Difference between revisions of "Data types"

From nftables wiki
(→‎Data types used in Netfilter: Added symbolic constants for ether_type and iface_type.)
Line 25: Line 25:
|- style="vertical-align:top;"
|- style="vertical-align:top;"
| ether_type
| ether_type
| [https://en.wikipedia.org/wiki/EtherType EtherType] (16 bit integer).
| [https://en.wikipedia.org/wiki/EtherType EtherType] (16 bit integer, with pre-defined symbolic constants):
* ''arp''
* ''ip''
* ''ip6''
* ''vlan''
| [[Matching_packet_metainformation |meta]]
| [[Matching_packet_metainformation |meta]]
| [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/if_ether.h ether.h] has known types.
| [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/if_ether.h ether.h] has known types.
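Review bot: the Notes cell beside the new constant list still only says that ether.h "has known types", so a reader now has four symbolic names but no pointer to their numeric values; add the way this page already lists predefined constants for a type (nft describe ether_type) next to the header link, so the reader does not copy a raw hex value out of ether.h and then has to discover separately in which byte order nft compares it.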
Line 51: Line 55:
|- style="vertical-align:top;"
|- style="vertical-align:top;"
| iface_type
| iface_type
| Interface type (16 bit integer).
| Interface type (16 bit integer, with pre-defined symbolic constants):
* ''ether''
* ''ppp''
* ''ipip''
* ''ipip6''
* ''loopback''
* ''sit''
* ''ipgre''
| [[Matching_packet_metainformation |meta]]
| [[Matching_packet_metainformation |meta]]
|  
|  
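Review bot: the Notes cell for iface_type is left empty (`|  `) while the ether_type row links the kernel header that defines its values; give this row an equivalent source for its seven constants, or at least point at nft describe iface_type, which this page already presents as the way to list a type's predefined constants.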
Line 71: Line 82:
| pkt_type
| pkt_type
| Packet type (8 bit integer, with pre-defined symbolic constants):
| Packet type (8 bit integer, with pre-defined symbolic constants):
<ul>
* ''host'' or ''unicast'' - addressed to local host
<li>''host'' or ''unicast'' - addressed to local host
* ''broadcast'' - to all
<li>''broadcast'' - to all
* ''multicast'' - to group
<li>''multicast'' - to group
* ''other'' - addressed to another host
<li>''other'' - addressed to another host
</ul>
| [[Matching_packet_metainformation |meta]]
| [[Matching_packet_metainformation |meta]]
|  
|  
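Review bot: "broadcast - to all" and "multicast - to group" are too terse to say what the packet is addressed to, and the other two items in the same list do say it ("addressed to local host", "addressed to another host"); suggest "broadcast - addressed to all hosts" and "multicast - addressed to a group" so the four items read in parallel.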

Revision as of 03:30, 17 February 2021

Data types used in Netfilter

The following data types are used in nft selectors:

{| class="wikitable"
|+ Netfilter Data Types
|- style="vertical-align:top;"
! Data Type !! Description !! nft Selector(s) !! Notes
|- style="vertical-align:top;"
| day
| Either a day of the week ("Monday", "Tuesday", etc.), or an integer between 0 and 6. Strings are matched case-insensitively, and a full match is not required (e.g. "Mon" matches "Monday"). When an integer is given, 0 is Sunday and 6 is Saturday.
| meta
| 
|- style="vertical-align:top;"
| devgroup_type
| Device group (32 bit integer).
| meta
| Can be specified numerically or as a symbolic name defined in /etc/iproute2/group.
|- style="vertical-align:top;"
| ether_type
| [https://en.wikipedia.org/wiki/EtherType EtherType] (16 bit integer, with pre-defined symbolic constants):
* ''arp''
* ''ip''
* ''ip6''
* ''vlan''
| meta
| [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/if_ether.h ether.h] has known types.

NOTE that ether.h lists EtherTypes in network byte order, while nft uses little-endian (host) order on x86. Check the output of nft describe ether_type.
|- style="vertical-align:top;"
| gid
| Group ID (32 bit integer).
| meta
| Can be specified numerically or as a group name.
|- style="vertical-align:top;"
| hour
| A string representing an hour in 24-hour format. Seconds can optionally be specified. For example, 17:00 and 17:00:00 are equivalent.
| meta
| 
|- style="vertical-align:top;"
| iface_index
| Interface index (32 bit integer).
| meta
| Can be specified numerically or as the name of an existing interface.

Use ifname instead for interfaces whose name and/or index can change (i.e. those that appear and disappear dynamically).
|- style="vertical-align:top;"
| iface_type
| Interface type (16 bit integer, with pre-defined symbolic constants):
* ''ether''
* ''ppp''
* ''ipip''
* ''ipip6''
* ''loopback''
* ''sit''
* ''ipgre''
| meta
| 
|- style="vertical-align:top;"
| ifkind
| Interface kind (16 byte string).
| meta
| The list of interface kinds is in the TYPES section of man 8 ip-link.
|- style="vertical-align:top;"
| ifname
| Interface name (16 byte string).
| meta
| Does not have to exist.

Slower than iface_index, but good for interfaces that can dynamically appear and disappear.
|- style="vertical-align:top;"
| pkt_type
| Packet type (8 bit integer, with pre-defined symbolic constants):
* ''host'' or ''unicast'' - addressed to the local host
* ''broadcast'' - addressed to all hosts
* ''multicast'' - addressed to a group
* ''other'' - addressed to another host
| meta
| 
|- style="vertical-align:top;"
| realm
| Routing realm (32 bit integer).
| meta
| Can be specified numerically or as a symbolic name defined in /etc/iproute2/rt_realms.

Routing realm references:
|- style="vertical-align:top;"
| time
| Either an integer or a date in ISO format, for example "2019-06-06 17:00". Hour and seconds are optional; if omitted, midnight is assumed. The following three are equivalent: "2019-06-06", "2019-06-06 00:00" and "2019-06-06 00:00:00". When an integer is given, it is assumed to be a UNIX timestamp.
| meta
| 
|- style="vertical-align:top;"
| uid
| User ID (32 bit integer).
| meta
| Can be specified numerically or as a user name.
|}
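The rules the table gives for the day, hour and time types, and the byte-order caveat in the ether_type row, are easy to get wrong when writing or auditing a ruleset. The following Python is an added example, not nft code and not part of this wiki: it implements those rules as the table states them so they can be checked against concrete inputs. Two things in it are this example's own choices rather than statements about nft: an ambiguous day prefix such as "T" is rejected, and integer timestamps are interpreted as UTC so the result is deterministic. The numeric EtherType values are the ones written in the kernel's if_ether.h.

```python
"""Added example: the 'day', 'hour', 'time' and 'ether_type' rules from the table
above, implemented as stated there. Not nft's code; see the lead-in for assumptions."""
import datetime
import re
import struct

# Index = numeric value: the table says 0 is Sunday and 6 is Saturday.
DAY_NAMES = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")

# EtherType values as written in include/uapi/linux/if_ether.h for the four
# symbolic names the table lists.
ETHERTYPES = {"ip": 0x0800, "arp": 0x0806, "ip6": 0x86DD, "vlan": 0x8100}

HOUR_RE = re.compile(r"^(\d{1,2}):(\d{2})(?::(\d{2}))?$")
TIME_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})(?: (\d{1,2}):(\d{2})(?::(\d{2}))?)?$")


def parse_day(value):
    """'day' type: an integer 0..6, or a case-insensitive prefix of a weekday name."""
    if isinstance(value, int) or (isinstance(value, str) and value.isdigit()):
        n = int(value)
        if not 0 <= n <= 6:
            raise ValueError(f"day number out of range 0..6: {n}")
        return n
    needle = value.strip().lower()
    if not needle:
        raise ValueError("empty day name")
    hits = [i for i, name in enumerate(DAY_NAMES) if name.lower().startswith(needle)]
    # The table only says a full match is not required; rejecting an ambiguous
    # prefix such as "T" (Tuesday/Thursday) is this example's own choice.
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous day name: {value!r}")
    return hits[0]


def parse_hour(value):
    """'hour' type: 'HH:MM' or 'HH:MM:SS', returned as seconds since midnight."""
    m = HOUR_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad hour {value!r}, expected HH:MM[:SS]")
    h, mi, s = int(m[1]), int(m[2]), int(m[3] or 0)
    if h > 23 or mi > 59 or s > 59:
        raise ValueError(f"hour fields out of range: {value!r}")
    return h * 3600 + mi * 60 + s


def parse_time(value):
    """'time' type: a UNIX timestamp, or an ISO date with an optional time
    (midnight when omitted). Returns a naive datetime. Timestamps are read as
    UTC here for determinism; that is an assumption of this example."""
    if isinstance(value, str) and value.strip().isdigit():
        value = int(value)
    if isinstance(value, int):
        return datetime.datetime.fromtimestamp(value, datetime.timezone.utc).replace(tzinfo=None)
    m = TIME_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad time {value!r}, expected YYYY-MM-DD[ HH:MM[:SS]]")
    y, mo, d = int(m[1]), int(m[2]), int(m[3])
    h, mi, s = int(m[4] or 0), int(m[5] or 0), int(m[6] or 0)
    return datetime.datetime(y, mo, d, h, mi, s)  # raises ValueError on e.g. month 13


def ethertype_views(value):
    """Return (value as written in ether.h, the same two wire bytes read as a
    little-endian integer). The two differ, which is the mismatch the NOTE in the
    ether_type row warns about; prefer the symbolic names in rules."""
    wire = struct.pack("!H", value)  # network byte order, as the bytes appear on the wire
    little_endian = struct.unpack("<H", wire)[0]
    return value, little_endian


if __name__ == "__main__":
    print(parse_day("mon"), parse_hour("17:00"), parse_time("2019-06-06"))
    print([hex(v) for v in ethertype_views(ETHERTYPES["ip"])])  # ['0x800', '0x8']
```

Running the module shows the three equivalent spellings of a midnight time collapsing to one value and the EtherType for IP appearing as 0x0800 in the header but 0x0008 when the wire bytes are read little-endian, which is why the table tells you to confirm numeric values with nft describe ether_type rather than copying them from ether.h.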

nft describe

You can use nft describe to get information about a data type, to find out the data type of a particular selector, and to list predefined symbolic constants for that selector. Some examples:

% nft describe iif
meta expression, datatype iface_index (network interface index) (basetype integer), 32 bits

% nft describe iifname
meta expression, datatype ifname (network interface name) (basetype string), 16 characters

% nft describe tcp flags
payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits

pre-defined symbolic constants (in hexadecimal):
        fin                             0x01
        syn                             0x02
        rst                             0x04
        psh                             0x08
        ack                             0x10
        urg                             0x20
        ecn                             0x40
        cwr                             0x80
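Because nft describe is the page's recommended way to discover a selector's type, size and constants, it is worth being able to consume that output programmatically, for instance when validating the symbolic names a ruleset uses before loading it. The following Python is an added example, not part of nft or of this wiki: it parses the three nft describe outputs shown above (embedded verbatim as sample input) and uses the parsed constants to turn a comma-separated flag list into the bitmask it denotes. The resolve_flags helper and the exact dictionary layout are this example's own design.

```python
"""Added example: parse `nft describe` output as shown on this page into a
structured record, then resolve symbolic constants against it. Not nft's code."""
import re

# Sample input: the three `nft describe` outputs shown on this page, verbatim.
DESCRIBE_IIF = "meta expression, datatype iface_index (network interface index) (basetype integer), 32 bits\n"
DESCRIBE_IIFNAME = "meta expression, datatype ifname (network interface name) (basetype string), 16 characters\n"
DESCRIBE_TCP_FLAGS = """\
payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits

pre-defined symbolic constants (in hexadecimal):
        fin                             0x01
        syn                             0x02
        rst                             0x04
        psh                             0x08
        ack                             0x10
        urg                             0x20
        ecn                             0x40
        cwr                             0x80
"""

HEADER_RE = re.compile(
    r"^(?P<kind>\w+) expression, datatype (?P<name>\w+) \((?P<desc>[^)]*)\) "
    r"\(basetype (?P<basetypes>[^)]*)\), (?P<size>\d+) (?P<unit>bits|characters)$"
)
CONST_RE = re.compile(r"^\s+(?P<sym>\w+)\s+0x(?P<hex>[0-9a-fA-F]+)\s*$")


def parse_describe(text):
    """Return a dict with the expression kind, datatype, basetypes, size/unit and
    any predefined symbolic constants (name -> integer value)."""
    lines = text.strip("\n").splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("unrecognised describe header: " + lines[0])
    info = {
        "expression": m["kind"],
        "datatype": m["name"],
        "description": m["desc"],
        "basetypes": [b.strip() for b in m["basetypes"].split(",")],
        "size": int(m["size"]),
        "unit": m["unit"],
        "constants": {},
    }
    in_constants = False
    for line in lines[1:]:
        if line.startswith("pre-defined symbolic constants"):
            in_constants = True
            continue
        if in_constants:
            c = CONST_RE.match(line)
            if c:
                info["constants"][c["sym"]] = int(c["hex"], 16)
    return info


def resolve_flags(info, spec):
    """Turn a flag list such as 'syn,ack' into the combined mask, using only the
    constants nft reported for that type. Only meaningful for bitmask basetypes."""
    if "bitmask" not in info["basetypes"]:
        raise TypeError(f"{info['datatype']} is not a bitmask type")
    mask = 0
    for name in spec.split(","):
        name = name.strip()
        if name not in info["constants"]:
            raise ValueError(f"unknown {info['datatype']} constant {name!r}")
        mask |= info["constants"][name]
    if mask >= 1 << info["size"]:
        raise ValueError(f"mask {mask:#x} does not fit in {info['size']} bits")
    return mask


if __name__ == "__main__":
    flags = parse_describe(DESCRIBE_TCP_FLAGS)
    print(flags["datatype"], flags["basetypes"], flags["size"], flags["unit"])
    print(hex(resolve_flags(flags, "syn,ack")))  # 0x12
    print(parse_describe(DESCRIBE_IIFNAME)["size"], "characters")
```

The size and unit fields are what a ruleset linter would use to reject, for example, an interface name longer than the 16 characters nft describe iifname reports, and the constants dictionary lets it flag a misspelled flag name before nft itself refuses the rule.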