1LIBNFTABLES-JSON(5) LIBNFTABLES-JSON(5)
2
6 libnftables-json - Supported JSON schema by libnftables
7
9 { "nftables": [ OBJECTS ] }
10 OBJECTS := LIST_OBJECTS | CMD_OBJECTS
12 LIST_OBJECTS := LIST_OBJECT [ , LIST_OBJECTS ]
14 CMD_OBJECTS := CMD_OBJECT [ , CMD_OBJECTS ]
16 CMD_OBJECT := { CMD: LIST_OBJECT } | METAINFO_OBJECT
18 CMD := "add" | "replace" | "create" | "insert" | "delete" | "list" |
20 "reset" | "flush" | "rename"
21 LIST_OBJECT := TABLE | CHAIN | RULE | SET | MAP | ELEMENT | FLOWTABLE |
23 COUNTER | QUOTA | CT_HELPER | LIMIT | METAINFO_OBJECT | CT_TIMEOUT |
24 CT_EXPECTATION
25
27 libnftables supports JSON formatted input and output. This is
28 implemented as an alternative frontend to the standard CLI syntax
29 parser, therefore basic behaviour is identical and, for (almost) any
30 operation available in standard syntax, there should be an equivalent
31 one in JSON.
32 JSON input may be provided in a single string as parameter to
34 nft_run_cmd_from_buffer() or in a file identified by the filename
35 parameter of the nft_run_cmd_from_filename() function.
36 JSON output has to be enabled via the nft_ctx_output_set_json()
38 function, turning library standard output into JSON format. Error
39 output remains unaffected.
40
42 In general, any JSON input or output is enclosed in an object with a
43 single property named nftables. Its value is an array containing
44 commands (for input) or ruleset elements (for output).
45 A command is an object with a single property whose name identifies the
47 command. Its value is a ruleset element - basically identical to output
48 elements, apart from certain properties which may be interpreted
49 differently or are required when output generally omits them.
50
52 In output, the first object in an nftables array is a special one
53 containing library information. Its content is as follows:
54 { "metainfo": {
56 "version": STRING,
57 "release_name": STRING,
58 "json_schema_version": NUMBER
59 }}
60 The values of version and release_name properties are equal to the
62 package version and release name as printed by nft -v. The value of the
63 json_schema_version property is an integer indicating the schema
64 version.
65 If supplied in library input, the parser will verify the
67 json_schema_version value to not exceed the internally hardcoded one
68 (to make sure the given schema is fully understood). In future, a lower
69 number than the internal one may activate compatibility mode to parse
70 outdated and incompatible JSON input.
71
73 The structure accepts an arbitrary amount of commands which are
74 interpreted in order of appearance. For instance, the following
75 standard syntax input:
76 flush ruleset
78 add table inet mytable
79 add chain inet mytable mychain
80 add rule inet mytable mychain tcp dport 22 accept
81 translates into JSON as such:
83 { "nftables": [
85 { "flush": { "ruleset": null }},
86 { "add": { "table": {
87 "family": "inet",
88 "name": "mytable"
89 }}},
90 { "add": { "chain": {
91 "family": "inet",
92 "table": "mytable",
93 "name": "mychain"
94 }}},
95 { "add": { "rule": {
96 "family": "inet",
97 "table": "mytable",
98 "chain": "mychain",
99 "expr": [
100 { "match": {
101 "op": "==",
102 "left": { "payload": {
103 "protocol": "tcp",
104 "field": "dport"
105 }},
106 "right": 22
107 }},
108 { "accept": null }
109 ]
110 }}}
111 ]}
112 ADD
114 { "add": ADD_OBJECT }
115 ADD_OBJECT := TABLE | CHAIN | RULE | SET | MAP | ELEMENT |
117 FLOWTABLE | COUNTER | QUOTA | CT_HELPER | LIMIT |
118 CT_TIMEOUT | CT_EXPECTATION
119 Add a new ruleset element to the kernel.
121 REPLACE
123 { "replace": RULE }
124 Replace a rule. In RULE, the handle property is mandatory and
126 identifies the rule to be replaced.
127 CREATE
129 { "create": ADD_OBJECT }
130 Identical to add command, but returns an error if the object already
132 exists.
133 INSERT
135 { "insert": RULE }
136 This command is identical to add for rules, but instead of appending
138 the rule to the chain by default, it inserts at first position. If a
139 handle or index property is given, the rule is inserted before the rule
140 identified by those properties.
