1LIBNFTABLES-JSON(5)                                        LIBNFTABLES-JSON(5)
2
3
4

NAME

6       libnftables-json - Supported JSON schema by libnftables
7

SYNOPSIS

9       { "nftables": [ OBJECTS ] }
10
11       OBJECTS := LIST_OBJECTS | CMD_OBJECTS
12
13       LIST_OBJECTS := LIST_OBJECT [ , LIST_OBJECTS ]
14
15       CMD_OBJECTS := CMD_OBJECT [ , CMD_OBJECTS ]
16
17       CMD_OBJECT := { CMD: LIST_OBJECT } | METAINFO_OBJECT
18
19       CMD := "add" | "replace" | "create" | "insert" | "delete" | "list" |
20       "reset" | "flush" | "rename"
21
22       LIST_OBJECT := TABLE | CHAIN | RULE | SET | MAP | ELEMENT | FLOWTABLE |
23       COUNTER | QUOTA | CT_HELPER | LIMIT | METAINFO_OBJECT | CT_TIMEOUT |
24       CT_EXPECTATION
25

DESCRIPTION

27       libnftables supports JSON formatted input and output. This is
28       implemented as an alternative frontend to the standard CLI syntax
29       parser, therefore basic behaviour is identical and, for (almost) any
30       operation available in standard syntax, there should be an equivalent
31       one in JSON.
32
33       JSON input may be provided in a single string as parameter to
34       nft_run_cmd_from_buffer() or in a file identified by the filename
35       parameter of the nft_run_cmd_from_filename() function.
36
37       JSON output has to be enabled via the nft_ctx_output_set_json()
38       function, turning library standard output into JSON format. Error
39       output remains unaffected.
40

GLOBAL STRUCTURE

42       In general, any JSON input or output is enclosed in an object with a
43       single property named nftables. Its value is an array containing
44       commands (for input) or ruleset elements (for output).
45
46       A command is an object with a single property whose name identifies the
47       command. Its value is a ruleset element - basically identical to output
48       elements, apart from certain properties which may be interpreted
49       differently or are required when output generally omits them.
50

METAINFO OBJECT

52       In output, the first object in an nftables array is a special one
53       containing library information. Its content is as follows:
54
55           { "metainfo": {
56                   "version": STRING,
57                   "release_name": STRING,
58                   "json_schema_version": NUMBER
59           }}
60
61       The values of version and release_name properties are equal to the
62       package version and release name as printed by nft -v. The value of the
63       json_schema_version property is an integer indicating the schema
64       version.
65
66       If supplied in library input, the parser will verify the
67       json_schema_version value to not exceed the internally hardcoded one
68       (to make sure the given schema is fully understood). In future, a lower
69       number than the internal one may activate compatibility mode to parse
70       outdated and incompatible JSON input.
71

COMMAND OBJECTS

73       The structure accepts an arbitrary amount of commands which are
74       interpreted in order of appearance. For instance, the following
75       standard syntax input:
76
77           flush ruleset
78           add table inet mytable
79           add chain inet mytable mychain
80           add rule inet mytable mychain tcp dport 22 accept
81
82       translates into JSON as such:
83
84           { "nftables": [
85                   { "flush": { "ruleset": null }},
86                   { "add": { "table": {
87                                   "family": "inet",
88                                   "name": "mytable"
89                   }}},
90                   { "add": { "chain": {
91                                   "family": "inet",
92                                   "table": "mytable",
93                                   "chain": "mychain"
94                   }}}
95                   { "add": { "rule": {
96                                   "family": "inet",
97                                   "table": "mytable",
98                                   "chain": "mychain",
99                                   "expr": [
100                                           { "match": {
101                                                   "left": { "payload": {
102                                                                   "protocol": "tcp",
103                                                                   "field": "dport"
104                                                   }},
105                                                   "right": 22
106                                           }},
107                                           { "accept": null }
108                                   ]
109                   }}}
110           ]}
111
112   ADD
113           { "add": ADD_OBJECT }
114
115           ADD_OBJECT := TABLE | CHAIN | RULE | SET | MAP | ELEMENT |
116                           FLOWTABLE | COUNTER | QUOTA | CT_HELPER | LIMIT |
117                           CT_TIMEOUT | CT_EXPECTATION
118
119       Add a new ruleset element to the kernel.
120
121   REPLACE
122           { "replace": RULE }
123
124       Replace a rule. In RULE, the handle property is mandatory and
125       identifies the rule to be replaced.
126
127   CREATE
128           { "create": ADD_OBJECT }
129
130       Identical to add command, but returns an error if the object already
131       exists.
132
133   INSERT
134           { "insert": RULE }
135
136       This command is identical to add for rules, but instead of appending
137       the rule to the chain by default, it inserts at first position. If a
138       handle or index property is given, the rule is inserted before the rule
139       identified by those properties.
140
141   DELETE
142           { "delete": ADD_OBJECT }
143
144       Delete an object from the ruleset. Only the minimal number of
145       properties required to uniquely identify an object is generally needed
146       in ADD_OBJECT. For most ruleset elements, this is family and table plus
147       either handle or name (except rules since they don’t have a name).
148
149   LIST
150           { "list": LIST_OBJECT }
151
152           LIST_OBJECT := TABLE | TABLES | CHAIN | CHAINS | SET | SETS |
153                            MAP | MAPS | COUNTER | COUNTERS | QUOTA | QUOTAS |
154                            CT_HELPER | CT_HELPERS | LIMIT | LIMITS | RULESET |
155                            METER | METERS | FLOWTABLE | FLOWTABLES |
156                            CT_TIMEOUT | CT_EXPECTATION
157
158       List ruleset elements. The plural forms are used to list all objects of
159       that kind, optionally filtered by family and for some, also table.
160
161   RESET
162           { "reset": RESET_OBJECT }
163
164           RESET_OBJECT := COUNTER | COUNTERS | QUOTA | QUOTAS
165
166       Reset state in suitable objects, i.e. zero their internal counter.
167
168   FLUSH
169           { "flush": FLUSH_OBJECT }
170
171           FLUSH_OBJECT := TABLE | CHAIN | SET | MAP | METER | RULESET
172
173       Empty contents in given object, e.g. remove all chains from given table
174       or remove all elements from given set.
175
176   RENAME
177           { "rename": CHAIN }
178
179       Rename a chain. The new name is expected in a dedicated property named
180       newname.
181

