Difference between revisions of "Setting packet metainformation"

From nftables wiki

Latest revision as of 18:33, 16 April 2021

You can set some metainformation in a packet. Please note that you require a Linux kernel >= 3.14 to use these features.

== packet mark ==

The following example shows how to set the packet mark:

<source lang="bash">
% nft add rule route output mark set 123
</source>


== packet mark and conntrack mark ==

You can save/restore the conntrack mark like in iptables.

In this example, the nf_tables engine sets the packet mark to 1. In the last rule, that mark is stored in the conntrack entry associated with the flow:

<source lang="bash">
% nft add rule filter forward meta mark set 1
% nft add rule filter forward ct mark set mark
</source>

In this example, the conntrack mark is restored into the packet mark:

<source lang="bash">
% nft add rule filter forward meta mark set ct mark
</source>


== packet secmark ==

* You can use [[Secmark|secmark objects]] to set [https://selinuxproject.org/page/NB_Networking#SECMARK SECMARK] labels on packets.
* New in [https://marc.info/?l=netfilter&m=157532146917292&w=2 nftables 0.9.3], you can set the packet secmark from its associated [[Setting_packet_connection_tracking_metainformation#ct_secmark_set_-_Set_conntrack_secmark_from_packet_secmark|conntrack secmark]]:

<source>
meta secmark set ct secmark
</source>


== packet priority ==

You can set the priority of a packet.

This example shows a similar operation to what "-j CLASSIFY" does in iptables:

<source lang="bash">
% nft add table mangle
% nft add chain mangle postrouting {type route hook output priority -150\; }
% nft add rule mangle postrouting tcp sport 80 meta priority set 1
</source>

'''Warning''': There is a bug in the priority syntax that will be fixed in following versions of nftables.


== pkttype ==

You can set the [[Data_types#Other_types|packet type]]:

<source>
meta pkttype set {pkt_type}
</source>


== nftrace ==

Setting the [[Ruleset_debug/tracing|nftrace debugging bit]] in a packet will report the journey through the nf_tables stack:

<source lang="bash">
% nft add rule filter forward udp dport 53 meta nftrace set 1
</source>


== combination of options ==

Given the flexible design of nftables, remember that you can perform several actions on a packet in one rule:

<source lang="bash">
% nft add rule filter forward ip saddr 192.168.1.1 meta nftrace set 1 meta priority set 2 meta mark set 123
</source>
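As an added example that is not part of the wiki page, the following complete ruleset (loadable with <code>nft -f</code>) assembles the mark and conntrack mark save/restore from the sections above into the pattern iptables users know from CONNMARK --restore-mark / --save-mark, so that each flow is classified once and every later packet inherits the mark; it ends with one rule that sets several meta fields at once. The table name, chain, addresses and mark values are assumptions chosen for the example.

```nft
# Added example, not from the nftables wiki: table/chain names, the
# 192.168.1.0/24 prefix and the mark values 0x10/0x20 are constructed.
table inet meta_demo {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # 1. Restore: copy the conntrack mark back into the packet mark, so a
        #    packet of an already classified flow arrives with its mark set.
        meta mark set ct mark

        # 2. Only packets of new flows still carry mark 0; classify those once.
        #    (Constructed policy: flag DNS, and traffic from one subnet.)
        meta mark 0 udp dport 53 meta mark set 0x10
        meta mark 0 ip saddr 192.168.1.0/24 meta mark set 0x20

        # 3. Save: store the packet mark in the conntrack entry, so later
        #    packets of the flow skip the classification rules in step 2.
        ct mark set meta mark

        # 4. Act on the mark: several meta fields set in a single rule
        #    (trace the flagged flow and hand it a tc class id).
        meta mark 0x10 meta nftrace set 1 meta priority set 1:10
    }
}
```

Because step 1 restores the mark before the matches in step 2, only the first packet of a connection hits the classification rules; the ct mark persists with the flow, the packet mark does not.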