1LIBNFTABLES-JSON(5) LIBNFTABLES-JSON(5)
2
3
4
6 libnftables-json - Supported JSON schema by libnftables
7
9 { "nftables": [ OBJECTS ] }
10
11 OBJECTS := LIST_OBJECTS | CMD_OBJECTS
12
13 LIST_OBJECTS := LIST_OBJECT [ , LIST_OBJECTS ]
14
15 CMD_OBJECTS := CMD_OBJECT [ , CMD_OBJECTS ]
16
17 CMD_OBJECT := { CMD: LIST_OBJECT } | METAINFO_OBJECT
18
19 CMD := "add" | "replace" | "create" | "insert" | "delete" | "list" |
20 "reset" | "flush" | "rename"
21
22 LIST_OBJECT := TABLE | CHAIN | RULE | SET | MAP | ELEMENT | FLOWTABLE |
23 COUNTER | QUOTA | CT_HELPER | LIMIT | METAINFO_OBJECT | CT_TIMEOUT |
24 CT_EXPECTATION
25
27 libnftables supports JSON formatted input and output. This is
28 implemented as an alternative frontend to the standard CLI syntax
29 parser, therefore basic behaviour is identical and, for (almost) any
30 operation available in standard syntax, there should be an equivalent
31 one in JSON.
32
33 JSON input may be provided in a single string as parameter to
34 nft_run_cmd_from_buffer() or in a file identified by the filename
35 parameter of the nft_run_cmd_from_filename() function.
36
37 JSON output has to be enabled via the nft_ctx_output_set_json()
38 function, turning library standard output into JSON format. Error
39 output remains unaffected.
40
42 In general, any JSON input or output is enclosed in an object with a
43 single property named nftables. Its value is an array containing
44 commands (for input) or ruleset elements (for output).
45
46 A command is an object with a single property whose name identifies the
47 command. Its value is a ruleset element - basically identical to output
48 elements, apart from certain properties which may be interpreted
49 differently or are required when output generally omits them.
50
52 In output, the first object in an nftables array is a special one
53 containing library information. Its content is as follows:
54
55 { "metainfo": {
56 "version": STRING,
57 "release_name": STRING,
58 "json_schema_version": NUMBER
59 }}
60
61 The values of version and release_name properties are equal to the
62 package version and release name as printed by nft -v. The value of the
63 json_schema_version property is an integer indicating the schema
64 version.
65
66 If supplied in library input, the parser will verify the
67 json_schema_version value to not exceed the internally hardcoded one
68 (to make sure the given schema is fully understood). In future, a lower
69 number than the internal one may activate compatibility mode to parse
70 outdated and incompatible JSON input.
71
73 The structure accepts an arbitrary amount of commands which are
74 interpreted in order of appearance. For instance, the following
75 standard syntax input:
76
77 flush ruleset
78 add table inet mytable
79 add chain inet mytable mychain
80 add rule inet mytable mychain tcp dport 22 accept
81
82 translates into JSON as such:
83
84 { "nftables": [
85 { "flush": { "ruleset": null }},
86 { "add": { "table": {
87 "family": "inet",
88 "name": "mytable"
89 }}},
90 { "add": { "chain": {
91 "family": "inet",
92 "table": "mytable",
93 "name": "mychain"
94 }}},
95 { "add": { "rule": {
96 "family": "inet",
97 "table": "mytable",
98 "chain": "mychain",
99 "expr": [
100 { "match": {
101 "op": "==",
102 "left": { "payload": {
103 "protocol": "tcp",
104 "field": "dport"
105 }},
106 "right": 22
107 }},
108 { "accept": null }
109 ]
110 }}}
111 ]}
112
113 ADD
114 { "add": ADD_OBJECT }
115
116 ADD_OBJECT := TABLE | CHAIN | RULE | SET | MAP | ELEMENT |
117 FLOWTABLE | COUNTER | QUOTA | CT_HELPER | LIMIT |
118 CT_TIMEOUT | CT_EXPECTATION
119
120 Add a new ruleset element to the kernel.
121
122 REPLACE
123 { "replace": RULE }
124
125 Replace a rule. In RULE, the handle property is mandatory and
126 identifies the rule to be replaced.
127
128 CREATE
129 { "create": ADD_OBJECT }
130
131 Identical to add command, but returns an error if the object already
132 exists.
133
134 INSERT
135 { "insert": RULE }
136
137 This command is identical to add for rules, but instead of appending
138 the rule to the chain by default, it inserts at first position. If a
139 handle or index property is given, the rule is inserted before the rule
140 identified by those properties.