RULESET ELEMENTS

183   TABLE
184           { "table": {
185                   "family": STRING,
186                   "name": STRING,
187                   "handle": NUMBER
188           }}
189
190       This object describes a table.
191
192       family
193           The table’s family, e.g.  "ip" or "ip6".
194
195       name
196           The table’s name.
197
198       handle
199           The table’s handle. In input, it is used only in delete command as
200           alternative to name.
201
202   CHAIN
203           { "chain": {
204                   "family": STRING,
205                   "table": STRING,
206                   "name": STRING,
207                   "newname": STRING,
208                   "handle": NUMBER,
209                   "type": STRING,
210                   "hook": STRING,
211                   "prio": NUMBER,
212                   "dev": STRING,
213                   "policy": STRING
214           }}
215
216       This object describes a chain.
217
218       family
219           The table’s family.
220
221       table
222           The table’s name.
223
224       name
225           The chain’s name.
226
227       handle
228           The chain’s handle. In input, it is used only in delete command as
229           alternative to name.
230
231       newname
232           A new name for the chain, only relevant in the rename command.
233
234       The following properties are required for base chains:
235
236       type
237           The chain’s type.
238
239       hook
240           The chain’s hook.
241
242       prio
243           The chain’s priority.
244
245       dev
246           The chain’s bound interface (if in the netdev family).
247
248       policy
249           The chain’s policy.
250
251   RULE
252           { "rule": {
253                   "family": STRING,
254                   "table": STRING,
255                   "chain": STRING,
256                   "expr": [ STATEMENTS ],
257                   "handle": NUMBER,
258                   "index": NUMBER,
259                   "comment": STRING
260           }}
261
262           STATEMENTS := STATEMENT [, STATEMENTS ]
263
264       This object describes a rule. Basic building blocks of rules are
265       statements. Each rule consists of at least one.
266
267       family
268           The table’s family.
269
270       table
271           The table’s name.
272
273       chain
274           The chain’s name.
275
276       expr
277           An array of statements this rule consists of. In input, it is used
278           in add/insert/replace commands only.
279
280       handle
281           The rule’s handle. In delete/replace commands, it serves as an
282           identifier of the rule to delete/replace. In add/insert commands,
283           it serves as an identifier of an existing rule to append/prepend
284           the rule to.
285
286       index
287           The rule’s position for add/insert commands. It is used as an
288           alternative to handle then.
289
290       comment
291           Optional rule comment.
292
293   SET / MAP
294           { "set": {
295                   "family": STRING,
296                   "table": STRING,
297                   "name": STRING,
298                   "handle": NUMBER,
299                   "type": SET_TYPE,
300                   "policy": SET_POLICY,
301                   "flags": [ SET_FLAG_LIST ],
302                   "elem": SET_ELEMENTS,
303                   "timeout": NUMBER,
304                   "gc-interval": NUMBER,
305                   "size": NUMBER
306           }}
307
308           { "map": {
309                   "family": STRING,
310                   "table": STRING,
311                   "name": STRING,
312                   "handle": NUMBER,
313                   "type": SET_TYPE,
314                   "map": STRING,
315                   "policy": SET_POLICY,
316                   "flags": [ SET_FLAG_LIST ],
317                   "elem": SET_ELEMENTS,
318                   "timeout": NUMBER,
319                   "gc-interval": NUMBER,
320                   "size": NUMBER
321           }}
322
323           SET_TYPE := STRING | [ SET_TYPE_LIST ]
324           SET_TYPE_LIST := STRING [, SET_TYPE_LIST ]
325           SET_POLICY := "performance" | "memory"
326           SET_FLAG_LIST := SET_FLAG [, SET_FLAG_LIST ]
327           SET_FLAG := "constant" | "interval" | "timeout"
328           SET_ELEMENTS := EXPRESSION | [ EXPRESSION_LIST ]
329           EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]
330
331       These objects describe a named set or map. Maps are a special form of
332       sets in that they translate a unique key to a value.
