Difference between revisions of "Data types"
(→Data types used in Netfilter: Added "tun" ifkind.) |
(→Data types used in Netfilter: Specified particular meta matches) |
Line 14: | Line 14: | ||
| day | | day | ||
| Either a day of week ("Monday", "Tuesday", etc.), or an integer between 0 and 6. Strings are matched case-insensitively, and a full match is not expected (e.g. "Mon" would match "Monday"). When an integer is given, 0 is Sunday and 6 is Saturday. | | Either a day of week ("Monday", "Tuesday", etc.), or an integer between 0 and 6. Strings are matched case-insensitively, and a full match is not expected (e.g. "Mon" would match "Monday"). When an integer is given, 0 is Sunday and 6 is Saturday. | ||
| [[Matching_packet_metainformation |meta]] | | [[Matching_packet_metainformation|''meta day'']] | ||
| | | | ||
Line 20: | Line 20: | ||
| devgroup | | devgroup | ||
| Device group (32 bit integer). | | Device group (32 bit integer). | ||
| [[Matching_packet_metainformation |meta]] | | [[Matching_packet_metainformation|''meta'' {''iifgroup'' | ''oifgroup''}]] | ||
| Can be specified numerically or as symbolic name defined in /etc/iproute2/group. | | Can be specified numerically or as symbolic name defined in /etc/iproute2/group. | ||
Line 30: | Line 30: | ||
* ''ip6'' | * ''ip6'' | ||
* ''vlan'' | * ''vlan'' | ||
| [[Matching_packet_metainformation |meta]] | | [[Matching_packet_metainformation|''meta protocol'']] | ||
| [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/if_ether.h ether.h] has known types. | | [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/if_ether.h ether.h] has known types. | ||
NOTE that ether.h lists EtherTypes in [https://en.wikipedia.org/wiki/Endianness#Networking network order], while nft uses little-endian order on x86. (Check output of ''nft describe ether_type''.) | NOTE that ether.h lists EtherTypes in [https://en.wikipedia.org/wiki/Endianness#Networking network order], while nft uses little-endian order on x86. (Check output of ''nft describe ether_type''.) | ||
Line 37: | Line 37: | ||
| gid | | gid | ||
| Group ID (32 bit integer). | | Group ID (32 bit integer). | ||
| [[Matching_packet_metainformation |meta]] | | [[Matching_packet_metainformation |''meta skgid'']] | ||
| Can be specified numerically or as group name. | | Can be specified numerically or as group name. | ||
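Review bot: the new link in this hunk keeps a space before the pipe, `[[Matching_packet_metainformation |''meta skgid'']]`, while the day, devgroup and protocol hunks above write `[[Matching_packet_metainformation|''meta day'']]` without it; MediaWiki trims the target so both resolve, but one form should be used throughout this change (the pkttype, rtclassid, time and skuid hunks below carry the same stray space).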
Line 43: | Line 43: | ||
| hour | | hour | ||
| A string representing an hour in 24-hour format. Seconds can optionally be specified. For example, 17:00 and 17:00:00 would be equivalent. | | A string representing an hour in 24-hour format. Seconds can optionally be specified. For example, 17:00 and 17:00:00 would be equivalent. | ||
| [[Matching_packet_metainformation |meta]] | | [[Matching_packet_metainformation|''meta hour'']] | ||
| | | | ||
Line 49: | Line 49: | ||
| iface_index | | iface_index | ||
| Interface index (32 bit integer). | | Interface index (32 bit integer). | ||
| [[Matching_packet_metainformation |meta]] | | [[Matching_packet_metainformation|''meta'' {''iif'' | ''oif''}]] | ||
| Can be specified numerically or as name of an existing interface. | | Can be specified numerically or as name of an existing interface. | ||
Use ifname instead for interfaces whose name and/or index can change (i.e. those that appear / disappear dynamically). | Use ifname instead for interfaces whose name and/or index can change (i.e. those that appear / disappear dynamically). | ||
Line 63: | Line 63: | ||
* ''sit'' | * ''sit'' | ||
* ''ipgre'' | * ''ipgre'' | ||
| [[Matching_packet_metainformation |meta]] | | [[Matching_packet_metainformation|''meta'' {''iiftype'' | ''oiftype''}]] | ||
| | | | ||
Line 69: | Line 69: | ||
| ifkind | | ifkind | ||
| Interface kind name (16 byte string). | | Interface kind name (16 byte string). | ||
| [[Matching_packet_metainformation |meta]] | | [[Matching_packet_metainformation|''meta'' {''iifkind'' | ''oifkind''}]] | ||
| dev->rtnl_link_ops->kind | | dev->rtnl_link_ops->kind | ||
The ''man 8 ip-link'' TYPES section lists valid ifkinds. It's missing at least one: ''tun''. | The ''man 8 ip-link'' TYPES section lists valid ifkinds. It's missing at least one: ''tun''. | ||
Line 76: | Line 76: | ||
| ifname | | ifname | ||
| Interface name (16 byte string). | | Interface name (16 byte string). | ||
| [[Matching_packet_metainformation |meta]] | | [[Matching_packet_metainformation|''meta'' {''iifname'' | ''oifname''}]] | ||
| Does not have to exist. | | Does not have to exist. | ||
Slower than iface_index but good for interfaces that can dynamically appear / disappear. | Slower than iface_index but good for interfaces that can dynamically appear / disappear. | ||
|- style="vertical-align:top;" | |||
| inet_service | |||
| Network service port number (16 bit integer). | |||
| [[Matching_packet_header_fields#Matching_TCP.2FUDP.2FUDPlite_traffic|''udp'' {''sport'' | ''dport''}]]<br> | |||
[[Matching_packet_header_fields#Matching_TCP.2FUDP.2FUDPlite_traffic|''tcp'' {''sport'' | ''dport''}]]<br> | |||
[[Matching_packet_header_fields#Matching_TCP.2FUDP.2FUDPlite_traffic|''udplite'' {''sport'' | ''dport''}]]<br> | |||
[[Matching_packet_header_fields#Matching_TCP.2FUDP.2FUDPlite_traffic|''sctp'' {''sport'' | ''dport''}]]<br> | |||
[[Matching_packet_header_fields#Matching_TCP.2FUDP.2FUDPlite_traffic|''dccp'' {''sport'' | ''dport''}]] | |||
| | |||
|- style="vertical-align:top;" | |||
| ipv4_addr | |||
| IPv4 address (32 bit integer). | |||
| [[Matching_packet_header_fields#Matching_IPv4_header_fields|''ip'' {''saddr'' | ''daddr''} ]]<br> | |||
''arp'' {''saddr'' | ''daddr''} ''ip''<br> | |||
''ct'' {''original'' | ''reply''} ''ip'' {''saddr'' | ''daddr''} | |||
| | |||
|- style="vertical-align:top;" | |- style="vertical-align:top;" | ||
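Review bot: all five inet_service selectors in this hunk link to the anchor `Matching_TCP.2FUDP.2FUDPlite_traffic`, which by its name covers TCP, UDP and UDPlite only, so the `''sctp''` and `''dccp''` entries need either their own anchor on Matching_packet_header_fields or a line stating that they are documented under that section. In the ipv4_addr row only `''ip'' {''saddr'' | ''daddr''}` is linked while the `''arp''` and `''ct''` forms are plain text, and both new rows leave the Notes cell empty, unlike the neighbouring rows; a short note in the same style as the devgroup or gid rows would keep the table consistent.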
Line 87: | Line 105: | ||
* ''multicast'' - to group | * ''multicast'' - to group | ||
* ''other'' - addressed to another host | * ''other'' - addressed to another host | ||
| [[Matching_packet_metainformation |meta]] | | [[Matching_packet_metainformation |''meta pkttype'']] | ||
| | | | ||
Line 93: | Line 111: | ||
| realm | | realm | ||
| Routing Realm (32 bit integer). | | Routing Realm (32 bit integer). | ||
| [[Matching_packet_metainformation |meta]] | | [[Matching_packet_metainformation |''meta rtclassid'']] | ||
| Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms. | | Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms. | ||
Routing realm references: | Routing realm references: | ||
Line 104: | Line 122: | ||
| time | | time | ||
| Either an integer or a date in ISO format. For example: "2019-06-06 17:00". Hour and seconds are optional and can be omitted if desired. If omitted, midnight will be assumed. The following three would be equivalent: "2019-06-06", "2019-06-06 00:00" and "2019-06-06 00:00:00". When an integer is given, it is assumed to be a UNIX timestamp. | | Either an integer or a date in ISO format. For example: "2019-06-06 17:00". Hour and seconds are optional and can be omitted if desired. If omitted, midnight will be assumed. The following three would be equivalent: "2019-06-06", "2019-06-06 00:00" and "2019-06-06 00:00:00". When an integer is given, it is assumed to be a UNIX timestamp. | ||
| [[Matching_packet_metainformation |meta]] | | [[Matching_packet_metainformation |''meta time'']] | ||
| | | | ||
Line 110: | Line 128: | ||
| uid | | uid | ||
| User ID (32 bit integer). | | User ID (32 bit integer). | ||
| [[Matching_packet_metainformation |meta]] | | [[Matching_packet_metainformation |''meta skuid'']] | ||
| Can be specified numerically or as user name. | | Can be specified numerically or as user name. | ||
Revision as of 12:37, 17 February 2021
Data types used in Netfilter
The following data types are used in nft selectors:
Netfilter Data Types

| Data Type | Description | nft Selector(s) | Notes |
|---|---|---|---|
| day | Either a day of week ("Monday", "Tuesday", etc.), or an integer between 0 and 6. Strings are matched case-insensitively, and a full match is not expected (e.g. "Mon" would match "Monday"). When an integer is given, 0 is Sunday and 6 is Saturday. | meta day | |
| devgroup | Device group (32 bit integer). | meta {iifgroup \| oifgroup} | Can be specified numerically or as a symbolic name defined in /etc/iproute2/group. |
| ether_type | EtherType (16 bit integer, with pre-defined symbolic constants). | meta protocol | [ether.h](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/if_ether.h) has known types. NOTE that ether.h lists EtherTypes in [network order](https://en.wikipedia.org/wiki/Endianness#Networking), while nft uses little-endian order on x86. (Check the output of nft describe ether_type.) |
| gid | Group ID (32 bit integer). | meta skgid | Can be specified numerically or as a group name. |
| hour | A string representing an hour in 24-hour format. Seconds can optionally be specified. For example, 17:00 and 17:00:00 would be equivalent. | meta hour | |
| iface_index | Interface index (32 bit integer). | meta {iif \| oif} | Can be specified numerically or as the name of an existing interface. Use ifname instead for interfaces whose name and/or index can change (i.e. those that appear / disappear dynamically). |
| iface_type | Interface type (16 bit integer, with pre-defined symbolic constants). | meta {iiftype \| oiftype} | |
| ifkind | Interface kind name (16 byte string). | meta {iifkind \| oifkind} | Kernel source: dev->rtnl_link_ops->kind. The man 8 ip-link TYPES section lists valid ifkinds. It's missing at least one: tun. |
| ifname | Interface name (16 byte string). | meta {iifname \| oifname} | Does not have to exist. Slower than iface_index but good for interfaces that can dynamically appear / disappear. |
| inet_service | Network service port number (16 bit integer). | udp {sport \| dport}, tcp {sport \| dport}, udplite {sport \| dport}, sctp {sport \| dport}, dccp {sport \| dport} | |
| ipv4_addr | IPv4 address (32 bit integer). | ip {saddr \| daddr}, arp {saddr \| daddr} ip, ct {original \| reply} ip {saddr \| daddr} | |
| pkt_type | Packet type (8 bit integer, with pre-defined symbolic constants). | meta pkttype | |
| realm | Routing Realm (32 bit integer). | meta rtclassid | Can be specified numerically or as a symbolic name defined in /etc/iproute2/rt_realms. Routing realm references: |
| time | Either an integer or a date in ISO format. For example: "2019-06-06 17:00". Hour and seconds are optional and can be omitted if desired. If omitted, midnight will be assumed. The following three would be equivalent: "2019-06-06", "2019-06-06 00:00" and "2019-06-06 00:00:00". When an integer is given, it is assumed to be a UNIX timestamp. | meta time | |
| uid | User ID (32 bit integer). | meta skuid | Can be specified numerically or as a user name. |
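As an added example (not part of the wiki page), a small Python normaliser for the day, hour and time types exactly as the table describes them, useful for validating time-based rule specifications before they are loaded. It assumes that an ambiguous day prefix such as "T" should be refused, and it evaluates ISO dates as UTC so the result does not depend on the host time zone.

```python
"""Normalise nft 'day', 'hour' and 'time' values as the data type table describes them.

Assumptions (not from the wiki): ambiguous day prefixes such as "T" are rejected,
and ISO dates are evaluated as UTC so the result is reproducible on any host.
"""
import calendar
import re
from datetime import datetime

# Index matches nft: 0 is Sunday, 6 is Saturday.
DAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
HOUR_RE = re.compile(r"^(\d{1,2}):(\d{2})(?::(\d{2}))?$")


def parse_day(value):
    """Return 0..6; accepts an int or a case-insensitive prefix of a weekday name."""
    if isinstance(value, int):
        if not 0 <= value <= 6:
            raise ValueError(f"day out of range: {value}")
        return value
    prefix = value.strip().lower()
    if not prefix:
        raise ValueError("empty day name")
    matches = [i for i, name in enumerate(DAYS) if name.lower().startswith(prefix)]
    if len(matches) != 1:  # assumption: "T" or "S" is ambiguous, so refuse it
        raise ValueError(f"ambiguous or unknown day: {value!r}")
    return matches[0]


def parse_hour(value):
    """Return seconds since midnight for 'HH:MM' or 'HH:MM:SS' (both forms are equal)."""
    m = HOUR_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad hour: {value!r}")
    h, mi, s = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if h > 23 or mi > 59 or s > 59:
        raise ValueError(f"hour field out of range: {value!r}")
    return h * 3600 + mi * 60 + s


def parse_time(value):
    """Return a UNIX timestamp; ints pass through, ISO dates default to midnight."""
    if isinstance(value, int):
        return value
    # fromisoformat accepts "YYYY-MM-DD", "YYYY-MM-DD HH:MM" and "YYYY-MM-DD HH:MM:SS".
    dt = datetime.fromisoformat(value.strip())
    return calendar.timegm(dt.timetuple())
```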
nft describe
You can use nft describe to get information about a data type, to find out the data type of a particular selector, and to list predefined symbolic constants for that selector. Some examples:
```
% nft describe iif
meta expression, datatype iface_index (network interface index) (basetype integer), 32 bits

% nft describe iifname
meta expression, datatype ifname (network interface name) (basetype string), 16 characters

% nft describe tcp flags
payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits

pre-defined symbolic constants (in hexadecimal):
        fin                             0x01
        syn                             0x02
        rst                             0x04
        psh                             0x08
        ack                             0x10
        urg                             0x20
        ecn                             0x40
        cwr                             0x80
```
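As an added example (not from the wiki), a Python parser for the `nft describe` output shown above: it picks out the datatype line and the symbolic constants, then decodes a bitmask value such as a tcp_flag into flag names, which is handy when reading raw flag values out of logs. The sample text is the page's `nft describe tcp flags` output, reconstructed here with spaces in place of the original tabs.

```python
"""Parse `nft describe` output and decode a bitmask value with its symbolic constants."""
import re

# Constructed sample: the `nft describe tcp flags` output quoted above, tabs replaced by spaces.
SAMPLE = """payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits

pre-defined symbolic constants (in hexadecimal):
    fin                             0x01
    syn                             0x02
    rst                             0x04
    psh                             0x08
    ack                             0x10
    urg                             0x20
    ecn                             0x40
    cwr                             0x80
"""

DATATYPE_RE = re.compile(
    r"datatype (?P<name>\S+) \((?P<desc>[^)]*)\) \(basetype (?P<base>[^)]*)\), "
    r"(?P<width>\d+) (?P<unit>bits|characters)"
)
CONSTANT_RE = re.compile(r"^\s*(?P<sym>\S+)\s+(?P<val>0x[0-9a-fA-F]+|\d+)\s*$")


def parse_describe(text):
    """Return (datatype, [basetypes], width, {symbol: value}) from nft describe output."""
    m = DATATYPE_RE.search(text)
    if not m:
        raise ValueError("no 'datatype ... (basetype ...)' line found")
    basetypes = [b.strip() for b in m.group("base").split(",")]
    constants = {}
    for line in text.splitlines():
        c = CONSTANT_RE.match(line)
        if c:
            constants[c.group("sym")] = int(c.group("val"), 0)  # base 0 handles 0x and decimal
    return m.group("name"), basetypes, int(m.group("width")), constants


def decode_bitmask(value, constants, width):
    """Names of the constants set in value, plus any bits no constant accounts for."""
    value &= (1 << width) - 1  # only the declared width is meaningful
    names = [sym for sym, bit in constants.items() if bit and value & bit == bit]
    known = 0
    for bit in constants.values():
        known |= bit
    return names, value & ~known
```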