141 DELETE
143 { "delete": ADD_OBJECT }
144 Delete an object from the ruleset. Only the minimal number of
146 properties required to uniquely identify an object is generally needed
147 in ADD_OBJECT. For most ruleset elements, this is family and table plus
148 either handle or name (except rules since they don’t have a name).
149 LIST
151 { "list": LIST_OBJECT }
152 LIST_OBJECT := TABLE | TABLES | CHAIN | CHAINS | SET | SETS |
154 MAP | MAPS | COUNTER | COUNTERS | QUOTA | QUOTAS |
155 CT_HELPER | CT_HELPERS | LIMIT | LIMITS | RULESET |
156 METER | METERS | FLOWTABLE | FLOWTABLES |
157 CT_TIMEOUT | CT_EXPECTATION
158 List ruleset elements. The plural forms are used to list all objects of
160 that kind, optionally filtered by family and for some, also table.
161 RESET
163 { "reset": RESET_OBJECT }
164 RESET_OBJECT := COUNTER | COUNTERS | QUOTA | QUOTAS | RULE | RULES
166 Reset state in suitable objects, i.e. zero their internal counter.
168 FLUSH
170 { "flush": FLUSH_OBJECT }
171 FLUSH_OBJECT := TABLE | CHAIN | SET | MAP | METER | RULESET
173 Empty contents in given object, e.g. remove all chains from given table
175 or remove all elements from given set.
176 RENAME
178 { "rename": CHAIN }
179 Rename a chain. The new name is expected in a dedicated property named
181 newname.
182
184 TABLE
185 { "table": {
186 "family": STRING,
187 "name": STRING,
188 "handle": NUMBER
189 }}
190 This object describes a table.
192 family
194 The table’s family, e.g. "ip" or "ip6".
195 name
197 The table’s name.
198 handle
200 The table’s handle. In input, it is used only in delete command as
201 alternative to name.
202 CHAIN
204 { "chain": {
205 "family": STRING,
206 "table": STRING,
207 "name": STRING,
208 "newname": STRING,
209 "handle": NUMBER,
210 "type": STRING,
211 "hook": STRING,
212 "prio": NUMBER,
213 "dev": STRING,
214 "policy": STRING
215 }}
216 This object describes a chain.
218 family
220 The table’s family.
221 table
223 The table’s name.
224 name
226 The chain’s name.
227 handle
229 The chain’s handle. In input, it is used only in delete command as
230 alternative to name.
231 newname
233 A new name for the chain, only relevant in the rename command.
234 The following properties are required for base chains:
236 type
238 The chain’s type.
239 hook
241 The chain’s hook.
242 prio
244 The chain’s priority.
245 dev
247 The chain’s bound interface (if in the netdev family).
248 policy
250 The chain’s policy.
251 RULE
253 { "rule": {
254 "family": STRING,
255 "table": STRING,
256 "chain": STRING,
257 "expr": [ STATEMENTS ],
258 "handle": NUMBER,
259 "index": NUMBER,
260 "comment": STRING
261 }}
262 STATEMENTS := STATEMENT [, STATEMENTS ]
264 This object describes a rule. Basic building blocks of rules are
266 statements. Each rule consists of at least one.
267 family
269 The table’s family.
270 table
272 The table’s name.
273 chain
275 The chain’s name.
276 expr
278 An array of statements this rule consists of. In input, it is used
279 in add/insert/replace commands only.
280 handle
282 The rule’s handle. In delete/replace commands, it serves as an
283 identifier of the rule to delete/replace. In add/insert commands,
284 it serves as an identifier of an existing rule to append/prepend
285 the rule to.
286 index
288 The rule’s position for add/insert commands. It is used as an
289 alternative to handle then.