333
334       family
335           The table’s family.
336
337       table
338           The table’s name.
339
340       name
341           The set’s name.
342
343       handle
344           The set’s handle. For input, it is used in the delete command only.
345
346       type
347           The set’s datatype, see below.
348
349       map
350           Type of values this set maps to (i.e. this set is a map).
351
352       policy
353           The set’s policy.
354
355       flags
356           The set’s flags.
357
358       elem
359           Initial set element(s), see below.
360
361       timeout
362           Element timeout in seconds.
363
364       gc-interval
365           Garbage collector interval in seconds.
366
367       size
368           Maximum number of elements supported.
369
370       TYPE
371           The set type might be a string, such as "ipv4_addr" or an array
372           consisting of strings (for concatenated types).
373
374       ELEM
375           A single set element might be given as string, integer or boolean
376           value for simple cases. If additional properties are required, a
377           formal elem object may be used.
378
379           Multiple elements may be given in an array.
380
381   ELEMENT
382           { "element": {
383                   "family": STRING,
384                   "table": STRING,
385                   "name": STRING,
386                   "elem": SET_ELEM
387           }}
388
389           SET_ELEM := EXPRESSION | [ EXPRESSION_LIST ]
390           EXPRESSION_LIST := EXPRESSION [, EXPRESSION ]
391
392       Manipulate element(s) in a named set.
393
394       family
395           The table’s family.
396
397       table
398           The table’s name.
399
400       name
401           The set’s name.
402
403       elem
404           See elem property of set object.
405
406   FLOWTABLE
407           { "flowtable": {
408                   "family": STRING,
409                   "table": STRING,
410                   "name": STRING,
411                   "handle": NUMBER,
412                   "hook": STRING,
413                   "prio": NUMBER,
414                   "dev": FT_INTERFACE
415           }}
416
417           FT_INTERFACE := STRING | [ FT_INTERFACE_LIST ]
418           FT_INTERFACE_LIST := STRING [, STRING ]
419
420       This object represents a named flowtable.
421
422       family
423           The table’s family.
424
425       table
426           The table’s name.
427
428       name
429           The flow table’s name.
430
431       handle
432           The flow table’s handle. In input, it is used by the delete command
433           only.
434
435       hook
436           The flow table’s hook.
437
438       prio
439           The flow table’s priority.
440
441       dev
442           The flow table’s interface(s).
443
444   COUNTER
445           { "counter": {
446                   "family": STRING,
447                   "table": STRING,
448                   "name": STRING,
449                   "handle": NUMBER,
450                   "packets": NUMBER,
451                   "bytes": NUMBER
452           }}
453
454       This object represents a named counter.
455
456       family
457           The table’s family.
458
459       table
460           The table’s name.
461
462       name
463           The counter’s name.
464
465       handle
466           The counter’s handle. In input, it is used by the delete command
467           only.
468
469       packets
470           Packet counter value.
471
472       bytes
473           Byte counter value.
474
475   QUOTA
476           { "quota": {
477                   "family": STRING,
478                   "table": STRING,
479                   "name": STRING,
480                   "handle": NUMBER,
481                   "bytes": NUMBER,
482                   "used": NUMBER,
483                   "inv": BOOLEAN
484           }}
485
486       This object represents a named quota.
487
488       family
489           The table’s family.
490
491       table
492           The table’s name.
493
494       name
495           The quota’s name.
496
497       handle
498           The quota’s handle. In input, it is used by the delete command
499           only.
500
501       bytes
502           Quota threshold.
503
504       used
505           Quota used so far.
506
507       inv
508           If true, match if the quota has been exceeded.
509
510   CT HELPER
511           { "ct helper": {
512                   "family": STRING,
513                   "table": STRING,
514                   "name": STRING,
515                   "handle": ... ',
516                   "type": 'STRING,
