http://wiki.nftables.org/wiki-nftables/api.php?action=feedcontributions&feedformat=atom&user=Aurelien
nftables wiki - User contributions [en]
2026-04-11T10:32:58Z
User contributions
MediaWiki 1.43.6
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1132
Quick reference-nftables in 10 minutes
2024-04-21T07:52:41Z
<p>Aurelien: /* Rules */ Clarify the explanation about the inserted rule position.</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <handle>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
Inserted rules are placed at the beginning of the chain, by default. However, if you specify a ''position'' handle, then the new rule is inserted just before the existing rule with that handle.<br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr { esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6 }<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit { 33, 55, 67, 88 }<br />
ip6 hoplimit { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport { telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88 }<br />
tcp sport { 33-55 }<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr }<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport { telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88 }<br />
udp sport { 33-55 }<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport { telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88 }<br />
udplite sport { 33-55 }<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport { telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88 }<br />
sctp sport { 33-55 }<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport { telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88 }<br />
dccp sport { 33-55 }<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type { request, response, data, ack, dataack, closereq, close, reset, sync, syncack }<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength { 11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved { 23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi { 111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence { 23, 25, 33 }<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi { 111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence { 23, 25, 33 }<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr { esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags { 0x33, 0x55, 0x67, 0x88 }<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type { echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56 }<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code { 5, 6, 7 }<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp }<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6 }<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type { binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message }<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation { nak, inreply, inrequest, rreply, rrequest, reply, request }<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction { reply, original }<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status { expected, seen-reply, assured, confirmed, snat, dnat, dying }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark { 0x32, 0x2222, 0x42de3 }<br />
ct mark { 0x32-0x2222, 0x4444-0x42de3 }<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration { 33, 55, 67, 88 }<br />
ct expiration { 1m7s, 33s, 55s, 1m28s }<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname { "eth0", "lo" }<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname { "eth0", "lo" }<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif { eth0, lo }<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype { ether, ppp, ipip, ipip6, loopback, sit, ipgre }<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype { ether, ppp, ipip, ipip6, loopback, sit, ipgre }<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid { bin, root, daemon }<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid { bin, root, daemon }<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast }<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup { default }<br />
meta iifgroup { 11,33 }<br />
meta iifgroup { 11-33 }<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup { default }<br />
meta oifgroup { 11,33 }<br />
meta oifgroup { 11-33 }<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup { 1048577-1048578 }<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4 }<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport { ssh, http } accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type { echo-request, nd-neighbor-solicit } accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport { ssh, http } accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1131
Quick reference-nftables in 10 minutes
2024-04-21T07:47:18Z
<p>Aurelien: /* Rules */ Clarify that <position> is just a handle (not some other type of identifier), and the new rule is inserted just before the rule with that handle.</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <handle>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
Inserting a new rule with ''nft insert'' inserts it at the beginning of the chain, by default. However, if you specify a ''position'' handle, then the new rule is inserted just before the rule with that handle.<br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr { esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6 }<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit { 33, 55, 67, 88 }<br />
ip6 hoplimit { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport { telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88 }<br />
tcp sport { 33-55 }<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr }<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport { telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88 }<br />
udp sport { 33-55 }<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport { telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88 }<br />
udplite sport { 33-55 }<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport { telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88 }<br />
sctp sport { 33-55 }<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport { telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88 }<br />
dccp sport { 33-55 }<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type { request, response, data, ack, dataack, closereq, close, reset, sync, syncack }<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength { 11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved { 23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi { 111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence { 23, 25, 33 }<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi { 111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence { 23, 25, 33 }<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr { esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags { 0x33, 0x55, 0x67, 0x88 }<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type { echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56 }<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code { 5, 6, 7 }<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp }<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6 }<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type { binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message }<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation { nak, inreply, inrequest, rreply, rrequest, reply, request }<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction { reply, original }<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status { expected, seen-reply, assured, confirmed, snat, dnat, dying }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark { 0x32, 0x2222, 0x42de3 }<br />
ct mark { 0x32-0x2222, 0x4444-0x42de3 }<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration { 33, 55, 67, 88 }<br />
ct expiration { 1m7s, 33s, 55s, 1m28s }<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname { "eth0", "lo" }<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname { "eth0", "lo" }<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif { eth0, lo }<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype { ether, ppp, ipip, ipip6, loopback, sit, ipgre }<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype { ether, ppp, ipip, ipip6, loopback, sit, ipgre }<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid { bin, root, daemon }<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid { bin, root, daemon }<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast }<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup { default }<br />