141
142 DELETE
143 { "delete": ADD_OBJECT }
144
145 Delete an object from the ruleset. Only the minimal number of
146 properties required to uniquely identify an object is generally needed
147 in ADD_OBJECT. For most ruleset elements, this is family and table plus
148 either handle or name (except rules since they don’t have a name).
149
150 LIST
151 { "list": LIST_OBJECT }
152
153 LIST_OBJECT := TABLE | TABLES | CHAIN | CHAINS | SET | SETS |
154 MAP | MAPS | COUNTER | COUNTERS | QUOTA | QUOTAS |
155 CT_HELPER | CT_HELPERS | LIMIT | LIMITS | RULESET |
156 METER | METERS | FLOWTABLE | FLOWTABLES |
157 CT_TIMEOUT | CT_EXPECTATION
158
159 List ruleset elements. The plural forms are used to list all objects of
160 that kind, optionally filtered by family and for some, also table.
161
162 RESET
163 { "reset": RESET_OBJECT }
164
165 RESET_OBJECT := COUNTER | COUNTERS | QUOTA | QUOTAS
166
167 Reset state in suitable objects, i.e. zero their internal counter.
168
169 FLUSH
170 { "flush": FLUSH_OBJECT }
171
172 FLUSH_OBJECT := TABLE | CHAIN | SET | MAP | METER | RULESET
173
174 Empty contents in given object, e.g. remove all chains from given table
175 or remove all elements from given set.
176
177 RENAME
178 { "rename": CHAIN }
179
180 Rename a chain. The new name is expected in a dedicated property named
181 newname.
182
184 TABLE
185 { "table": {
186 "family": STRING,
187 "name": STRING,
188 "handle": NUMBER
189 }}
190
191 This object describes a table.
192
193 family
194 The table’s family, e.g. "ip" or "ip6".
195
196 name
197 The table’s name.
198
199 handle
200 The table’s handle. In input, it is used only in delete command as
201 alternative to name.
202
203 CHAIN
204 { "chain": {
205 "family": STRING,
206 "table": STRING,
207 "name": STRING,
208 "newname": STRING,
209 "handle": NUMBER,
210 "type": STRING,
211 "hook": STRING,
212 "prio": NUMBER,
213 "dev": STRING,
214 "policy": STRING
215 }}
216
217 This object describes a chain.
218
219 family
220 The table’s family.
221
222 table
223 The table’s name.
224
225 name
226 The chain’s name.
227
228 handle
229 The chain’s handle. In input, it is used only in delete command as
230 alternative to name.
231
232 newname
233 A new name for the chain, only relevant in the rename command.
234
235 The following properties are required for base chains:
236
237 type
238 The chain’s type.
239
240 hook
241 The chain’s hook.
242
243 prio
244 The chain’s priority.
245
246 dev
247 The chain’s bound interface (if in the netdev family).
248
249 policy
250 The chain’s policy.
251
252 RULE
253 { "rule": {
254 "family": STRING,
255 "table": STRING,
256 "chain": STRING,
257 "expr": [ STATEMENTS ],
258 "handle": NUMBER,
259 "index": NUMBER,
260 "comment": STRING
261 }}
262
263 STATEMENTS := STATEMENT [, STATEMENTS ]
264
265 This object describes a rule. Basic building blocks of rules are
266 statements. Each rule consists of at least one.
267
268 family
269 The table’s family.
270
271 table
272 The table’s name.
273
274 chain
275 The chain’s name.
276
277 expr
278 An array of statements this rule consists of. In input, it is used
279 in add/insert/replace commands only.
280
281 handle
282 The rule’s handle. In delete/replace commands, it serves as an
283 identifier of the rule to delete/replace. In add/insert commands,
284 it serves as an identifier of an existing rule to append/prepend
285 the rule to.
286
287 index
288 The rule’s position for add/insert commands. It is used as an
289 alternative to handle then.
290
291 comment
292 Optional rule comment.
293
294 SET / MAP
295 { "set": {
296 "family": STRING,
297 "table": STRING,
298 "name": STRING,
299 "handle": NUMBER,
300 "type": SET_TYPE,
301 "policy": SET_POLICY,
302 "flags": [ SET_FLAG_LIST ],
303 "elem": SET_ELEMENTS,
304 "timeout": NUMBER,
305 "gc-interval": NUMBER,
306 "size": NUMBER
307 }}
308
309 { "map": {
310 "family": STRING,
311 "table": STRING,
312 "name": STRING,
313 "handle": NUMBER,
314 "type": SET_TYPE,
315 "map": STRING,
316 "policy": SET_POLICY,
317 "flags": [ SET_FLAG_LIST ],
318 "elem": SET_ELEMENTS,
319 "timeout": NUMBER,
320 "gc-interval": NUMBER,
321 "size": NUMBER
322 }}
323
324 SET_TYPE := STRING | [ SET_TYPE_LIST ]
325 SET_TYPE_LIST := STRING [, SET_TYPE_LIST ]
326 SET_POLICY := "performance" | "memory"
327 SET_FLAG_LIST := SET_FLAG [, SET_FLAG_LIST ]
328 SET_FLAG := "constant" | "interval" | "timeout"
329 SET_ELEMENTS := EXPRESSION | [ EXPRESSION_LIST ]
330 EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]
331
332 These objects describe a named set or map. Maps are a special form of
333 sets in that they translate a unique key to a value.
