1LIBNFTABLES-JSON(5) LIBNFTABLES-JSON(5)
2
3
4
6 libnftables-json - Supported JSON schema by libnftables
7
9 { "nftables": [ OBJECTS ] }
10
11 OBJECTS := LIST_OBJECTS | CMD_OBJECTS
12
13 LIST_OBJECTS := LIST_OBJECT [ , LIST_OBJECTS ]
14
15 CMD_OBJECTS := CMD_OBJECT [ , CMD_OBJECTS ]
16
17 CMD_OBJECT := { CMD: LIST_OBJECT } | METAINFO_OBJECT
18
19 CMD := "add" | "replace" | "create" | "insert" | "delete" | "list" |
20 "reset" | "flush" | "rename"
21
22 LIST_OBJECT := TABLE | CHAIN | RULE | SET | MAP | ELEMENT | FLOWTABLE |
23 COUNTER | QUOTA | CT_HELPER | LIMIT | METAINFO_OBJECT | CT_TIMEOUT |
24 CT_EXPECTATION
25
27 libnftables supports JSON formatted input and output. This is
28 implemented as an alternative frontend to the standard CLI syntax
29 parser, therefore basic behaviour is identical and, for (almost) any
30 operation available in standard syntax, there should be an equivalent
31 one in JSON.
32
33 JSON input may be provided in a single string as parameter to
34 nft_run_cmd_from_buffer() or in a file identified by the filename
35 parameter of the nft_run_cmd_from_filename() function.
36
37 JSON output has to be enabled via the nft_ctx_output_set_json()
38 function, turning library standard output into JSON format. Error
39 output remains unaffected.
40
42 In general, any JSON input or output is enclosed in an object with a
43 single property named nftables. Its value is an array containing
44 commands (for input) or ruleset elements (for output).
45
46 A command is an object with a single property whose name identifies the
47 command. Its value is a ruleset element - basically identical to output
48 elements, apart from certain properties which may be interpreted
49 differently or are required when output generally omits them.
50
52 In output, the first object in an nftables array is a special one
53 containing library information. Its content is as follows:
54
55 { "metainfo": {
56 "version": STRING,
57 "release_name": STRING,
58 "json_schema_version": NUMBER
59 }}
60
61 The values of version and release_name properties are equal to the
62 package version and release name as printed by nft -v. The value of the
63 json_schema_version property is an integer indicating the schema
64 version.
65
66 If supplied in library input, the parser will verify the
67 json_schema_version value to not exceed the internally hardcoded one
68 (to make sure the given schema is fully understood). In future, a lower
69 number than the internal one may activate compatibility mode to parse
70 outdated and incompatible JSON input.
71
73 The structure accepts an arbitrary amount of commands which are
74 interpreted in order of appearance. For instance, the following
75 standard syntax input:
76
77 flush ruleset
78 add table inet mytable
79 add chain inet mytable mychain
80 add rule inet mytable mychain tcp dport 22 accept
81
82 translates into JSON as such:
83
84 { "nftables": [
85 { "flush": { "ruleset": null }},
86 { "add": { "table": {
87 "family": "inet",
88 "name": "mytable"
89 }}},
90 { "add": { "chain": {
91 "family": "inet",
92 "table": "mytable",
93 "chain": "mychain"
94 }}}
95 { "add": { "rule": {
96 "family": "inet",
97 "table": "mytable",
98 "chain": "mychain",
99 "expr": [
100 { "match": {
101 "left": { "payload": {
102 "protocol": "tcp",
103 "field": "dport"
104 }},
105 "right": 22
106 }},
107 { "accept": null }
108 ]
109 }}}
110 ]}
111
112 ADD
113 { "add": ADD_OBJECT }
114
115 ADD_OBJECT := TABLE | CHAIN | RULE | SET | MAP | ELEMENT |
116 FLOWTABLE | COUNTER | QUOTA | CT_HELPER | LIMIT |
117 CT_TIMEOUT | CT_EXPECTATION
118
119 Add a new ruleset element to the kernel.
120
121 REPLACE
122 { "replace": RULE }
123
124 Replace a rule. In RULE, the handle property is mandatory and
125 identifies the rule to be replaced.
126
127 CREATE
128 { "create": ADD_OBJECT }
129
130 Identical to add command, but returns an error if the object already
131 exists.
132
133 INSERT
134 { "insert": RULE }
135
136 This command is identical to add for rules, but instead of appending
137 the rule to the chain by default, it inserts at first position. If a
138 handle or index property is given, the rule is inserted before the rule
139 identified by those properties.
