手元の getent version $ getent --version getent (Ubuntu GLIBC 2.39-0ubuntu8.6) 2.39 Copyright (C) 2024 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Written by Thorsten Kukuk. man より引用 getent(1) General Commands Manual getent(1) NAME getent - get entries from Name Service Switch libraries SYNOPSIS getent [option]... database key... DESCRIPTION The getent command displays entries from databases supported by the Name Service Switch libraries, which are configured in /etc/nsswitch.conf. If one or more key arguments are provided, then only the entries that match the supplied keys will be displayed. Otherwise, if no key is provided, all entries will be displayed (unless the database does not support enumeration). The database may be any of those supported by the GNU C Library, listed below: ahosts When no key is provided, use sethostent(3), gethostent(3), and endhostent(3) to enumerate the hosts database. This is identical to using hosts(5). When one or more key arguments are provided, pass each key in succession to getaddrinfo(3) with the address family AF_UNSPEC, enu‐ merating each socket address structure returned. ahostsv4 Same as ahosts, but use the address family AF_INET. ahostsv6 Same as ahosts, but use the address family AF_INET6. The call to getaddrinfo(3) in this case includes the AI_V4MAPPED flag. aliases When no key is provided, use setaliasent(3), getaliasent(3), and endaliasent(3) to enumerate the aliases database. When one or more key argu‐ ments are provided, pass each key in succession to getaliasbyname(3) and display the result. ethers When one or more key arguments are provided, pass each key in succession to ether_aton(3) and ether_hostton(3) until a result is obtained, and display the result. Enumeration is not supported on ethers, so a key must be provided. group When no key is provided, use setgrent(3), getgrent(3), and endgrent(3) to enumerate the group database. When one or more key arguments are provided, pass each numeric key to getgrgid(3) and each nonnumeric key to getgrnam(3) and display the result. gshadow When no key is provided, use setsgent(3), getsgent(3), and endsgent(3) to enumerate the gshadow database. When one or more key arguments are provided, pass each key in succession to getsgnam(3) and display the result. hosts When no key is provided, use sethostent(3), gethostent(3), and endhostent(3) to enumerate the hosts database. When one or more key arguments are provided, pass each key to gethostbyaddr(3) or gethostbyname2(3), depending on whether a call to inet_pton(3) indicates that the key is an IPv6 or IPv4 address or not, and display the result. initgroups When one or more key arguments are provided, pass each key in succession to getgrouplist(3) and display the result. Enumeration is not sup‐ ported on initgroups, so a key must be provided. netgroup When one key is provided, pass the key to setnetgrent(3) and, using getnetgrent(3) display the resulting string triple (hostname, username, domainname). Alternatively, three keys may be provided, which are interpreted as the hostname, username, and domainname to match to a net‐ group name via innetgr(3). Enumeration is not supported on netgroup, so either one or three keys must be provided. networks When no key is provided, use setnetent(3), getnetent(3), and endnetent(3) to enumerate the networks database. When one or more key arguments are provided, pass each numeric key to getnetbyaddr(3) and each nonnumeric key to getnetbyname(3) and display the result. passwd When no key is provided, use setpwent(3), getpwent(3), and endpwent(3) to enumerate the passwd database. When one or more key arguments are provided, pass each numeric key to getpwuid(3) and each nonnumeric key to getpwnam(3) and display the result. protocols When no key is provided, use setprotoent(3), getprotoent(3), and endprotoent(3) to enumerate the protocols database. When one or more key ar‐ guments are provided, pass each numeric key to getprotobynumber(3) and each nonnumeric key to getprotobyname(3) and display the result. rpc When no key is provided, use setrpcent(3), getrpcent(3), and endrpcent(3) to enumerate the rpc database. When one or more key arguments are provided, pass each numeric key to getrpcbynumber(3) and each nonnumeric key to getrpcbyname(3) and display the result. services When no key is provided, use setservent(3), getservent(3), and endservent(3) to enumerate the services database. When one or more key argu‐ ments are provided, pass each numeric key to getservbynumber(3) and each nonnumeric