334
335 family
336 The table’s family.
337
338 table
339 The table’s name.
340
341 name
342 The set’s name.
343
344 handle
345 The set’s handle. For input, it is used in the delete command only.
346
347 type
348 The set’s datatype, see below.
349
350 map
351 Type of values this set maps to (i.e. this set is a map).
352
353 policy
354 The set’s policy.
355
356 flags
357 The set’s flags.
358
359 elem
360 Initial set element(s), see below.
361
362 timeout
363 Element timeout in seconds.
364
365 gc-interval
366 Garbage collector interval in seconds.
367
368 size
369 Maximum number of elements supported.
370
371 TYPE
372 The set type might be a string, such as "ipv4_addr" or an array
373 consisting of strings (for concatenated types).
374
375 ELEM
376 A single set element might be given as string, integer or boolean
377 value for simple cases. If additional properties are required, a
378 formal elem object may be used.
379
380 Multiple elements may be given in an array.
381
382 ELEMENT
383 { "element": {
384 "family": STRING,
385 "table": STRING,
386 "name": STRING,
387 "elem": SET_ELEM
388 }}
389
390 SET_ELEM := EXPRESSION | [ EXPRESSION_LIST ]
391 EXPRESSION_LIST := EXPRESSION [, EXPRESSION ]
392
393 Manipulate element(s) in a named set.
394
395 family
396 The table’s family.
397
398 table
399 The table’s name.
400
401 name
402 The set’s name.
403
404 elem
405 See elem property of set object.
406
407 FLOWTABLE
408 { "flowtable": {
409 "family": STRING,
410 "table": STRING,
411 "name": STRING,
412 "handle": NUMBER,
413 "hook": STRING,
414 "prio": NUMBER,
415 "dev": FT_INTERFACE
416 }}
417
418 FT_INTERFACE := STRING | [ FT_INTERFACE_LIST ]
419 FT_INTERFACE_LIST := STRING [, STRING ]
420
421 This object represents a named flowtable.
422
423 family
424 The table’s family.
425
426 table
427 The table’s name.
428
429 name
430 The flow table’s name.
431
432 handle
433 The flow table’s handle. In input, it is used by the delete command
434 only.
435
436 hook
437 The flow table’s hook.
438
439 prio
440 The flow table’s priority.
441
442 dev
443 The flow table’s interface(s).
444
445 COUNTER
446 { "counter": {
447 "family": STRING,
448 "table": STRING,
449 "name": STRING,
450 "handle": NUMBER,
451 "packets": NUMBER,
452 "bytes": NUMBER
453 }}
454
455 This object represents a named counter.
456
457 family
458 The table’s family.
459
460 table
461 The table’s name.
462
463 name
464 The counter’s name.
465
466 handle
467 The counter’s handle. In input, it is used by the delete command
468 only.
469
470 packets
471 Packet counter value.
472
473 bytes
474 Byte counter value.
475
476 QUOTA
477 { "quota": {
478 "family": STRING,
479 "table": STRING,
480 "name": STRING,
481 "handle": NUMBER,
482 "bytes": NUMBER,
483 "used": NUMBER,
484 "inv": BOOLEAN
485 }}
486
487 This object represents a named quota.
488
489 family
490 The table’s family.
491
492 table
493 The table’s name.
494
495 name
496 The quota’s name.
497
498 handle
499 The quota’s handle. In input, it is used by the delete command
500 only.
501
502 bytes
503 Quota threshold.
504
505 used
506 Quota used so far.
507
508 inv
509 If true, match if the quota has been exceeded.
510
511 CT HELPER
512 { "ct helper": {
513 "family": STRING,
514 "table": STRING,
515 "name": STRING,
516 "handle": ... ',
517 "type": 'STRING,
518 "protocol": CTH_PROTO,
519 "l3proto": STRING
520 }}
521
522 CTH_PROTO := "tcp" | "udp"
523
524 This object represents a named conntrack helper.
525
526 family
527 The table’s family.
528
529 table
530 The table’s name.
531
532 name
533 The ct helper’s name.
534
535 handle
536 The ct helper’s handle. In input, it is used by the delete command
537 only.