140
141 DELETE
142 { "delete": ADD_OBJECT }
143
144 Delete an object from the ruleset. Only the minimal number of
145 properties required to uniquely identify an object is generally needed
146 in ADD_OBJECT. For most ruleset elements, this is family and table plus
147 either handle or name (except rules since they don’t have a name).
148
149 LIST
150 { "list": LIST_OBJECT }
151
152 LIST_OBJECT := TABLE | TABLES | CHAIN | CHAINS | SET | SETS |
153 MAP | MAPS | COUNTER | COUNTERS | QUOTA | QUOTAS |
154 CT_HELPER | CT_HELPERS | LIMIT | LIMITS | RULESET |
155 METER | METERS | FLOWTABLE | FLOWTABLES |
156 CT_TIMEOUT | CT_EXPECTATION
157
158 List ruleset elements. The plural forms are used to list all objects of
159 that kind, optionally filtered by family and for some, also table.
160
161 RESET
162 { "reset": RESET_OBJECT }
163
164 RESET_OBJECT := COUNTER | COUNTERS | QUOTA | QUOTAS
165
166 Reset state in suitable objects, i.e. zero their internal counter.
167
168 FLUSH
169 { "flush": FLUSH_OBJECT }
170
171 FLUSH_OBJECT := TABLE | CHAIN | SET | MAP | METER | RULESET
172
173 Empty contents in given object, e.g. remove all chains from given table
174 or remove all elements from given set.
175
176 RENAME
177 { "rename": CHAIN }
178
179 Rename a chain. The new name is expected in a dedicated property named
180 newname.
181
183 TABLE
184 { "table": {
185 "family": STRING,
186 "name": STRING,
187 "handle": NUMBER
188 }}
189
190 This object describes a table.
191
192 family
193 The table’s family, e.g. "ip" or "ip6".
194
195 name
196 The table’s name.
197
198 handle
199 The table’s handle. In input, it is used only in delete command as
200 alternative to name.
201
202 CHAIN
203 { "chain": {
204 "family": STRING,
205 "table": STRING,
206 "name": STRING,
207 "newname": STRING,
208 "handle": NUMBER,
209 "type": STRING,
210 "hook": STRING,
211 "prio": NUMBER,
212 "dev": STRING,
213 "policy": STRING
214 }}
215
216 This object describes a chain.
217
218 family
219 The table’s family.
220
221 table
222 The table’s name.
223
224 name
225 The chain’s name.
226
227 handle
228 The chain’s handle. In input, it is used only in delete command as
229 alternative to name.
230
231 newname
232 A new name for the chain, only relevant in the rename command.
233
234 The following properties are required for base chains:
235
236 type
237 The chain’s type.
238
239 hook
240 The chain’s hook.
241
242 prio
243 The chain’s priority.
244
245 dev
246 The chain’s bound interface (if in the netdev family).
247
248 policy
249 The chain’s policy.
250
251 RULE
252 { "rule": {
253 "family": STRING,
254 "table": STRING,
255 "chain": STRING,
256 "expr": [ STATEMENTS ],
257 "handle": NUMBER,
258 "index": NUMBER,
259 "comment": STRING
260 }}
261
262 STATEMENTS := STATEMENT [, STATEMENTS ]
263
264 This object describes a rule. Basic building blocks of rules are
265 statements. Each rule consists of at least one.
266
267 family
268 The table’s family.
269
270 table
271 The table’s name.
272
273 chain
274 The chain’s name.
275
276 expr
277 An array of statements this rule consists of. In input, it is used
278 in add/insert/replace commands only.
279
280 handle
281 The rule’s handle. In delete/replace commands, it serves as an
282 identifier of the rule to delete/replace. In add/insert commands,
283 it serves as an identifier of an existing rule to append/prepend
284 the rule to.
285
286 index
287 The rule’s position for add/insert commands. It is used as an
288 alternative to handle then.