key to getservbyname(3) and display the result. shadow When no key is provided, use setspent(3), getspent(3), and endspent(3) to enumerate the shadow database. When one or more key arguments are provided, pass each key in succession to getspnam(3) and display the result. OPTIONS --service service -s service Override all databases with the specified service. (Since glibc 2.2.5.) --service database:service -s database:service Override only specified databases with the specified service. The option may be used multiple times, but only the last service for each data‐ base will be used. (Since glibc 2.4.) --no-idn -i Disables IDN encoding in lookups for ahosts/getaddrinfo(3) (Since glibc-2.13.) --help -? Print a usage summary and exit. --usage Print a short usage summary and exit. --version -V Print the version number, license, and disclaimer of warranty for getent. EXIT STATUS One of the following exit values can be returned by getent: 0 Command completed successfully. 1 Missing arguments, or database unknown. 2 One or more supplied key could not be found in the database. 3 Enumeration not supported on this database. SEE ALSO nsswitch.conf(5) Linux man-pages 6.7 2023-11-01 getent(1)

はじめに curl google.com やChromeでgoogle.comへアクセスする際など、アプリケーションがドメイン名を利用しようとするとき、内部的にはC標準ライブラリのgetaddrinfoにこのドメイン名が渡されて、IPアドレスに解決されている。 この際の挙動をいつも忘れるのでメモする。 本文 概要 ドメイン名を渡したりIPアドレスを渡したりすると、様々な設定を用いて、そのドメイン名やIPアドレスが対応するIPアドレスを1つ以上返してくれる。 基本的な使い方 インターフェース int getaddrinfo(const char *restrict node, const char *restrict service, const struct addrinfo *restrict hints, struct addrinfo **restrict res); 実際の値のイメージ node = "google.com" service = "http" フローのイメージ curl google.com が呼ばれる ダイナミックリンクされている、libc.soのgetaddrinfo(“google.com”, “http”)が呼ばれる libresolv が呼ばれる libresolv が、/etc/nsswitch.confを読み込む(備考のように書かれていたとする) まずfiles、すなわち/etc/hostsで解決が試みられる 次にresolve、すなわちsystemd-resolvedで解決が試みられる。具体的には、ネットワークインターフェースごとにドメインが設定してあるので、そのドメインに該当した場合はそのインターフェースに設定されたDNSのIPアドレスにドメイン解決クエリを発行する。 dns、すなわち/etc/resolv.confに記載されたDNSのIPアドレスにドメイン解決クエリを発行する。備考の場合、127.0.0.53である。 備考1 /etc/nsswitch.conf hosts: files resolve dns 備考2 全体的に未検証だが、systemd-resolvedにおいては、ネットワークインターフェースごとでなく、全体のフォールバックとしてのDNSサーバのIPアドレスを設定できる。そのため、resolveが設定されていれば、その後ろにdnsは置かなくてよいらしい。 備考3 /etc/resolv.conf nameserver 127.0.0.53

はじめに RiscVの学習でよく使うようになったのでメモ help Usage: riscv64-unknown-elf-objdump <option(s)> <file(s)> Display information from object <file(s)>. At least one of the following switches must be given: -a, --archive-headers Display archive header information -f, --file-headers Display the contents of the overall file header -p, --private-headers Display object format specific file header contents -P, --private=OPT,OPT... Display object format specific contents -h, --[section-]headers Display the contents of the section headers -x, --all-headers Display the contents of all headers -d, --disassemble Display assembler contents of executable sections -D, --disassemble-all Display assembler contents of all sections --disassemble=<sym> Display assembler contents from <sym> -S, --source Intermix source code with disassembly --source-comment[=<txt>] Prefix lines of source code with <txt> -s, --full-contents Display the full contents of all sections requested -Z, --decompress Decompress section(s) before displaying their contents -g, --debugging Display debug information in object file -e, --debugging-tags Display debug information using ctags style -G, --stabs Display (in raw form) any STABS info in the file -W, --dwarf[a/=abbrev, A/=addr, r/=aranges, c/=cu_index, L/=decodedline, f/=frames, F/=frames-interp, g/=gdb_index, i/=info, o/=loc, m/=macro, p/=pubnames, t/=pubtypes, R/=Ranges, l/=rawline, s/=str, O/=str-offsets, u/=trace_abbrev, T/=trace_aranges, U/=trace_info] Display the contents of DWARF debug sections -Wk,--dwarf=links Display the contents of sections that link to separate debuginfo files -WK,--dwarf=follow-links Follow links to separate debug info files (default) -WN,--dwarf=no-follow-links Do not follow links to separate debug info files -L, --process-links Display the contents of non-debug sections in separate debuginfo files. (Implies -WK) --ctf[=SECTION] Display CTF info from SECTION, (default `.ctf') --sframe[=SECTION] Display SFrame info from SECTION, (default '.sframe') -t, --syms Display the contents of the symbol table(s) -T, --dynamic-syms Display the contents of the dynamic symbol table -r, --reloc Display the relocation entries in the file -R, --dynamic-reloc Display the dynamic relocation entries in the file @<file> Read options from <file> -v, --version Display this program's version number -i, --info List object formats and architectures supported -H, --help Display this information The following switches are optional: -b, --target=BFDNAME Specify the target object format as BFDNAME -m, --architecture=MACHINE Specify the target architecture as MACHINE -j, --section=NAME Only display information for section NAME -M, --disassembler-options=OPT Pass text OPT on to the disassembler -EB --endian=big Assume big endian format when disassembling -EL --endian=little Assume little endian format when disassembling --file-start-context Include context from start of file (with -S) -I, --include=DIR Add DIR to search list for source files -l, --line-numbers Include line numbers and filenames in output -F, --file-offsets Include file offsets when displaying information -C, --demangle[=STYLE] Decode mangled/processed symbol names STYLE can be "none", "auto", "gnu-v3", "java", "gnat", "dlang", "rust" --recurse-limit Enable a limit on recursion whilst demangling (default) --no-recurse-limit Disable a limit on recursion whilst demangling -w, --wide Format output for more than 80 columns -U[d|l|i|x|e|h] Controls the display of UTF-8 unicode characters --unicode=[default|locale|invalid|hex|escape|highlight] -z, --disassemble-zeroes Do not skip blocks of zeroes when disassembling --start-address=ADDR Only process data whose address is >= ADDR --stop-address=ADDR Only process data whose address is < ADDR --no-addresses Do not print address alongside disassembly --prefix-addresses Print complete address alongside disassembly --[no-]show-raw-insn Display hex alongside symbolic disassembly --insn-width=WIDTH Display WIDTH bytes on a single line for -d --adjust-vma=OFFSET Add OFFSET to all displayed section addresses --show-all-symbols When disassembling, display all symbols at a given address --special-syms Include special symbols in symbol dumps --inlines Print all inlines for source line (with -l) --prefix=PREFIX Add PREFIX to absolute paths for -S --prefix-strip=LEVEL Strip initial directory names for -S --dwarf-depth=N Do not display DIEs at depth N or greater --dwarf-start=N Display DIEs starting at offset N --dwarf-check Make additional dwarf consistency checks. --ctf-parent=NAME Use CTF archive member NAME as the CTF parent --visualize-jumps Visualize jumps by drawing ASCII art lines --visualize-jumps=color Use colors in the ASCII art --visualize-jumps=extended-color Use extended 8-bit color codes --visualize-jumps=off Disable jump visualization --disassembler-color=off Disable disassembler color output. (default) --disassembler-color=terminal Enable disassembler color output if displaying on a terminal. --disassembler-color=on Enable disassembler color output. --disassembler-color=extended Use 8-bit colors in disassembler output. riscv64-unknown-elf-objdump: supported targets: elf64-littleriscv elf32-littleriscv elf32-bigriscv elf64-bigriscv pei-riscv64-little elf64-little elf64-big elf32-little elf32-big srec symbolsrec verilog tekhex binary ihex plugin riscv64-unknown-elf-objdump: supported architectures: riscv riscv:rv64 riscv:rv32 The following RISC-V specific disassembler options are supported for use with the -M switch (multiple options should be separated by commas): numeric Print numeric register names, rather than ABI names. no-aliases Disassemble only into canonical instructions. priv-spec=SPEC Print the CSR according to the chosen privilege spec. For the options above, the following values are supported for "SPEC": 1.9.1 1.10 1.11 1.12 Report bugs to <https://sourceware.org/bugzilla/>. man objdump と同じだったので省略 ...

はじめに 最近、使うようになったのでmanをメモ man objdump より引用 OBJDUMP(1) GNU Development Tools OBJDUMP(1) NAME objdump - display information from object files SYNOPSIS objdump [-a|--archive-headers] [-b bfdname|--target=bfdname] [-C|--demangle[=style] ] [-d|--disassemble[=symbol]] [-D|--disassemble-all] [-z|--disassemble-zeroes] [-EB|-EL|--endian={big | little }] [-f|--file-headers] [-F|--file-offsets] [--file-start-context] [-g|--debugging] [-e|--debugging-tags] [-h|--section-headers|--headers] [-i|--info] [-j section|--section=section] [-l|--line-numbers] [-S|--source] [--source-comment[=text]] [-m machine|--architecture=machine] [-M options|--disassembler-options=options] [-p|--private-headers] [-P