1LIBNFTABLES-JSON(5)                                        LIBNFTABLES-JSON(5)
2
3
4

NAME

6       libnftables-json - Supported JSON schema by libnftables
7

SYNOPSIS

9       { "nftables": [ OBJECTS ] }
10
11       OBJECTS := LIST_OBJECTS | CMD_OBJECTS
12
13       LIST_OBJECTS := LIST_OBJECT [ , LIST_OBJECTS ]
14
15       CMD_OBJECTS := CMD_OBJECT [ , CMD_OBJECTS ]
16
17       CMD_OBJECT := { CMD: LIST_OBJECT } | METAINFO_OBJECT
18
19       CMD := "add" | "replace" | "create" | "insert" | "delete" | "list" |
20       "reset" | "flush" | "rename"
21
22       LIST_OBJECT := TABLE | CHAIN | RULE | SET | MAP | ELEMENT | FLOWTABLE |
23       COUNTER | QUOTA | CT_HELPER | LIMIT | METAINFO_OBJECT | CT_TIMEOUT |
24       CT_EXPECTATION
25

DESCRIPTION

27       libnftables supports JSON formatted input and output. This is
28       implemented as an alternative frontend to the standard CLI syntax
29       parser, therefore basic behaviour is identical and, for (almost) any
30       operation available in standard syntax, there should be an equivalent
31       one in JSON.
32
33       JSON input may be provided in a single string as parameter to
34       nft_run_cmd_from_buffer() or in a file identified by the filename
35       parameter of the nft_run_cmd_from_filename() function.
36
37       JSON output has to be enabled via the nft_ctx_output_set_json()
38       function, turning library standard output into JSON format. Error
39       output remains unaffected.
40

GLOBAL STRUCTURE

42       In general, any JSON input or output is enclosed in an object with a
43       single property named nftables. Its value is an array containing
44       commands (for input) or ruleset elements (for output).
45
46       A command is an object with a single property whose name identifies the
47       command. Its value is a ruleset element - basically identical to output
48       elements, apart from certain properties which may be interpreted
49       differently or are required when output generally omits them.
50

METAINFO OBJECT

52       In output, the first object in an nftables array is a special one
53       containing library information. Its content is as follows:
54
55           { "metainfo": {
56                   "version": STRING,
57                   "release_name": STRING,
58                   "json_schema_version": NUMBER
59           }}
60
61       The values of version and release_name properties are equal to the
62       package version and release name as printed by nft -v. The value of the
63       json_schema_version property is an integer indicating the schema
64       version.
65
66       If supplied in library input, the parser will verify the
67       json_schema_version value to not exceed the internally hardcoded one
68       (to make sure the given schema is fully understood). In future, a lower
69       number than the internal one may activate compatibility mode to parse
70       outdated and incompatible JSON input.
71

COMMAND OBJECTS

73       The structure accepts an arbitrary amount of commands which are
74       interpreted in order of appearance. For instance, the following
75       standard syntax input:
76
77           flush ruleset
78           add table inet mytable
79           add chain inet mytable mychain
80           add rule inet mytable mychain tcp dport 22 accept
81
82       translates into JSON as such:
83
84           { "nftables": [
85                   { "flush": { "ruleset": null }},
86                   { "add": { "table": {
87                                   "family": "inet",
88                                   "name": "mytable"
89                   }}},
90                   { "add": { "chain": {
91                                   "family": "inet",
92                                   "table": "mytable",
93                                   "name": "mychain"
94                   }}},
95                   { "add": { "rule": {
96                                   "family": "inet",
97                                   "table": "mytable",
98                                   "chain": "mychain",
99                                   "expr": [
100                                           { "match": {
101                                                   "op": "==",
102                                                   "left": { "payload": {
103                                                                   "protocol": "tcp",
104                                                                   "field": "dport"
105                                                   }},
106                                                   "right": 22
107                                           }},
108                                           { "accept": null }
109                                   ]
110                   }}}
111           ]}
112
113   ADD
114           { "add": ADD_OBJECT }
115
116           ADD_OBJECT := TABLE | CHAIN | RULE | SET | MAP | ELEMENT |
117                           FLOWTABLE | COUNTER | QUOTA | CT_HELPER | LIMIT |
118                           CT_TIMEOUT | CT_EXPECTATION
119
120       Add a new ruleset element to the kernel.
121
122   REPLACE
123           { "replace": RULE }
124
125       Replace a rule. In RULE, the handle property is mandatory and
126       identifies the rule to be replaced.
127
128   CREATE
129           { "create": ADD_OBJECT }
130
131       Identical to add command, but returns an error if the object already
132       exists.
133
134   INSERT
135           { "insert": RULE }
136
137       This command is identical to add for rules, but instead of appending
138       the rule to the chain by default, it inserts at first position. If a
139       handle or index property is given, the rule is inserted before the rule
140       identified by those properties.
141
142   DELETE
143           { "delete": ADD_OBJECT }
144
145       Delete an object from the ruleset. Only the minimal number of
146       properties required to uniquely identify an object is generally needed
147       in ADD_OBJECT. For most ruleset elements, this is family and table plus
148       either handle or name (except rules since they don’t have a name).
149
150   LIST
151           { "list": LIST_OBJECT }
152
153           LIST_OBJECT := TABLE | TABLES | CHAIN | CHAINS | SET | SETS |
154                            MAP | MAPS | COUNTER | COUNTERS | QUOTA | QUOTAS |
155                            CT_HELPER | CT_HELPERS | LIMIT | LIMITS | RULESET |
156                            METER | METERS | FLOWTABLE | FLOWTABLES |
157                            CT_TIMEOUT | CT_EXPECTATION
158
159       List ruleset elements. The plural forms are used to list all objects of
160       that kind, optionally filtered by family and for some, also table.
161
162   RESET
163           { "reset": RESET_OBJECT }
164
165           RESET_OBJECT := COUNTER | COUNTERS | QUOTA | QUOTAS
166
167       Reset state in suitable objects, i.e. zero their internal counter.
168
169   FLUSH
170           { "flush": FLUSH_OBJECT }
171
172           FLUSH_OBJECT := TABLE | CHAIN | SET | MAP | METER | RULESET
173
174       Empty contents in given object, e.g. remove all chains from given table
175       or remove all elements from given set.
176
177   RENAME
178           { "rename": CHAIN }
179
180       Rename a chain. The new name is expected in a dedicated property named
181       newname.
182