289
290 comment
291 Optional rule comment.
292
293 SET / MAP
294 { "set": {
295 "family": STRING,
296 "table": STRING,
297 "name": STRING,
298 "handle": NUMBER,
299 "type": SET_TYPE,
300 "policy": SET_POLICY,
301 "flags": [ SET_FLAG_LIST ],
302 "elem": SET_ELEMENTS,
303 "timeout": NUMBER,
304 "gc-interval": NUMBER,
305 "size": NUMBER
306 }}
307
308 { "map": {
309 "family": STRING,
310 "table": STRING,
311 "name": STRING,
312 "handle": NUMBER,
313 "type": SET_TYPE,
314 "map": STRING,
315 "policy": SET_POLICY,
316 "flags": [ SET_FLAG_LIST ],
317 "elem": SET_ELEMENTS,
318 "timeout": NUMBER,
319 "gc-interval": NUMBER,
320 "size": NUMBER
321 }}
322
323 SET_TYPE := STRING | [ SET_TYPE_LIST ]
324 SET_TYPE_LIST := STRING [, SET_TYPE_LIST ]
325 SET_POLICY := "performance" | "memory"
326 SET_FLAG_LIST := SET_FLAG [, SET_FLAG_LIST ]
327 SET_FLAG := "constant" | "interval" | "timeout"
328 SET_ELEMENTS := EXPRESSION | [ EXPRESSION_LIST ]
329 EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]
330
331 These objects describe a named set or map. Maps are a special form of
332 sets in that they translate a unique key to a value.
333
334 family
335 The table’s family.
336
337 table
338 The table’s name.
339
340 name
341 The set’s name.
342
343 handle
344 The set’s handle. For input, it is used in the delete command only.
345
346 type
347 The set’s datatype, see below.
348
349 map
350 Type of values this set maps to (i.e. this set is a map).
351
352 policy
353 The set’s policy.
354
355 flags
356 The set’s flags.
357
358 elem
359 Initial set element(s), see below.
360
361 timeout
362 Element timeout in seconds.
363
364 gc-interval
365 Garbage collector interval in seconds.
366
367 size
368 Maximum number of elements supported.
369
370 TYPE
371 The set type might be a string, such as "ipv4_addr" or an array
372 consisting of strings (for concatenated types).
373
374 ELEM
375 A single set element might be given as string, integer or boolean
376 value for simple cases. If additional properties are required, a
377 formal elem object may be used.
378
379 Multiple elements may be given in an array.
380
381 ELEMENT
382 { "element": {
383 "family": STRING,
384 "table": STRING,
385 "name": STRING,
386 "elem": SET_ELEM
387 }}
388
389 SET_ELEM := EXPRESSION | [ EXPRESSION_LIST ]
390 EXPRESSION_LIST := EXPRESSION [, EXPRESSION ]
391
392 Manipulate element(s) in a named set.
393
394 family
395 The table’s family.
396
397 table
398 The table’s name.
399
400 name
401 The set’s name.
402
403 elem
404 See elem property of set object.
405
406 FLOWTABLE
407 { "flowtable": {
408 "family": STRING,
409 "table": STRING,
410 "name": STRING,
411 "handle": NUMBER,
412 "hook": STRING,
413 "prio": NUMBER,
414 "dev": FT_INTERFACE
415 }}
416
417 FT_INTERFACE := STRING | [ FT_INTERFACE_LIST ]
418 FT_INTERFACE_LIST := STRING [, STRING ]
419
420 This object represents a named flowtable.
421
422 family
423 The table’s family.
424
425 table
426 The table’s name.
427
428 name
429 The flow table’s name.
430
431 handle
432 The flow table’s handle. In input, it is used by the delete command
433 only.
434
435 hook
436 The flow table’s hook.
437
438 prio
439 The flow table’s priority.
440
441 dev
442 The flow table’s interface(s).
443
444 COUNTER
445 { "counter": {
446 "family": STRING,
447 "table": STRING,
448 "name": STRING,
449 "handle": NUMBER,
450 "packets": NUMBER,
451 "bytes": NUMBER
452 }}
453
454 This object represents a named counter.
455
456 family
457 The table’s family.
458
459 table
460 The table’s name.
461
462 name
463 The counter’s name.
464
465 handle
466 The counter’s handle. In input, it is used by the delete command
467 only.
468
469 packets
470 Packet counter value.
471
472 bytes
473 Byte counter value.
474
475 QUOTA
476 { "quota": {
477 "family": STRING,
478 "table": STRING,
479 "name": STRING,
480 "handle": NUMBER,
481 "bytes": NUMBER,
482 "used": NUMBER,
483 "inv": BOOLEAN
484 }}
485
486 This object represents a named quota.
487
488 family
489 The table’s family.
490
491 table
492 The table’s name.
493
494 name
495 The quota’s name.
496
497 handle
498 The quota’s handle. In input, it is used by the delete command
499 only.
500
501 bytes
502 Quota threshold.
503
504 used
505 Quota used so far.
506
507 inv
508 If true, match if the quota has been exceeded.
509
510 CT HELPER
511 { "ct helper": {
512 "family": STRING,
513 "table": STRING,
514 "name": STRING,
515 "handle": ... ',
516 "type": 'STRING,
517 "protocol": CTH_PROTO,
518 "l3proto": STRING
519 }}
520
521 CTH_PROTO := "tcp" | "udp"
522
523 This object represents a named conntrack helper.
524
525 family
526 The table’s family.
527
528 table
529 The table’s name.
530
531 name
532 The ct helper’s name.
533
534 handle
535 The ct helper’s handle. In input, it is used by the delete command
536 only.