290 comment
292 Optional rule comment.
293 SET / MAP
295 { "set": {
296 "family": STRING,
297 "table": STRING,
298 "name": STRING,
299 "handle": NUMBER,
300 "type": SET_TYPE,
301 "policy": SET_POLICY,
302 "flags": [ SET_FLAG_LIST ],
303 "elem": SET_ELEMENTS,
304 "timeout": NUMBER,
305 "gc-interval": NUMBER,
306 "size": NUMBER
307 }}
308 { "map": {
310 "family": STRING,
311 "table": STRING,
312 "name": STRING,
313 "handle": NUMBER,
314 "type": SET_TYPE,
315 "map": STRING,
316 "policy": SET_POLICY,
317 "flags": [ SET_FLAG_LIST ],
318 "elem": SET_ELEMENTS,
319 "timeout": NUMBER,
320 "gc-interval": NUMBER,
321 "size": NUMBER
322 }}
323 SET_TYPE := STRING | [ SET_TYPE_LIST ]
325 SET_TYPE_LIST := STRING [, SET_TYPE_LIST ]
326 SET_POLICY := "performance" | "memory"
327 SET_FLAG_LIST := SET_FLAG [, SET_FLAG_LIST ]
328 SET_FLAG := "constant" | "interval" | "timeout"
329 SET_ELEMENTS := EXPRESSION | [ EXPRESSION_LIST ]
330 EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]
331 These objects describe a named set or map. Maps are a special form of
333 sets in that they translate a unique key to a value.
334 family
336 The table’s family.
337 table
339 The table’s name.
340 name
342 The set’s name.
343 handle
345 The set’s handle. For input, it is used in the delete command only.
346 type
348 The set’s datatype, see below.
349 map
351 Type of values this set maps to (i.e. this set is a map).
352 policy
354 The set’s policy.
355 flags
357 The set’s flags.
358 elem
360 Initial set element(s), see below.
361 timeout
363 Element timeout in seconds.
364 gc-interval
366 Garbage collector interval in seconds.
367 size
369 Maximum number of elements supported.
370 TYPE
372 The set type might be a string, such as "ipv4_addr" or an array
373 consisting of strings (for concatenated types).
374 ELEM
376 A single set element might be given as string, integer or boolean
377 value for simple cases. If additional properties are required, a
378 formal elem object may be used.
379 Multiple elements may be given in an array.
381 ELEMENT
383 { "element": {
384 "family": STRING,
385 "table": STRING,
386 "name": STRING,
387 "elem": SET_ELEM
388 }}
389 SET_ELEM := EXPRESSION | [ EXPRESSION_LIST ]
391 EXPRESSION_LIST := EXPRESSION [, EXPRESSION ]
392 Manipulate element(s) in a named set.
394 family
396 The table’s family.
397 table
399 The table’s name.
400 name
402 The set’s name.
403 elem
405 See elem property of set object.
406 FLOWTABLE
408 { "flowtable": {
409 "family": STRING,
410 "table": STRING,
411 "name": STRING,
412 "handle": NUMBER,
413 "hook": STRING,
414 "prio": NUMBER,
415 "dev": FT_INTERFACE
416 }}
417 FT_INTERFACE := STRING | [ FT_INTERFACE_LIST ]
419 FT_INTERFACE_LIST := STRING [, STRING ]
420 This object represents a named flowtable.
422 family
424 The table’s family.
425 table
427 The table’s name.
428 name
430 The flow table’s name.
431 handle
433 The flow table’s handle. In input, it is used by the delete command
434 only.
435 hook
437 The flow table’s hook.
438 prio
440 The flow table’s priority.
441 dev
443 The flow table’s interface(s).
444 COUNTER
446 { "counter": {
447 "family": STRING,
448 "table": STRING,
449 "name": STRING,
450 "handle": NUMBER,
451 "packets": NUMBER,
452 "bytes": NUMBER
453 }}
454 This object represents a named counter.
456 family
458 The table’s family.
459 table
461 The table’s name.
462 name
464 The counter’s name.
465 handle
467 The counter’s handle. In input, it is used by the delete command
468 only.
469 packets
471 Packet counter value.
472 bytes
474 Byte counter value.
475 QUOTA
477 { "quota": {
478 "family": STRING,
479 "table": STRING,
480 "name": STRING,
481 "handle": NUMBER,
482 "bytes": NUMBER,
483 "used": NUMBER,
484 "inv": BOOLEAN
485 }}
486 This object represents a named quota.
488 family
490 The table’s family.
491 table
493 The table’s name.
494 name
496 The quota’s name.
497 handle
499 The quota’s handle. In input, it is used by the delete command
500 only.
501 bytes
503 Quota threshold.
504 used
506 Quota used so far.
507 inv
509 If true, match if the quota has been exceeded.
510 CT HELPER
512 { "ct helper": {
513 "family": STRING,
514 "table": STRING,
515 "name": STRING,
516 "handle": ... ',
517 "type": 'STRING,
518 "protocol": CTH_PROTO,
519 "l3proto": STRING
520 }}
521 CTH_PROTO := "tcp" | "udp"
523 This object represents a named conntrack helper.
525 family
527 The table’s family.
528 table
530 The table’s name.
531 name
533 The ct helper’s name.
534 handle
536 The ct helper’s handle. In input, it is used by the delete command
537 only.