RULESET ELEMENTS

184   TABLE
185           { "table": {
186                   "family": STRING,
187                   "name": STRING,
188                   "handle": NUMBER
189           }}
190
191       This object describes a table.
192
193       family
194           The table’s family, e.g.  "ip" or "ip6".
195
196       name
197           The table’s name.
198
199       handle
200           The table’s handle. In input, it is used only in delete command as
201           alternative to name.
202
203   CHAIN
204           { "chain": {
205                   "family": STRING,
206                   "table": STRING,
207                   "name": STRING,
208                   "newname": STRING,
209                   "handle": NUMBER,
210                   "type": STRING,
211                   "hook": STRING,
212                   "prio": NUMBER,
213                   "dev": STRING,
214                   "policy": STRING
215           }}
216
217       This object describes a chain.
218
219       family
220           The table’s family.
221
222       table
223           The table’s name.
224
225       name
226           The chain’s name.
227
228       handle
229           The chain’s handle. In input, it is used only in delete command as
230           alternative to name.
231
232       newname
233           A new name for the chain, only relevant in the rename command.
234
235       The following properties are required for base chains:
236
237       type
238           The chain’s type.
239
240       hook
241           The chain’s hook.
242
243       prio
244           The chain’s priority.
245
246       dev
247           The chain’s bound interface (if in the netdev family).
248
249       policy
250           The chain’s policy.
251
252   RULE
253           { "rule": {
254                   "family": STRING,
255                   "table": STRING,
256                   "chain": STRING,
257                   "expr": [ STATEMENTS ],
258                   "handle": NUMBER,
259                   "index": NUMBER,
260                   "comment": STRING
261           }}
262
263           STATEMENTS := STATEMENT [, STATEMENTS ]
264
265       This object describes a rule. Basic building blocks of rules are
266       statements. Each rule consists of at least one.
267
268       family
269           The table’s family.
270
271       table
272           The table’s name.
273
274       chain
275           The chain’s name.
276
277       expr
278           An array of statements this rule consists of. In input, it is used
279           in add/insert/replace commands only.
280
281       handle
282           The rule’s handle. In delete/replace commands, it serves as an
283           identifier of the rule to delete/replace. In add/insert commands,
284           it serves as an identifier of an existing rule to append/prepend
285           the rule to.
286
287       index
288           The rule’s position for add/insert commands. It is used as an
289           alternative to handle then.
290
291       comment
292           Optional rule comment.
293
294   SET / MAP
295           { "set": {
296                   "family": STRING,
297                   "table": STRING,
298                   "name": STRING,
299                   "handle": NUMBER,
300                   "type": SET_TYPE,
301                   "policy": SET_POLICY,
302                   "flags": [ SET_FLAG_LIST ],
303                   "elem": SET_ELEMENTS,
304                   "timeout": NUMBER,
305                   "gc-interval": NUMBER,
306                   "size": NUMBER
307           }}
308
309           { "map": {
310                   "family": STRING,
311                   "table": STRING,
312                   "name": STRING,
313                   "handle": NUMBER,
314                   "type": SET_TYPE,
315                   "map": STRING,
316                   "policy": SET_POLICY,
317                   "flags": [ SET_FLAG_LIST ],
318                   "elem": SET_ELEMENTS,
319                   "timeout": NUMBER,
320                   "gc-interval": NUMBER,
321                   "size": NUMBER
322           }}
323
324           SET_TYPE := STRING | [ SET_TYPE_LIST ]
325           SET_TYPE_LIST := STRING [, SET_TYPE_LIST ]
326           SET_POLICY := "performance" | "memory"
327           SET_FLAG_LIST := SET_FLAG [, SET_FLAG_LIST ]
328           SET_FLAG := "constant" | "interval" | "timeout"
329           SET_ELEMENTS := EXPRESSION | [ EXPRESSION_LIST ]
330           EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]
331
332       These objects describe a named set or map. Maps are a special form of
333       sets in that they translate a unique key to a value.