meta iifgroup { 11,33 }<br />
meta iifgroup { 11-33 }<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup { default }<br />
meta oifgroup { 11,33 }<br />
meta oifgroup { 11-33 }<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup { 1048577-1048578 }<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4 }<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport { ssh, http } accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type { echo-request, nd-neighbor-solicit } accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport { ssh, http } accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1130
Quick reference-nftables in 10 minutes
2024-04-21T06:29:38Z
<p>Aurelien: More consistent spacing, e.g., { a, b, c } instead of { a,b, c} or {a, b, c }</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr { esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6 }<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit { 33, 55, 67, 88 }<br />
ip6 hoplimit { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport { telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88 }<br />
tcp sport { 33-55 }<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr }<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport { telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88 }<br />
udp sport { 33-55 }<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport { telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88 }<br />
udplite sport { 33-55 }<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport { telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88 }<br />
sctp sport { 33-55 }<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport { telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88 }<br />
dccp sport { 33-55 }<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type { request, response, data, ack, dataack, closereq, close, reset, sync, syncack }<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength { 11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved { 23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi { 111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence { 23, 25, 33 }<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi { 111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence { 23, 25, 33 }<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr { esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags { 0x33, 0x55, 0x67, 0x88 }<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type { echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56 }<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code { 5, 6, 7 }<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp }<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6 }<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type { binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message }<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation { nak, inreply, inrequest, rreply, rrequest, reply, request }<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction { reply, original }<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status { expected, seen-reply, assured, confirmed, snat, dnat, dying }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark { 0x32, 0x2222, 0x42de3 }<br />
ct mark { 0x32-0x2222, 0x4444-0x42de3 }<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration { 33, 55, 67, 88 }<br />
ct expiration { 1m7s, 33s, 55s, 1m28s }<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname { "eth0", "lo" }<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname { "eth0", "lo" }<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif { eth0, lo }<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype { ether, ppp, ipip, ipip6, loopback, sit, ipgre }<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype { ether, ppp, ipip, ipip6, loopback, sit, ipgre }<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid { bin, root, daemon }<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid { bin, root, daemon }<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast }<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup { default }<br />
meta iifgroup { 11,33 }<br />
meta iifgroup { 11-33 }<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup { default }<br />
meta oifgroup { 11,33 }<br />
meta oifgroup { 11-33 }<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup { 1048577-1048578 }<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4 }<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport { ssh, http } accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type { echo-request, nd-neighbor-solicit } accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport { ssh, http } accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1129
Quick reference-nftables in 10 minutes
2024-04-21T06:22:45Z
<p>Aurelien: /* Comp */ More consistent space after { and before }</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr { esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6 }<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit { 33, 55, 67, 88 }<br />
ip6 hoplimit { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport { telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88 }<br />
tcp sport { 33-55 }<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr }<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport { telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88 }<br />
udp sport { 33-55 }<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport { telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88 }<br />
udplite sport { 33-55 }<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport { telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88 }<br />
sctp sport { 33-55 }<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport { telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88 }<br />
dccp sport { 33-55 }<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type { request, response, data, ack, dataack, closereq, close, reset, sync, syncack }<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength { 11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved { 23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi { 111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence { 23, 25, 33 }<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi { 111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence { 23, 25, 33 }<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr { esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags { 0x33, 0x55, 0x67, 0x88 }<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1128
Quick reference-nftables in 10 minutes
2024-04-21T06:22:19Z
<p>Aurelien: /* Esp */ More consistent space after { and before }</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr { esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6 }<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit { 33, 55, 67, 88 }<br />
ip6 hoplimit { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport { telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88 }<br />
tcp sport { 33-55 }<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr }<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport { telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88 }<br />
udp sport { 33-55 }<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport { telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88 }<br />
udplite sport { 33-55 }<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport { telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88 }<br />
sctp sport { 33-55 }<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport { telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88 }<br />
dccp sport { 33-55 }<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type { request, response, data, ack, dataack, closereq, close, reset, sync, syncack }<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength { 11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved { 23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi { 111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence { 23, 25, 33 }<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi { 111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence { 23, 25, 33 }<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1127
Quick reference-nftables in 10 minutes
2024-04-21T06:21:59Z
<p>Aurelien: /* Ah */ More consistent space after { and before }</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr { esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6 }<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit { 33, 55, 67, 88 }<br />