options|--private=options] [-r|--reloc] [-R|--dynamic-reloc] [-s|--full-contents] [-Z|--decompress] [-W[lLiaprmfFsoORtUuTgAck]| --dwarf[=rawline,=decodedline,=info,=abbrev,=pubnames,=aranges,=macro,=frames,=frames-interp,=str,=str-offsets,=loc,=Ranges,=pubtypes,=trace_info,=trace_abbrev,=trace_aranges,=gdb_index,=addr,=cu_index,=links]] [-WK|--dwarf=follow-links] [-WN|--dwarf=no-follow-links] [-wD|--dwarf=use-debuginfod] [-wE|--dwarf=do-not-use-debuginfod] [-L|--process-links] [--ctf=section] [--sframe=section] [-G|--stabs] [-t|--syms] [-T|--dynamic-syms] [-x|--all-headers] [-w|--wide] [--start-address=address] [--stop-address=address] [--no-addresses] [--prefix-addresses] [--[no-]show-raw-insn] [--adjust-vma=offset] [--show-all-symbols] [--dwarf-depth=n] [--dwarf-start=n] [--ctf-parent=section] [--no-recurse-limit|--recurse-limit] [--special-syms] [--prefix=prefix] [--prefix-strip=level] [--insn-width=width] [--visualize-jumps[=color|=extended-color|=off] [--disassembler-color=[off|terminal|on|extended] [-U method] [--unicode=method] [-V|--version] [-H|--help] objfile... DESCRIPTION objdump displays information about one or more object files. The options control what particular information to display. This information is mostly useful to programmers who are working on the compilation tools, as opposed to programmers who just want their program to compile and work. objfile... are the object files to be examined. When you specify archives, objdump shows information on each of the member object files. OPTIONS The long and short forms of options, shown here as alternatives, are equivalent. At least one option from the list -a,-d,-D,-e,-f,-g,-G,-h,-H,-p,-P,-r,-R,-s,-S,-t,-T,-V,-x must be given. -a --archive-header If any of the objfile files are archives, display the archive header information (in a format similar to ls -l). Besides the information you could list with ar tv, objdump -a shows the object file format of each archive member. --adjust-vma=offset When dumping information, first add offset to all the section addresses. This is useful if the section addresses do not correspond to the symbol table, which can happen when putting sections at particular addresses when using a format which can not represent section addresses, such as a.out. -b bfdname --target=bfdname Specify that the object-code format for the object files is bfdname. This option may not be necessary; objdump can automatically recognize many formats. For example, objdump -b oasys -m vax -h fu.o displays summary information from the section headers (-h) of fu.o, which is explicitly identified (-m) as a VAX object file in the format produced by Oasys compilers. You can list the formats available with the -i option. -C --demangle[=style] Decode (demangle) low-level symbol names into user-level names. Besides removing any initial underscore prepended by the system, this makes C++ function names readable. Different compilers have different mangling styles. The optional demangling style argument can be used to choose an appropriate demangling style for your compiler. --recurse-limit --no-recurse-limit --recursion-limit --no-recursion-limit Enables or disables a limit on the amount of recursion performed whilst demangling strings. Since the name mangling formats allow for an infinite level of recursion it is possible to create strings whose decoding will exhaust the amount of stack space available on the host machine, triggering a memory fault. The limit tries to prevent this from happening by restricting recursion to 2048 levels of nesting. The default is for this limit to be enabled, but disabling it may be necessary in order to demangle truly complicated names. Note however that if the recursion limit is disabled then stack exhaustion is possible and any bug reports about such an event will be rejected. -g --debugging Display debugging information. This attempts to parse STABS debugging format information stored in the file and print it out using a C like syntax. If no STABS debugging was found this option falls back on the -W option to print any DWARF information in the file. -e --debugging-tags Like -g, but the information is generated in a format compatible with ctags tool. -d --disassemble --disassemble=symbol Display the assembler mnemonics for the machine instructions from the input file. This option only disassembles those sections which are expected to contain instructions. If the optional symbol argument is given, then display the assembler mnemonics starting at symbol. If symbol is a function name then disassembly will stop at the end of the function, otherwise it will stop when the next symbol is encountered. If there are no matches for symbol then nothing will be displayed. Note if the --dwarf=follow-links