537
538 type
539 The ct helper type name, e.g. "ftp" or "tftp".
540
541 protocol
542 The ct helper’s layer 4 protocol.
543
544 l3proto
545 The ct helper’s layer 3 protocol, e.g. "ip" or "ip6".
546
547 LIMIT
548 { "limit": {
549 "family": STRING,
550 "table": STRING,
551 "name": STRING,
552 "handle": NUMBER,
553 "rate": NUMBER,
554 "per": STRING,
555 "burst": NUMBER,
556 "unit": LIMIT_UNIT,
557 "inv": BOOLEAN
558 }}
559
560 LIMIT_UNIT := "packets" | "bytes"
561
562 This object represents a named limit.
563
564 family
565 The table’s family.
566
567 table
568 The table’s name.
569
570 name
571 The limit’s name.
572
573 handle
574 The limit’s handle. In input, it is used by the delete command
575 only.
576
577 rate
578 The limit’s rate value.
579
580 per
581 Time unit to apply the limit to, e.g. "week", "day", "hour", etc.
582 If omitted, defaults to "second".
583
584 burst
585 The limit’s burst value. If omitted, defaults to 0.
586
587 unit
588 Unit of rate and burst values. If omitted, defaults to "packets".
589
590 inv
591 If true, match if limit was exceeded. If omitted, defaults to
592 false.
593
594 CT TIMEOUT
595 { "ct timeout": {
596 "family": STRING,
597 "table": STRING,
598 "name": STRING,
599 "handle": NUMBER,
600 "protocol": CTH_PROTO,
601 "state": STRING,
602 "value: NUMBER,
603 "l3proto": STRING
604 }}
605
606 CTH_PROTO := "tcp" | "udp" | "dccp" | "sctp" | "gre" | "icmpv6" | "icmp" | "generic"
607
608 This object represents a named conntrack timeout policy.
609
610 family
611 The table’s family.
612
613 table
614 The table’s name.
615
616 name
617 The ct timeout object’s name.
618
619 handle
620 The ct timeout object’s handle. In input, it is used by delete
621 command only.
622
623 protocol
624 The ct timeout object’s layer 4 protocol.
625
626 state
627 The connection state name, e.g. "established", "syn_sent", "close"
628 or "close_wait", for which the timeout value has to be updated.
629
630 value
631 The updated timeout value for the specified connection state.
632
633 l3proto
634 The ct timeout object’s layer 3 protocol, e.g. "ip" or "ip6".
635
636 CT EXPECTATION
637 { "ct expectation": {
638 "family": STRING,
639 "table": STRING,
640 "name": STRING,
641 "handle": NUMBER,
642 "l3proto": STRING
643 "protocol":* CTH_PROTO,
644 "dport": NUMBER,
645 "timeout: NUMBER,
646 "size: NUMBER,
647 *}}
648
649 CTH_PROTO := "tcp" | "udp" | "dccp" | "sctp" | "gre" | "icmpv6" | "icmp" | "generic"
650
651 This object represents a named conntrack expectation.
652
653 family
654 The table’s family.
655
656 table
657 The table’s name.
658
659 name
660 The ct expectation object’s name.
661
662 handle
663 The ct expectation object’s handle. In input, it is used by delete
664 command only.
665
666 l3proto
667 The ct expectation object’s layer 3 protocol, e.g. "ip" or "ip6".
668
669 protocol
670 The ct expectation object’s layer 4 protocol.
671
672 dport
673 The destination port of the expected connection.
674
675 timeout
676 The time in millisecond that this expectation will live.
677
678 size
679 The maximum count of expectations to be living in the same time.
680
682 Statements are the building blocks for rules. Each rule consists of at
683 least one.
684
685 VERDICT
686 { "accept": null }
687 { "drop": null }
688 { "continue": null }
689 { "return": null }
690 { "jump": { "target": * STRING *}}
691 { "goto": { "target": * STRING *}}
692
693 A verdict either terminates packet traversal through the current chain
694 or delegates to a different one.
695
696 jump and goto statements expect a target chain name.
697
698 MATCH
699 { "match": {
700 "left": EXPRESSION,
701 "right": EXPRESSION,
702 "op": STRING
703 }}
704
705 This matches the expression on left hand side (typically a packet
706 header or packet meta info) with the expression on right hand side
707 (typically a constant value). If the statement evaluates to true, the
708 next statement in this rule is considered. If not, processing continues
709 with the next rule in the same chain.