ip6 hoplimit { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport { telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88 }<br />
tcp sport { 33-55 }<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr }<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport { telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88 }<br />
udp sport { 33-55 }<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport { telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88 }<br />
udplite sport { 33-55 }<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport { telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88 }<br />
sctp sport { 33-55 }<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport { telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88 }<br />
dccp sport { 33-55 }<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type { request, response, data, ack, dataack, closereq, close, reset, sync, syncack }<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength { 11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved { 23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi { 111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence { 23, 25, 33 }<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence {23, 25, 33}<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1126
Quick reference-nftables in 10 minutes
2024-04-21T06:21:26Z
<p>Aurelien: /* Dccp */ More consistent space after { and before }</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr { esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6 }<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit { 33, 55, 67, 88 }<br />
ip6 hoplimit { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport { telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88 }<br />
tcp sport { 33-55 }<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr }<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport { telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88 }<br />
udp sport { 33-55 }<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport { telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88 }<br />
udplite sport { 33-55 }<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport { telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88 }<br />
sctp sport { 33-55 }<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport { telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88 }<br />
dccp sport { 33-55 }<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type { request, response, data, ack, dataack, closereq, close, reset, sync, syncack }<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength {11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved {23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence {23, 25, 33}<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence {23, 25, 33}<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1125
Quick reference-nftables in 10 minutes
2024-04-21T06:20:58Z
<p>Aurelien: /* Sctp */ More consistent space after { and before }</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr { esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6 }<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit { 33, 55, 67, 88 }<br />
ip6 hoplimit { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport { telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88 }<br />
tcp sport { 33-55 }<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr }<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport { telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88 }<br />
udp sport { 33-55 }<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport { telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88 }<br />
udplite sport { 33-55 }<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport { telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88 }<br />
sctp sport { 33-55 }<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport {telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88}<br />
dccp sport { 33-55}<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength {11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved {23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence {23, 25, 33}<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence {23, 25, 33}<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1124
Quick reference-nftables in 10 minutes
2024-04-21T06:20:26Z
<p>Aurelien: /* Udplite */ More consistent space after { and before }</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr { esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6 }<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit { 33, 55, 67, 88 }<br />
ip6 hoplimit { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport { telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88 }<br />
tcp sport { 33-55 }<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr }<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport { telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88 }<br />
udp sport { 33-55 }<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport { telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88 }<br />
udplite sport { 33-55 }<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport {telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88}<br />
sctp sport { 33-55}<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport {telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88}<br />
dccp sport { 33-55}<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength {11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved {23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence {23, 25, 33}<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence {23, 25, 33}<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1123
Quick reference-nftables in 10 minutes
2024-04-21T06:19:52Z
<p>Aurelien: /* Udp */ More consistent space after { and before }</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr { esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6 }<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit { 33, 55, 67, 88 }<br />
ip6 hoplimit { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport { telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88 }<br />
tcp sport { 33-55 }<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr }<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport { telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88 }<br />
udp sport { 33-55 }<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport {telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88}<br />
udplite sport { 33-55}<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport {telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88}<br />
sctp sport { 33-55}<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport {telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88}<br />
dccp sport { 33-55}<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength {11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved {23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence {23, 25, 33}<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence {23, 25, 33}<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1122
Quick reference-nftables in 10 minutes
2024-04-21T06:19:15Z
<p>Aurelien: /* Tcp */ More consistent space after { and before }</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr { esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6 }<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit { 33, 55, 67, 88 }<br />
ip6 hoplimit { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport { telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88 }<br />
tcp sport { 33-55 }<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr }<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport {telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88}<br />
udp sport { 33-55}<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport {telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88}<br />
udplite sport { 33-55}<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport {telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88}<br />
sctp sport { 33-55}<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport {telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88}<br />
dccp sport { 33-55}<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength {11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved {23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence {23, 25, 33}<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence {23, 25, 33}<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1121