option is enabled then any symbol tables in linked debug info files will be read in and used when disassembling. -D --disassemble-all Like -d, but disassemble the contents of all non-empty non-bss sections, not just those expected to contain instructions. -j may be used to select specific sections. This option also has a subtle effect on the disassembly of instructions in code sections. When option -d is in effect objdump will assume that any symbols present in a code section occur on the boundary between instructions and it will refuse to disassemble across such a boundary. When option -D is in effect however this assumption is supressed. This means that it is possible for the output of -d and -D to differ if, for example, data is stored in code sections. If the target is an ARM architecture this switch also has the effect of forcing the disassembler to decode pieces of data found in code sections as if they were instructions. Note if the --dwarf=follow-links option is enabled then any symbol tables in linked debug info files will be read in and used when disassembling. --no-addresses When disassembling, don't print addresses on each line or for symbols and relocation offsets. In combination with --no-show-raw-insn this may be useful for comparing compiler output. --prefix-addresses When disassembling, print the complete address on each line. This is the older disassembly format. -EB -EL --endian={big|little} Specify the endianness of the object files. This only affects disassembly. This can be useful when disassembling a file format which does not describe endianness information, such as S-records. -f --file-headers Display summary information from the overall header of each of the objfile files. -F --file-offsets When disassembling sections, whenever a symbol is displayed, also display the file offset of the region of data that is about to be dumped. If zeroes are being skipped, then when disassembly resumes, tell the user how many zeroes were skipped and the file offset of the location from where the disassembly resumes. When dumping sections, display the file offset of the location from where the dump starts. --file-start-context Specify that when displaying interlisted source code/disassembly (assumes -S) from a file that has not yet been displayed, extend the context to the start of the file. -h --section-headers --headers Display summary information from the section headers of the object file. File segments may be relocated to nonstandard addresses, for example by using the -Ttext, -Tdata, or -Tbss options to ld. However, some object file formats, such as a.out, do not store the starting address of the file segments. In those situations, although ld relocates the sections correctly, using objdump -h to list the file section headers cannot show the correct addresses. Instead, it shows the usual addresses, which are implicit for the target. Note, in some cases it is possible for a section to have both the READONLY and the NOREAD attributes set. In such cases the NOREAD attribute takes precedence, but objdump will report both since the exact setting of the flag bits might be important. -H --help Print a summary of the options to objdump and exit. -i --info Display a list showing all architectures and object formats available for specification with -b or -m. -j name --section=name Display information for section name. This option may be specified multiple times. -L --process-links Display the contents of non-debug sections found in separate debuginfo files that are linked to the main file. This option automatically implies the -WK option, and only sections requested by other command line options will be displayed. -l --line-numbers Label the display (using debugging information) with the filename and source line numbers corresponding to the object code or relocs shown. Only useful with -d, -D, or -r. -m machine --architecture=machine Specify the architecture to use when disassembling object files. This can be useful when disassembling object files which do not describe architecture information, such as S-records. You can list the available architectures with the -i option. For most architectures it is possible to supply an architecture name and a machine name, separated by a colon. For example foo:bar would refer to the bar machine type in the foo architecture. This can be helpful if objdump has been configured to support multiple architectures. If the target is an ARM architecture then this switch has an additional effect. It restricts the disassembly