710
711 left
712 Left hand side of this match.
713
714 right
715 Right hand side of this match.
716
717 op
718 Operator indicating the type of comparison.
719
720 OPERATORS
721 & Binary AND
722
723 | Binary OR
724
725 ^ Binary XOR
726
727 << Left shift
728
729 >> Right shift
730
731 == Equal
732
733
734 != Not equal
735
736 < Less than
737
738 > Greater than
739
740 ⇐ Less than or equal to
741
742 >= Greater than or equal to
743
744 in Perform a lookup, i.e.
745 test if bits on RHS are
746 contained in LHS value
747
748
749 Unlike with the standard API, the operator is mandatory here. In
750 the standard API, a missing operator may be resolved in two ways,
751 depending on the type of expression on the RHS:
752
753 · If the RHS is a bitmask or a list of bitmasks, the expression
754 resolves into a binary operation with the inequality operator,
755 like this: LHS & RHS != 0.
756
757 · In any other case, the equality operator is simply inserted.
758
759 For the non-trivial first case, the JSON API supports the in
760 operator.
761
762 COUNTER
763 { "counter": {
764 "packets": NUMBER,
765 "bytes": NUMBER
766 }}
767
768 { "counter": STRING }
769
770 This object represents a byte/packet counter. In input, no properties
771 are required. If given, they act as initial values for the counter.
772
773 The first form creates an anonymous counter which lives in the rule it
774 appears in. The second form specifies a reference to a named counter
775 object.
776
777 packets
778 Packets counted.
779
780 bytes
781 Bytes counted.
782
783 MANGLE
784 { "mangle": {
785 "key": EXPRESSION,
786 "value": EXPRESSION
787 }}
788
789 This changes the packet data or meta info.
790
791 key
792 The packet data to be changed, given as an exthdr, payload, meta,
793 ct or ct helper expression.
794
795 value
796 Value to change data to.
797
798 QUOTA
799 { "quota": {
800 "val": NUMBER,
801 "val_unit": STRING,
802 "used": NUMBER,
803 "used_unit": STRING,
804 "inv": BOOLEAN
805 }}
806
807 { "quota": STRING }
808
809 The first form creates an anonymous quota which lives in the rule it
810 appears in. The second form specifies a reference to a named quota
811 object.
812
813 val
814 Quota value.
815
816 val_unit
817 Unit of val, e.g. "kbytes" or "mbytes". If omitted, defaults to
818 "bytes".
819
820 used
821 Quota used so far. Optional on input. If given, serves as initial
822 value.
823
824 used_unit
825 Unit of used. Defaults to "bytes".
826
827 inv
828 If true, will match if quota was exceeded. Defaults to false.
829
830 LIMIT
831 { "limit": {
832 "rate": NUMBER,
833 "rate_unit": STRING,
834 "per": STRING,
835 "burst": NUMBER,
836 "burst_unit": STRING,
837 "inv": BOOLEAN
838 }}
839
840 { "limit": STRING }
841
842 The first form creates an anonymous limit which lives in the rule it
843 appears in. The second form specifies a reference to a named limit
844 object.
845
846 rate
847 Rate value to limit to.
848
849 rate_unit
850 Unit of rate, e.g. "packets" or "mbytes". Defaults to "packets".
851
852 per
853 Denominator of rate, e.g. "week" or "minutes".
854
855 burst
856 Burst value. Defaults to 0.
857
858 burst_unit
859 Unit of burst, ignored if rate_unit is "packets". Defaults to
860 "bytes".
861
862 inv
863 If true, matches if the limit was exceeded. Defaults to false.
864
865 FWD
866 { "fwd": {
867 "dev": EXPRESSION,
868 "family": FWD_FAMILY,
869 "addr": EXPRESSION
870 }}
871
872 FWD_FAMILY := "ip" | "ip6"
873
874 Forward a packet to a different destination.
875
876 dev
877 Interface to forward the packet on.
878
879 family
880 Family of addr.
881
882 addr
883 IP(v6) address to forward the packet to.
884
885 Both family and addr are optional, but if at least one is given, both
886 must be present.
887
888 NOTRACK
889 { "notrack": null }
890
891 Disable connection tracking for the packet.
892
893 DUP
894 { "dup": {
895 "addr": EXPRESSION,
896 "dev": EXPRESSION
897 }}
898
899 Duplicate a packet to a different destination.
900
901 addr
902 Address to duplicate packet to.
903
904 dev
905 Interface to duplicate packet on. May be omitted to not specify an
906 interface explicitly.