538
539 type
540 The ct helper type name, e.g. "ftp" or "tftp".
541
542 protocol
543 The ct helper’s layer 4 protocol.
544
545 l3proto
546 The ct helper’s layer 3 protocol, e.g. "ip" or "ip6".
547
548 LIMIT
549 { "limit": {
550 "family": STRING,
551 "table": STRING,
552 "name": STRING,
553 "handle": NUMBER,
554 "rate": NUMBER,
555 "per": STRING,
556 "burst": NUMBER,
557 "unit": LIMIT_UNIT,
558 "inv": BOOLEAN
559 }}
560
561 LIMIT_UNIT := "packets" | "bytes"
562
563 This object represents a named limit.
564
565 family
566 The table’s family.
567
568 table
569 The table’s name.
570
571 name
572 The limit’s name.
573
574 handle
575 The limit’s handle. In input, it is used by the delete command
576 only.
577
578 rate
579 The limit’s rate value.
580
581 per
582 Time unit to apply the limit to, e.g. "week", "day", "hour", etc.
583 If omitted, defaults to "second".
584
585 burst
586 The limit’s burst value. If omitted, defaults to 0.
587
588 unit
589 Unit of rate and burst values. If omitted, defaults to "packets".
590
591 inv
592 If true, match if limit was exceeded. If omitted, defaults to
593 false.
594
595 CT TIMEOUT
596 { "ct timeout": {
597 "family": STRING,
598 "table": STRING,
599 "name": STRING,
600 "handle": NUMBER,
601 "protocol": CTH_PROTO,
602 "state": STRING,
603 "value: NUMBER,
604 "l3proto": STRING
605 }}
606
607 CTH_PROTO := "tcp" | "udp" | "dccp" | "sctp" | "gre" | "icmpv6" | "icmp" | "generic"
608
609 This object represents a named conntrack timeout policy.
610
611 family
612 The table’s family.
613
614 table
615 The table’s name.
616
617 name
618 The ct timeout object’s name.
619
620 handle
621 The ct timeout object’s handle. In input, it is used by delete
622 command only.
623
624 protocol
625 The ct timeout object’s layer 4 protocol.
626
627 state
628 The connection state name, e.g. "established", "syn_sent", "close"
629 or "close_wait", for which the timeout value has to be updated.
630
631 value
632 The updated timeout value for the specified connection state.
633
634 l3proto
635 The ct timeout object’s layer 3 protocol, e.g. "ip" or "ip6".
636
637 CT EXPECTATION
638 { "ct expectation": {
639 "family": STRING,
640 "table": STRING,
641 "name": STRING,
642 "handle": NUMBER,
643 "l3proto": STRING
644 "protocol":* CTH_PROTO,
645 "dport": NUMBER,
646 "timeout: NUMBER,
647 "size: NUMBER,
648 *}}
649
650 CTH_PROTO := "tcp" | "udp" | "dccp" | "sctp" | "gre" | "icmpv6" | "icmp" | "generic"
651
652 This object represents a named conntrack expectation.
653
654 family
655 The table’s family.
656
657 table
658 The table’s name.
659
660 name
661 The ct expectation object’s name.
662
663 handle
664 The ct expectation object’s handle. In input, it is used by delete
665 command only.
666
667 l3proto
668 The ct expectation object’s layer 3 protocol, e.g. "ip" or "ip6".
669
670 protocol
671 The ct expectation object’s layer 4 protocol.
672
673 dport
674 The destination port of the expected connection.
675
676 timeout
677 The time in millisecond that this expectation will live.
678
679 size
680 The maximum count of expectations to be living in the same time.
681
683 Statements are the building blocks for rules. Each rule consists of at
684 least one.
685
686 VERDICT
687 { "accept": null }
688 { "drop": null }
689 { "continue": null }
690 { "return": null }
691 { "jump": { "target": * STRING *}}
692 { "goto": { "target": * STRING *}}
693
694 A verdict either terminates packet traversal through the current chain
695 or delegates to a different one.
696
697 jump and goto statements expect a target chain name.
698
699 MATCH
700 { "match": {
701 "left": EXPRESSION,
702 "right": EXPRESSION,
703 "op": STRING
704 }}
705
706 This matches the expression on left hand side (typically a packet
707 header or packet meta info) with the expression on right hand side
708 (typically a constant value). If the statement evaluates to true, the
709 next statement in this rule is considered. If not, processing continues
710 with the next rule in the same chain.