538 type
540 The ct helper type name, e.g. "ftp" or "tftp".
541 protocol
543 The ct helper’s layer 4 protocol.
544 l3proto
546 The ct helper’s layer 3 protocol, e.g. "ip" or "ip6".
547 LIMIT
549 { "limit": {
550 "family": STRING,
551 "table": STRING,
552 "name": STRING,
553 "handle": NUMBER,
554 "rate": NUMBER,
555 "per": STRING,
556 "burst": NUMBER,
557 "unit": LIMIT_UNIT,
558 "inv": BOOLEAN
559 }}
560 LIMIT_UNIT := "packets" | "bytes"
562 This object represents a named limit.
564 family
566 The table’s family.
567 table
569 The table’s name.
570 name
572 The limit’s name.
573 handle
575 The limit’s handle. In input, it is used by the delete command
576 only.
577 rate
579 The limit’s rate value.
580 per
582 Time unit to apply the limit to, e.g. "week", "day", "hour", etc.
583 If omitted, defaults to "second".
584 burst
586 The limit’s burst value. If omitted, defaults to 0.
587 unit
589 Unit of rate and burst values. If omitted, defaults to "packets".
590 inv
592 If true, match if limit was exceeded. If omitted, defaults to
593 false.
594 CT TIMEOUT
596 { "ct timeout": {
597 "family": STRING,
598 "table": STRING,
599 "name": STRING,
600 "handle": NUMBER,
601 "protocol": CTH_PROTO,
602 "state": STRING,
603 "value: NUMBER,
604 "l3proto": STRING
605 }}
606 CTH_PROTO := "tcp" | "udp" | "dccp" | "sctp" | "gre" | "icmpv6" | "icmp" | "generic"
608 This object represents a named conntrack timeout policy.
610 family
612 The table’s family.
613 table
615 The table’s name.
616 name
618 The ct timeout object’s name.
619 handle
621 The ct timeout object’s handle. In input, it is used by delete
622 command only.
623 protocol
625 The ct timeout object’s layer 4 protocol.
626 state
628 The connection state name, e.g. "established", "syn_sent", "close"
629 or "close_wait", for which the timeout value has to be updated.
630 value
632 The updated timeout value for the specified connection state.
633 l3proto
635 The ct timeout object’s layer 3 protocol, e.g. "ip" or "ip6".
636 CT EXPECTATION
638 { "ct expectation": {
639 "family": STRING,
640 "table": STRING,
641 "name": STRING,
642 "handle": NUMBER,
643 "l3proto": STRING
644 "protocol":* CTH_PROTO,
645 "dport": NUMBER,
646 "timeout: NUMBER,
647 "size: NUMBER,
648 *}}
649 CTH_PROTO := "tcp" | "udp" | "dccp" | "sctp" | "gre" | "icmpv6" | "icmp" | "generic"
651 This object represents a named conntrack expectation.
653 family
655 The table’s family.
656 table
658 The table’s name.
659 name
661 The ct expectation object’s name.
662 handle
664 The ct expectation object’s handle. In input, it is used by delete
665 command only.
666 l3proto
668 The ct expectation object’s layer 3 protocol, e.g. "ip" or "ip6".
669 protocol
671 The ct expectation object’s layer 4 protocol.
672 dport
674 The destination port of the expected connection.
675 timeout
677 The time in millisecond that this expectation will live.
678 size
680 The maximum count of expectations to be living in the same time.
681
683 Statements are the building blocks for rules. Each rule consists of at
684 least one.
685 VERDICT
687 { "accept": null }
688 { "drop": null }
689 { "continue": null }
690 { "return": null }
691 { "jump": { "target": * STRING *}}
692 { "goto": { "target": * STRING *}}
693 A verdict either terminates packet traversal through the current chain
695 or delegates to a different one.
696 jump and goto statements expect a target chain name.
698 MATCH
700 { "match": {
701 "left": EXPRESSION,
702 "right": EXPRESSION,
703 "op": STRING
704 }}
705 This matches the expression on left hand side (typically a packet
707 header or packet meta info) with the expression on right hand side
708 (typically a constant value). If the statement evaluates to true, the
709 next statement in this rule is considered. If not, processing continues
710 with the next rule in the same chain.
