Difference between revisions of "Matching packet metainformation"
Jump to navigation
Jump to search
(→The meta selectors: Put meta selectors into a table) |
|||
| Line 6: | Line 6: | ||
{| class="wikitable" | {| class="wikitable" | ||
!colspan=" | !colspan="5"|Meta Selectors | ||
|- style="vertical-align:bottom;" | |- style="vertical-align:bottom;" | ||
! Keyword | ! Keyword | ||
! [[Setting_packet_metainformation |Settable]] | ! [[Setting_packet_metainformation |Settable]] | ||
! style="text-align:left;" | Description | ! style="text-align:left;" | Description | ||
! style="text-align:left;" | Type | |||
! style="text-align:left;" | Notes | ! style="text-align:left;" | Notes | ||
| Line 17: | Line 18: | ||
| [[Setting_packet_metainformation |Y]] | | [[Setting_packet_metainformation |Y]] | ||
| packet mark | | packet mark | ||
| mark | |||
| | | | ||
| Line 23: | Line 25: | ||
| | | | ||
| input interface index | | input interface index | ||
| iface_index | |||
| | | | ||
| Line 29: | Line 32: | ||
| | | | ||
| input interface name | | input interface name | ||
| ifname | |||
| | | | ||
| Line 35: | Line 39: | ||
| | | | ||
| input interface type | | input interface type | ||
| iface_type | |||
| | | | ||
| Line 41: | Line 46: | ||
| | | | ||
| output interface index | | output interface index | ||
| iface_index | |||
| | | | ||
| Line 47: | Line 53: | ||
| | | | ||
| output interface name | | output interface name | ||
| ifname | |||
| | | | ||
| Line 53: | Line 60: | ||
| | | | ||
| output interface type | | output interface type | ||
| iface_type | |||
| | | | ||
| Line 58: | Line 66: | ||
| ''skuid'' | | ''skuid'' | ||
| | | | ||
| socket uid | | UID associated with originating socket | ||
| uid | |||
| | | | ||
| Line 64: | Line 73: | ||
| ''skgid'' | | ''skgid'' | ||
| | | | ||
| socket gid | | GID associated with originating socket | ||
| gid | |||
| | | | ||
| Line 71: | Line 81: | ||
| [[Setting_packet_metainformation |Y]] | | [[Setting_packet_metainformation |Y]] | ||
| [[Ruleset_debug/tracing|nftrace debugging]] bit | | [[Ruleset_debug/tracing|nftrace debugging]] bit | ||
| | |||
| | | | ||
| Line 76: | Line 87: | ||
| ''rtclassid'' | | ''rtclassid'' | ||
| | | | ||
| routing realm | |||
| realm | | realm | ||
| | | | ||
| Line 83: | Line 95: | ||
| | | | ||
| input bridge port | | input bridge port | ||
| | |||
| | | | ||
| Line 89: | Line 102: | ||
| | | | ||
| output bridge port | | output bridge port | ||
| | |||
| | | | ||
| Line 94: | Line 108: | ||
| ''ibrname'' | | ''ibrname'' | ||
| | | | ||
| input bridge name | | input bridge interface name | ||
| ifname | |||
| | | | ||
| Line 100: | Line 115: | ||
| ''obrname'' | | ''obrname'' | ||
| | | | ||
| output bridge name | | output bridge interface name | ||
| ifname | |||
| | | | ||
| Line 107: | Line 123: | ||
| [[Setting_packet_metainformation |Y]] | | [[Setting_packet_metainformation |Y]] | ||
| packet type | | packet type | ||
| pkt_type | |||
| | | | ||
| Line 112: | Line 129: | ||
| ''cpu'' | | ''cpu'' | ||
| | | | ||
| | | CPU number processing the packet | ||
| integer (32 bit) | |||
| | | | ||
| Line 119: | Line 137: | ||
| | | | ||
| input interface group | | input interface group | ||
| devgroup | |||
| | | | ||
| Line 125: | Line 144: | ||
| | | | ||
| output interface group | | output interface group | ||
| devgroup | |||
| | | | ||
| Line 130: | Line 150: | ||
| ''cgroup'' | | ''cgroup'' | ||
| | | | ||
| | | control group ID | ||
| integer (32 bit) | |||
| | | | ||
| Line 136: | Line 157: | ||
| ''ipsec'' | | ''ipsec'' | ||
| | | | ||
| ipsec ( | | true if packet was ipsec encrypted | ||
| boolean (1 bit) | |||
| | | | ||
| Line 142: | Line 164: | ||
| ''time'' | | ''time'' | ||
| | | | ||
| packet | | timestamp of packet reception | ||
| integer (32 bit) or string | |||
| | | | ||
| Line 148: | Line 171: | ||
| ''day'' | | ''day'' | ||
| | | | ||
| | | day of week | ||
| integer (32 bit) or string | |||
| | | | ||
| Line 154: | Line 178: | ||
| ''hour'' | | ''hour'' | ||
| | | | ||
| | | hour of day | ||
| string | |||
| | | | ||
| Line 160: | Line 185: | ||
| ''length'' | | ''length'' | ||
| | | | ||
| packet length | | packet length in bytes | ||
| integer (32 bit) | |||
| | | | ||
| Line 166: | Line 192: | ||
| ''protocol'' | | ''protocol'' | ||
| | | | ||
| packet protocol | | packet protocol / EtherType protocol value | ||
| ether_type | |||
| as in skb->protocol | | as in skb->protocol | ||
| Line 173: | Line 200: | ||
| | | | ||
| netfilter packet protocol family | | netfilter packet protocol family | ||
| like ipv4, ipv6, etc... | | integer (32 bit) | ||
| like ipv4, ipv6, etc...; useful only in inet table | |||
|- style="vertical-align:top;" | |- style="vertical-align:top;" | ||
| Line 179: | Line 207: | ||
| | | | ||
| layer 4 protocol | | layer 4 protocol | ||
| like tcp, udp, etc... | | integer (8 bit) | ||