334
335       family
336           The table’s family.
337
338       table
339           The table’s name.
340
341       name
342           The set’s name.
343
344       handle
345           The set’s handle. For input, it is used in the delete command only.
346
347       type
348           The set’s datatype, see below.
349
350       map
351           Type of values this set maps to (i.e. this set is a map).
352
353       policy
354           The set’s policy.
355
356       flags
357           The set’s flags.
358
359       elem
360           Initial set element(s), see below.
361
362       timeout
363           Element timeout in seconds.
364
365       gc-interval
366           Garbage collector interval in seconds.
367
368       size
369           Maximum number of elements supported.
370
371       TYPE
372           The set type might be a string, such as "ipv4_addr" or an array
373           consisting of strings (for concatenated types).
374
375       ELEM
376           A single set element might be given as string, integer or boolean
377           value for simple cases. If additional properties are required, a
378           formal elem object may be used.
379
380           Multiple elements may be given in an array.
381
382   ELEMENT
383           { "element": {
384                   "family": STRING,
385                   "table": STRING,
386                   "name": STRING,
387                   "elem": SET_ELEM
388           }}
389
390           SET_ELEM := EXPRESSION | [ EXPRESSION_LIST ]
391           EXPRESSION_LIST := EXPRESSION [, EXPRESSION ]
392
393       Manipulate element(s) in a named set.
394
395       family
396           The table’s family.
397
398       table
399           The table’s name.
400
401       name
402           The set’s name.
403
404       elem
405           See elem property of set object.
406
407   FLOWTABLE
408           { "flowtable": {
409                   "family": STRING,
410                   "table": STRING,
411                   "name": STRING,
412                   "handle": NUMBER,
413                   "hook": STRING,
414                   "prio": NUMBER,
415                   "dev": FT_INTERFACE
416           }}
417
418           FT_INTERFACE := STRING | [ FT_INTERFACE_LIST ]
419           FT_INTERFACE_LIST := STRING [, STRING ]
420
421       This object represents a named flowtable.
422
423       family
424           The table’s family.
425
426       table
427           The table’s name.
428
429       name
430           The flow table’s name.
431
432       handle
433           The flow table’s handle. In input, it is used by the delete command
434           only.
435
436       hook
437           The flow table’s hook.
438
439       prio
440           The flow table’s priority.
441
442       dev
443           The flow table’s interface(s).
444
445   COUNTER
446           { "counter": {
447                   "family": STRING,
448                   "table": STRING,
449                   "name": STRING,
450                   "handle": NUMBER,
451                   "packets": NUMBER,
452                   "bytes": NUMBER
453           }}
454
455       This object represents a named counter.
456
457       family
458           The table’s family.
459
460       table
461           The table’s name.
462
463       name
464           The counter’s name.
465
466       handle
467           The counter’s handle. In input, it is used by the delete command
468           only.
469
470       packets
471           Packet counter value.
472
473       bytes
474           Byte counter value.
475
476   QUOTA
477           { "quota": {
478                   "family": STRING,
479                   "table": STRING,
480                   "name": STRING,
481                   "handle": NUMBER,
482                   "bytes": NUMBER,
483                   "used": NUMBER,
484                   "inv": BOOLEAN
485           }}
486
487       This object represents a named quota.
488
489       family
490           The table’s family.
491
492       table
493           The table’s name.
494
495       name
496           The quota’s name.
497
498       handle
499           The quota’s handle. In input, it is used by the delete command
500           only.
501
502       bytes
503           Quota threshold.
504
505       used
506           Quota used so far.
507
508       inv
509           If true, match if the quota has been exceeded.
510
511   CT HELPER
512           { "ct helper": {
513                   "family": STRING,
514                   "table": STRING,
515                   "name": STRING,
516                   "handle": ... ',
517                   "type": 'STRING,