711
712 left
713 Left hand side of this match.
714
715 right
716 Right hand side of this match.
717
718 op
719 Operator indicating the type of comparison.
720
721 OPERATORS
722 & Binary AND
723
724 | Binary OR
725
726
727
728 ^ Binary XOR
729
730 << Left shift
731
732 >> Right shift
733
734 == Equal
735
736 != Not equal
737
738 < Less than
739
740 > Greater than
741
742 ⇐ Less than or equal to
743
744 >= Greater than or equal to
745
746 in Perform a lookup, i.e.
747 test if bits on RHS are
748 contained in LHS value
749
750
751 Unlike with the standard API, the operator is mandatory here. In
752 the standard API, a missing operator may be resolved in two ways,
753 depending on the type of expression on the RHS:
754
755 • If the RHS is a bitmask or a list of bitmasks, the expression
756 resolves into a binary operation with the inequality operator,
757 like this: LHS & RHS != 0.
758
759 • In any other case, the equality operator is simply inserted.
760
761 For the non-trivial first case, the JSON API supports the in
762 operator.
763
764 COUNTER
765 { "counter": {
766 "packets": NUMBER,
767 "bytes": NUMBER
768 }}
769
770 { "counter": STRING }
771
772 This object represents a byte/packet counter. In input, no properties
773 are required. If given, they act as initial values for the counter.
774
775 The first form creates an anonymous counter which lives in the rule it
776 appears in. The second form specifies a reference to a named counter
777 object.
778
779 packets
780 Packets counted.
781
782 bytes
783 Bytes counted.
784
785 MANGLE
786 { "mangle": {
787 "key": EXPRESSION,
788 "value": EXPRESSION
789 }}
790
791 This changes the packet data or meta info.
792
793 key
794 The packet data to be changed, given as an exthdr, payload, meta,
795 ct or ct helper expression.
796
797 value
798 Value to change data to.
799
800 QUOTA
801 { "quota": {
802 "val": NUMBER,
803 "val_unit": STRING,
804 "used": NUMBER,
805 "used_unit": STRING,
806 "inv": BOOLEAN
807 }}
808
809 { "quota": STRING }
810
811 The first form creates an anonymous quota which lives in the rule it
812 appears in. The second form specifies a reference to a named quota
813 object.
814
815 val
816 Quota value.
817
818 val_unit
819 Unit of val, e.g. "kbytes" or "mbytes". If omitted, defaults to
820 "bytes".
821
822 used
823 Quota used so far. Optional on input. If given, serves as initial
824 value.
825
826 used_unit
827 Unit of used. Defaults to "bytes".
828
829 inv
830 If true, will match if quota was exceeded. Defaults to false.
831
832 LIMIT
833 { "limit": {
834 "rate": NUMBER,
835 "rate_unit": STRING,
836 "per": STRING,
837 "burst": NUMBER,
838 "burst_unit": STRING,
839 "inv": BOOLEAN
840 }}
841
842 { "limit": STRING }
843
844 The first form creates an anonymous limit which lives in the rule it
845 appears in. The second form specifies a reference to a named limit
846 object.
847
848 rate
849 Rate value to limit to.
850
851 rate_unit
852 Unit of rate, e.g. "packets" or "mbytes". Defaults to "packets".
853
854 per
855 Denominator of rate, e.g. "week" or "minutes".
856
857 burst
858 Burst value. Defaults to 0.
859
860 burst_unit
861 Unit of burst, ignored if rate_unit is "packets". Defaults to
862 "bytes".
863
864 inv
865 If true, matches if the limit was exceeded. Defaults to false.
866
867 FWD
868 { "fwd": {
869 "dev": EXPRESSION,
870 "family": FWD_FAMILY,
871 "addr": EXPRESSION
872 }}
873
874 FWD_FAMILY := "ip" | "ip6"
875
876 Forward a packet to a different destination.
877
878 dev
879 Interface to forward the packet on.
880
881 family
882 Family of addr.
883
884 addr
885 IP(v6) address to forward the packet to.
886
887 Both family and addr are optional, but if at least one is given, both
888 must be present.
889
890 NOTRACK
891 { "notrack": null }
892
893 Disable connection tracking for the packet.
894
895 DUP
896 { "dup": {
897 "addr": EXPRESSION,
898 "dev": EXPRESSION
899 }}
900
901 Duplicate a packet to a different destination.
902
903 addr
904 Address to duplicate packet to.
905
906 dev
907 Interface to duplicate packet on. May be omitted to not specify an
908 interface explicitly.