907
908 NETWORK ADDRESS TRANSLATION
909 { "snat": {
910 "addr": EXPRESSION,
911 "family": STRING,
912 "port": EXPRESSION,
913 "flags": FLAGS
914 }}
915
916 { "dnat": {
917 "addr": EXPRESSION,
918 "family": STRING,
919 "port": EXPRESSION,
920 "flags": FLAGS
921 }}
922
923 { "masquerade": {
924 "port": EXPRESSION,
925 "flags": FLAGS
926 }}
927
928 { "redirect": {
929 "port": EXPRESSION,
930 "flags": FLAGS
931 }}
932
933 FLAGS := FLAG | [ FLAG_LIST ]
934 FLAG_LIST := FLAG [, FLAG_LIST ]
935 FLAG := "random" | "fully-random" | "persistent"
936
937 Perform Network Address Translation.
938
939 addr
940 Address to translate to.
941
942 family
943 Family of addr, either ip or ip6. Required in inet table family.
944
945 port
946 Port to translate to.
947
948 flags
949 Flag(s).
950
951 All properties are optional and default to none.
952
953 REJECT
954 { "reject": {
955 "type": STRING,
956 "expr": EXPRESSION
957 }}
958
959 Reject the packet and send the given error reply.
960
961 type
962 Type of reject, either "tcp reset", "icmpx", "icmp" or "icmpv6".
963
964 expr
965 ICMP type to reject with.
966
967 All properties are optional.
968
969 SET
970 { "set": {
971 "op": STRING,
972 "elem": EXPRESSION,
973 "set": STRING
974 }}
975
976 Dynamically add/update elements to a set.
977
978 op
979 Operator on set, either "add" or "update".
980
981 elem
982 Set element to add or update.
983
984 set
985 Set reference.
986
987 LOG
988 { "log": {
989 "prefix": STRING,
990 "group": NUMBER,
991 "snaplen": NUMBER,
992 "queue-threshold": NUMBER,
993 "level": LEVEL,
994 "flags": FLAGS
995 }}
996
997 LEVEL := "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
998 "info" | "debug" | "audit"
999
1000 FLAGS := FLAG | [ FLAG_LIST ]
1001 FLAG_LIST := FLAG [, FLAG_LIST ]
1002 FLAG := "tcp sequence" | "tcp options" | "ip options" | "skuid" |
1003 "ether" | "all"
1004
1005 Log the packet.
1006
1007 prefix
1008 Prefix for log entries.
1009
1010 group
1011 Log group.
1012
1013 snaplen
1014 Snaplen for logging.
1015
1016 queue-threshold
1017 Queue threshold.
1018
1019 level
1020 Log level. Defaults to "warn".
1021
1022 flags
1023 Log flags.
1024
1025 All properties are optional.
1026
1027 CT HELPER
1028 { "ct helper": EXPRESSION }
1029
1030 Enable the specified conntrack helper for this packet.
1031
1032 ct helper
1033 CT helper reference.
1034
1035 METER
1036 { "meter": {
1037 "name": STRING,
1038 "key": EXPRESSION,
1039 "stmt": STATEMENT
1040 }}
1041
1042 Apply a given statement using a meter.
1043
1044 name
1045 Meter name.
1046
1047 key
1048 Meter key.
1049
1050 stmt
1051 Meter statement.
1052
1053 QUEUE
1054 { "queue": {
1055 "num": EXPRESSION,
1056 "flags": FLAGS
1057 }}
1058
1059 FLAGS := FLAG | [ FLAG_LIST ]
1060 FLAG_LIST := FLAG [, FLAG_LIST ]
1061 FLAG := "bypass" | "fanout"
1062
1063 Queue the packet to userspace.
1064
1065 num
1066 Queue number.
1067
1068 flags
1069 Queue flags.
1070
1071 VERDICT MAP
1072 { "vmap": {
1073 "key": EXPRESSION,
1074 "data": EXPRESSION
1075 }}
1076
1077 Apply a verdict conditionally.
1078
1079 key
1080 Map key.
1081
1082 data
1083 Mapping expression consisting of value/verdict pairs.
1084
1085 CT COUNT
1086 { "ct count": {
1087 "val": NUMBER,
1088 "inv": BOOLEAN
1089 }}
1090
1091 Limit the number of connections using conntrack.
1092
1093 val
1094 Connection count threshold.
1095
1096 inv
1097 If true, match if val was exceeded. If omitted, defaults to false.
1098
1099 CT TIMEOUT
1100 { "ct timeout": EXPRESSION }
1101
1102 Assign connection tracking timeout policy.
1103
1104 ct timeout
1105 CT timeout reference.
1106
1107 CT EXPECTATION
1108 { "ct expectation": EXPRESSION }
1109
1110 Assign connection tracking expectation.
1111
1112 ct expectation
1113 CT expectation reference.
1114
1115 XT
1116 { "xt": null }
1117
1118 This represents an xt statement from xtables compat interface. Sadly,
1119 at this point, it is not possible to provide any further information
1120 about its content.