517                   "protocol": CTH_PROTO,
518                   "l3proto": STRING
519           }}
520
521           CTH_PROTO := "tcp" | "udp"
522
523       This object represents a named conntrack helper.
524
525       family
526           The table’s family.
527
528       table
529           The table’s name.
530
531       name
532           The ct helper’s name.
533
534       handle
535           The ct helper’s handle. In input, it is used by the delete command
536           only.
537
538       type
539           The ct helper type name, e.g.  "ftp" or "tftp".
540
541       protocol
542           The ct helper’s layer 4 protocol.
543
544       l3proto
545           The ct helper’s layer 3 protocol, e.g.  "ip" or "ip6".
546
547   LIMIT
548           { "limit": {
549                   "family": STRING,
550                   "table": STRING,
551                   "name": STRING,
552                   "handle": NUMBER,
553                   "rate": NUMBER,
554                   "per": STRING,
555                   "burst": NUMBER,
556                   "unit": LIMIT_UNIT,
557                   "inv": BOOLEAN
558           }}
559
560           LIMIT_UNIT := "packets" | "bytes"
561
562       This object represents a named limit.
563
564       family
565           The table’s family.
566
567       table
568           The table’s name.
569
570       name
571           The limit’s name.
572
573       handle
574           The limit’s handle. In input, it is used by the delete command
575           only.
576
577       rate
578           The limit’s rate value.
579
580       per
581           Time unit to apply the limit to, e.g.  "week", "day", "hour", etc.
582           If omitted, defaults to "second".
583
584       burst
585           The limit’s burst value. If omitted, defaults to 0.
586
587       unit
588           Unit of rate and burst values. If omitted, defaults to "packets".
589
590       inv
591           If true, match if limit was exceeded. If omitted, defaults to
592           false.
593
594   CT TIMEOUT
595           { "ct timeout": {
596                   "family": STRING,
597                   "table": STRING,
598                   "name": STRING,
599                   "handle": NUMBER,
600                   "protocol": CTH_PROTO,
601                   "state": STRING,
602                   "value: NUMBER,
603                   "l3proto": STRING
604           }}
605
606           CTH_PROTO := "tcp" | "udp" | "dccp" | "sctp" | "gre" | "icmpv6" | "icmp" | "generic"
607
608       This object represents a named conntrack timeout policy.
609
610       family
611           The table’s family.
612
613       table
614           The table’s name.
615
616       name
617           The ct timeout object’s name.
618
619       handle
620           The ct timeout object’s handle. In input, it is used by delete
621           command only.
622
623       protocol
624           The ct timeout object’s layer 4 protocol.
625
626       state
627           The connection state name, e.g.  "established", "syn_sent", "close"
628           or "close_wait", for which the timeout value has to be updated.
629
630       value
631           The updated timeout value for the specified connection state.
632
633       l3proto
634           The ct timeout object’s layer 3 protocol, e.g.  "ip" or "ip6".
635
636   CT EXPECTATION
637           { "ct expectation": {
638                   "family": STRING,
639                   "table": STRING,
640                   "name": STRING,
641                   "handle": NUMBER,
642                   "l3proto": STRING
643                   "protocol":* CTH_PROTO,
644                   "dport": NUMBER,
645                   "timeout: NUMBER,
646                   "size: NUMBER,
647           *}}
648
649           CTH_PROTO := "tcp" | "udp" | "dccp" | "sctp" | "gre" | "icmpv6" | "icmp" | "generic"
650
651       This object represents a named conntrack expectation.
652
653       family
654           The table’s family.
655
656       table
657           The table’s name.
658
659       name
660           The ct expectation object’s name.
661
662       handle
663           The ct expectation object’s handle. In input, it is used by delete
664           command only.
665
666       l3proto
667           The ct expectation object’s layer 3 protocol, e.g.  "ip" or "ip6".
668
669       protocol
670           The ct expectation object’s layer 4 protocol.
671
672       dport
673           The destination port of the expected connection.
674
675       timeout
676           The time in millisecond that this expectation will live.
677
678       size
679           The maximum count of expectations to be living in the same time.
680