909
910 NETWORK ADDRESS TRANSLATION
911 { "snat": {
912 "addr": EXPRESSION,
913 "family": STRING,
914 "port": EXPRESSION,
915 "flags": FLAGS
916 }}
917
918 { "dnat": {
919 "addr": EXPRESSION,
920 "family": STRING,
921 "port": EXPRESSION,
922 "flags": FLAGS
923 }}
924
925 { "masquerade": {
926 "port": EXPRESSION,
927 "flags": FLAGS
928 }}
929
930 { "redirect": {
931 "port": EXPRESSION,
932 "flags": FLAGS
933 }}
934
935 FLAGS := FLAG | [ FLAG_LIST ]
936 FLAG_LIST := FLAG [, FLAG_LIST ]
937 FLAG := "random" | "fully-random" | "persistent"
938
939 Perform Network Address Translation.
940
941 addr
942 Address to translate to.
943
944 family
945 Family of addr, either ip or ip6. Required in inet table family.
946
947 port
948 Port to translate to.
949
950 flags
951 Flag(s).
952
953 All properties are optional and default to none.
954
955 REJECT
956 { "reject": {
957 "type": STRING,
958 "expr": EXPRESSION
959 }}
960
961 Reject the packet and send the given error reply.
962
963 type
964 Type of reject, either "tcp reset", "icmpx", "icmp" or "icmpv6".
965
966 expr
967 ICMP code to reject with.
968
969 All properties are optional.
970
971 SET
972 { "set": {
973 "op": STRING,
974 "elem": EXPRESSION,
975 "set": STRING
976 }}
977
978 Dynamically add/update elements to a set.
979
980 op
981 Operator on set, either "add" or "update".
982
983 elem
984 Set element to add or update.
985
986 set
987 Set reference.
988
989 LOG
990 { "log": {
991 "prefix": STRING,
992 "group": NUMBER,
993 "snaplen": NUMBER,
994 "queue-threshold": NUMBER,
995 "level": LEVEL,
996 "flags": FLAGS
997 }}
998
999 LEVEL := "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
1000 "info" | "debug" | "audit"
1001
1002 FLAGS := FLAG | [ FLAG_LIST ]
1003 FLAG_LIST := FLAG [, FLAG_LIST ]
1004 FLAG := "tcp sequence" | "tcp options" | "ip options" | "skuid" |
1005 "ether" | "all"
1006
1007 Log the packet.
1008
1009 prefix
1010 Prefix for log entries.
1011
1012 group
1013 Log group.
1014
1015 snaplen
1016 Snaplen for logging.
1017
1018 queue-threshold
1019 Queue threshold.
1020
1021 level
1022 Log level. Defaults to "warn".
1023
1024 flags
1025 Log flags.
1026
1027 All properties are optional.
1028
1029 CT HELPER
1030 { "ct helper": EXPRESSION }
1031
1032 Enable the specified conntrack helper for this packet.
1033
1034 ct helper
1035 CT helper reference.
1036
1037 METER
1038 { "meter": {
1039 "name": STRING,
1040 "key": EXPRESSION,
1041 "stmt": STATEMENT
1042 }}
1043
1044 Apply a given statement using a meter.
1045
1046 name
1047 Meter name.
1048
1049 key
1050 Meter key.
1051
1052 stmt
1053 Meter statement.
1054
1055 QUEUE
1056 { "queue": {
1057 "num": EXPRESSION,
1058 "flags": FLAGS
1059 }}
1060
1061 FLAGS := FLAG | [ FLAG_LIST ]
1062 FLAG_LIST := FLAG [, FLAG_LIST ]
1063 FLAG := "bypass" | "fanout"
1064
1065 Queue the packet to userspace.
1066
1067 num
1068 Queue number.
1069
1070 flags
1071 Queue flags.
1072
1073 VERDICT MAP
1074 { "vmap": {
1075 "key": EXPRESSION,
1076 "data": EXPRESSION
1077 }}
1078
1079 Apply a verdict conditionally.
1080
1081 key
1082 Map key.
1083
1084 data
1085 Mapping expression consisting of value/verdict pairs.
1086
1087 CT COUNT
1088 { "ct count": {
1089 "val": NUMBER,
1090 "inv": BOOLEAN
1091 }}
1092
1093 Limit the number of connections using conntrack.
1094
1095 val
1096 Connection count threshold.
1097
1098 inv
1099 If true, match if val was exceeded. If omitted, defaults to false.
1100
1101 CT TIMEOUT
1102 { "ct timeout": EXPRESSION }
1103
1104 Assign connection tracking timeout policy.
1105
1106 ct timeout
1107 CT timeout reference.
1108
1109 CT EXPECTATION
1110 { "ct expectation": EXPRESSION }
1111
1112 Assign connection tracking expectation.
1113
1114 ct expectation
1115 CT expectation reference.
1116
1117 XT
1118 { "xt": null }
1119
1120 This represents an xt statement from xtables compat interface. Sadly,
1121 at this point, it is not possible to provide any further information
1122 about its content.