to only those instructions supported by the architecture specified by machine. If it is necessary to use this switch because the input file does not contain any architecture information, but it is also desired to disassemble all the instructions use -marm. -M options --disassembler-options=options Pass target specific information to the disassembler. Only supported on some targets. If it is necessary to specify more than one disassembler option then multiple -M options can be used or can be placed together into a comma separated list. For ARC, dsp controls the printing of DSP instructions, spfp selects the printing of FPX single precision FP instructions, dpfp selects the printing of FPX double precision FP instructions, quarkse_em selects the printing of special QuarkSE-EM instructions, fpuda selects the printing of double precision assist instructions, fpus selects the printing of FPU single precision FP instructions, while fpud selects the printing of FPU double precision FP instructions. Additionally, one can choose to have all the immediates printed in hexadecimal using hex. By default, the short immediates are printed using the decimal representation, while the long immediate values are printed as hexadecimal. cpu=... allows one to enforce a particular ISA when disassembling instructions, overriding the -m value or whatever is in the ELF file. This might be useful to select ARC EM or HS ISA, because architecture is same for those and disassembler relies on private ELF header data to decide if code is for EM or HS. This option might be specified multiple times - only the latest value will be used. Valid values are same as for the assembler -mcpu=... option. If the target is an ARM architecture then this switch can be used to select which register name set is used during disassembler. Specifying -M reg-names-std (the default) will select the register names as used in ARM's instruction set documentation, but with register 13 called 'sp', register 14 called 'lr' and register 15 called 'pc'. Specifying -M reg-names-apcs will select the name set used by the ARM Procedure Call Standard, whilst specifying -M reg-names-raw will just use r followed by the register number. There are also two variants on the APCS register naming scheme enabled by -M reg- names-atpcs and -M reg-names-special-atpcs which use the ARM/Thumb Procedure Call Standard naming conventions. (Either with the normal register names or the special register names). This option can also be used for ARM architectures to force the disassembler to interpret all instructions as Thumb instructions by using the switch --disassembler-options=force-thumb. This can be useful when attempting to disassemble thumb code produced by other compilers. For AArch64 targets this switch can be used to set whether instructions are disassembled as the most general instruction using the -M no-aliases option or whether instruction notes should be generated as comments in the disasssembly using -M notes. For the x86, some of the options duplicate functions of the -m switch, but allow finer grained control. "x86-64" "i386" "i8086" Select disassembly for the given architecture. "intel" "att" Select between intel syntax mode and AT&T syntax mode. "amd64" "intel64" Select between AMD64 ISA and Intel64 ISA. "intel-mnemonic" "att-mnemonic" Select between intel mnemonic mode and AT&T mnemonic mode. Note: "intel-mnemonic" implies "intel" and "att-mnemonic" implies "att". "addr64" "addr32" "addr16" "data32" "data16" Specify the default address size and operand size. These five options will be overridden if "x86-64", "i386" or "i8086" appear later in the option string. "suffix" When in AT&T mode and also for a limited set of instructions when in Intel mode, instructs the disassembler to print a mnemonic suffix even when the suffix could be inferred by the operands or, for certain instructions, the execution mode's defaults. For PowerPC, the -M argument raw selects disasssembly of hardware insns rather than aliases. For example, you will see "rlwinm" rather than "clrlwi", and "addi" rather than "li". All of the -m arguments for gas that select a CPU are supported. These are: 403, 405, 440, 464, 476, 601, 603, 604, 620, 7400, 7410, 7450, 7455, 750cl, 821, 850, 860, a2, booke, booke32, cell, com, e200z2, e200z4, e300, e500, e500mc, e500mc64, e500x2, e5500, e6500, efs, power4, power5, power6, power7, power8, power9, power10, ppc, ppc32, ppc64, ppc64bridge, ppcps, pwr, pwr2, pwr4, pwr5, pwr5x, pwr6, pwr7, pwr8, pwr9, pwr10, pwrx, titan, vle, and future. 