1121
1123 Expressions are the building blocks of (most) statements. In their most
1124 basic form, they are just immediate values represented as a JSON
1125 string, integer or boolean type.
1126
1127 IMMEDIATES
1128 STRING
1129 NUMBER
1130 BOOLEAN
1131
1132 Immediate expressions are typically used for constant values. For
1133 strings, there are two special cases:
1134
1135 @STRING
1136 The remaining part is taken as set name to create a set reference.
1137
1138 \*
1139 Construct a wildcard expression.
1140
1141 LISTS
1142 ARRAY
1143
1144 List expressions are constructed by plain arrays containing of an
1145 arbitrary number of expressions.
1146
1147 CONCAT
1148 { "concat": CONCAT }
1149
1150 CONCAT := [ EXPRESSION_LIST ]
1151 EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]
1152
1153 Concatenate several expressions.
1154
1155 SET
1156 { "set": SET }
1157
1158 SET := EXPRESSION | [ EXPRESSION_LIST ]
1159
1160 This object constructs an anonymous set. For mappings, an array of
1161 arrays with exactly two elements is expected.
1162
1163 MAP
1164 { "map": {
1165 "key": EXPRESSION,
1166 "data": EXPRESSION
1167 }}
1168
1169 Map a key to a value.
1170
1171 key
1172 Map key.
1173
1174 data
1175 Mapping expression consisting of value/target pairs.
1176
1177 PREFIX
1178 { "prefix": {
1179 "addr": EXPRESSION,
1180 "len": NUMBER
1181 }}
1182
1183 Construct an IPv4 or IPv6 prefix consisting of address part in addr and
1184 prefix length in len.
1185
1186 RANGE
1187 { "range": [ EXPRESSION , EXPRESSION ] }
1188
1189 Construct a range of values. The first array item denotes the lower
1190 boundary, the second one the upper boundary.
1191
1192 PAYLOAD
1193 { "payload": {
1194 "base": BASE,
1195 "offset": NUMBER,
1196 "len": NUMBER
1197 }}
1198
1199 { "payload": {
1200 "protocol": STRING,
1201 "field": STRING
1202 }}
1203
1204 BASE := "ll" | "nh" | "th"
1205
1206 Construct a payload expression, i.e. a reference to a certain part of
1207 packet data. The first form creates a raw payload expression to point
1208 at a random number (len) of bytes at a certain offset (offset) from a
1209 given reference point (base). The following base values are accepted:
1210
1211 "ll"
1212 The offset is relative to Link Layer header start offset.
1213
1214 "nh"
1215 The offset is relative to Network Layer header start offset.
1216
1217 "th"
1218 The offset is relative to Transport Layer header start offset.
1219
1220 The second form allows to reference a field by name (field) in a named
1221 packet header (protocol).
1222
1223 EXTHDR
1224 { "exthdr": {
1225 "name": STRING,
1226 "field": STRING,
1227 "offset": NUMBER
1228 }}
1229
1230 Create a reference to a field (field) in an IPv6 extension header
1231 (name). offset is used only for rt0 protocol.
1232
1233 If the field property is not given, the expression is to be used as a
1234 header existence check in a match statement with a boolean on the right
1235 hand side.
1236
1237 TCP OPTION
1238 { "tcp option": {
1239 "name": STRING,
1240 "field": STRING
1241 }}
1242
1243 Create a reference to a field (field) of a TCP option header (name).
1244
1245 If the field property is not given, the expression is to be used as a
1246 TCP option existence check in a match statement with a boolean on the
1247 right hand side.
