Difference between revisions of "Setting packet metainformation"
(add nftrace wiki link) |
(Added secmark section, showing how to set packet secmark from conntrack secmark.) |
||
| Line 14: | Line 14: | ||
% nft add rule route output mark set 123 | % nft add rule route output mark set 123 | ||
</source> | </source> | ||
== mark and conntrack mark == | == mark and conntrack mark == | ||
| Line 31: | Line 32: | ||
% nft add rule filter forward meta mark set ct mark | % nft add rule filter forward meta mark set ct mark | ||
</source> | </source> | ||
== secmark == | |||
New in [https://marc.info/?l=netfilter&m=157532146917292&w=2 nftables 0.9.3], you can set the packet secmark from its associated [[Setting_packet_connection_tracking_metainformation#ct_secmark_set_-_Set_conntrack_secmark_from_packet_secmark|conntrack secmark]]: | |||
<source> | |||
meta secmark set ct secmark | |||
</source> | |||
== priority == | == priority == | ||
| Line 45: | Line 54: | ||
'''Warning''': There is a bug in the priority syntax that will be fixed in following versions of nftables. | '''Warning''': There is a bug in the priority syntax that will be fixed in following versions of nftables. | ||
== nftrace == | == nftrace == | ||
| Line 53: | Line 63: | ||
% nft add rule filter forward udp dport 53 meta nftrace set 1 | % nft add rule filter forward udp dport 53 meta nftrace set 1 | ||
</source> | </source> | ||
== combination of options == | == combination of options == | ||
Revision as of 19:00, 16 April 2021
You can set some metainformation in a packet. Current supported options are:
- mark -- packet mark
- priority -- packet priority
- nftrace -- nftrace debugging bit
- pkttype -- packet type
- secmark -- packet secmark
Please note that you require a Linux kernel >= 3.14 to use these features.
mark
The following example shows how to set the packet mark:
% nft add rule route output mark set 123
mark and conntrack mark
You can save/restore conntrack mark like in iptables.
In this example, the nf_tables engine set the packet mark to 1. In the last rule, that mark is store in the conntrack entry associated with the flow:
% nft add rule filter forward meta mark set 1
% nft add rule filter forward ct mark set mark
In this example, the conntrack mark is stored in the packet.
% nft add rule filter forward meta mark set ct mark
secmark
New in nftables 0.9.3, you can set the packet secmark from its associated conntrack secmark:
meta secmark set ct secmark
priority
You can set the priority of a packet.
This example shows a similar operation to what "-j CLASSIFY" does in iptables:
% nft add table mangle
% nft add chain postrouting {type route hook output priority -150\; }
% nft add rule mangle postrouting tcp sport 80 meta priority set 1
Warning: There is a bug in the priority syntax that will be fixed in following versions of nftables.
nftrace
Setting nftrace in a packet will report the journey through the nf_tables stack.
% nft add rule filter forward udp dport 53 meta nftrace set 1
combination of options
Given the flexible design of nftables, remember you can perform several actions to a packet in one rule:
% nft add rule filter forward ip saddr 192.168.1.1 meta nftrace set 1 meta priority set 2 meta mark set 123