Quick reference-nftables in 10 minutes
2024-04-21T06:18:28Z
<p>Aurelien: /* Ip6 */ More consistent space after { and before }</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr { esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6 }<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit { 33, 55, 67, 88 }<br />
ip6 hoplimit { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport {telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88}<br />
tcp sport { 33-55}<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr}<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport {telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88}<br />
udp sport { 33-55}<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport {telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88}<br />
udplite sport { 33-55}<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport {telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88}<br />
sctp sport { 33-55}<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport {telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88}<br />
dccp sport { 33-55}<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength {11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved {23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence {23, 25, 33}<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence {23, 25, 33}<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1120
Quick reference-nftables in 10 minutes
2024-04-21T06:05:55Z
<p>Aurelien: /* Ip */ More consistent spacing after { and before }</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838 }<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838}<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr {esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6}<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit {33, 55, 67, 88}<br />
ip6 hoplimit {33-55}<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport {telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88}<br />
tcp sport { 33-55}<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr}<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport {telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88}<br />
udp sport { 33-55}<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport {telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88}<br />
udplite sport { 33-55}<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport {telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88}<br />
sctp sport { 33-55}<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport {telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88}<br />
dccp sport { 33-55}<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength {11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved {23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence {23, 25, 33}<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence {23, 25, 33}<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1119
Quick reference-nftables in 10 minutes
2024-04-21T06:01:32Z
<p>Aurelien: /* Chains */ Escape curly brackets to avoid errors in bash, zsh and many other shells</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef}<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838}<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838}<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr {esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6}<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit {33, 55, 67, 88}<br />
ip6 hoplimit {33-55}<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport {telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88}<br />
tcp sport { 33-55}<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr}<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport {telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88}<br />
udp sport { 33-55}<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport {telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88}<br />
udplite sport { 33-55}<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport {telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88}<br />
sctp sport { 33-55}<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport {telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88}<br />
dccp sport { 33-55}<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength {11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved {23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence {23, 25, 33}<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence {23, 25, 33}<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1118
Quick reference-nftables in 10 minutes
2024-04-21T05:47:01Z
<p>Aurelien: /* Tables */ Mention that the default family is 'ip'.</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''. It defaults to ''ip''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ { type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] } ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef}<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838}<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838}<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr {esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6}<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit {33, 55, 67, 88}<br />
ip6 hoplimit {33-55}<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport {telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88}<br />
tcp sport { 33-55}<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr}<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport {telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88}<br />
udp sport { 33-55}<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport {telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88}<br />
udplite sport { 33-55}<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport {telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88}<br />
sctp sport { 33-55}<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport {telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88}<br />
dccp sport { 33-55}<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength {11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved {23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence {23, 25, 33}<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence {23, 25, 33}<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1117
Quick reference-nftables in 10 minutes
2024-04-21T05:45:14Z
<p>Aurelien: /* Chains */ Since nftables 1.0.1, Linux kernel 5.16, netdev supports egress.</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hooks for ''netdev'' are: ''ingress'', ''egress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ { type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] } ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef}<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838}<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838}<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr {esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6}<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit {33, 55, 67, 88}<br />
ip6 hoplimit {33-55}<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport {telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88}<br />
tcp sport { 33-55}<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr}<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport {telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88}<br />
udp sport { 33-55}<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport {telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88}<br />
udplite sport { 33-55}<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport {telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88}<br />
sctp sport { 33-55}<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport {telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88}<br />
dccp sport { 33-55}<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength {11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved {23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence {23, 25, 33}<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence {23, 25, 33}<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1116
Quick reference-nftables in 10 minutes
2024-04-21T05:40:31Z
