Difference between revisions of "Data types"
(→Data types used in Netfilter: Added ether_addr, inet_proto, internal links.) |
(→Data types used in Netfilter: Added values for inet_proto.) |
||
| Line 89: | Line 89: | ||
|- style="vertical-align:top;" | |- style="vertical-align:top;" | ||
| inet_proto | | inet_proto | ||
| Internet protocol (8 bit integer) | | Internet protocol (8 bit integer), with pre-defined symbolic constants: | ||
* ''tcp'' | |||
* ''udp'' | |||
* ''udplite'' | |||
* ''esp'' | |||
* ''ah'' | |||
* ''icmp'' | |||
* ''icmpv6'' | |||
* ''comp'' | |||
* ''dccp'' | |||
* ''sctp'' | |||
| [[Matching_packet_header_fields#Matching_transport_protocol|''ip protocol'']]<br> | | [[Matching_packet_header_fields#Matching_transport_protocol|''ip protocol'']]<br> | ||
[[Matching_packet_header_fields#Matching_IPv6_header_fields|''ip6 nexthdr'']]<br> | [[Matching_packet_header_fields#Matching_IPv6_header_fields|''ip6 nexthdr'']]<br> | ||
| Line 95: | Line 105: | ||
''comp nexthdr''<br> | ''comp nexthdr''<br> | ||
[[Matching_connection_tracking_stateful_metainformation|''ct'' {''original'' | ''reply''} ''protocol'']] | [[Matching_connection_tracking_stateful_metainformation|''ct'' {''original'' | ''reply''} ''protocol'']] | ||
| | | [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/in.h in.h] has known types. | ||
|- style="vertical-align:top;" | |- style="vertical-align:top;" | ||
Revision as of 14:29, 17 February 2021
Data types used in Netfilter
The following data types are used in nft expressions to select matching packets:
| Netfilter Data Types | |||
|---|---|---|---|
| Data Type | Description | nft Expressions | Notes |
| day | Either a day of week ("Monday", "Tuesday", etc.), or an integer between 0 and 6. Strings are matched case-insensitively, and a full match is not expected (e.g. "Mon" would match "Monday"). When an integer is given, 0 is Sunday and 6 is Saturday. | meta day | |
| devgroup | Device group (32 bit integer). | meta {iifgroup | oifgroup} | Can be specified numerically or as symbolic name defined in /etc/iproute2/group. |
| ether_addr | Ethernet address (48 bit integer). | ether {saddr | daddr} arp {saddr | daddr} ether |
|
| ether_type | EtherType (16 bit integer, with pre-defined symbolic constants):
|
meta protocol | ether.h has known types.
NOTE that ether.h lists EtherTypes in network order, while nft uses little-endian order on x86. (Check output of nft describe ether_type.) |
| gid | Group ID (32 bit integer). | meta skgid | Can be specified numerically or as group name. |
| hour | A string representing an hour in 24-hour format. Seconds can optionally be specified. For example, 17:00 and 17:00:00 would be equivalent. | meta hour | |
| iface_index | Interface index (32 bit integer). | meta {iif | oif} | Can be specified numerically or as name of an existing interface.
Use ifname instead for interfaces whose name and/or index can change (i.e. those that appear / disappear dynamically). |
| iface_type | Interface type (16 bit integer, with pre-defined symbolic constants):
|
meta {iiftype | oiftype} | |
| ifkind | Interface kind name (16 byte string). | meta {iifkind | oifkind} | dev->rtnl_link_ops->kind
The man 8 ip-link TYPES section lists valid ifkinds. It's missing at least one: tun. |
| ifname | Interface name (16 byte string). | meta {iifname | oifname} | Does not have to exist.
Slower than iface_index but good for interfaces that can dynamically appear / disappear. |
| inet_proto | Internet protocol (8 bit integer), with pre-defined symbolic constants:
|
ip protocol ip6 nexthdr |
in.h has known types. |
| inet_service | Network service port number (16 bit integer). | udp {sport | dport} tcp {sport | dport} |
|
| ipv4_addr | IPv4 address (32 bit integer). | ip {saddr | daddr} arp {saddr | daddr} ip |
|
| ipv6_addr | IPv6 address (128 bit integer). | ip6 {saddr | daddr} ct {original | reply} ip6 {saddr | daddr} |
|
| pkt_type | Packet type (8 bit integer, with pre-defined symbolic constants):
|
meta pkttype | |
| realm | Routing Realm (32 bit integer). | meta rtclassid | Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms.
Routing realm references: |
| time | Either an integer or a date in ISO format. For example: "2019-06-06 17:00". Hour and seconds are optional and can be omitted if desired. If omitted, midnight will be assumed. The following three would be equivalent: "2019-06-06", "2019-06-06 00:00" and "2019-06-06 00:00:00". When an integer is given, it is assumed to be a UNIX timestamp. | meta time | |
| uid | User ID (32 bit integer). | meta skuid | Can be specified numerically or as user name. |
nft describe
You can use nft describe to get information about a data type, to find out the data type of a particular selector, and to list predefined symbolic constants for that selector. Some examples:
% nft describe iif
meta expression, datatype iface_index (network interface index) (basetype integer), 32 bits
% nft describe iifname
meta expression, datatype ifname (network interface name) (basetype string), 16 characters
% nft describe tcp flags
payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits
pre-defined symbolic constants (in hexadecimal):
fin 0x01
syn 0x02
rst 0x04
psh 0x08
ack 0x10
urg 0x20
ecn 0x40
cwr 0x80