STATEMENTS

682       Statements are the building blocks for rules. Each rule consists of at
683       least one.
684
685   VERDICT
686           { "accept": null }
687           { "drop": null }
688           { "continue": null }
689           { "return": null }
690           { "jump": { "target": * STRING *}}
691           { "goto": { "target": * STRING *}}
692
693       A verdict either terminates packet traversal through the current chain
694       or delegates to a different one.
695
696       jump and goto statements expect a target chain name.
697
698   MATCH
699           { "match": {
700                   "left": EXPRESSION,
701                   "right": EXPRESSION,
702                   "op": STRING
703           }}
704
705       This matches the expression on left hand side (typically a packet
706       header or packet meta info) with the expression on right hand side
707       (typically a constant value). If the statement evaluates to true, the
708       next statement in this rule is considered. If not, processing continues
709       with the next rule in the same chain.
710
711       left
712           Left hand side of this match.
713
714       right
715           Right hand side of this match.
716
717       op
718           Operator indicating the type of comparison.
719
720       OPERATORS
721           &    Binary AND
722
723           |    Binary OR
724
725           ^    Binary XOR
726
727           <<   Left shift
728
729           >>   Right shift
730
731           ==   Equal
732
733
734           !=   Not equal
735
736           <    Less than
737
738           >    Greater than
739
740           Less than or equal to
741
742           >=   Greater than or equal to
743
744           in   Perform a lookup, i.e.
745                test if bits on RHS are
746                contained in LHS value
747
748
749           Unlike with the standard API, the operator is mandatory here. In
750           the standard API, a missing operator may be resolved in two ways,
751           depending on the type of expression on the RHS:
752
753           ·   If the RHS is a bitmask or a list of bitmasks, the expression
754               resolves into a binary operation with the inequality operator,
755               like this: LHS & RHS != 0.
756
757           ·   In any other case, the equality operator is simply inserted.
758
759           For the non-trivial first case, the JSON API supports the in
760           operator.
761
762   COUNTER
763           { "counter": {
764                   "packets": NUMBER,
765                   "bytes": NUMBER
766           }}
767
768           { "counter": STRING }
769
770       This object represents a byte/packet counter. In input, no properties
771       are required. If given, they act as initial values for the counter.
772
773       The first form creates an anonymous counter which lives in the rule it
774       appears in. The second form specifies a reference to a named counter
775       object.
776
777       packets
778           Packets counted.
779
780       bytes
781           Bytes counted.
782
783   MANGLE
784           { "mangle": {
785                   "key": EXPRESSION,
786                   "value": EXPRESSION
787           }}
788
789       This changes the packet data or meta info.
790
791       key
792           The packet data to be changed, given as an exthdr, payload, meta,
793           ct or ct helper expression.
794
795       value
796           Value to change data to.
797
798   QUOTA
799           { "quota": {
800                   "val": NUMBER,
801                   "val_unit": STRING,
802                   "used": NUMBER,
803                   "used_unit": STRING,
804                   "inv": BOOLEAN
805           }}
806
807           { "quota": STRING }
808
809       The first form creates an anonymous quota which lives in the rule it
810       appears in. The second form specifies a reference to a named quota
811       object.
812
813       val
814           Quota value.
815
816       val_unit
817           Unit of val, e.g.  "kbytes" or "mbytes". If omitted, defaults to
818           "bytes".
819
820       used
821           Quota used so far. Optional on input. If given, serves as initial
822           value.
823
824       used_unit
825           Unit of used. Defaults to "bytes".
826
827       inv
828           If true, will match if quota was exceeded. Defaults to false.
829
830   LIMIT
831           { "limit": {
832                   "rate": NUMBER,
833                   "rate_unit": STRING,
834                   "per": STRING,
835                   "burst": NUMBER,
836                   "burst_unit": STRING,
837                   "inv": BOOLEAN
838           }}
839
840           { "limit": STRING }
841
842       The first form creates an anonymous limit which lives in the rule it
843       appears in. The second form specifies a reference to a named limit
844       object.
845
846       rate
847           Rate value to limit to.
848
849       rate_unit
850           Unit of rate, e.g.  "packets" or "mbytes". Defaults to "packets".
851
852       per
853           Denominator of rate, e.g.  "week" or "minutes".
854
855       burst
856           Burst value. Defaults to 0.
857
858       burst_unit
859           Unit of burst, ignored if rate_unit is "packets". Defaults to
860           "bytes".
861
862       inv
863           If true, matches if the limit was exceeded. Defaults to false.
864
865   FWD
866           { "fwd": {
867                   "dev": EXPRESSION,
868                   "family": FWD_FAMILY,
869                   "addr": EXPRESSION
870           }}
871
872           FWD_FAMILY := "ip" | "ip6"
873
874       Forward a packet to a different destination.
875
876       dev
877           Interface to forward the packet on.
878
879       family
880           Family of addr.
881
882       addr
883           IP(v6) address to forward the packet to.
884
885       Both family and addr are optional, but if at least one is given, both