711 left
713 Left hand side of this match.
714 right
716 Right hand side of this match.
717 op
719 Operator indicating the type of comparison.
720 OPERATORS
722 & Binary AND
723 | Binary OR
725 ^ Binary XOR
729 << Left shift
731 >> Right shift
733 == Equal
735 != Not equal
737 < Less than
739 > Greater than
741 ⇐ Less than or equal to
743 >= Greater than or equal to
745 in Perform a lookup, i.e.
747 test if bits on RHS are
748 contained in LHS value
749 Unlike with the standard API, the operator is mandatory here. In
752 the standard API, a missing operator may be resolved in two ways,
753 depending on the type of expression on the RHS:
754 • If the RHS is a bitmask or a list of bitmasks, the expression
756 resolves into a binary operation with the inequality operator,
757 like this: LHS & RHS != 0.
758 • In any other case, the equality operator is simply inserted.
760 For the non-trivial first case, the JSON API supports the in
762 operator.
763 COUNTER
765 { "counter": {
766 "packets": NUMBER,
767 "bytes": NUMBER
768 }}
769 { "counter": STRING }
771 This object represents a byte/packet counter. In input, no properties
773 are required. If given, they act as initial values for the counter.
774 The first form creates an anonymous counter which lives in the rule it
776 appears in. The second form specifies a reference to a named counter
777 object.
778 packets
780 Packets counted.
781 bytes
783 Bytes counted.
784 MANGLE
786 { "mangle": {
787 "key": EXPRESSION,
788 "value": EXPRESSION
789 }}
790 This changes the packet data or meta info.
792 key
794 The packet data to be changed, given as an exthdr, payload, meta,
795 ct or ct helper expression.
796 value
798 Value to change data to.
799 QUOTA
801 { "quota": {
802 "val": NUMBER,
803 "val_unit": STRING,
804 "used": NUMBER,
805 "used_unit": STRING,
806 "inv": BOOLEAN
807 }}
808 { "quota": STRING }
810 The first form creates an anonymous quota which lives in the rule it
812 appears in. The second form specifies a reference to a named quota
813 object.
814 val
816 Quota value.
817 val_unit
819 Unit of val, e.g. "kbytes" or "mbytes". If omitted, defaults to
820 "bytes".
821 used
823 Quota used so far. Optional on input. If given, serves as initial
824 value.
825 used_unit
827 Unit of used. Defaults to "bytes".
828 inv
830 If true, will match if quota was exceeded. Defaults to false.
831 LIMIT
833 { "limit": {
834 "rate": NUMBER,
835 "rate_unit": STRING,
836 "per": STRING,
837 "burst": NUMBER,
838 "burst_unit": STRING,
839 "inv": BOOLEAN
840 }}
841 { "limit": STRING }
843 The first form creates an anonymous limit which lives in the rule it
845 appears in. The second form specifies a reference to a named limit
846 object.
847 rate
849 Rate value to limit to.
850 rate_unit
852 Unit of rate, e.g. "packets" or "mbytes". Defaults to "packets".
853 per
855 Denominator of rate, e.g. "week" or "minutes".
856 burst
858 Burst value. Defaults to 0.
859 burst_unit
861 Unit of burst, ignored if rate_unit is "packets". Defaults to
862 "bytes".
863 inv
865 If true, matches if the limit was exceeded. Defaults to false.
866 FWD
868 { "fwd": {
869 "dev": EXPRESSION,
870 "family": FWD_FAMILY,
871 "addr": EXPRESSION
872 }}
873 FWD_FAMILY := "ip" | "ip6"
875 Forward a packet to a different destination.
877 dev
879 Interface to forward the packet on.
880 family
882 Family of addr.
883 addr
885 IP(v6) address to forward the packet to.
886 Both family and addr are optional, but if at least one is given, both
888 must be present.
889 NOTRACK
891 { "notrack": null }
892 Disable connection tracking for the packet.
894 DUP
896 { "dup": {
897 "addr": EXPRESSION,
898 "dev": EXPRESSION
899 }}
900 Duplicate a packet to a different destination.
902 addr
904 Address to duplicate packet to.
905 dev
907 Interface to duplicate packet on. May be omitted to not specify an
908 interface explicitly.
