Data types: Difference between revisions
Latest revision as of 17:05, 20 April 2021
nft describe
You can use nft describe to get information about a data type, to find out the data type of a particular selector, and to list predefined symbolic constants for that selector. Some examples:
```
% nft describe iif
meta expression, datatype iface_index (network interface index) (basetype integer), 32 bits
% nft describe iifname
meta expression, datatype ifname (network interface name) (basetype string), 16 characters
% nft describe tcp flags
payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits
pre-defined symbolic constants (in hexadecimal):
        fin                             0x01
        syn                             0x02
        rst                             0x04
        psh                             0x08
        ack                             0x10
        urg                             0x20
        ecn                             0x40
        cwr                             0x80
```
List of data types
Date and time types
| Data Type | Description | Expressions | Notes |
|---|---|---|---|
| day | Day of week of packet reception (8 bit integer, with pre-defined symbolic constants): Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday | meta day | Sunday = 0, Saturday = 6. Symbolic constants are case insensitive, and unique abbreviations are accepted: Sun = sun = Sunday = 0. |
| hour | Hour of day of packet reception (32 bit integer). Specify as a string in 24-hour format, hh:mm[:ss]. | meta hour | Seconds are optional: 17:00 = 17:00:00. |
| time | Relative time of packet reception (64 bit integer). | meta time | Can be specified as a date in ISO format, e.g. "2019-06-06 17:00". Hour and seconds are optional; if omitted, midnight is assumed, so the following three are equivalent: "2019-06-06" = "2019-06-06 00:00" = "2019-06-06 00:00:00". When an integer is specified, it is assumed to be a UNIX timestamp. |
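As an added example (not code from the nftables project), the value syntax the table above describes, implemented in Python: case-insensitive day names with unique-abbreviation matching that rejects ambiguous prefixes such as S (Sunday or Saturday), hh:mm[:ss] hour strings, and ISO dates with optional time or bare UNIX timestamps. It assumes the 32-bit hour value counts seconds since midnight and interprets dates as UTC.

```python
import re
from datetime import datetime, timezone

# Day names in nft's order: Sunday = 0 ... Saturday = 6 (from the table above).
DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


def day_candidates(name: str) -> list:
    """Day names the (case-insensitive) prefix `name` could stand for."""
    key = name.strip().lower()
    return [d for d in DAYS if key and d.lower().startswith(key)]


def resolve_day(name: str) -> int:
    """Map a day name or unique abbreviation to 0..6; ambiguous or unknown input raises."""
    matches = day_candidates(name)
    if len(matches) != 1:
        raise ValueError(f"day {name!r}: candidates {matches or 'none'}")
    return DAYS.index(matches[0])


def resolve_hour(text: str) -> int:
    """Parse hh:mm[:ss] (24-hour) into seconds since midnight.

    Assumption of this example: nft's 32-bit hour value counts seconds since midnight."""
    m = re.fullmatch(r"(\d{1,2}):(\d{2})(?::(\d{2}))?", text.strip().strip('"'))
    if not m:
        raise ValueError(f"hour {text!r}: expected hh:mm[:ss]")
    h, mi, s = int(m[1]), int(m[2]), int(m[3] or 0)   # seconds default to 00
    if h > 23 or mi > 59 or s > 59:
        raise ValueError(f"hour {text!r}: field out of range")
    return h * 3600 + mi * 60 + s


def resolve_time(text: str) -> int:
    """Parse a meta time operand into a UNIX timestamp.

    A bare integer is already a UNIX timestamp; an ISO date may carry an
    optional hh:mm[:ss], and midnight is assumed when it is absent. Dates are
    interpreted as UTC here (assumption; nft itself uses the local time zone)."""
    t = text.strip().strip('"')
    if t.isdigit():
        return int(t)
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M", "%Y-%m-%d"):
        try:
            parsed = datetime.strptime(t, fmt).replace(tzinfo=timezone.utc)
            return int(parsed.timestamp())
        except ValueError:
            continue
    raise ValueError(f"time {text!r}: expected ISO date with optional hh:mm[:ss], or an integer")
```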
Network interface types
| Data Type | Description | Expressions | Notes |
|---|---|---|---|
| devgroup | Device group (32 bit integer). | meta {iifgroup \| oifgroup} | Can be specified numerically or as a symbolic name defined in /etc/iproute2/group. |
| iface_index | Interface index (32 bit integer). | meta {iif \| oif} | Can be specified numerically or as the name of an existing interface. Use ifname instead for interfaces whose name and/or index can change (i.e. those that appear / disappear dynamically). |
| iface_type | Interface type (16 bit integer, with pre-defined symbolic constants, e.g. sit, ipgre; nft describe iface_type lists them all). | meta {iiftype \| oiftype} | |
| ifkind | Interface kind name (16 byte string). | meta {iifkind \| oifkind} | Kernel source of the value: dev->rtnl_link_ops->kind. The man 8 ip-link TYPES section lists valid ifkinds; it is missing at least one: tun. |
| ifname | Interface name (16 byte string). | meta {iifname \| oifname} | Does not have to exist. Slower than iface_index but good for interfaces that can dynamically appear / disappear. |
Ethernet types
| Data Type | Description | Expressions | Notes |
|---|---|---|---|
| ether_addr | [Ethernet](https://en.wikipedia.org/wiki/Ethernet) address (48 bit integer). | ether {saddr \| daddr}; arp {saddr \| daddr} ether | |
| ether_type | [EtherType](https://en.wikipedia.org/wiki/EtherType) (16 bit integer, with pre-defined symbolic constants): arp, ip, ip6, vlan | meta protocol | [if_ether.h](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/if_ether.h) has the known types. Note that if_ether.h lists EtherTypes in [network order](https://en.wikipedia.org/wiki/Endianness#Networking), while nft uses host byte order, i.e. little-endian on x86 (check the output of nft describe ether_type). |
ARP types
| Data Type | Description | Expressions | Notes |
|---|---|---|---|
| | [ARP](https://en.wikipedia.org/wiki/Address_Resolution_Protocol) HLEN, hardware address length in octets (8 bit integer). | arp hlen «HLEN» | Unnamed 8-bit integer in nftables. For Ethernet HLEN = 6. |
| | ARP HTYPE, hardware type (16 bit integer). | arp htype «HTYPE» | Unnamed 16-bit integer in nftables. [if_arp.h](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/if_arp.h) has the known types. |
| | ARP PLEN, internetwork address length in octets (8 bit integer). | arp plen «PLEN» | Unnamed 8-bit integer in nftables. For IPv4 PLEN = 4. |
| arp_op | ARP operation (16 bit integer, with pre-defined symbolic constants): request = 1, reply = 2, rrequest = 3, rreply = 4, inrequest = 8, inreply = 9, nak = 10 | arp operation «arp_op» | |
IP types
| Data Type | Description | Expressions | Notes |
|---|---|---|---|
| inet_proto | [Internet protocol](https://en.wikipedia.org/wiki/Internet_Protocol) (8 bit integer, with pre-defined symbolic constants): tcp, udp, udplite, esp, ah, icmp, icmpv6, comp, dccp, sctp | ip protocol; ip6 nexthdr; ah nexthdr; comp nexthdr; ct {original \| reply} protocol | [in.h](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/in.h) has the known types. |
| inet_service | Network service port number (16 bit integer). | {udp \| tcp \| udplite \| sctp \| dccp} {sport \| dport} | |
| ipv4_addr | IPv4 address (32 bit integer). | ip {saddr \| daddr}; arp {saddr \| daddr} ip; ct {original \| reply} ip {saddr \| daddr}; rt ip nexthop; ipsec {in \| out} ip {saddr \| daddr} | |
| ipv6_addr | IPv6 address (128 bit integer). | ip6 {saddr \| daddr}; ct {original \| reply} ip6 {saddr \| daddr}; rt ip6 nexthop; ipsec {in \| out} ip6 {saddr \| daddr} | |
Conntrack types
| Data Type | Description | Expressions | Notes |
|---|---|---|---|
| ct_dir | Conntrack direction (8 bit integer). | | Symbolic constants: original = 0, reply = 1 |
| ct_event | Conntrack event bits (4 byte bitmask). | | Symbolic constants: new = 1, related = 2, destroy = 4, reply = 8, assured = 16, protoinfo = 32, helper = 64, mark = 128, seqadj = 256, secmark = 512, label = 1024 |
| ct_label | Conntrack label (128 bit bitmask). | | |
| ct_state | Conntrack state (4 byte bitmask). | | Symbolic constants: invalid = 1, established = 2, related = 4, new = 8, untracked = 64 |
| ct_status | Conntrack status (4 byte bitmask). | | Symbolic constants: expected = 1, seen-reply = 2, assured = 4, confirmed = 8, snat = 16, dnat = 32, dying = 512 |
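Added example (not nftables project code) that encodes and decodes the bitmask types using the symbolic constants this page lists: tcp_flag from the nft describe output above and ct_state, ct_status and ct_event from the conntrack table. Unknown names are rejected, and bits without a listed name (ct_state 16 and 32, for instance) are reported as hex rather than silently dropped.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BitmaskType:
    """A bitmask data type: its nft name, width in bits, and symbolic constants."""
    name: str
    width: int
    constants: Dict[str, int]

    def fits(self, value: int) -> bool:
        """True when `value` is representable in this type's width."""
        return 0 <= value < (1 << self.width)

    def encode(self, spec: str) -> int:
        """Comma-separated names (the form ct state accepts) -> integer bitmask."""
        value = 0
        for token in (t.strip().lower() for t in spec.split(",")):
            if token not in self.constants:
                raise ValueError(f"{self.name}: unknown symbolic constant {token!r}")
            value |= self.constants[token]
        return value

    def decode(self, value: int) -> List[str]:
        """Integer bitmask -> names, lowest bit first; bits with no name are kept as hex."""
        if not self.fits(value):
            raise ValueError(f"{self.name}: {value:#x} does not fit in {self.width} bits")
        names, remaining = [], value
        for cname, bit in sorted(self.constants.items(), key=lambda kv: kv[1]):
            if remaining & bit:
                names.append(cname)
                remaining &= ~bit
        if remaining:                       # e.g. ct_state 16 and 32 have no name on this page
            names.append(f"{remaining:#x}")
        return names


# Constants exactly as this page lists them; widths from the page (tcp_flag 8 bits, ct_* 4 bytes).
TCP_FLAG = BitmaskType("tcp_flag", 8, {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
                                       "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80})
CT_STATE = BitmaskType("ct_state", 32, {"invalid": 1, "established": 2, "related": 4,
                                        "new": 8, "untracked": 64})
CT_STATUS = BitmaskType("ct_status", 32, {"expected": 1, "seen-reply": 2, "assured": 4,
                                          "confirmed": 8, "snat": 16, "dnat": 32, "dying": 512})
CT_EVENT = BitmaskType("ct_event", 32, {"new": 1, "related": 2, "destroy": 4, "reply": 8,
                                        "assured": 16, "protoinfo": 32, "helper": 64,
                                        "mark": 128, "seqadj": 256, "secmark": 512, "label": 1024})
```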
Other types
| Data Type | Description | Expressions | Notes |
|---|---|---|---|
| gid | Group ID (32 bit integer). | meta skgid | Can be specified numerically or as a group name. |
| mark | Packet mark (32 bit integer). | meta mark; socket mark; fib mark . {saddr \| daddr \| iif \| oif} [. ...] {oif \| oifname \| type}; ct mark | |
| pkt_type | Packet type (8 bit integer, with pre-defined symbolic constants, including multicast (to group) and other (addressed to another host); nft describe pkt_type lists them all). | meta pkttype | |
| realm | Routing Realm (32 bit integer). | meta rtclassid | Can be specified numerically or as a symbolic name defined in /etc/iproute2/rt_realms. Routing realm references include [policyrouting.org](http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH07.web.html). |
| uid | User ID (32 bit integer). | meta skuid | Can be specified numerically or as a user name. |