<p>Aurelien: /* Tables */ Briefly explain what a handle is</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that use names in numeric format. The ''-a'' argument is used to display each rule's ''handle'' (i.e., a numerical identifier).<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hook for ''netdev'' is: ''ingress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ { type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] } ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef}<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838}<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838}<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr {esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6}<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit {33, 55, 67, 88}<br />
ip6 hoplimit {33-55}<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport {telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88}<br />
tcp sport { 33-55}<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr}<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport {telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88}<br />
udp sport { 33-55}<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport {telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88}<br />
udplite sport { 33-55}<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport {telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88}<br />
sctp sport { 33-55}<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport {telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88}<br />
dccp sport { 33-55}<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength {11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved {23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence {23, 25, 33}<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence {23, 25, 33}<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=1115
Quick reference-nftables in 10 minutes
2024-04-21T05:34:33Z
<p>Aurelien: /* Tables */ Options like -n and -a must be placed before the command</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command line tool in order to interact with nftables at userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to a one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft [-n] [-a] list table [<family>] <name><br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The argument ''-n'' shows the addresses and other information that uses names in numeric format. The ''-a'' argument is used to display the ''handle''.<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (like mangle for the ''output'' hook, for other hooks use the type ''filter'' instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to an specific stage of the packet while it's being processed through the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: '' input'', ''output''.<br />
* The ''bridge'' family handles ethernet packets traversing bridge devices.<br />
* The hook for ''netdev'' is: ''ingress''.<br />
<br />
'''priority''' refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the base chain. Possible values are: ''accept'' (default) and ''drop''. Warning: Setting the policy to ''drop'' discards all packets that<br />
have not been accepted by the ruleset.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ { type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] } ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
<br />
=== Matches ===<br />
<br />
'''matches''' are clues used to access to certain packet information and create filters according to them.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| | ''dscp <value>''<br />
|<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef}<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838}<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off & 0x1fff != 0 # match fragments<br />
ip frag-off & 0x2000 != 0 # match MF flag <br />
ip frag-off & 0x4000 != 0 # match DF flag <br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| Ip Header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| <br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838}<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr {esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6}<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit {33, 55, 67, 88}<br />
ip6 hoplimit {33-55}<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport {telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88}<br />
tcp sport { 33-55}<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr}<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport {telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88}<br />
udp sport { 33-55}<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport {telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88}<br />
udplite sport { 33-55}<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport {telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88}<br />
sctp sport { 33-55}<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|-<br />
| ''chunk <type>''<br />
| Existence of a chunk with given type in packet<br />
|<source lang="bash"><br />
sctp chunk init exists<br />
sctp chunk error missing<br />
</source><br />
|-<br />
| ''chunk <type> <field>''<br />
| A chunk's field value (implies chunk existence)<br />
|<sourcex lang="bash"><br />
sctp chunk init flags 0x1<br />
sctp chunk data tsn 0x23<br />
</source><br />
|}<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport {telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport < source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88}<br />
dccp sport { 33-55}<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength {11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved {23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence {23, 25, 33}<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence {23, 25, 33}<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report }<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 0<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
(ct status & expected) != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] ip saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip saddr 192.168.0.1<br />
ct reply ip saddr 192.168.0.1<br />
ct original ip saddr 192.168.1.0/24<br />
ct reply ip saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] ip daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original ip daddr 192.168.0.1<br />
ct reply ip daddr 192.168.0.1<br />
ct original ip daddr 192.168.1.0/24<br />
ct reply ip daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|-<br />
| | ''count [over] <number of connections>''<br />
| <br />
|<source lang="bash"><br />
ct count over 2<br />
<br />
tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject<br />
[ which requires an existing ssh_flood set, ie. add set filter ssh_flood { type ipv4_addr; flags dynamic; } ]<br />
</source><br />
|}<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packet by metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| <br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
'''statement''' is the action performed when the packet match the rule. It could be ''terminal'' and ''non-terminal''. In a certain rule we can consider several non-terminal statements but only a single terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop the remain rules evaluation.<br />
* ''drop'': Drop the packet and stop the remain rules evaluation.<br />
* ''queue'': Queue the packet to userspace and stop the remain rules evaluation.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept<br />
* ''jump <chain>'': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued<br />
* ''goto <chain>'': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| <br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
The default '''reject''' will be the ICMP type '''port-unreachable'''. The '''icmpx''' is only used for inet family support.<br />
<br />
More information on the [[Rejecting_traffic]] page.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| <br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
</source><br />
|}<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| <br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat to <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat to 192.168.3.2<br />
dnat to ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat to <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat to 192.168.3.2<br />
snat to 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| <br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor events from Netlink creating filters.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Aurelien