Difference between revisions of "Data types"

From nftables wiki
(→‎Data types used in Netfilter: Added routing realm refs)
(Linked ethernet & IP Wikipedia pages, and conntrack page.)
 
(26 intermediate revisions by the same user not shown)
= ''nft describe'' =

You can use ''nft describe'' to get information about a data type, to find out the data type of a particular selector, and to list the pre-defined symbolic constants for that selector. It accepts either an expression (''nft describe tcp flags'') or a bare data type name (''nft describe ether_type''). Some examples:

<nowiki>% nft describe iif
meta expression, datatype iface_index (network interface index) (basetype integer), 32 bits

% nft describe iifname
meta expression, datatype ifname (network interface name) (basetype string), 16 characters

% nft describe tcp flags
payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits

pre-defined symbolic constants (in hexadecimal):
        fin                             0x01
        syn                             0x02
        rst                             0x04
        psh                             0x08
        ack                             0x10
        urg                             0x20
        ecn                             0x40
        cwr                             0x80</nowiki>
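
The data type names that ''nft describe'' reports are the same names you give to ''type'' when declaring sets and maps, and a set can only be used with a selector of exactly that type. The following ruleset is an added example, not part of this wiki page or of the nftables project; the table and set names, addresses and ports in it are made up.

```nft
#!/usr/sbin/nft -f
# Added example (not from the nftables wiki): datatype names reported by
# `nft describe` are what `type` takes in set and map declarations.
# Table/set names, addresses and ports below are made up.
# Validate the file without loading it:  nft -c -f typed-sets.nft

flush ruleset

table inet filter {
    # `nft describe ip saddr` -> datatype ipv4_addr, 32 bits.
    # `flags interval` lets elements be prefixes or ranges.
    set admin_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.10-198.51.100.20 }
    }

    # `nft describe ip6 saddr` -> datatype ipv6_addr, 128 bits.
    set admin_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:1::/48 }
    }

    # `nft describe tcp dport` -> datatype inet_service, 16 bits.
    # Port ranges also need `flags interval`.
    set mgmt_ports {
        type inet_service
        flags interval
        elements = { 22, 8443, 9000-9010 }
    }

    # Concatenated key: a verdict map keyed on (address . port).
    map svc_policy {
        type ipv4_addr . inet_service : verdict
        elements = { 192.0.2.10 . 22 : accept,
                     192.0.2.10 . 23 : drop }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # The set type must match the selector type: nft rejects
        # `ip saddr @mgmt_ports` at load time with a datatype mismatch,
        # which is the check that keeps a typo from silently matching nothing.
        ip saddr @admin_v4 tcp dport @mgmt_ports accept
        ip6 saddr @admin_v6 tcp dport @mgmt_ports accept

        # Look up with the same concatenation the map was declared with.
        ip daddr . tcp dport vmap @svc_policy
    }
}
```

Run ''nft -c -f typed-sets.nft'' first: check mode parses and type-checks the whole file against the data types above without touching the live ruleset.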
 
 
= List of data types =

== Date and time types ==

{| class="wikitable"
!colspan="4"|Date and time types
|- style="vertical-align:bottom;"
! Data Type
! style="text-align:left;" | Description
! style="text-align:left;" | Expressions
! style="text-align:left;" | Notes
|- style="vertical-align:top;"
| day
| Day of week of packet reception (8 bit integer, with pre-defined symbolic constants):
* ''Sunday''
* ''Monday''
* ''Tuesday''
* ''Wednesday''
* ''Thursday''
* ''Friday''
* ''Saturday''
| [[Matching_packet_metainformation|''meta&nbsp;day'']]
| ''Sunday'' = 0, ''Saturday'' = 6.
Symbolic constants are case insensitive, and unique abbreviations are accepted: ''Sun'' = ''sun'' = ''Sunday'' = 0.
|- style="vertical-align:top;"
| hour
| Hour of day of packet reception (32 bit integer, stored as seconds since midnight).
Specify as a string in 24-hour format, hh:mm[:ss].
| [[Matching_packet_metainformation|''meta&nbsp;hour'']]
| Seconds are optional: ''17:00'' = ''17:00:00''.
|- style="vertical-align:top;"
| time
| Absolute time of packet reception (64 bit integer).
| [[Matching_packet_metainformation |''meta&nbsp;time'']]
| Can be specified as a date in ISO format, e.g. "2019-06-06 17:00". The time of day and the seconds are optional; if omitted, midnight is assumed. The following three are equivalent: "2019-06-06" = "2019-06-06 00:00" = "2019-06-06 00:00:00".
When an integer is specified, it is assumed to be a UNIX timestamp.
|}
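
The three types above are what time-windowed rules are built from. The ruleset below is an added example, not code from this wiki or from the nftables project; the addresses, ports and dates are made up.

```nft
#!/usr/sbin/nft -f
# Added example (not from the nftables wiki): matching on the day, hour
# and time data types. Addresses, ports and dates are made up.

flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # day is an 8-bit integer, Sunday = 0 .. Saturday = 6, so 1-5 is
        # Monday to Friday; hour is written as hh:mm[:ss] and may be a range.
        # Together: RDP from the office network only during business hours.
        meta day 1-5 meta hour "08:30"-"18:00" ip saddr 192.0.2.0/24 tcp dport 3389 accept

        # time is an absolute timestamp: a self-expiring exception that
        # stops matching once the deadline has passed, with no cron job
        # needed to remove it. An integer UNIX timestamp is accepted too;
        # 1619827200 is the same instant only if the system timezone is UTC.
        meta time < "2021-05-01 00:00" ip saddr 198.51.100.7 tcp dport 22 accept
    }
}
```

Caveat: nft converts the hour you write to UTC using the local timezone offset in effect when the rule is loaded, and the kernel compares against its own clock. After a DST change the window shifts by an hour until the ruleset is reloaded, so reload on timezone changes and confirm what was stored with ''nft list ruleset''.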
 
== Network interface types ==

{| class="wikitable"
!colspan="4"|Network interface types
|- style="vertical-align:bottom;"
! Data Type
! style="text-align:left;" | Description
! style="text-align:left;" | Expressions
! style="text-align:left;" | Notes
|- style="vertical-align:top;"
| devgroup
| Device group (32 bit integer).
| [[Matching_packet_metainformation|''meta''&nbsp;{''iifgroup''&nbsp;|&nbsp;''oifgroup''}]]
| Can be specified numerically or as a symbolic name defined in /etc/iproute2/group.
|- style="vertical-align:top;"
| iface_index
| Interface index (32 bit integer).
| [[Matching_packet_metainformation|''meta''&nbsp;{''iif''&nbsp;|&nbsp;''oif''}]]
| Can be specified numerically or as the name of an existing interface; the name is resolved to its index when the rule is loaded, so the interface must exist at that time.
Use ifname instead for interfaces whose name and/or index can change (i.e. those that appear / disappear dynamically).
|- style="vertical-align:top;"
| iface_type
| Interface type (16 bit integer, with pre-defined symbolic constants):
* ''ether''
* ''ppp''
* ''ipip''
* ''ipip6''
* ''loopback''
* ''sit''
* ''ipgre''
| [[Matching_packet_metainformation|''meta''&nbsp;{''iiftype''&nbsp;|&nbsp;''oiftype''}]]
|
|- style="vertical-align:top;"
| ifkind
| Interface kind name (16 byte string).
| [[Matching_packet_metainformation|''meta''&nbsp;{''iifkind''&nbsp;|&nbsp;''oifkind''}]]
| Taken from dev->rtnl_link_ops->kind in the kernel.
The ''man 8 ip-link'' TYPES section lists valid ifkinds. It is missing at least one: ''tun''.
|- style="vertical-align:top;"
| ifname
| Interface name (16 byte string).
| [[Matching_packet_metainformation|''meta''&nbsp;{''iifname''&nbsp;|&nbsp;''oifname''}]]
| Does not have to exist. A trailing ''*'' matches a name prefix, e.g. ''"wg*"''.
Slower than iface_index but good for interfaces that can dynamically appear / disappear.
|}
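
The practical difference between these types is when the comparison happens: an iface_index is resolved once at load time, an ifname is compared on every packet. The ruleset below is an added example, not from this wiki or the nftables project; the interface names, group number and ports are made up.

```nft
#!/usr/sbin/nft -f
# Added example (not from the nftables wiki): choosing between the
# iface_index, ifname, ifkind, iface_type and devgroup selectors.
# Interface names, the group number and ports are made up.

flush ruleset

table inet filter {
    # A set of type ifname: the names need not exist when this loads.
    set vpn_ifaces {
        type ifname
        elements = { "wg0", "wg1" }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # iface_index: "lo" is turned into its index when the rule is
        # loaded. Loading fails if the interface does not exist yet, and
        # the rule keeps matching the old index if the device is recreated.
        # Fine for interfaces that never go away.
        meta iif "lo" accept

        # ifname: compared as a string on every packet, so it works for
        # interfaces created later (wg, tun, veth, ...). A trailing *
        # matches a prefix; keep prefixes specific, since anything that can
        # create a device with that prefix also gets this rule.
        meta iifname @vpn_ifaces tcp dport 22 accept
        meta iifname "tun*" udp dport 53 accept

        # ifkind: the driver's kind string (dev->rtnl_link_ops->kind),
        # e.g. "wireguard", "veth", "bridge". Physical NICs have none.
        meta iifkind "wireguard" counter accept

        # iface_type: link-layer type, independent of the name.
        meta iiftype ppp drop

        # devgroup: set with `ip link set dev eth0 group 10`; symbolic
        # names come from /etc/iproute2/group.
        meta iifgroup 10 accept
    }
}
```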
== Ethernet types ==
{| class="wikitable"
!colspan="4"|[https://en.wikipedia.org/wiki/Ethernet Ethernet] types
|- style="vertical-align:bottom;"
! Data Type
! style="text-align:left;" | Description
! style="text-align:left;" | Expressions
! style="text-align:left;" | Notes
|- style="vertical-align:top;"
| ether_addr
| Ethernet address (48 bit integer).
|
* [[Matching_packet_headers#Matching_ethernet_headers|''ether''&nbsp;{''saddr''&nbsp;|&nbsp;''daddr''}]]
* ''arp''&nbsp;{''saddr''&nbsp;|&nbsp;''daddr''}&nbsp;''ether''
|
|- style="vertical-align:top;"
| ether_type
| [https://en.wikipedia.org/wiki/EtherType EtherType] (16 bit integer, with pre-defined symbolic constants):
* ''arp''
* ''ip''
* ''ip6''
* ''vlan''
| [[Matching_packet_metainformation|''meta&nbsp;protocol'']]
| [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/if_ether.h if_ether.h] has known types.
NOTE that if_ether.h lists EtherTypes in [https://en.wikipedia.org/wiki/Endianness#Networking network&nbsp;order] (as they appear on the wire), while the hex values ''nft'' prints are in host order, which is little-endian on x86 and therefore byte-swapped. Prefer the symbolic names over raw hex values, and check the output of ''nft describe ether_type'' before using a number.
|}
== ARP types ==
{| class="wikitable"
!colspan="4"|[https://en.wikipedia.org/wiki/Address_Resolution_Protocol ARP] types
|- style="vertical-align:bottom;"
! Data Type
! style="text-align:left;" | Description
! style="text-align:left;" | Expressions
! style="text-align:left;" | Notes
|- style="vertical-align:top;"
|
| ARP HLEN, hardware address length in octets (8 bit integer)
| [[Matching_packet_headers#Matching_ARP_headers|''arp hlen'' &laquo;HLEN&raquo;]]
| Unnamed 8-bit integer in nftables.
For ethernet HLEN&nbsp;=&nbsp;6.
|- style="vertical-align:top;"
|
| ARP HTYPE, hardware type (16 bit integer)
| [[Matching_packet_headers#Matching_ARP_headers|''arp htype'' &laquo;HTYPE&raquo;]]
| Unnamed 16-bit integer in nftables.
[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/if_arp.h if_arp.h] has known types.
|- style="vertical-align:top;"
|
| ARP PLEN, internetwork address length in octets (8 bit integer)
| [[Matching_packet_headers#Matching_ARP_headers|''arp plen'' &laquo;PLEN&raquo;]]
| Unnamed 8-bit integer in nftables.
For IPv4 PLEN&nbsp;=&nbsp;4.
|- style="vertical-align:top;"
| arp_op
| ARP operation (16 bit integer, with pre-defined symbolic constants):
* ''request'' = 1
* ''reply'' = 2
* ''rrequest'' = 3
* ''rreply'' = 4
* ''inrequest'' = 8
* ''inreply'' = 9
* ''nak'' = 10
| [[Matching_packet_headers#Matching_ARP_headers|''arp operation'' &laquo;arp_op&raquo;]]
|
|}
== IP types ==
{| class="wikitable"
!colspan="4"|[https://en.wikipedia.org/wiki/Internet_Protocol IP] types
|- style="vertical-align:bottom;"
! Data Type
! style="text-align:left;" | Description
! style="text-align:left;" | Expressions
! style="text-align:left;" | Notes
|- style="vertical-align:top;"
| inet_proto
| Internet protocol (8 bit integer, with pre-defined symbolic constants):
* ''tcp''
* ''udp''
* ''udplite''
* ''esp''
* ''ah''
* ''icmp''
* ''icmpv6''
* ''comp''
* ''dccp''
* ''sctp''
|
* [[Matching_packet_headers#Matching_transport_protocol|''ip protocol'']]
* [[Matching_packet_headers#Matching_IPv6_headers|''ip6 nexthdr'']]
* ''ah nexthdr''
* ''comp nexthdr''
* [[Matching_connection_tracking_stateful_metainformation|''ct''&nbsp;{''original''&nbsp;|&nbsp;''reply''}&nbsp;''protocol'']]
| [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/in.h in.h] has known types.
|- style="vertical-align:top;"
| inet_service
| Network service port number (16 bit integer).
|
* [[Matching_packet_headers#Matching_TCP.2FUDP.2FUDPlite_traffic|''udp''&nbsp;{''sport''&nbsp;|&nbsp;''dport''}]]
* [[Matching_packet_headers#Matching_TCP.2FUDP.2FUDPlite_traffic|''tcp''&nbsp;{''sport''&nbsp;|&nbsp;''dport''}]]
* [[Matching_packet_headers#Matching_TCP.2FUDP.2FUDPlite_traffic|''udplite''&nbsp;{''sport''&nbsp;|&nbsp;''dport''}]]
* [[Matching_packet_headers#Matching_TCP.2FUDP.2FUDPlite_traffic|''sctp''&nbsp;{''sport''&nbsp;|&nbsp;''dport''}]]
* [[Matching_packet_headers#Matching_TCP.2FUDP.2FUDPlite_traffic|''dccp''&nbsp;{''sport''&nbsp;|&nbsp;''dport''}]]
|
|- style="vertical-align:top;"
| ipv4_addr
| IPv4 address (32 bit integer).
|
* [[Matching_packet_headers#Matching_IPv4_headers|''ip''&nbsp;{''saddr''&nbsp;|&nbsp;''daddr''} ]]
* ''arp''&nbsp;{''saddr''&nbsp;|&nbsp;''daddr''}&nbsp;''ip''
* [[Matching_connection_tracking_stateful_metainformation|''ct''&nbsp;{''original''&nbsp;|&nbsp;''reply''}&nbsp;''ip''&nbsp;{''saddr''&nbsp;|&nbsp;''daddr''}]]
* [[Matching routing information|''rt&nbsp;ip&nbsp;nexthop'']]
* ''ipsec''&nbsp;{''in''&nbsp;|&nbsp;''out''}&nbsp;''ip''&nbsp;{''saddr''&nbsp;|&nbsp;''daddr''}
|
|- style="vertical-align:top;"
| ipv6_addr
| IPv6 address (128 bit integer).
|
* [[Matching_packet_headers#Matching_IPv6_headers|''ip6''&nbsp;{''saddr''&nbsp;|&nbsp;''daddr''} ]]
* [[Matching_connection_tracking_stateful_metainformation|''ct''&nbsp;{''original''&nbsp;|&nbsp;''reply''}&nbsp;''ip6''&nbsp;{''saddr''&nbsp;|&nbsp;''daddr''}]]
* [[Matching routing information|''rt&nbsp;ip6&nbsp;nexthop'']]
* ''ipsec''&nbsp;{''in''&nbsp;|&nbsp;''out''}&nbsp;''ip6''&nbsp;{''saddr''&nbsp;|&nbsp;''daddr''}
|
|}
== Conntrack types ==
{| class="wikitable"
!colspan="4"|[[Connection_Tracking_System|Conntrack]] types
|- style="vertical-align:bottom;"
! Data Type
! style="text-align:left;" | Description
! style="text-align:left;" | Expressions
! style="text-align:left;" | Notes
|- style="vertical-align:top;"
| ct_dir
| Conntrack direction (8 bit integer).
| [[Matching_connection_tracking_stateful_metainformation|''ct&nbsp;direction'']]
| Symbolic constants:
<pre>
original      0
reply          1
</pre>
|- style="vertical-align:top;"
| ct_event
| Conntrack event bits (4 byte bitmask).
| [[Matching_connection_tracking_stateful_metainformation|''ct&nbsp;event'']]
| Symbolic constants:
<pre>
new            1
related        2
destroy        4
reply          8
assured      16
protoinfo    32
helper        64
mark        128
seqadj      256
secmark      512
label      1024
</pre>
|- style="vertical-align:top;"
| ct_label
| Conntrack label (128 bit bitmask).
| [[Matching_connection_tracking_stateful_metainformation|''ct&nbsp;label'']]
| Labels are referenced by name; the names are defined in /etc/xtables/connlabel.conf.
|- style="vertical-align:top;"
| ct_state
| Conntrack state (4 byte bitmask).
| [[Matching_connection_tracking_stateful_metainformation|''ct&nbsp;state'']]
| Symbolic constants:
<pre>
invalid        1
established    2
related        4
new            8
untracked    64
</pre>
|- style="vertical-align:top;"
| ct_status
| Conntrack status (4 byte bitmask).
| [[Matching_connection_tracking_stateful_metainformation|''ct&nbsp;status'']]
| Symbolic constants:
<pre>
expected      1
seen-reply    2
assured        4
confirmed      8
snat          16
dnat          32
dying        512
</pre>
|}
== Other types ==
{| class="wikitable"
!colspan="4"|Other types
|- style="vertical-align:bottom;"
! Data Type
! style="text-align:left;" | Description
! style="text-align:left;" | Expressions
! style="text-align:left;" | Notes
|- style="vertical-align:top;"
| gid
| Group ID (32 bit integer).
| [[Matching_packet_metainformation |''meta&nbsp;skgid'']]
| Can be specified numerically or as group name.
|- style="vertical-align:top;"
| mark
| Packet mark (32 bit integer).
|
* [[Matching_packet_metainformation#Matching_by_packet_mark.2C_routing_class_and_realm|''meta&nbsp;mark'']]
* ''socket&nbsp;mark''
* [[Matching routing information|''fib&nbsp;mark&nbsp;.&nbsp;''{''saddr''&nbsp;|&nbsp;''daddr''&nbsp;|&nbsp;''iif''&nbsp;|&nbsp;''oif''}&nbsp;[.&nbsp;...]&nbsp;{''oif''&nbsp;|&nbsp;''oifname''&nbsp;|&nbsp;''type''}]]
* [[Matching_connection_tracking_stateful_metainformation|''ct&nbsp;mark'']]
|
|- style="vertical-align:top;"
| pkt_type
| Packet type (8 bit integer, with pre-defined symbolic constants):
* ''host'' or ''unicast'' - addressed to local host
* ''broadcast'' - to all
* ''multicast'' - to group
* ''other'' - addressed to another host
| [[Matching_packet_metainformation |''meta&nbsp;pkttype'']]
|
|- style="vertical-align:top;"
| realm
| Routing Realm (32 bit integer).
| [[Matching_packet_metainformation |''meta&nbsp;rtclassid'']]
| Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms.
Routing realm references:
<ul>
<li>[http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH07.web.html policyrouting.org]
</ul>
|- style="vertical-align:top;"
| uid
| User ID (32 bit integer).
| [[Matching_packet_metainformation |''meta&nbsp;skuid'']]
| Can be specified numerically or as user name.
|}
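
The bitmask types (ct_state, ct_status) and the link-layer types (ether_addr, arp_op, pkt_type) from the tables above are the ones most often combined in host-protection rules. The ruleset below is an added example, not from this wiki or the nftables project; the MAC addresses, IP addresses, user name and mark value are made up.

```nft
#!/usr/sbin/nft -f
# Added example (not from the nftables wiki): bitmask and link-layer
# data types in use. MAC/IP addresses, the user name and the mark
# value are made up.

flush ruleset

# arp_op and ether_addr: pin the gateway's MAC against ARP spoofing.
table arp filter {
    chain input {
        type filter hook input priority 0; policy accept;
        # An ARP reply claiming the gateway IP from any other MAC is dropped.
        arp operation reply arp saddr ip 192.0.2.1 arp saddr ether != 00:00:5e:00:53:01 counter drop
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # ct_state is a bitmask; a vmap dispatches on which bit is set.
        ct state vmap { invalid : drop, established : accept, related : accept }

        # ct_status is another bitmask: accept only traffic that went
        # through DNAT (i.e. an explicit port-forward), whatever the port.
        ct status dnat accept

        # pkt_type: drop link-layer broadcast and multicast on this host.
        meta pkttype { broadcast, multicast } drop

        # ether_addr in an inet table only makes sense for frames that
        # arrived on an ethernet interface (nft adds that dependency).
        ether saddr 00:00:5e:00:53:02 tcp dport 22 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # uid: a user name is resolved via /etc/passwd when the rule is
        # loaded (a missing user is a load error). Block direct SMTP from
        # the web server account; mark its other traffic for policy routing.
        meta skuid "www-data" tcp dport 25 counter drop
        meta skuid "www-data" meta mark set 0x10 ct mark set meta mark
    }
}
```

The last rule uses two 32-bit mark types: ''meta mark'' is per packet and is what ''ip rule fwmark 0x10'' sees, while ''ct mark'' persists the value on the connection so later packets (including replies) can be restored with ''meta mark set ct mark''.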

Latest revision as of 17:05, 20 April 2021