909 NETWORK ADDRESS TRANSLATION
911 { "snat": {
912 "addr": EXPRESSION,
913 "family": STRING,
914 "port": EXPRESSION,
915 "flags": FLAGS
916 }}
917 { "dnat": {
919 "addr": EXPRESSION,
920 "family": STRING,
921 "port": EXPRESSION,
922 "flags": FLAGS
923 }}
924 { "masquerade": {
926 "port": EXPRESSION,
927 "flags": FLAGS
928 }}
929 { "redirect": {
931 "port": EXPRESSION,
932 "flags": FLAGS
933 }}
934 FLAGS := FLAG | [ FLAG_LIST ]
936 FLAG_LIST := FLAG [, FLAG_LIST ]
937 FLAG := "random" | "fully-random" | "persistent"
938 Perform Network Address Translation.
940 addr
942 Address to translate to.
943 family
945 Family of addr, either ip or ip6. Required in inet table family.
946 port
948 Port to translate to.
949 flags
951 Flag(s).
952 All properties are optional and default to none.
954 REJECT
956 { "reject": {
957 "type": STRING,
958 "expr": EXPRESSION
959 }}
960 Reject the packet and send the given error reply.
962 type
964 Type of reject, either "tcp reset", "icmpx", "icmp" or "icmpv6".
965 expr
967 ICMP code to reject with.
968 All properties are optional.
970 SET
972 { "set": {
973 "op": STRING,
974 "elem": EXPRESSION,
975 "set": STRING
976 }}
977 Dynamically add/update elements to a set.
979 op
981 Operator on set, either "add" or "update".
982 elem
984 Set element to add or update.
985 set
987 Set reference.
988 LOG
990 { "log": {
991 "prefix": STRING,
992 "group": NUMBER,
993 "snaplen": NUMBER,
994 "queue-threshold": NUMBER,
995 "level": LEVEL,
996 "flags": FLAGS
997 }}
998 LEVEL := "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
1000 "info" | "debug" | "audit"
1001 FLAGS := FLAG | [ FLAG_LIST ]
1003 FLAG_LIST := FLAG [, FLAG_LIST ]
1004 FLAG := "tcp sequence" | "tcp options" | "ip options" | "skuid" |
1005 "ether" | "all"
1006 Log the packet.
1008 prefix
1010 Prefix for log entries.
1011 group
1013 Log group.
1014 snaplen
1016 Snaplen for logging.
1017 queue-threshold
1019 Queue threshold.
1020 level
1022 Log level. Defaults to "warn".
1023 flags
1025 Log flags.
1026 All properties are optional.
1028 CT HELPER
1030 { "ct helper": EXPRESSION }
1031 Enable the specified conntrack helper for this packet.
1033 ct helper
1035 CT helper reference.
1036 METER
1038 { "meter": {
1039 "name": STRING,
1040 "key": EXPRESSION,
1041 "stmt": STATEMENT
1042 }}
1043 Apply a given statement using a meter.
1045 name
1047 Meter name.
1048 key
1050 Meter key.
1051 stmt
1053 Meter statement.
1054 QUEUE
1056 { "queue": {
1057 "num": EXPRESSION,
1058 "flags": FLAGS
1059 }}
1060 FLAGS := FLAG | [ FLAG_LIST ]
1062 FLAG_LIST := FLAG [, FLAG_LIST ]
1063 FLAG := "bypass" | "fanout"
1064 Queue the packet to userspace.
1066 num
1068 Queue number.
1069 flags
1071 Queue flags.
1072 VERDICT MAP
1074 { "vmap": {
1075 "key": EXPRESSION,
1076 "data": EXPRESSION
1077 }}
1078 Apply a verdict conditionally.
1080 key
1082 Map key.
1083 data
1085 Mapping expression consisting of value/verdict pairs.
1086 CT COUNT
1088 { "ct count": {
1089 "val": NUMBER,
1090 "inv": BOOLEAN
1091 }}
1092 Limit the number of connections using conntrack.
1094 val
1096 Connection count threshold.
1097 inv
1099 If true, match if val was exceeded. If omitted, defaults to false.
1100 CT TIMEOUT
1102 { "ct timeout": EXPRESSION }
1103 Assign connection tracking timeout policy.
1105 ct timeout
1107 CT timeout reference.
1108 CT EXPECTATION
1110 { "ct expectation": EXPRESSION }
1111 Assign connection tracking expectation.
1113 ct expectation
1115 CT expectation reference.
1116 XT
1118 { "xt": {
1119 "type": TYPENAME,
1120 "name": STRING
1121 }}
1122 TYPENAME := match | target | watcher
1124 This represents an xt statement from xtables compat interface. It is a
1126 fallback if translation is not available or not complete.