518                   "protocol": CTH_PROTO,
519                   "l3proto": STRING
520           }}
521
522           CTH_PROTO := "tcp" | "udp"
523
524       This object represents a named conntrack helper.
525
526       family
527           The table’s family.
528
529       table
530           The table’s name.
531
532       name
533           The ct helper’s name.
534
535       handle
536           The ct helper’s handle. In input, it is used by the delete command
537           only.
538
539       type
540           The ct helper type name, e.g.  "ftp" or "tftp".
541
542       protocol
543           The ct helper’s layer 4 protocol.
544
545       l3proto
546           The ct helper’s layer 3 protocol, e.g.  "ip" or "ip6".
547
548   LIMIT
549           { "limit": {
550                   "family": STRING,
551                   "table": STRING,
552                   "name": STRING,
553                   "handle": NUMBER,
554                   "rate": NUMBER,
555                   "per": STRING,
556                   "burst": NUMBER,
557                   "unit": LIMIT_UNIT,
558                   "inv": BOOLEAN
559           }}
560
561           LIMIT_UNIT := "packets" | "bytes"
562
563       This object represents a named limit.
564
565       family
566           The table’s family.
567
568       table
569           The table’s name.
570
571       name
572           The limit’s name.
573
574       handle
575           The limit’s handle. In input, it is used by the delete command
576           only.
577
578       rate
579           The limit’s rate value.
580
581       per
582           Time unit to apply the limit to, e.g.  "week", "day", "hour", etc.
583           If omitted, defaults to "second".
584
585       burst
586           The limit’s burst value. If omitted, defaults to 0.
587
588       unit
589           Unit of rate and burst values. If omitted, defaults to "packets".
590
591       inv
592           If true, match if limit was exceeded. If omitted, defaults to
593           false.
594
595   CT TIMEOUT
596           { "ct timeout": {
597                   "family": STRING,
598                   "table": STRING,
599                   "name": STRING,
600                   "handle": NUMBER,
601                   "protocol": CTH_PROTO,
602                   "state": STRING,
603                   "value: NUMBER,
604                   "l3proto": STRING
605           }}
606
607           CTH_PROTO := "tcp" | "udp" | "dccp" | "sctp" | "gre" | "icmpv6" | "icmp" | "generic"
608
609       This object represents a named conntrack timeout policy.
610
611       family
612           The table’s family.
613
614       table
615           The table’s name.
616
617       name
618           The ct timeout object’s name.
619
620       handle
621           The ct timeout object’s handle. In input, it is used by delete
622           command only.
623
624       protocol
625           The ct timeout object’s layer 4 protocol.
626
627       state
628           The connection state name, e.g.  "established", "syn_sent", "close"
629           or "close_wait", for which the timeout value has to be updated.
630
631       value
632           The updated timeout value for the specified connection state.
633
634       l3proto
635           The ct timeout object’s layer 3 protocol, e.g.  "ip" or "ip6".
636
637   CT EXPECTATION
638           { "ct expectation": {
639                   "family": STRING,
640                   "table": STRING,
641                   "name": STRING,
642                   "handle": NUMBER,
643                   "l3proto": STRING
644                   "protocol":* CTH_PROTO,
645                   "dport": NUMBER,
646                   "timeout: NUMBER,
647                   "size: NUMBER,
648           *}}
649
650           CTH_PROTO := "tcp" | "udp" | "dccp" | "sctp" | "gre" | "icmpv6" | "icmp" | "generic"
651
652       This object represents a named conntrack expectation.
653
654       family
655           The table’s family.
656
657       table
658           The table’s name.
659
660       name
661           The ct expectation object’s name.
662
663       handle
664           The ct expectation object’s handle. In input, it is used by delete
665           command only.
666
667       l3proto
668           The ct expectation object’s layer 3 protocol, e.g.  "ip" or "ip6".
669
670       protocol
671           The ct expectation object’s layer 4 protocol.
672
673       dport
674           The destination port of the expected connection.
675
676       timeout
677           The time in millisecond that this expectation will live.
678
679       size
680           The maximum count of expectations to be living in the same time.
681