1123
1125 Expressions are the building blocks of (most) statements. In their most
1126 basic form, they are just immediate values represented as a JSON
1127 string, integer or boolean type.
1128
1129 IMMEDIATES
1130 STRING
1131 NUMBER
1132 BOOLEAN
1133
1134 Immediate expressions are typically used for constant values. For
1135 strings, there are two special cases:
1136
1137 @STRING
1138 The remaining part is taken as set name to create a set reference.
1139
1140 \*
1141 Construct a wildcard expression.
1142
1143 LISTS
1144 ARRAY
1145
1146 List expressions are constructed by plain arrays containing of an
1147 arbitrary number of expressions.
1148
1149 CONCAT
1150 { "concat": CONCAT }
1151
1152 CONCAT := [ EXPRESSION_LIST ]
1153 EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]
1154
1155 Concatenate several expressions.
1156
1157 SET
1158 { "set": SET }
1159
1160 SET := EXPRESSION | [ EXPRESSION_LIST ]
1161
1162 This object constructs an anonymous set. For mappings, an array of
1163 arrays with exactly two elements is expected.
1164
1165 MAP
1166 { "map": {
1167 "key": EXPRESSION,
1168 "data": EXPRESSION
1169 }}
1170
1171 Map a key to a value.
1172
1173 key
1174 Map key.
1175
1176 data
1177 Mapping expression consisting of value/target pairs.
1178
1179 PREFIX
1180 { "prefix": {
1181 "addr": EXPRESSION,
1182 "len": NUMBER
1183 }}
1184
1185 Construct an IPv4 or IPv6 prefix consisting of address part in addr and
1186 prefix length in len.
1187
1188 RANGE
1189 { "range": [ EXPRESSION , EXPRESSION ] }
1190
1191 Construct a range of values. The first array item denotes the lower
1192 boundary, the second one the upper boundary.
1193
1194 PAYLOAD
1195 { "payload": {
1196 "base": BASE,
1197 "offset": NUMBER,
1198 "len": NUMBER
1199 }}
1200
1201 { "payload": {
1202 "protocol": STRING,
1203 "field": STRING
1204 }}
1205
1206 BASE := "ll" | "nh" | "th"
1207
1208 Construct a payload expression, i.e. a reference to a certain part of
1209 packet data. The first form creates a raw payload expression to point
1210 at a random number (len) of bytes at a certain offset (offset) from a
1211 given reference point (base). The following base values are accepted:
1212
1213 "ll"
1214 The offset is relative to Link Layer header start offset.
1215
1216 "nh"
1217 The offset is relative to Network Layer header start offset.
1218
1219 "th"
1220 The offset is relative to Transport Layer header start offset.
1221
1222 The second form allows to reference a field by name (field) in a named
1223 packet header (protocol).
1224
1225 EXTHDR
1226 { "exthdr": {
1227 "name": STRING,
1228 "field": STRING,
1229 "offset": NUMBER
1230 }}
1231
1232 Create a reference to a field (field) in an IPv6 extension header
1233 (name). offset is used only for rt0 protocol.
1234
1235 If the field property is not given, the expression is to be used as a
1236 header existence check in a match statement with a boolean on the right
1237 hand side.
1238
1239 TCP OPTION
1240 { "tcp option": {
1241 "name": STRING,
1242 "field": STRING
1243 }}
1244
1245 Create a reference to a field (field) of a TCP option header (name).
1246
1247 If the field property is not given, the expression is to be used as a
1248 TCP option existence check in a match statement with a boolean on the
1249 right hand side.
1250
1251 SCTP CHUNK
1252 { "sctp chunk": {
1253 "name": STRING,
1254 "field": STRING
1255 }}
1256
1257 Create a reference to a field (field) of an SCTP chunk (name).
1258
1259 If the field property is not given, the expression is to be used as an
1260 SCTP chunk existence check in a match statement with a boolean on the
1261 right hand side.
