Data types

From nftables wiki
Revision as of 02:30, 17 February 2021 by Fmyhr (talk | contribs) (→‎Data types used in Netfilter: Added symbolic constants for ether_type and iface_type.)
Jump to navigation Jump to search

Data types used in Netfilter

The following data types are used in nft selectors:

Netfilter Data Types
Data Type Description nft Selector(s) Notes
day Either a day of week ("Monday", "Tuesday", etc.), or an integer between 0 and 6. Strings are matched case-insensitively, and a full match is not expected (e.g. "Mon" would match "Monday"). When an integer is given, 0 is Sunday and 6 is Saturday. meta
devgroup_type Device group (32 bit integer). meta Can be specified numerically or as symbolic name defined in /etc/iproute2/group.
ether_type EtherType (16 bit integer, with pre-defined symbolic constants):
  • arp
  • ip
  • ip6
  • vlan
meta ether.h has known types.

NOTE that ether.h lists EtherTypes in network order, while nft uses little-endian order on x86. (Check output of nft describe ether_type.)

gid Group ID (32 bit integer). meta Can be specified numerically or as group name.
hour A string representing an hour in 24-hour format. Seconds can optionally be specified. For example, 17:00 and 17:00:00 would be equivalent. meta
iface_index Interface index (32 bit integer). meta Can be specified numerically or as name of an existing interface.

Use ifname instead for interfaces whose name and/or index can change (i.e. those that appear / disappear dynamically).

iface_type Interface type (16 bit integer, with pre-defined symbolic constants):
  • ether
  • ppp
  • ipip
  • ipip6
  • loopback
  • sit
  • ipgre
meta
ifkind Interface kind (16 byte string). meta List of ifkinds is in man 8 ip-link TYPES section.
ifname Interface name (16 byte string). meta Does not have to exist.

Slower than iface_index but good for interfaces that can dynamically appear / disappear.

pkt_type Packet type (8 bit integer, with pre-defined symbolic constants):
  • host or unicast - addressed to local host
  • broadcast - to all
  • multicast - to group
  • other - addressed to another host
meta
realm Routing Realm (32 bit integer). meta Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms.

Routing realm references:

time Either an integer or a date in ISO format. For example: "2019-06-06 17:00". Hour and seconds are optional and can be omitted if desired. If omitted, midnight will be assumed. The following three would be equivalent: "2019-06-06", "2019-06-06 00:00" and "2019-06-06 00:00:00". When an integer is given, it is assumed to be a UNIX timestamp. meta
uid User ID (32 bit integer). meta Can be specified numerically or as user name.

nft describe

You can use nft describe to get information about a data type, to find out the data type of a particular selector, and to list predefined symbolic constants for that selector. Some examples:

% nft describe iif
meta expression, datatype iface_index (network interface index) (basetype integer), 32 bits

% nft describe iifname
meta expression, datatype ifname (network interface name) (basetype string), 16 characters

% nft describe tcp flags
payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits

pre-defined symbolic constants (in hexadecimal):
        fin                             0x01
        syn                             0x02
        rst                             0x04
        psh                             0x08
        ack                             0x10
        urg                             0x20
        ecn                             0x40
        cwr                             0x80