "elem": EXPRESSION,
           "set": STRING
       }}

       Dynamically add/update elements to a set.

       op
           Operator on set, either "add" or "update".

       elem
           Set element to add or update.

       set
           Set reference.

   LOG
       { "log": {
           "prefix": STRING,
           "group": NUMBER,
           "snaplen": NUMBER,
           "queue-threshold": NUMBER,
           "level": LEVEL,
           "flags": FLAGS
       }}

       LEVEL := "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
                "info" | "debug" | "audit"

       FLAGS := FLAG | [ FLAG_LIST ]
       FLAG_LIST := FLAG [, FLAG_LIST ]
       FLAG := "tcp sequence" | "tcp options" | "ip options" | "skuid" |
               "ether" | "all"

       Log the packet.

       prefix
           Prefix for log entries.

       group
           Log group.

       snaplen
           Snaplen for logging.

       queue-threshold
           Queue threshold.

       level
           Log level. Defaults to "warn".

       flags
           Log flags.

       All properties are optional.

   CT HELPER
       { "ct helper": EXPRESSION }

       Enable the specified conntrack helper for this packet.

       ct helper
           CT helper reference.

   METER
       { "meter": {
           "name": STRING,
           "key": EXPRESSION,
           "stmt": STATEMENT
       }}

       Apply a given statement using a meter.

       name
           Meter name.

       key
           Meter key.

       stmt
           Meter statement.

   QUEUE
       { "queue": {
           "num": EXPRESSION,
           "flags": FLAGS
       }}

       FLAGS := FLAG | [ FLAG_LIST ]
       FLAG_LIST := FLAG [, FLAG_LIST ]
       FLAG := "bypass" | "fanout"

       Queue the packet to userspace.

       num
           Queue number.

       flags
           Queue flags.

   VERDICT MAP
       { "vmap": {
           "key": EXPRESSION,
           "data": EXPRESSION
       }}

       Apply a verdict conditionally.

       key
           Map key.

       data
           Mapping expression consisting of value/verdict pairs.

   CT COUNT
       { "ct count": {
           "val": NUMBER,
           "inv": BOOLEAN
       }}

       Limit the number of connections using conntrack.

       val
           Connection count threshold.

       inv
           If true, match if val was exceeded. If omitted, defaults to false.

   CT TIMEOUT
       { "ct timeout": EXPRESSION }

       Assign a connection tracking timeout policy.

       ct timeout
           CT timeout reference.

   XT
       { "xt": null }

       This represents an xt statement from the xtables compat interface.
       Sadly, at this point, it is not possible to provide any further
       information about its content.

EXPRESSIONS
       Expressions are the building blocks of (most) statements. In their most
       basic form, they are just immediate values represented as a JSON
       string, integer or boolean type.

   IMMEDIATES
       STRING
       NUMBER
       BOOLEAN

       Immediate expressions are typically used for constant values. For
       strings, there are two special cases:

       @STRING
           The remaining part is taken as a set name to create a set
           reference.

       *
           Construct a wildcard expression.

   LISTS
       ARRAY

       List expressions are constructed by plain arrays containing an
       arbitrary number of expressions.

   CONCAT
       { "concat": CONCAT }

       CONCAT := [ EXPRESSION_LIST ]
       EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]

       Concatenate several expressions.

   SET
       { "set": SET }

       SET := EXPRESSION | [ EXPRESSION_LIST ]

       This object constructs an anonymous set. For mappings, an array of
       arrays with exactly two elements is expected.

   MAP
       { "map": {
           "key": EXPRESSION,
           "data": EXPRESSION
       }}

       Map a key to a value.

       key
           Map key.

       data
           Mapping expression consisting of value/target pairs.

   PREFIX
       { "prefix": {
           "addr": EXPRESSION,
           "len": NUMBER
       }}

       Construct an IPv4 or IPv6 prefix consisting of the address part in addr
       and the prefix length in len.

   RANGE
       { "range": [ EXPRESSION , EXPRESSION ] }

       Construct a range of values. The first array item denotes the lower
       boundary, the second one the upper boundary.

   PAYLOAD
       { "payload": {
           "base": BASE,
           "offset": NUMBER,
           "len": NUMBER
       }}

       { "payload": {
           "protocol": STRING,
           "field": STRING
       }}

       BASE := "ll" | "nh" | "th"

       Construct a payload expression, i.e. a reference to a certain part of
       packet data. The first form creates a raw payload expression to point
       at an arbitrary number (len) of bytes at a certain offset (offset) from
       a given reference point (base). The following base values are accepted:

       "ll"
           The offset is relative to the Link Layer header start offset.

       "nh"
           The offset is relative to the Network Layer header start offset.

       "th"
           The offset is relative to the Transport Layer header start offset.

       The second form allows referencing a field by name (field) in a named
       packet header (protocol).
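       The two payload forms, worked against a constructed Ethernet/IPv4/TCP
       frame in an added example that is not part of this manual or of
       libnftables. It derives the "ll", "nh" and "th" reference points from
       the frame, resolves raw base/offset/len references, and rewrites named
       fields into raw ones through a small mapping table of its own (nft keeps
       its own protocol definitions); counting offset and len in bits, as the
       standard syntax's @base,offset,len does, is an assumption of the
       example.

```python
import struct

# Constructed frame: Ethernet (14 bytes, type 0x0800), a minimal IPv4 header
# (IHL 5, protocol 6, 10.0.0.1 -> 10.0.0.2) and a TCP header with
# sport 40000, dport 22. Checksums are left zero; nothing is sent anywhere.
ETHER = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                   bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
TCP = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 0x50, 0x02, 65535, 0, 0)
FRAME = ETHER + IPV4 + TCP


def header_bases(frame):
    """Byte offsets of the three reference points: "ll" is the link layer
    header start, "nh" the network header (after 14 bytes of Ethernet) and
    "th" the transport header (nh plus the IPv4 header length from IHL)."""
    nh = 14
    ihl_bytes = (frame[nh] & 0x0F) * 4
    return {"ll": 0, "nh": nh, "th": nh + ihl_bytes}


def raw_payload(expr, frame):
    """Resolve the first payload form: len bits at offset from base, read as
    a big-endian integer. Only byte-aligned fields are handled here."""
    p = expr["payload"]
    if p["offset"] % 8 or p["len"] % 8:
        raise ValueError("only byte-aligned fields are handled here")
    start = header_bases(frame)[p["base"]] + p["offset"] // 8
    return int.from_bytes(frame[start:start + p["len"] // 8], "big")


# How the second (named) form maps onto the raw one: (base, offset, len)
# in bits. This table is an assumption of the example.
NAMED_FIELDS = {
    ("ether", "type"): ("ll", 96, 16),
    ("ip", "protocol"): ("nh", 72, 8),
    ("ip", "saddr"): ("nh", 96, 32),
    ("ip", "daddr"): ("nh", 128, 32),
    ("tcp", "sport"): ("th", 0, 16),
    ("tcp", "dport"): ("th", 16, 16),
}


def to_raw(expr):
    """Rewrite a named payload expression into the equivalent raw one."""
    p = expr["payload"]
    base, offset, length = NAMED_FIELDS[(p["protocol"], p["field"])]
    return {"payload": {"base": base, "offset": offset, "len": length}}


def payload(expr, frame):
    """Resolve either payload form against a frame."""
    if "protocol" in expr["payload"]:
        expr = to_raw(expr)
    return raw_payload(expr, frame)


if __name__ == "__main__":
    print(header_bases(FRAME))
    print(payload({"payload": {"protocol": "tcp", "field": "dport"}}, FRAME))
```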

   EXTHDR
       { "exthdr": {
           "name": STRING,
           "field": STRING,
           "offset": NUMBER
       }}

       Create a reference to a field (field) in an IPv6 extension header
       (name). offset is used only for the rt0 protocol.

       If the field property is not given, the expression is to be used as a
       header existence check in a match statement with a boolean on the right
       hand side.

   TCP OPTION
       { "tcp option": {
           "name": STRING,
           "field": STRING
       }}

       Create a reference to a field (field) of a TCP option header (name).

       If the field property is not given, the expression is to be used as a
       TCP option existence check in a match statement with a boolean on the
       right hand side.

   META
       { "meta": {
           "key": META_KEY
       }}

       META_KEY := "length" | "protocol" | "priority" | "random" | "mark" |
                   "iif" | "iifname" | "iiftype" | "oif" | "oifname" |
                   "oiftype" | "skuid" | "skgid" | "nftrace" |
                   "rtclassid" | "ibriport" | "obriport" | "ibridgename" |
                   "obridgename" | "pkttype" | "cpu" | "iifgroup" |
                   "oifgroup" | "cgroup" | "nfproto" | "l4proto" |
                   "secpath"

       Create a reference to packet meta data.

   RT
       { "rt": {
           "key": RT_KEY,
           "family": RT_FAMILY
       }}

       RT_KEY := "classid" | "nexthop" | "mtu"
       RT_FAMILY := "ip" | "ip6"

       Create a reference to packet routing data.

       The family property is optional and defaults to unspecified.

   CT
       { "ct": {
           "key": STRING,
           "family": CT_FAMILY,
           "dir": CT_DIRECTION
       }}

       CT_FAMILY := "ip" | "ip6"
       CT_DIRECTION := "original" | "reply"

       Create a reference to packet conntrack data.

       Some CT keys do not support a direction. In this case, dir must not be
       given.

   NUMGEN
       { "numgen": {
           "mode": NG_MODE,
           "mod": NUMBER,
           "offset": NUMBER
       }}

       NG_MODE := "inc" | "random"

       Create a number generator.

       The offset property is optional and defaults to 0.

   HASH
       { "jhash": {
           "mod": NUMBER,
           "offset": NUMBER,
           "expr": EXPRESSION,
           "seed": NUMBER
       }}

       { "symhash": {
           "mod": NUMBER,
           "offset": NUMBER
       }}

       Hash packet data.

       The offset and seed properties are optional and default to 0.

   FIB
       { "fib": {
           "result": FIB_RESULT,
           "flags": FIB_FLAGS
       }}

       FIB_RESULT := "oif" | "oifname" | "type"

       FIB_FLAGS := FIB_FLAG | [ FIB_FLAG_LIST ]
       FIB_FLAG_LIST := FIB_FLAG [, FIB_FLAG_LIST ]
       FIB_FLAG := "saddr" | "daddr" | "mark" | "iif" | "oif"

       Perform kernel Forwarding Information Base lookups.

   BINARY OPERATION
       { "|": [ EXPRESSION, EXPRESSION ] }
       { "^": [ EXPRESSION, EXPRESSION ] }
       { "&": [ EXPRESSION, EXPRESSION ] }
       { "<<": [ EXPRESSION, EXPRESSION ] }
       { ">>": [ EXPRESSION, EXPRESSION ] }

       All binary operations expect an array of exactly two expressions, of
       which the first element denotes the left hand side and the second one
       the right hand side.

   VERDICT
       { "accept": null }
       { "drop": null }
       { "continue": null }
       { "return": null }
       { "jump": { "target": STRING }}
       { "goto": { "target": STRING }}

       Same as the verdict statement, but for use in verdict maps.

       jump and goto verdicts expect a target chain name.

   ELEM
       { "elem": {
           "val": EXPRESSION,
           "timeout": NUMBER,
           "expires": NUMBER,
           "comment": STRING
       }}

       Explicitly set element object, in case timeout, expires or comment are
       desired. Otherwise, it may be replaced by the value of val.

   SOCKET
       { "socket": {
           "key": SOCKET_KEY
       }}

       SOCKET_KEY := "transparent"

       Construct a reference to the packet’s socket.

   OSF
       { "osf": {
           "key": OSF_KEY,
           "ttl": OSF_TTL
       }}

       OSF_KEY := "name"
       OSF_TTL := "loose" | "skip"

       Perform OS fingerprinting. This expression is typically used in the LHS
       of a match statement.

       key
           Which part of the fingerprint info to match against. At this point,
           only the OS name is supported.

       ttl
           Define how the packet’s TTL value is to be matched. This property
           is optional. If omitted, the TTL value has to match exactly. A
           value of loose accepts TTL values less than the fingerprint one. A
           value of skip omits the TTL value comparison entirely.

AUTHOR
       Phil Sutter <phil@nwl.cc>
           Author.



                                  07/25/2019                LIBNFTABLES-JSON(5)