STATEMENTS

683       Statements are the building blocks for rules. Each rule consists of at
684       least one.
685
686   VERDICT
687           { "accept": null }
688           { "drop": null }
689           { "continue": null }
690           { "return": null }
691           { "jump": { "target": * STRING *}}
692           { "goto": { "target": * STRING *}}
693
694       A verdict either terminates packet traversal through the current chain
695       or delegates to a different one.
696
697       jump and goto statements expect a target chain name.
698
699   MATCH
700           { "match": {
701                   "left": EXPRESSION,
702                   "right": EXPRESSION,
703                   "op": STRING
704           }}
705
706       This matches the expression on left hand side (typically a packet
707       header or packet meta info) with the expression on right hand side
708       (typically a constant value). If the statement evaluates to true, the
709       next statement in this rule is considered. If not, processing continues
710       with the next rule in the same chain.
711
712       left
713           Left hand side of this match.
714
715       right
716           Right hand side of this match.
717
718       op
719           Operator indicating the type of comparison.
720
721       OPERATORS
722           &    Binary AND
723
724           |    Binary OR
725
726
727
728           ^    Binary XOR
729
730           <<   Left shift
731
732           >>   Right shift
733
734           ==   Equal
735
736           !=   Not equal
737
738           <    Less than
739
740           >    Greater than
741
742           Less than or equal to
743
744           >=   Greater than or equal to
745
746           in   Perform a lookup, i.e.
747                test if bits on RHS are
748                contained in LHS value
749
750
751           Unlike with the standard API, the operator is mandatory here. In
752           the standard API, a missing operator may be resolved in two ways,
753           depending on the type of expression on the RHS:
754
755           •   If the RHS is a bitmask or a list of bitmasks, the expression
756               resolves into a binary operation with the inequality operator,
757               like this: LHS & RHS != 0.
758
759           •   In any other case, the equality operator is simply inserted.
760
761           For the non-trivial first case, the JSON API supports the in
762           operator.
763
764   COUNTER
765           { "counter": {
766                   "packets": NUMBER,
767                   "bytes": NUMBER
768           }}
769
770           { "counter": STRING }
771
772       This object represents a byte/packet counter. In input, no properties
773       are required. If given, they act as initial values for the counter.
774
775       The first form creates an anonymous counter which lives in the rule it
776       appears in. The second form specifies a reference to a named counter
777       object.
778
779       packets
780           Packets counted.
781
782       bytes
783           Bytes counted.
784
785   MANGLE
786           { "mangle": {
787                   "key": EXPRESSION,
788                   "value": EXPRESSION
789           }}
790
791       This changes the packet data or meta info.
792
793       key
794           The packet data to be changed, given as an exthdr, payload, meta,
795           ct or ct helper expression.
796
797       value
798           Value to change data to.
799
800   QUOTA
801           { "quota": {
802                   "val": NUMBER,
803                   "val_unit": STRING,
804                   "used": NUMBER,
805                   "used_unit": STRING,
806                   "inv": BOOLEAN
807           }}
808
809           { "quota": STRING }
810
811       The first form creates an anonymous quota which lives in the rule it
812       appears in. The second form specifies a reference to a named quota
813       object.
814
815       val
816           Quota value.
817
818       val_unit
819           Unit of val, e.g.  "kbytes" or "mbytes". If omitted, defaults to
820           "bytes".
821
822       used
823           Quota used so far. Optional on input. If given, serves as initial
824           value.
825
826       used_unit
827           Unit of used. Defaults to "bytes".
828
829       inv
830           If true, will match if quota was exceeded. Defaults to false.
831
832   LIMIT
833           { "limit": {
834                   "rate": NUMBER,
835                   "rate_unit": STRING,
836                   "per": STRING,
837                   "burst": NUMBER,
838                   "burst_unit": STRING,
839                   "inv": BOOLEAN
840           }}
841
842           { "limit": STRING }
843
844       The first form creates an anonymous limit which lives in the rule it
845       appears in. The second form specifies a reference to a named limit
846       object.
847
848       rate
849           Rate value to limit to.
850
851       rate_unit
852           Unit of rate, e.g.  "packets" or "mbytes". Defaults to "packets".
853
854       per
855           Denominator of rate, e.g.  "week" or "minutes".
856
857       burst
858           Burst value. Defaults to 0.
859
860       burst_unit
861           Unit of burst, ignored if rate_unit is "packets". Defaults to
862           "bytes".
863
864       inv
865           If true, matches if the limit was exceeded. Defaults to false.
866
867   FWD
868           { "fwd": {
869                   "dev": EXPRESSION,
870                   "family": FWD_FAMILY,
871                   "addr": EXPRESSION
872           }}
873
874           FWD_FAMILY := "ip" | "ip6"
875
876       Forward a packet to a different destination.
877
878       dev
879           Interface to forward the packet on.
880
881       family
882           Family of addr.
883
884       addr
885           IP(v6) address to forward the packet to.
886
887       Both family and addr are optional, but if at least one is given, both
