Matching packet metainformation: Difference between revisions

From nftables wiki
(→‎The meta selectors: Put meta selectors into a table)

Revision as of 14:19, 4 February 2021

The meta selectors allow you to match (and in some cases, set) packet metainformation.

The meta selectors

The following meta selectors match -- and in some cases set -- packet metainformation:

Meta Selectors

Keyword     Settable  Description                                     Notes
mark        Y         packet mark
iif                   input interface index
iifname               input interface name
iiftype               input interface type
oif                   output interface index
oifname               output interface name
oiftype               output interface type
skuid                 socket uid
skgid                 socket gid
nftrace     Y         nftrace debugging bit
rtclassid             realm
ibriport              input bridge port
obriport              output bridge port
ibrname               input bridge name
obrname               output bridge name
pkttype     Y         packet type
cpu                   cpu number
iifgroup              input interface group
oifgroup              output interface group
cgroup                cgroup number
ipsec                 ipsec (secpath) packet or not
time                  packet timestamp
day                   packet timestamp
hour                  packet timestamp
length                packet length
protocol              packet protocol                                 as in skb->protocol
nfproto               netfilter packet protocol family                e.g. ipv4, ipv6
l4proto               layer 4 protocol                                e.g. tcp, udp
priority    Y         packet priority, tc handle
random                match against a single / simple random number
secmark     Y         packet secmark
ibrvproto             bridge protocol
ibrpvid               bridge pvid

Matching packets by interface name

You can use one of the following selectors to match the interface name:

  • iifname, to match the input network interface name.
  • oifname, to match the output network interface name.
  • iif, to match the interface index of the network interface. This is faster than iifname, as it only has to compare a 32-bit unsigned integer instead of a string. The interface index is dynamically allocated, so don't use this for interfaces that are dynamically created and destroyed, e.g. ppp0.
  • oif, like iif but it matches the output network interface index.

An example usage of the interface name is the following:

% nft add rule filter input meta iifname lo accept

This rule accepts all traffic for the loopback pseudodevice lo.

Matching packets by packet mark

You can match packets whose mark is 123 with the following rule:

nft add rule filter output meta mark 123 counter

Matching packets by the socket UID

You can use your user name to match traffic, e.g.

% nft add rule filter output meta skuid pablo counter

Or the 32-bit unsigned integer (UID), in case there is no entry in /etc/passwd for a given user.

% nft add rule filter output meta skuid 1000 counter

Let's just generate some HTTP traffic to test this rule:

% wget --spider http://www.google.com

Then, if you check the counters, you can verify that the packets are matching that rule.

% nft list table filter
table ip filter {
        chain output {
                 type filter hook output priority 0;
                 skuid pablo counter packets 7 bytes 510
        }

        chain input {
                 type filter hook input priority 0;
        }
}

Important: Beware if you test this with ping: it is usually installed setuid root, so its traffic will match the root user (uid=0).
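The verification step above (generate traffic, then read the counters back with nft list table filter) can be scripted. The following added example is not part of the nftables wiki page: it reads the per-rule counters out of the listing text and reports whether a rule has matched anything. SAMPLE_LISTING is a constructed copy of the listing shown above, with one extra zero-count rule added to show the difference between a rule that counted nothing and a rule that is absent.

```shell
#!/bin/sh
# Added example, not part of the nftables wiki page: read the per-rule
# counters out of `nft list table filter` text so the "did the skuid rule
# match?" check can be scripted instead of eyeballed.  SAMPLE_LISTING is a
# constructed listing modelled on the one shown on this page, plus one
# constructed zero-count rule (meta mark 123).

SAMPLE_LISTING='table ip filter {
        chain output {
                 type filter hook output priority 0;
                 skuid pablo counter packets 7 bytes 510
                 meta mark 123 counter packets 0 bytes 0
        }

        chain input {
                 type filter hook input priority 0;
        }
}'

# rule_counter PATTERN LISTING: print "packets bytes" for the first rule line
# matching PATTERN (an awk regex) that carries a counter; prints nothing when
# no such rule exists in LISTING.
rule_counter() {
    printf '%s\n' "$2" | awk -v pat="$1" '
        $0 ~ pat && /counter packets/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "packets") p = $(i + 1)
                if ($i == "bytes")   b = $(i + 1)
            }
            print p, b
            exit
        }'
}

# rule_is_live PATTERN LISTING: succeed when the matching rule has counted at
# least one packet; fail when it counted nothing or is not in the listing.
rule_is_live() {
    counts=$(rule_counter "$1" "$2")
    [ -n "$counts" ] && [ "${counts%% *}" -gt 0 ]
}

# Usage against a live system would be:
#   rule_counter 'skuid pablo' "$(nft list table filter)"
rule_counter 'skuid pablo' "$SAMPLE_LISTING"
```

Pass the whole listing as the second argument rather than piping it in, so the same function works both on the constructed sample and on the real output of nft list table filter.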

Matching packet priority

  • Since nftables v0.7 you can match the packet priority, the tc classid:

% nft add rule filter forward meta priority abcd:1234

  • Packets without a priority set can be matched using meta priority none:

% nft add rule filter forward meta priority none
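The one-off nft add rule commands in the sections above (interface name, mark, socket UID, priority) can be collected into a single ruleset file that nft -f loads atomically. The following added example is not part of the nftables wiki page: it assembles those rules into such a file, placing each interface-name match in the chain whose hook actually sees that interface (iifname on input, oifname on output) and the skuid match on the output path as the page does, resolves a user name to its numeric UID, and offers a dry-run syntax check with nft -c. The table and chain names follow the page; the user name "pablo" is a hypothetical value.

```shell
#!/bin/sh
# Added example, not part of the nftables wiki page: the meta-based rules from
# this page assembled into one ruleset file that `nft -f` can load, plus a
# dry-run syntax check.  Table and chain names follow the page ("filter",
# "input", "output", "forward"); the user name passed in is hypothetical.

# resolve_uid NAME_OR_UID: print the numeric UID for a user name, or the value
# unchanged when it is already numeric or cannot be looked up.  Baking the
# number into the file keeps it loadable even if the account later disappears
# from /etc/passwd (the page notes that meta skuid accepts the raw UID).
resolve_uid() {
    case "$1" in
        *[!0-9]*|'') id -u "$1" 2>/dev/null || printf '%s' "$1" ;;
        *)           printf '%s' "$1" ;;
    esac
}

# meta_ruleset USER: write the ruleset to stdout.  iifname only has a value in
# hooks that see an incoming interface (input), oifname in hooks that see the
# outgoing one (output); skuid is placed on output, where the sending socket
# is known.
meta_ruleset() {
    uid=$(resolve_uid "$1")
    cat <<EOF
table ip filter {
    chain input {
        type filter hook input priority 0; policy accept;
        meta iifname "lo" accept
        meta mark 123 counter
    }
    chain output {
        type filter hook output priority 0; policy accept;
        meta oifname "lo" accept
        meta skuid $uid counter
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        meta priority none counter
    }
}
EOF
}

# check_ruleset USER: parse-check the generated file with nft without
# changing the kernel ruleset (`-c`).  Skips quietly where nft is absent.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        meta_ruleset "$1" | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Usage with the hypothetical user "pablo": print the ruleset.
meta_ruleset pablo
```

Run check_ruleset pablo as root to have nft parse the file, then meta_ruleset pablo > /etc/nftables.d/meta.nft (path is an assumption) and nft -f on that file to load it; loading via -f replaces the whole table in one transaction instead of appending rules one nft add at a time.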