1127 Seeing this means the ruleset (or parts of it) were created by
1129 iptables-nft and one should use that to manage it.
1130 BEWARE: nftables won’t restore these statements.
1132
1134 Expressions are the building blocks of (most) statements. In their most
1135 basic form, they are just immediate values represented as a JSON
1136 string, integer or boolean type.
1137 IMMEDIATES
1139 STRING
1140 NUMBER
1141 BOOLEAN
1142 Immediate expressions are typically used for constant values. For
1144 strings, there are two special cases:
1145 @STRING
1147 The remaining part is taken as set name to create a set reference.
1148 \*
1150 Construct a wildcard expression.
1151 LISTS
1153 ARRAY
1154 List expressions are constructed by plain arrays containing of an
1156 arbitrary number of expressions.
1157 CONCAT
1159 { "concat": CONCAT }
1160 CONCAT := [ EXPRESSION_LIST ]
1162 EXPRESSION_LIST := EXPRESSION [, EXPRESSION_LIST ]
1163 Concatenate several expressions.
1165 SET
1167 { "set": SET }
1168 SET := EXPRESSION | [ EXPRESSION_LIST ]
1170 This object constructs an anonymous set. For mappings, an array of
1172 arrays with exactly two elements is expected.
1173 MAP
1175 { "map": {
1176 "key": EXPRESSION,
1177 "data": EXPRESSION
1178 }}
1179 Map a key to a value.
1181 key
1183 Map key.
1184 data
1186 Mapping expression consisting of value/target pairs.
1187 PREFIX
1189 { "prefix": {
1190 "addr": EXPRESSION,
1191 "len": NUMBER
1192 }}
1193 Construct an IPv4 or IPv6 prefix consisting of address part in addr and
1195 prefix length in len.
1196 RANGE
1198 { "range": [ EXPRESSION , EXPRESSION ] }
1199 Construct a range of values. The first array item denotes the lower
1201 boundary, the second one the upper boundary.
1202 PAYLOAD
1204 { "payload": {
1205 "base": BASE,
1206 "offset": NUMBER,
1207 "len": NUMBER
1208 }}
1209 { "payload": {
1211 "protocol": STRING,
1212 "field": STRING
1213 }}
1214 BASE := "ll" | "nh" | "th"
1216 Construct a payload expression, i.e. a reference to a certain part of
1218 packet data. The first form creates a raw payload expression to point
1219 at a random number (len) of bytes at a certain offset (offset) from a
1220 given reference point (base). The following base values are accepted:
1221 "ll"
1223 The offset is relative to Link Layer header start offset.
1224 "nh"
1226 The offset is relative to Network Layer header start offset.
1227 "th"
1229 The offset is relative to Transport Layer header start offset.
1230 The second form allows one to reference a field by name (field) in a
1232 named packet header (protocol).
1233 EXTHDR
1235 { "exthdr": {
1236 "name": STRING,
1237 "field": STRING,
1238 "offset": NUMBER
1239 }}
1240 Create a reference to a field (field) in an IPv6 extension header
1242 (name). offset is used only for rt0 protocol.
1243 If the field property is not given, the expression is to be used as a
1245 header existence check in a match statement with a boolean on the right
1246 hand side.
1247 TCP OPTION
1249 { "tcp option": {
1250 "name": STRING,
1251 "field": STRING
1252 }}
1253 Create a reference to a field (field) of a TCP option header (name).
1255 If the field property is not given, the expression is to be used as a
1257 TCP option existence check in a match statement with a boolean on the
1258 right hand side.
1259 SCTP CHUNK
1261 { "sctp chunk": {
1262 "name": STRING,
1263 "field": STRING
1264 }}
1265 Create a reference to a field (field) of an SCTP chunk (name).
1267 If the field property is not given, the expression is to be used as an
1269 SCTP chunk existence check in a match statement with a boolean on the
1270 right hand side.
