Matching packet metainformation
nftables comes with the packet metainformation selectors that you can use to match information that is stored in the network packet.
The meta selectors
The meta selectors allows you to match (and in some cases, set) packet metainformation.
We have 2 types of meta statement, qualified and unqualified. Qualified ones require you use the meta keyword, and for unqualified ones it can be skipped.
- qualified meta statements:
- length -- packet lenght
- protocol -- packet protocol
- priority -- packet priority, tc handle. Can be set.
- random -- match against a single/simple random number
- secmark -- packet secmark. Can be set.
- unqualified meta statements:
- mark -- packet mark. Can be set.
- iif -- input interface index
- iifname -- input interface name
- iiftype -- input interface type
- oif -- output interface index
- oifname -- output interface name
- oiftype -- output interface type
- skuid -- socket uid
- skgid -- socket gid
- nftrace -- nftrace debugging bit. Can be set.
- rtclassid -- realm
- ibriport -- input bridge port
- obriport -- output bridge port
- ibridgename -- input bridge name
- obridgename -- output bridge name
- pkttype -- packet type. Can be set.
- cpu -- cpu number
- iifgroup -- input interface group
- oifgroup -- output interface group
- cgroup -- cgroup number
- ipsec -- ipsec packet or not
- time -- packet timestamp
- day -- packet timestamp
- hour -- packet timestamp
Matching packets by interface name
You can use one of the following selectors to match the interface name:
- iifname, to match the input network interface name.
- oifname, to match the output network interface name.
- iif, to match the interface index of the network interface name. This is faster than iifname as it only has to compare a 32-bits unsigned integer instead of a string. The interface index is dynamically allocated, so don't use this for interfaces that are dynamically created and destroyed, eg. ppp0.
- oif, like iif but it matches the output network interface index.
An example usage of the interface name is the following:
% nft add rule filter input meta oifname lo accept
This rule accepts all traffic for the loopback pseudodevice lo.
Matching packets by packet mark
You can match packets whose mark is 123 with the following rule:
nft add rule filter output meta mark 123 counter
Matching packets the socket UID
You can use your user name to match traffic, eg.
% nft add rule filter output meta skuid pablo counter
Or the 32-bits unsigned integer (UID) in case there is no entry in /etc/passwd for a given user.
% nft add rule filter output meta skuid 1000 counter
Let's just generate some HTTP traffic to test this rule:
% wget --spider http://www.google.com
Then, if you check the counters, you can verify that the packets are matching that rule.
% nft list table filter
table ip filter {
chain output {
type filter hook output priority 0;
skuid pablo counter packets 7 bytes 510
}
chain input {
type filter hook input priority 0;
}
}
Important: Beware if you test this with ping, it is usually installed with suid so that traffic will match the root user (uid=0).
Matching packet priority
- Since nftables v0.7 you can match the packet priority, the tc classid:
% nft add rule filter forward meta priority abcd:1234
- Packet without set priority can be matched using meta priority none
% nft add rule filter forward meta priority none