886       must be present.
887
888   NOTRACK
889           { "notrack": null }
890
891       Disable connection tracking for the packet.
892
893   DUP
894           { "dup": {
895                   "addr": EXPRESSION,
896                   "dev": EXPRESSION
897           }}
898
899       Duplicate a packet to a different destination.
900
901       addr
902           Address to duplicate packet to.
903
904       dev
905           Interface to duplicate packet on. May be omitted to not specify an
906           interface explicitly.
907
908   NETWORK ADDRESS TRANSLATION
909           { "snat": {
910                   "addr": EXPRESSION,
911                   "family": STRING,
912                   "port": EXPRESSION,
913                   "flags": FLAGS
914           }}
915
916           { "dnat": {
917                   "addr": EXPRESSION,
918                   "family": STRING,
919                   "port": EXPRESSION,
920                   "flags": FLAGS
921           }}
922
923           { "masquerade": {
924                   "port": EXPRESSION,
925                   "flags": FLAGS
926           }}
927
928           { "redirect": {
929                   "port": EXPRESSION,
930                   "flags": FLAGS
931           }}
932
933           FLAGS := FLAG | [ FLAG_LIST ]
934           FLAG_LIST := FLAG [, FLAG_LIST ]
935           FLAG := "random" | "fully-random" | "persistent"
936
937       Perform Network Address Translation.
938
939       addr
940           Address to translate to.
941
942       family
943           Family of addr, either ip or ip6. Required in inet table family.
944
945       port
946           Port to translate to.
947
948       flags
949           Flag(s).
950
951       All properties are optional and default to none.
952
953   REJECT
954           { "reject": {
955                   "type": STRING,
956                   "expr": EXPRESSION
957           }}
958
959       Reject the packet and send the given error reply.
960
961       type
962           Type of reject, either "tcp reset", "icmpx", "icmp" or "icmpv6".
963
964       expr
965           ICMP type to reject with.
966
967       All properties are optional.
968
969   SET
970           { "set": {
971                   "op": STRING,
972                   "elem": EXPRESSION,
973                   "set": STRING
974           }}
975
976       Dynamically add/update elements to a set.
977
978       op
979           Operator on set, either "add" or "update".
980
981       elem
982           Set element to add or update.
983
984       set
985           Set reference.
986
987   LOG
988           { "log": {
989                   "prefix": STRING,
990                   "group": NUMBER,
991                   "snaplen": NUMBER,
992                   "queue-threshold": NUMBER,
993                   "level": LEVEL,
994                   "flags": FLAGS
995           }}
996
997           LEVEL := "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
998                      "info" | "debug" | "audit"
999
1000           FLAGS := FLAG | [ FLAG_LIST ]
1001           FLAG_LIST := FLAG [, FLAG_LIST ]
1002           FLAG := "tcp sequence" | "tcp options" | "ip options" | "skuid" |
1003                     "ether" | "all"
1004
1005       Log the packet.
1006
1007       prefix
1008           Prefix for log entries.
1009
1010       group
1011           Log group.
1012
1013       snaplen
1014           Snaplen for logging.
1015
1016       queue-threshold
1017           Queue threshold.
1018
1019       level
1020           Log level. Defaults to "warn".
1021
1022       flags
1023           Log flags.
1024
1025       All properties are optional.
1026
1027   CT HELPER
1028           { "ct helper": EXPRESSION }
1029
1030       Enable the specified conntrack helper for this packet.
1031
1032       ct helper
1033           CT helper reference.
1034
1035   METER
1036           { "meter": {
1037                   "name": STRING,
1038                   "key": EXPRESSION,
1039                   "stmt": STATEMENT
1040           }}
1041
1042       Apply a given statement using a meter.
1043
1044       name
1045           Meter name.
1046
1047       key
1048           Meter key.
1049
1050       stmt
1051           Meter statement.
1052
1053   QUEUE
1054           { "queue": {
1055                   "num": EXPRESSION,
1056                   "flags": FLAGS
1057           }}
1058
1059           FLAGS := FLAG | [ FLAG_LIST ]
1060           FLAG_LIST := FLAG [, FLAG_LIST ]
1061           FLAG := "bypass" | "fanout"
1062
1063       Queue the packet to userspace.
1064
1065       num
1066           Queue number.
1067
1068       flags
1069           Queue flags.
1070
1071   VERDICT MAP
1072           { "vmap": {
1073                   "key": EXPRESSION,
1074                   "data": EXPRESSION
1075           }}
1076
1077       Apply a verdict conditionally.
1078
1079       key
1080           Map key.
1081
1082       data
1083           Mapping expression consisting of value/verdict pairs.
1084
1085   CT COUNT
1086           { "ct count": {
1087                   "val": NUMBER,
1088                   "inv": BOOLEAN
1089           }}
1090
1091       Limit the number of connections using conntrack.
1092
1093       val
1094           Connection count threshold.
1095
1096       inv
1097           If true, match if val was exceeded. If omitted, defaults to false.
1098
1099   CT TIMEOUT
1100           { "ct timeout": EXPRESSION }
1101
1102       Assign connection tracking timeout policy.
1103
1104       ct timeout
1105           CT timeout reference.
1106
1107   CT EXPECTATION
1108           { "ct expectation": EXPRESSION }
1109
1110       Assign connection tracking expectation.
1111
1112       ct expectation
1113           CT expectation reference.
1114
1115   XT
1116           { "xt": null }
1117
1118       This represents an xt statement from xtables compat interface. Sadly,
1119       at this point, it is not possible to provide any further information
1120       about its content.
1121