1271 META
1273 { "meta": {
1274 "key": META_KEY
1275 }}
1276 META_KEY := "length" | "protocol" | "priority" | "random" | "mark" |
1278 "iif" | "iifname" | "iiftype" | "oif" | "oifname" |
1279 "oiftype" | "skuid" | "skgid" | "nftrace" |
1280 "rtclassid" | "ibriport" | "obriport" | "ibridgename" |
1281 "obridgename" | "pkttype" | "cpu" | "iifgroup" |
1282 "oifgroup" | "cgroup" | "nfproto" | "l4proto" |
1283 "secpath"
1284 Create a reference to packet meta data.
1286 RT
1288 { "rt": {
1289 "key": RT_KEY,
1290 "family": RT_FAMILY
1291 }}
1292 RT_KEY := "classid" | "nexthop" | "mtu"
1294 RT_FAMILY := "ip" | "ip6"
1295 Create a reference to packet routing data.
1297 The family property is optional and defaults to unspecified.
1299 CT
1301 { "ct": {
1302 "key": STRING,
1303 "family": CT_FAMILY,
1304 "dir": CT_DIRECTION
1305 }}
1306 CT_FAMILY := "ip" | "ip6"
1308 CT_DIRECTION := "original" | "reply"
1309 Create a reference to packet conntrack data.
1311 Some CT keys do not support a direction. In this case, dir must not be
1313 given.
1314 NUMGEN
1316 { "numgen": {
1317 "mode": NG_MODE,
1318 "mod": NUMBER,
1319 "offset": NUMBER
1320 }}
1321 NG_MODE := "inc" | "random"
1323 Create a number generator.
1325 The offset property is optional and defaults to 0.
1327 HASH
1329 { "jhash": {
1330 "mod": NUMBER,
1331 "offset": NUMBER,
1332 "expr": EXPRESSION,
1333 "seed": NUMBER
1334 }}
1335 { "symhash": {
1337 "mod": NUMBER,
1338 "offset": NUMBER
1339 }}
1340 Hash packet data.
1342 The offset and seed properties are optional and default to 0.
1344 FIB
1346 { "fib": {
1347 "result": FIB_RESULT,
1348 "flags": FIB_FLAGS
1349 }}
1350 FIB_RESULT := "oif" | "oifname" | "type"
1352 FIB_FLAGS := FIB_FLAG | [ FIB_FLAG_LIST ]
1354 FIB_FLAG_LIST := FIB_FLAG [, FIB_FLAG_LIST ]
1355 FIB_FLAG := "saddr" | "daddr" | "mark" | "iif" | "oif"
1356 Perform kernel Forwarding Information Base lookups.
1358 BINARY OPERATION
1360 { "|": [ EXPRESSION, EXPRESSION ] }
1361 { "^": [ EXPRESSION, EXPRESSION ] }
1362 { "&": [ EXPRESSION, EXPRESSION ] }
1363 { "<<": [ EXPRESSION, EXPRESSION ] }
1364 { ">>": [ EXPRESSION, EXPRESSION ] }
1365 All binary operations expect an array of exactly two expressions, of
1367 which the first element denotes the left hand side and the second one
1368 the right hand side.
1369 VERDICT
1371 { "accept": null }
1372 { "drop": null }
1373 { "continue": null }
1374 { "return": null }
1375 { "jump": { "target": STRING }}
1376 { "goto": { "target": STRING }}
1377 Same as the verdict statement, but for use in verdict maps.
1379 jump and goto verdicts expect a target chain name.
1381 ELEM
1383 { "elem": {
1384 "val": EXPRESSION,
1385 "timeout": NUMBER,
1386 "expires": NUMBER,
1387 "comment": STRING
1388 }}
1389 Explicitly set element object, in case timeout, expires or comment are
1391 desired. Otherwise, it may be replaced by the value of val.
1392 SOCKET
1394 { "socket": {
1395 "key": SOCKET_KEY
1396 }}
1397 SOCKET_KEY := "transparent"
1399 Construct a reference to packet’s socket.
1401 OSF
1403 { "osf": {
1404 "key": OSF_KEY,
1405 "ttl": OSF_TTL
1406 }}
1407 OSF_KEY := "name"
1409 OSF_TTL := "loose" | "skip"
1410 Perform OS fingerprinting. This expression is typically used in the LHS
1412 of a match statement.
1413 key
1415 Which part of the fingerprint info to match against. At this point,
1416 only the OS name is supported.
1417 ttl
1419 Define how the packet’s TTL value is to be matched. This property
1420 is optional. If omitted, the TTL value has to match exactly. A
1421 value of loose accepts TTL values less than the fingerprint one. A
1422 value of skip omits TTL value comparison entirely.
1423
1425 Phil Sutter <phil@nwl.cc>
1426 Author.
1427 03/13/2023 LIBNFTABLES-JSON(5)