Data types
nft describe
You can use nft describe to get information about a data type, to find out the data type of a particular selector, and to list predefined symbolic constants for that selector. Some examples:
% nft describe iif
meta expression, datatype iface_index (network interface index) (basetype integer), 32 bits
% nft describe iifname
meta expression, datatype ifname (network interface name) (basetype string), 16 characters
% nft describe tcp flags
payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits
pre-defined symbolic constants (in hexadecimal):
fin 0x01
syn 0x02
rst 0x04
psh 0x08
ack 0x10
urg 0x20
ecn 0x40
cwr 0x80
List of data types
The following data types are used in nft expressions to select matching packets:
| Netfilter Data Types | |||
|---|---|---|---|
| Data Type | Description | nft Expressions | Notes |
| day | Day of week of packet reception (8 bit integer, with pre-defined symbolic constants):
|
meta day | Sunday = 0, Saturday = 6.
Symbolic constants are case insensitive, and unique abbreviations are accepted: Sun = sun = Sunday = 0. |
| devgroup | Device group (32 bit integer). | meta {iifgroup | oifgroup} | Can be specified numerically or as symbolic name defined in /etc/iproute2/group. |
| ether_addr | Ethernet address (48 bit integer). |
|
|
| ether_type | EtherType (16 bit integer, with pre-defined symbolic constants):
|
meta protocol | ether.h has known types.
NOTE that ether.h lists EtherTypes in network order, while nft uses little-endian order on x86. (Check output of nft describe ether_type.) |
| gid | Group ID (32 bit integer). | meta skgid | Can be specified numerically or as group name. |
| hour | Hour of day of packet reception (32 bit integer).
Specify as string in 24-hour format, hh:mm[:ss]. |
meta hour | Seconds are optional: 17:00 = 17:00:00. |
| iface_index | Interface index (32 bit integer). | meta {iif | oif} | Can be specified numerically or as name of an existing interface.
Use ifname instead for interfaces whose name and/or index can change (i.e. those that appear / disappear dynamically). |
| iface_type | Interface type (16 bit integer, with pre-defined symbolic constants):
|
meta {iiftype | oiftype} | |
| ifkind | Interface kind name (16 byte string). | meta {iifkind | oifkind} | dev->rtnl_link_ops->kind
The man 8 ip-link TYPES section lists valid ifkinds. It's missing at least one: tun. |
| ifname | Interface name (16 byte string). | meta {iifname | oifname} | Does not have to exist.
Slower than iface_index but good for interfaces that can dynamically appear / disappear. |
| inet_proto | Internet protocol (8 bit integer, with pre-defined symbolic constants):
|
|
in.h has known types. |
| inet_service | Network service port number (16 bit integer). | ||
| ipv4_addr | IPv4 address (32 bit integer). |
|
|
| ipv6_addr | IPv6 address (128 bit integer). |
|
|
| mark | Packet mark (32 bit integer). | ||
| pkt_type | Packet type (8 bit integer, with pre-defined symbolic constants):
|
meta pkttype | |
| realm | Routing Realm (32 bit integer). | meta rtclassid | Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms.
Routing realm references: |
| time | Relative time of packet reception (64 bit integer). | meta time | Can be specified as a date in ISO format, i.e. "2019-06-06 17:00". Hour and seconds are optional and can be omitted if desired. If omitted, midnight will be assumed. The following three are equivalent: "2019-06-06" = "2019-06-06 00:00" = "2019-06-06 00:00:00".
When an integer is specified, it is assumed to be a UNIX timestamp. |
| uid | User ID (32 bit integer). | meta skuid | Can be specified numerically or as user name. |