Setting packet metainformation

From nftables wiki
Revision as of 23:03, 4 May 2018 by Mate (talk | contribs) (→‎mark and conntrack mark: fixed mark setting example)

You can set some metainformation in a packet: one of mark, priority or nftrace.

Please note that you require a Linux kernel >= 3.14 to use these features.

mark

The following example shows how to set the packet mark:

% nft add rule route output mark set 123

mark and conntrack mark

You can save and restore the conntrack mark, as in iptables.

In this example, the nf_tables engine sets the packet mark to 1. In the last rule, that mark is stored in the conntrack entry associated with the flow:

% nft add rule filter forward meta mark set 1
% nft add rule filter forward ct mark set mark

In this example, the conntrack mark is stored in the packet.

% nft add rule filter forward meta mark set ct mark
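The save/restore pattern above, written as a complete ruleset file that can be loaded with `nft -f`. This is an added example, not part of the wiki page: the table and chain names, the numeric priority, and the mark values 10 and 20 are constructed; the first two rules restore an existing conntrack mark and skip re-classification, the remaining rules classify new flows and save the result.

```nft
# Constructed example ruleset (not from the nftables wiki).
# Load with:  nft -f restore-mark.nft
# Inspect the per-flow result with:  conntrack -L  (mark= field)
table inet mangle {
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;

        # Restore: copy the mark saved in the conntrack entry onto the packet.
        meta mark set ct mark

        # Flows that already carry a mark were classified on an earlier packet;
        # count them and stop evaluating this chain.
        meta mark != 0 counter accept

        # Classify new flows (constructed values: 10 for SSH, 20 for DNS).
        tcp dport 22 meta mark set 10
        udp dport 53 meta mark set 20

        # Save: store the packet mark in the conntrack entry so later packets
        # of the same flow hit the restore rule above.
        ct mark set meta mark
    }
}
```

Only the first packet of each connection runs through the classification rules; every later packet is handled by the first two rules.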

priority

You can set the priority of a packet.

This example shows a similar operation to what "-j CLASSIFY" does in iptables:

% nft add table mangle
% nft add chain mangle postrouting {type route hook output priority -150\; }
% nft add rule mangle postrouting tcp sport 80 meta priority set 1
Warning: There is a bug in the priority syntax that will be fixed in following versions of nftables.

nftrace

Setting nftrace on a packet reports its journey through the nf_tables stack.

% nft add rule filter forward udp dport 53 meta nftrace set 1

combination of options

Given the flexible design of nftables, remember that you can perform several actions on a packet in one rule:

% nft add rule filter forward ip saddr 192.168.1.1 meta nftrace set 1 meta priority set 2 meta mark set 123