32 and 64 modify the default or a prior CPU selection, disabling and enabling 64-bit insns respectively. In addition, altivec, any, lsp, htm, vsx, spe and spe2 add capabilities to a previous or later CPU selection. any will disassemble any opcode known to binutils, but in cases where an opcode has two different meanings or different arguments, you may not see the disassembly you expect. If you disassemble without giving a CPU selection, a default will be chosen from information gleaned by BFD from the object files headers, but the result again may not be as you expect. For MIPS, this option controls the printing of instruction mnemonic names and register names in disassembled instructions. Multiple selections from the following may be specified as a comma separated string, and invalid options are ignored: "no-aliases" Print the 'raw' instruction mnemonic instead of some pseudo instruction mnemonic. I.e., print 'daddu' or 'or' instead of 'move', 'sll' instead of 'nop', etc. "msa" Disassemble MSA instructions. "virt" Disassemble the virtualization ASE instructions. "xpa" Disassemble the eXtended Physical Address (XPA) ASE instructions. "gpr-names=ABI" Print GPR (general-purpose register) names as appropriate for the specified ABI. By default, GPR names are selected according to the ABI of the binary being disassembled. "fpr-names=ABI" Print FPR (floating-point register) names as appropriate for the specified ABI. By default, FPR numbers are printed rather than names. "cp0-names=ARCH" Print CP0 (system control coprocessor; coprocessor 0) register names as appropriate for the CPU or architecture specified by ARCH. By default, CP0 register names are selected according to the architecture and CPU of the binary being disassembled. "hwr-names=ARCH" Print HWR (hardware register, used by the "rdhwr" instruction) names as appropriate for the CPU or architecture specified by ARCH. By default, HWR names are selected according to the architecture and CPU of the binary being disassembled. "reg-names=ABI" Print GPR and FPR names as appropriate for the selected ABI. "reg-names=ARCH" Print CPU-specific register names (CP0 register and HWR names) as appropriate for the selected CPU or architecture. For any of the options listed above, ABI or ARCH may be specified as numeric to have numbers printed rather than names, for the selected types of registers. You can list the available values of ABI and ARCH using the --help option. For VAX, you can specify function entry addresses with -M entry:0xf00ba. You can use this multiple times to properly disassemble VAX binary files that don't contain symbol tables (like ROM dumps). In these cases, the function entry mask would otherwise be decoded as VAX instructions, which would probably lead the rest of the function being wrongly disassembled. -p --private-headers Print information that is specific to the object file format. The exact information printed depends upon the object file format. For some object file formats, no additional information is printed. -P options --private=options Print information that is specific to the object file format. The argument options is a comma separated list that depends on the format (the lists of options is displayed with the help). For XCOFF, the available options are: "header" "aout" "sections" "syms" "relocs" "lineno," "loader" "except" "typchk" "traceback" "toc" "ldinfo" For PE, the available options are: "header" "sections" Not all object formats support this option. In particular the ELF format does not use it. -r --reloc Print the relocation entries of the file. If used with -d or -D, the relocations are printed interspersed with the disassembly. -R --dynamic-reloc Print the dynamic relocation entries of the file. This is only meaningful for dynamic objects, such as certain types of shared libraries. As for -r, if used with -d or -D, the relocations are printed interspersed with the disassembly. -s --full-contents Display the full contents of sections, often used in combination with -j to request specific sections. By default all non-empty non-bss sections are displayed. By default any compressed section will be displayed in its compressed form. In order to see the contents in a decompressed form add the -Z option to the command line. -S --source Display source code intermixed with disassembly, if possible. Implies -d. --show-all-symbols When disassembling, show all the symbols that match a given address, not just the first one. --source-comment[=txt] Like the -S option, but all source code