888       must be present.
889
890   NOTRACK
891           { "notrack": null }
892
893       Disable connection tracking for the packet.
894
895   DUP
896           { "dup": {
897                   "addr": EXPRESSION,
898                   "dev": EXPRESSION
899           }}
900
901       Duplicate a packet to a different destination.
902
903       addr
904           Address to duplicate packet to.
905
906       dev
907           Interface to duplicate packet on. May be omitted to not specify an
908           interface explicitly.
909
910   NETWORK ADDRESS TRANSLATION
911           { "snat": {
912                   "addr": EXPRESSION,
913                   "family": STRING,
914                   "port": EXPRESSION,
915                   "flags": FLAGS
916           }}
917
918           { "dnat": {
919                   "addr": EXPRESSION,
920                   "family": STRING,
921                   "port": EXPRESSION,
922                   "flags": FLAGS
923           }}
924
925           { "masquerade": {
926                   "port": EXPRESSION,
927                   "flags": FLAGS
928           }}
929
930           { "redirect": {
931                   "port": EXPRESSION,
932                   "flags": FLAGS
933           }}
934
935           FLAGS := FLAG | [ FLAG_LIST ]
936           FLAG_LIST := FLAG [, FLAG_LIST ]
937           FLAG := "random" | "fully-random" | "persistent"
938
939       Perform Network Address Translation.
940
941       addr
942           Address to translate to.
943
944       family
945           Family of addr, either ip or ip6. Required in inet table family.
946
947       port
948           Port to translate to.
949
950       flags
951           Flag(s).
952
953       All properties are optional and default to none.
954
955   REJECT
956           { "reject": {
957                   "type": STRING,
958                   "expr": EXPRESSION
959           }}
960
961       Reject the packet and send the given error reply.
962
963       type
964           Type of reject, either "tcp reset", "icmpx", "icmp" or "icmpv6".
965
966       expr
967           ICMP code to reject with.
968
969       All properties are optional.
970
971   SET
972           { "set": {
973                   "op": STRING,
974                   "elem": EXPRESSION,
975                   "set": STRING
976           }}
977
978       Dynamically add/update elements to a set.
979
980       op
981           Operator on set, either "add" or "update".
982
983       elem
984           Set element to add or update.
985
986       set
987           Set reference.
988
989   LOG
990           { "log": {
991                   "prefix": STRING,
992                   "group": NUMBER,
993                   "snaplen": NUMBER,
994                   "queue-threshold": NUMBER,
995                   "level": LEVEL,
996                   "flags": FLAGS
997           }}
998
999           LEVEL := "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
1000                      "info" | "debug" | "audit"
1001
1002           FLAGS := FLAG | [ FLAG_LIST ]
1003           FLAG_LIST := FLAG [, FLAG_LIST ]
1004           FLAG := "tcp sequence" | "tcp options" | "ip options" | "skuid" |
1005                     "ether" | "all"
1006
1007       Log the packet.
1008
1009       prefix
1010           Prefix for log entries.
1011
1012       group
1013           Log group.
1014
1015       snaplen
1016           Snaplen for logging.
1017
1018       queue-threshold
1019           Queue threshold.
1020
1021       level
1022           Log level. Defaults to "warn".
1023
1024       flags
1025           Log flags.
1026
1027       All properties are optional.
1028
1029   CT HELPER
1030           { "ct helper": EXPRESSION }
1031
1032       Enable the specified conntrack helper for this packet.
1033
1034       ct helper
1035           CT helper reference.
1036
1037   METER
1038           { "meter": {
1039                   "name": STRING,
1040                   "key": EXPRESSION,
1041                   "stmt": STATEMENT
1042           }}
1043
1044       Apply a given statement using a meter.
1045
1046       name
1047           Meter name.
1048
1049       key
1050           Meter key.
1051
1052       stmt
1053           Meter statement.
1054
1055   QUEUE
1056           { "queue": {
1057                   "num": EXPRESSION,
1058                   "flags": FLAGS
1059           }}
1060
1061           FLAGS := FLAG | [ FLAG_LIST ]
1062           FLAG_LIST := FLAG [, FLAG_LIST ]
1063           FLAG := "bypass" | "fanout"
1064
1065       Queue the packet to userspace.
1066
1067       num
1068           Queue number.
1069
1070       flags
1071           Queue flags.
1072
1073   VERDICT MAP
1074           { "vmap": {
1075                   "key": EXPRESSION,
1076                   "data": EXPRESSION
1077           }}
1078
1079       Apply a verdict conditionally.
1080
1081       key
1082           Map key.
1083
1084       data
1085           Mapping expression consisting of value/verdict pairs.
1086
1087   CT COUNT
1088           { "ct count": {
1089                   "val": NUMBER,
1090                   "inv": BOOLEAN
1091           }}
1092
1093       Limit the number of connections using conntrack.
1094
1095       val
1096           Connection count threshold.
1097
1098       inv
1099           If true, match if val was exceeded. If omitted, defaults to false.
1100
1101   CT TIMEOUT
1102           { "ct timeout": EXPRESSION }
1103
1104       Assign connection tracking timeout policy.
1105
1106       ct timeout
1107           CT timeout reference.
1108
1109   CT EXPECTATION
1110           { "ct expectation": EXPRESSION }
1111
1112       Assign connection tracking expectation.
1113
1114       ct expectation
1115           CT expectation reference.
1116
1117   XT
1118           { "xt": null }
1119
1120       This represents an xt statement from xtables compat interface. Sadly,
1121       at this point, it is not possible to provide any further information
1122       about its content.
1123

