Matching packet metainformation

From nftables wiki
Revision as of 18:46, 13 July 2016 by Pablo (talk | contribs) (Created page with "''nftables'' comes with the packet metainformation selectors that you can use to match information that is stored in the network packet. = The meta selectors = The current...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

nftables comes with the packet metainformation selectors that you can use to match information that is stored in the network packet.

The meta selectors

The current metainformation that you can match is:

  • interface device name and interface device index: iifname, oifname, iif and oif.
  • interface type: iiftyte and oiftype.
  • tc handle: priority.
  • socket user and group identifier: skuid and skgid.
  • packet length: length.

Matching packets by interface name

You can use the following selectors to match the interface name:

  • iifname, to match the input network interface name.
  • oifname, to match the output network interface name.
  • iif, to match the interface index of the network interface name. This faster than iifname as it only has to compare a 32-bits unsigned integer instead of a string. The interface index is dynamically allocated, so don't use this for interfaces that are dynamically created and destroyed, eg. ppp0.
  • oif, like iif but it matches the output network interface index.

An example usage of the interface name is the following:

% nft add rule filter input meta oifname lo accept

This rule accepts all traffic for the loopback pseudodevice lo.

Matching packets by packet mark

You can match packets whose mark is 123 with the following rule:

nft add rule filter output meta mark 123 counter

Matching packets the socket UID

You can use your user name to match traffic, eg.

% nft add rule filter output meta skuid pablo counter

Or the 32-bits unsigned integer (UID) in case there is no entry in /etc/passwd for a given user.

% nft add rule filter output meta skuid 1000 counter

Let's just generate some HTTP traffic to test this rule:

% wget --spider http://www.google.com

Then, if you check the counters, you can verify that the packets are matching that rule.

% nft list table filter
table ip filter {
        chain output {
                 type filter hook output priority 0;
                 skuid pablo counter packets 7 bytes 510
        }

        chain input {
                 type filter hook input priority 0;
        }
}

Important: Beware if you test this with ping, it is usually installed with suid so that traffic will match the root user (uid=0).