1248
1249 META
1250 { "meta": {
1251 "key": META_KEY
1252 }}
1253
1254 META_KEY := "length" | "protocol" | "priority" | "random" | "mark" |
1255 "iif" | "iifname" | "iiftype" | "oif" | "oifname" |
1256 "oiftype" | "skuid" | "skgid" | "nftrace" |
1257 "rtclassid" | "ibriport" | "obriport" | "ibridgename" |
1258 "obridgename" | "pkttype" | "cpu" | "iifgroup" |
1259 "oifgroup" | "cgroup" | "nfproto" | "l4proto" |
1260 "secpath"
1261
1262 Create a reference to packet meta data.
1263
1264 RT
1265 { "rt": {
1266 "key": RT_KEY,
1267 "family": RT_FAMILY
1268 }}
1269
1270 RT_KEY := "classid" | "nexthop" | "mtu"
1271 RT_FAMILY := "ip" | "ip6"
1272
1273 Create a reference to packet routing data.
1274
1275 The family property is optional and defaults to unspecified.
1276
1277 CT
1278 { "ct": {
1279 "key": STRING,
1280 "family": CT_FAMILY,
1281 "dir": CT_DIRECTION
1282 }}
1283
1284 CT_FAMILY := "ip" | "ip6"
1285 CT_DIRECTION := "original" | "reply"
1286
1287 Create a reference to packet conntrack data.
1288
1289 Some CT keys do not support a direction. In this case, dir must not be
1290 given.
1291
1292 NUMGEN
1293 { "numgen": {
1294 "mode": NG_MODE,
1295 "mod": NUMBER,
1296 "offset": NUMBER
1297 }}
1298
1299 NG_MODE := "inc" | "random"
1300
1301 Create a number generator.
1302
1303 The offset property is optional and defaults to 0.
1304
1305 HASH
1306 { "jhash": {
1307 "mod": NUMBER,
1308 "offset": NUMBER,
1309 "expr": EXPRESSION,
1310 "seed": NUMBER
1311 }}
1312
1313 { "symhash": {
1314 "mod": NUMBER,
1315 "offset": NUMBER
1316 }}
1317
1318 Hash packet data.
1319
1320 The offset and seed properties are optional and default to 0.
1321
1322 FIB
1323 { "fib": {
1324 "result": FIB_RESULT,
1325 "flags": FIB_FLAGS
1326 }}
1327
1328 FIB_RESULT := "oif" | "oifname" | "type"
1329
1330 FIB_FLAGS := FIB_FLAG | [ FIB_FLAG_LIST ]
1331 FIB_FLAG_LIST := FIB_FLAG [, FIB_FLAG_LIST ]
1332 FIB_FLAG := "saddr" | "daddr" | "mark" | "iif" | "oif"
1333
1334 Perform kernel Forwarding Information Base lookups.
1335
1336 BINARY OPERATION
1337 { "|": [ EXPRESSION, EXPRESSION ] }
1338 { "^": [ EXPRESSION, EXPRESSION ] }
1339 { "&": [ EXPRESSION, EXPRESSION ] }
1340 { "<<": [ EXPRESSION, EXPRESSION ] }
1341 { ">>": [ EXPRESSION, EXPRESSION ] }
1342
1343 All binary operations expect an array of exactly two expressions, of
1344 which the first element denotes the left hand side and the second one
1345 the right hand side.
1346
1347 VERDICT
1348 { "accept": null }
1349 { "drop": null }
1350 { "continue": null }
1351 { "return": null }
1352 { "jump": { "target": STRING }}
1353 { "goto": { "target": STRING }}
1354
1355 Same as the verdict statement, but for use in verdict maps.
1356
1357 jump and goto verdicts expect a target chain name.
1358
1359 ELEM
1360 { "elem": {
1361 "val": EXPRESSION,
1362 "timeout": NUMBER,
1363 "expires": NUMBER,
1364 "comment": STRING
1365 }}
1366
1367 Explicitly set element object, in case timeout, expires or comment are
1368 desired. Otherwise, it may be replaced by the value of val.
1369
1370 SOCKET
1371 { "socket": {
1372 "key": SOCKET_KEY
1373 }}
1374
1375 SOCKET_KEY := "transparent"
1376
1377 Construct a reference to packet’s socket.
1378
1379 OSF
1380 { "osf": {
1381 "key": OSF_KEY,
1382 "ttl": OSF_TTL
1383 }}
1384
1385 OSF_KEY := "name"
1386 OSF_TTL := "loose" | "skip"
1387
1388 Perform OS fingerprinting. This expression is typically used in the LHS
1389 of a match statement.
1390
1391 key
1392 Which part of the fingerprint info to match against. At this point,
1393 only the OS name is supported.
1394
1395 ttl
1396 Define how the packet’s TTL value is to be matched. This property
1397 is optional. If omitted, the TTL value has to match exactly. A
1398 value of loose accepts TTL values less than the fingerprint one. A
1399 value of skip omits TTL value comparison entirely.
1400
1402 Phil Sutter <phil@nwl.cc>
1403 Author.
1404
1405
1406
1407 01/29/2020 LIBNFTABLES-JSON(5)