EXPRESSIONS

1125       Expressions are the building blocks of (most) statements. In their most
1126       basic form, they are just immediate values represented as a JSON
1127       string, integer or boolean type.
1128
1129   IMMEDIATES
1130           STRING
1131           NUMBER
1132           BOOLEAN
1133
1134       Immediate expressions are typically used for constant values. For
1135       strings, there are two special cases:
1136
1137       @STRING
1138           The remaining part is taken as set name to create a set reference.
1139
1140       \*
1141           Construct a wildcard expression.
1142
1143   LISTS
1144           ARRAY
1145
1146       List expressions are constructed by plain arrays containing of an
1147       arbitrary number of expressions.
1148
1149   CONCAT
1150           { "concat": CONCAT }
1151
1152           CONCAT := [ EXPRESSION_LIST ]
1153           EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]
1154
1155       Concatenate several expressions.
1156
1157   SET
1158           { "set": SET }
1159
1160           SET := EXPRESSION | [ EXPRESSION_LIST ]
1161
1162       This object constructs an anonymous set. For mappings, an array of
1163       arrays with exactly two elements is expected.
1164
1165   MAP
1166           { "map": {
1167                   "key": EXPRESSION,
1168                   "data": EXPRESSION
1169           }}
1170
1171       Map a key to a value.
1172
1173       key
1174           Map key.
1175
1176       data
1177           Mapping expression consisting of value/target pairs.
1178
1179   PREFIX
1180           { "prefix": {
1181                   "addr": EXPRESSION,
1182                   "len": NUMBER
1183           }}
1184
1185       Construct an IPv4 or IPv6 prefix consisting of address part in addr and
1186       prefix length in len.
1187
1188   RANGE
1189           { "range": [ EXPRESSION , EXPRESSION ] }
1190
1191       Construct a range of values. The first array item denotes the lower
1192       boundary, the second one the upper boundary.
1193
1194   PAYLOAD
1195           { "payload": {
1196                   "base": BASE,
1197                   "offset": NUMBER,
1198                   "len": NUMBER
1199           }}
1200
1201           { "payload": {
1202                   "protocol": STRING,
1203                   "field": STRING
1204           }}
1205
1206           BASE := "ll" | "nh" | "th"
1207
1208       Construct a payload expression, i.e. a reference to a certain part of
1209       packet data. The first form creates a raw payload expression to point
1210       at a random number (len) of bytes at a certain offset (offset) from a
1211       given reference point (base). The following base values are accepted:
1212
1213       "ll"
1214           The offset is relative to Link Layer header start offset.
1215
1216       "nh"
1217           The offset is relative to Network Layer header start offset.
1218
1219       "th"
1220           The offset is relative to Transport Layer header start offset.
1221
1222       The second form allows to reference a field by name (field) in a named
1223       packet header (protocol).
1224
1225   EXTHDR
1226           { "exthdr": {
1227                   "name": STRING,
1228                   "field": STRING,
1229                   "offset": NUMBER
1230           }}
1231
1232       Create a reference to a field (field) in an IPv6 extension header
1233       (name). offset is used only for rt0 protocol.
1234
1235       If the field property is not given, the expression is to be used as a
1236       header existence check in a match statement with a boolean on the right
1237       hand side.
1238
1239   TCP OPTION
1240           { "tcp option": {
1241                   "name": STRING,
1242                   "field": STRING
1243           }}
1244
1245       Create a reference to a field (field) of a TCP option header (name).
1246
1247       If the field property is not given, the expression is to be used as a
1248       TCP option existence check in a match statement with a boolean on the
1249       right hand side.
1250
1251   SCTP CHUNK
1252           { "sctp chunk": {
1253                   "name": STRING,
1254                   "field": STRING
1255           }}
1256
1257       Create a reference to a field (field) of an SCTP chunk (name).
1258
1259       If the field property is not given, the expression is to be used as an
1260       SCTP chunk existence check in a match statement with a boolean on the
1261       right hand side.
1262
1263   META
1264           { "meta": {
1265                   "key": META_KEY
1266           }}
1267
1268           META_KEY := "length" | "protocol" | "priority" | "random" | "mark" |
1269                         "iif" | "iifname" | "iiftype" | "oif" | "oifname" |
1270                         "oiftype" | "skuid" | "skgid" | "nftrace" |