EXPRESSIONS

1123       Expressions are the building blocks of (most) statements. In their most
1124       basic form, they are just immediate values represented as a JSON
1125       string, integer or boolean type.
1126
1127   IMMEDIATES
1128           STRING
1129           NUMBER
1130           BOOLEAN
1131
1132       Immediate expressions are typically used for constant values. For
1133       strings, there are two special cases:
1134
1135       @STRING
1136           The remaining part is taken as set name to create a set reference.
1137
1138       \*
1139           Construct a wildcard expression.
1140
1141   LISTS
1142           ARRAY
1143
1144       List expressions are constructed by plain arrays containing of an
1145       arbitrary number of expressions.
1146
1147   CONCAT
1148           { "concat": CONCAT }
1149
1150           CONCAT := [ EXPRESSION_LIST ]
1151           EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]
1152
1153       Concatenate several expressions.
1154
1155   SET
1156           { "set": SET }
1157
1158           SET := EXPRESSION | [ EXPRESSION_LIST ]
1159
1160       This object constructs an anonymous set. For mappings, an array of
1161       arrays with exactly two elements is expected.
1162
1163   MAP
1164           { "map": {
1165                   "key": EXPRESSION,
1166                   "data": EXPRESSION
1167           }}
1168
1169       Map a key to a value.
1170
1171       key
1172           Map key.
1173
1174       data
1175           Mapping expression consisting of value/target pairs.
1176
1177   PREFIX
1178           { "prefix": {
1179                   "addr": EXPRESSION,
1180                   "len": NUMBER
1181           }}
1182
1183       Construct an IPv4 or IPv6 prefix consisting of address part in addr and
1184       prefix length in len.
1185
1186   RANGE
1187           { "range": [ EXPRESSION , EXPRESSION ] }
1188
1189       Construct a range of values. The first array item denotes the lower
1190       boundary, the second one the upper boundary.
1191
1192   PAYLOAD
1193           { "payload": {
1194                   "base": BASE,
1195                   "offset": NUMBER,
1196                   "len": NUMBER
1197           }}
1198
1199           { "payload": {
1200                   "protocol": STRING,
1201                   "field": STRING
1202           }}
1203
1204           BASE := "ll" | "nh" | "th"
1205
1206       Construct a payload expression, i.e. a reference to a certain part of
1207       packet data. The first form creates a raw payload expression to point
1208       at a random number (len) of bytes at a certain offset (offset) from a
1209       given reference point (base). The following base values are accepted:
1210
1211       "ll"
1212           The offset is relative to Link Layer header start offset.
1213
1214       "nh"
1215           The offset is relative to Network Layer header start offset.
1216
1217       "th"
1218           The offset is relative to Transport Layer header start offset.
1219
1220       The second form allows to reference a field by name (field) in a named
1221       packet header (protocol).
1222
1223   EXTHDR
1224           { "exthdr": {
1225                   "name": STRING,
1226                   "field": STRING,
1227                   "offset": NUMBER
1228           }}
1229
1230       Create a reference to a field (field) in an IPv6 extension header
1231       (name). offset is used only for rt0 protocol.
1232
1233       If the field property is not given, the expression is to be used as a
1234       header existence check in a match statement with a boolean on the right
1235       hand side.
1236
1237   TCP OPTION
1238           { "tcp option": {
1239                   "name": STRING,
1240                   "field": STRING
1241           }}
1242
1243       Create a reference to a field (field) of a TCP option header (name).
1244
1245       If the field property is not given, the expression is to be used as a
1246       TCP option existence check in a match statement with a boolean on the
1247       right hand side.
1248
1249   META
1250           { "meta": {
1251                   "key": META_KEY
1252           }}
1253
1254           META_KEY := "length" | "protocol" | "priority" | "random" | "mark" |
1255                         "iif" | "iifname" | "iiftype" | "oif" | "oifname" |
1256                         "oiftype" | "skuid" | "skgid" | "nftrace" |
1257                         "rtclassid" | "ibriport" | "obriport" | "ibridgename" |
1258                         "obridgename" | "pkttype" | "cpu" | "iifgroup" |
1259                         "oifgroup" | "cgroup" | "nfproto" | "l4proto" |