1262
1263 META
1264 { "meta": {
1265 "key": META_KEY
1266 }}
1267
1268 META_KEY := "length" | "protocol" | "priority" | "random" | "mark" |
1269 "iif" | "iifname" | "iiftype" | "oif" | "oifname" |
1270 "oiftype" | "skuid" | "skgid" | "nftrace" |
1271 "rtclassid" | "ibriport" | "obriport" | "ibridgename" |
1272 "obridgename" | "pkttype" | "cpu" | "iifgroup" |
1273 "oifgroup" | "cgroup" | "nfproto" | "l4proto" |
1274 "secpath"
1275
1276 Create a reference to packet meta data.
1277
1278 RT
1279 { "rt": {
1280 "key": RT_KEY,
1281 "family": RT_FAMILY
1282 }}
1283
1284 RT_KEY := "classid" | "nexthop" | "mtu"
1285 RT_FAMILY := "ip" | "ip6"
1286
1287 Create a reference to packet routing data.
1288
1289 The family property is optional and defaults to unspecified.
1290
1291 CT
1292 { "ct": {
1293 "key": STRING,
1294 "family": CT_FAMILY,
1295 "dir": CT_DIRECTION
1296 }}
1297
1298 CT_FAMILY := "ip" | "ip6"
1299 CT_DIRECTION := "original" | "reply"
1300
1301 Create a reference to packet conntrack data.
1302
1303 Some CT keys do not support a direction. In this case, dir must not be
1304 given.
1305
1306 NUMGEN
1307 { "numgen": {
1308 "mode": NG_MODE,
1309 "mod": NUMBER,
1310 "offset": NUMBER
1311 }}
1312
1313 NG_MODE := "inc" | "random"
1314
1315 Create a number generator.
1316
1317 The offset property is optional and defaults to 0.
1318
1319 HASH
1320 { "jhash": {
1321 "mod": NUMBER,
1322 "offset": NUMBER,
1323 "expr": EXPRESSION,
1324 "seed": NUMBER
1325 }}
1326
1327 { "symhash": {
1328 "mod": NUMBER,
1329 "offset": NUMBER
1330 }}
1331
1332 Hash packet data.
1333
1334 The offset and seed properties are optional and default to 0.
1335
1336 FIB
1337 { "fib": {
1338 "result": FIB_RESULT,
1339 "flags": FIB_FLAGS
1340 }}
1341
1342 FIB_RESULT := "oif" | "oifname" | "type"
1343
1344 FIB_FLAGS := FIB_FLAG | [ FIB_FLAG_LIST ]
1345 FIB_FLAG_LIST := FIB_FLAG [, FIB_FLAG_LIST ]
1346 FIB_FLAG := "saddr" | "daddr" | "mark" | "iif" | "oif"
1347
1348 Perform kernel Forwarding Information Base lookups.
1349
1350 BINARY OPERATION
1351 { "|": [ EXPRESSION, EXPRESSION ] }
1352 { "^": [ EXPRESSION, EXPRESSION ] }
1353 { "&": [ EXPRESSION, EXPRESSION ] }
1354 { "<<": [ EXPRESSION, EXPRESSION ] }
1355 { ">>": [ EXPRESSION, EXPRESSION ] }
1356
1357 All binary operations expect an array of exactly two expressions, of
1358 which the first element denotes the left hand side and the second one
1359 the right hand side.
1360
1361 VERDICT
1362 { "accept": null }
1363 { "drop": null }
1364 { "continue": null }
1365 { "return": null }
1366 { "jump": { "target": STRING }}
1367 { "goto": { "target": STRING }}
1368
1369 Same as the verdict statement, but for use in verdict maps.
1370
1371 jump and goto verdicts expect a target chain name.
1372
1373 ELEM
1374 { "elem": {
1375 "val": EXPRESSION,
1376 "timeout": NUMBER,
1377 "expires": NUMBER,
1378 "comment": STRING
1379 }}
1380
1381 Explicitly set element object, in case timeout, expires or comment are
1382 desired. Otherwise, it may be replaced by the value of val.
1383
1384 SOCKET
1385 { "socket": {
1386 "key": SOCKET_KEY
1387 }}
1388
1389 SOCKET_KEY := "transparent"
1390
1391 Construct a reference to packet’s socket.
1392
1393 OSF
1394 { "osf": {
1395 "key": OSF_KEY,
1396 "ttl": OSF_TTL
1397 }}
1398
1399 OSF_KEY := "name"
1400 OSF_TTL := "loose" | "skip"
1401
1402 Perform OS fingerprinting. This expression is typically used in the LHS
1403 of a match statement.
1404
1405 key
1406 Which part of the fingerprint info to match against. At this point,
1407 only the OS name is supported.
1408
1409 ttl
1410 Define how the packet’s TTL value is to be matched. This property
1411 is optional. If omitted, the TTL value has to match exactly. A
1412 value of loose accepts TTL values less than the fingerprint one. A
1413 value of skip omits TTL value comparison entirely.
1414
1416 Phil Sutter <phil@nwl.cc>
1417 Author.
1418
1419
1420
1421 08/09/2022 LIBNFTABLES-JSON(5)