1271                         "rtclassid" | "ibriport" | "obriport" | "ibridgename" |
1272                         "obridgename" | "pkttype" | "cpu" | "iifgroup" |
1273                         "oifgroup" | "cgroup" | "nfproto" | "l4proto" |
1274                         "secpath"
1275
1276       Create a reference to packet meta data.
1277
1278   RT
1279           { "rt": {
1280                   "key": RT_KEY,
1281                   "family": RT_FAMILY
1282           }}
1283
1284           RT_KEY := "classid" | "nexthop" | "mtu"
1285           RT_FAMILY := "ip" | "ip6"
1286
1287       Create a reference to packet routing data.
1288
1289       The family property is optional and defaults to unspecified.
1290
1291   CT
1292           { "ct": {
1293                   "key": STRING,
1294                   "family": CT_FAMILY,
1295                   "dir": CT_DIRECTION
1296           }}
1297
1298           CT_FAMILY := "ip" | "ip6"
1299           CT_DIRECTION := "original" | "reply"
1300
1301       Create a reference to packet conntrack data.
1302
1303       Some CT keys do not support a direction. In this case, dir must not be
1304       given.
1305
1306   NUMGEN
1307           { "numgen": {
1308                   "mode": NG_MODE,
1309                   "mod": NUMBER,
1310                   "offset": NUMBER
1311           }}
1312
1313           NG_MODE := "inc" | "random"
1314
1315       Create a number generator.
1316
1317       The offset property is optional and defaults to 0.
1318
1319   HASH
1320           { "jhash": {
1321                   "mod": NUMBER,
1322                   "offset": NUMBER,
1323                   "expr": EXPRESSION,
1324                   "seed": NUMBER
1325           }}
1326
1327           { "symhash": {
1328                   "mod": NUMBER,
1329                   "offset": NUMBER
1330           }}
1331
1332       Hash packet data.
1333
1334       The offset and seed properties are optional and default to 0.
1335
1336   FIB
1337           { "fib": {
1338                   "result": FIB_RESULT,
1339                   "flags": FIB_FLAGS
1340           }}
1341
1342           FIB_RESULT := "oif" | "oifname" | "type"
1343
1344           FIB_FLAGS := FIB_FLAG | [ FIB_FLAG_LIST ]
1345           FIB_FLAG_LIST := FIB_FLAG [, FIB_FLAG_LIST ]
1346           FIB_FLAG := "saddr" | "daddr" | "mark" | "iif" | "oif"
1347
1348       Perform kernel Forwarding Information Base lookups.
1349
1350   BINARY OPERATION
1351           { "|": [ EXPRESSION, EXPRESSION ] }
1352           { "^": [ EXPRESSION, EXPRESSION ] }
1353           { "&": [ EXPRESSION, EXPRESSION ] }
1354           { "<<": [ EXPRESSION, EXPRESSION ] }
1355           { ">>": [ EXPRESSION, EXPRESSION ] }
1356
1357       All binary operations expect an array of exactly two expressions, of
1358       which the first element denotes the left hand side and the second one
1359       the right hand side.
1360
1361   VERDICT
1362           { "accept": null }
1363           { "drop": null }
1364           { "continue": null }
1365           { "return": null }
1366           { "jump": { "target": STRING }}
1367           { "goto": { "target": STRING }}
1368
1369       Same as the verdict statement, but for use in verdict maps.
1370
1371       jump and goto verdicts expect a target chain name.
1372
1373   ELEM
1374           { "elem": {
1375                   "val": EXPRESSION,
1376                   "timeout": NUMBER,
1377                   "expires": NUMBER,
1378                   "comment": STRING
1379           }}
1380
1381       Explicitly set element object, in case timeout, expires or comment are
1382       desired. Otherwise, it may be replaced by the value of val.
1383
1384   SOCKET
1385           { "socket": {
1386                   "key": SOCKET_KEY
1387           }}
1388
1389           SOCKET_KEY := "transparent"
1390
1391       Construct a reference to packet’s socket.
1392
1393   OSF
1394           { "osf": {
1395                   "key": OSF_KEY,
1396                   "ttl": OSF_TTL
1397           }}
1398
1399           OSF_KEY := "name"
1400           OSF_TTL := "loose" | "skip"
1401
1402       Perform OS fingerprinting. This expression is typically used in the LHS
1403       of a match statement.
1404
1405       key
1406           Which part of the fingerprint info to match against. At this point,
1407           only the OS name is supported.
1408
1409       ttl
1410           Define how the packet’s TTL value is to be matched. This property
1411           is optional. If omitted, the TTL value has to match exactly. A
1412           value of loose accepts TTL values less than the fingerprint one. A
1413           value of skip omits TTL value comparison entirely.
1414

AUTHOR

1416       Phil Sutter <phil@nwl.cc>
1417           Author.
1418
1419
1420
1421                                  08/09/2022               LIBNFTABLES-JSON(5)
Impressum