1260                         "secpath"
1261
1262       Create a reference to packet meta data.
1263
1264   RT
1265           { "rt": {
1266                   "key": RT_KEY,
1267                   "family": RT_FAMILY
1268           }}
1269
1270           RT_KEY := "classid" | "nexthop" | "mtu"
1271           RT_FAMILY := "ip" | "ip6"
1272
1273       Create a reference to packet routing data.
1274
1275       The family property is optional and defaults to unspecified.
1276
1277   CT
1278           { "ct": {
1279                   "key": STRING,
1280                   "family": CT_FAMILY,
1281                   "dir": CT_DIRECTION
1282           }}
1283
1284           CT_FAMILY := "ip" | "ip6"
1285           CT_DIRECTION := "original" | "reply"
1286
1287       Create a reference to packet conntrack data.
1288
1289       Some CT keys do not support a direction. In this case, dir must not be
1290       given.
1291
1292   NUMGEN
1293           { "numgen": {
1294                   "mode": NG_MODE,
1295                   "mod": NUMBER,
1296                   "offset": NUMBER
1297           }}
1298
1299           NG_MODE := "inc" | "random"
1300
1301       Create a number generator.
1302
1303       The offset property is optional and defaults to 0.
1304
1305   HASH
1306           { "jhash": {
1307                   "mod": NUMBER,
1308                   "offset": NUMBER,
1309                   "expr": EXPRESSION,
1310                   "seed": NUMBER
1311           }}
1312
1313           { "symhash": {
1314                   "mod": NUMBER,
1315                   "offset": NUMBER
1316           }}
1317
1318       Hash packet data.
1319
1320       The offset and seed properties are optional and default to 0.
1321
1322   FIB
1323           { "fib": {
1324                   "result": FIB_RESULT,
1325                   "flags": FIB_FLAGS
1326           }}
1327
1328           FIB_RESULT := "oif" | "oifname" | "type"
1329
1330           FIB_FLAGS := FIB_FLAG | [ FIB_FLAG_LIST ]
1331           FIB_FLAG_LIST := FIB_FLAG [, FIB_FLAG_LIST ]
1332           FIB_FLAG := "saddr" | "daddr" | "mark" | "iif" | "oif"
1333
1334       Perform kernel Forwarding Information Base lookups.
1335
1336   BINARY OPERATION
1337           { "|": [ EXPRESSION, EXPRESSION ] }
1338           { "^": [ EXPRESSION, EXPRESSION ] }
1339           { "&": [ EXPRESSION, EXPRESSION ] }
1340           { "<<": [ EXPRESSION, EXPRESSION ] }
1341           { ">>": [ EXPRESSION, EXPRESSION ] }
1342
1343       All binary operations expect an array of exactly two expressions, of
1344       which the first element denotes the left hand side and the second one
1345       the right hand side.
1346
1347   VERDICT
1348           { "accept": null }
1349           { "drop": null }
1350           { "continue": null }
1351           { "return": null }
1352           { "jump": { "target": STRING }}
1353           { "goto": { "target": STRING }}
1354
1355       Same as the verdict statement, but for use in verdict maps.
1356
1357       jump and goto verdicts expect a target chain name.
1358
1359   ELEM
1360           { "elem": {
1361                   "val": EXPRESSION,
1362                   "timeout": NUMBER,
1363                   "expires": NUMBER,
1364                   "comment": STRING
1365           }}
1366
1367       Explicitly set element object, in case timeout, expires or comment are
1368       desired. Otherwise, it may be replaced by the value of val.
1369
1370   SOCKET
1371           { "socket": {
1372                   "key": SOCKET_KEY
1373           }}
1374
1375           SOCKET_KEY := "transparent"
1376
1377       Construct a reference to packet’s socket.
1378
1379   OSF
1380           { "osf": {
1381                   "key": OSF_KEY,
1382                   "ttl": OSF_TTL
1383           }}
1384
1385           OSF_KEY := "name"
1386           OSF_TTL := "loose" | "skip"
1387
1388       Perform OS fingerprinting. This expression is typically used in the LHS
1389       of a match statement.
1390
1391       key
1392           Which part of the fingerprint info to match against. At this point,
1393           only the OS name is supported.
1394
1395       ttl
1396           Define how the packet’s TTL value is to be matched. This property
1397           is optional. If omitted, the TTL value has to match exactly. A
1398           value of loose accepts TTL values less than the fingerprint one. A
1399           value of skip omits TTL value comparison entirely.
1400

AUTHOR

1402       Phil Sutter <phil@nwl.cc>
1403           Author.
1404
1405
1406
1407                                  01/28/2021               LIBNFTABLES-JSON(5)
Impressum