| like tcp, udp, etc...; skips ipv6 extension headers | |||
|- style="vertical-align:top;" | |- style="vertical-align:top;" | ||
| ''priority'' | | ''priority'' | ||
| [[Setting_packet_metainformation |Y]] | | [[Setting_packet_metainformation |Y]] | ||
| packet priority | | tc packet priority | ||
| tc_handle | |||
| | | | ||
| Line 190: | Line 220: | ||
| ''random'' | | ''random'' | ||
| | | | ||
| | | pseudo-random number | ||
| integer (32 bit) | |||
| | | | ||
| Line 197: | Line 228: | ||
| [[Setting_packet_metainformation |Y]] | | [[Setting_packet_metainformation |Y]] | ||
| packet secmark | | packet secmark | ||
| | |||
| | | | ||
| Line 203: | Line 235: | ||
| | | | ||
| bridge protocol | | bridge protocol | ||
| | |||
| | | | ||
| Line 209: | Line 242: | ||
| | | | ||
| bridge pvid | | bridge pvid | ||
| | |||
| | | | ||
Revision as of 01:03, 5 February 2021
The meta selectors allows you to match (and in some cases, set) packet metainformation.
The meta selectors
The following meta selectors match -- and in some cases set -- packet metainformation:
| Meta Selectors | ||||
|---|---|---|---|---|
| Keyword | Settable | Description | Type | Notes |
| mark | Y | packet mark | mark | |
| iif | input interface index | iface_index | ||
| iifname | input interface name | ifname | ||
| iiftype | input interface type | iface_type | ||
| oif | output interface index | iface_index | ||
| oifname | output interface name | ifname | ||
| oiftype | output interface type | iface_type | ||
| skuid | UID associated with originating socket | uid | ||
| skgid | GID associated with originating socket | gid | ||
| nftrace | Y | nftrace debugging bit | ||
| rtclassid | routing realm | realm | ||
| ibriport | input bridge port | |||
| obriport | output bridge port | |||
| ibrname | input bridge interface name | ifname | ||
| obrname | output bridge interface name | ifname | ||
| pkttype | Y | packet type | pkt_type | |
| cpu | CPU number processing the packet | integer (32 bit) | ||
| iifgroup | input interface group | devgroup | ||
| oifgroup | output interface group | devgroup | ||
| cgroup | control group ID | integer (32 bit) | ||
| ipsec | true if packet was ipsec encrypted | boolean (1 bit) | ||
| time | timestamp of packet reception | integer (32 bit) or string | ||
| day | day of week | integer (32 bit) or string | ||
| hour | hour of day | string | ||
| length | packet length in bytes | integer (32 bit) | ||
| protocol | packet protocol / EtherType protocol value | ether_type | as in skb->protocol | |
| nfproto | netfilter packet protocol family | integer (32 bit) | like ipv4, ipv6, etc...; useful only in inet table | |
| l4proto | layer 4 protocol | integer (8 bit) | like tcp, udp, etc...; skips ipv6 extension headers | |
| priority | Y | tc packet priority | tc_handle | |
| random | pseudo-random number | integer (32 bit) | ||
| secmark | Y | packet secmark | ||
| ibrvproto | bridge protocol | |||
| ibrpvid | bridge pvid | |||
Matching packets by interface name
You can use one of the following selectors to match the interface name:
- iifname, to match the input network interface name.
- oifname, to match the output network interface name.
- iif, to match the interface index of the network interface name. This is faster than iifname as it only has to compare a 32-bits unsigned integer instead of a string. The interface index is dynamically allocated, so don't use this for interfaces that are dynamically created and destroyed, eg. ppp0.
- oif, like iif but it matches the output network interface index.
An example usage of the interface name is the following:
% nft add rule filter input meta oifname lo accept
This rule accepts all traffic for the loopback pseudodevice lo.
Matching packets by packet mark
You can match packets whose mark is 123 with the following rule:
nft add rule filter output meta mark 123 counter
Matching packets the socket UID
You can use your user name to match traffic, eg.
% nft add rule filter output meta skuid pablo counter
Or the 32-bits unsigned integer (UID) in case there is no entry in /etc/passwd for a given user.
% nft add rule filter output meta skuid 1000 counter
Let's just generate some HTTP traffic to test this rule:
% wget --spider http://www.google.com
Then, if you check the counters, you can verify that the packets are matching that rule.
% nft list table filter
table ip filter {
chain output {
type filter hook output priority 0;
skuid pablo counter packets 7 bytes 510
}
chain input {
type filter hook input priority 0;
}
}
Important: Beware if you test this with ping, it is usually installed with suid so that traffic will match the root user (uid=0).
Matching packet priority
- Since nftables v0.7 you can match the packet priority, the tc classid:
% nft add rule filter forward meta priority abcd:1234- Packet without set priority can be matched using meta priority none
% nft add rule filter forward meta priority none