lines are displayed with a prefix of txt. Typically txt will be a comment string which can be used to distinguish the assembler code from the source code. If txt is not provided then a default string of "# " (hash followed by a space), will be used. --prefix=prefix Specify prefix to add to the absolute paths when used with -S. --prefix-strip=level Indicate how many initial directory names to strip off the hardwired absolute paths. It has no effect without --prefix=prefix. --show-raw-insn When disassembling instructions, print the instruction in hex as well as in symbolic form. This is the default except when --prefix-addresses is used. --no-show-raw-insn When disassembling instructions, do not print the instruction bytes. This is the default when --prefix-addresses is used. --insn-width=width Display width bytes on a single line when disassembling instructions. --visualize-jumps[=color|=extended-color|=off] Visualize jumps that stay inside a function by drawing ASCII art between the start and target addresses. The optional =color argument adds color to the output using simple terminal colors. Alternatively the =extended-color argument will add color using 8bit colors, but these might not work on all terminals. If it is necessary to disable the visualize-jumps option after it has previously been enabled then use visualize-jumps=off. --disassembler-color=off --disassembler-color=terminal --disassembler-color=on|color|colour --disassembler-color=extened|extended-color|extened-colour Enables or disables the use of colored syntax highlighting in disassembly output. The default behaviour is determined via a configure time option. Note, not all architectures support colored syntax highlighting, and depending upon the terminal used, colored output may not actually be legible. The on argument adds colors using simple terminal colors. The terminal argument does the same, but only if the output device is a terminal. The extended-color argument is similar to the on argument, but it uses 8-bit colors. These may not work on all terminals. The off argument disables colored disassembly. -W[lLiaprmfFsoORtUuTgAckK] --dwarf[=rawline,=decodedline,=info,=abbrev,=pubnames,=aranges,=macro,=frames,=frames-interp,=str,=str-offsets,=loc,=Ranges,=pubtypes,=trace_info,=trace_abbrev,=trace_aranges,=gdb_index,=addr,=cu_index,=links,=follow-links] Displays the contents of the DWARF debug sections in the file, if any are present. Compressed debug sections are automatically decompressed (temporarily) before they are displayed. If one or more of the optional letters or words follows the switch then only those type(s) of data will be dumped. The letters and words refer to the following information: "a" "=abbrev" Displays the contents of the .debug_abbrev section. "A" "=addr" Displays the contents of the .debug_addr section. "c" "=cu_index" Displays the contents of the .debug_cu_index and/or .debug_tu_index sections. "f" "=frames" Display the raw contents of a .debug_frame section. "F" "=frames-interp" Display the interpreted contents of a .debug_frame section. "g" "=gdb_index" Displays the contents of the .gdb_index and/or .debug_names sections. "i" "=info" Displays the contents of the .debug_info section. Note: the output from this option can also be restricted by the use of the --dwarf-depth and --dwarf-start options. "k" "=links" Displays the contents of the .gnu_debuglink, .gnu_debugaltlink and .debug_sup sections, if any of them are present. Also displays any links to separate dwarf object files (dwo), if they are specified by the DW_AT_GNU_dwo_name or DW_AT_dwo_name attributes in the .debug_info section. "K" "=follow-links" Display the contents of any selected debug sections that are found in linked, separate debug info file(s). This can result in multiple versions of the same debug section being displayed if it exists in more than one file. In addition, when displaying DWARF attributes, if a form is found that references the separate debug info file, then the referenced contents will also be displayed. Note - in some distributions this option is enabled by default. It can be disabled via the N debug option. The default can be chosen when configuring the binutils via the --enable-follow-debug-links=yes or --enable-follow-debug-links=no options. If these are not used then the default is to enable the following of debug links. Note - if support for the debuginfod protocol was enabled when the binutils were built then this option will also include an attempt to contact any debuginfod servers mentioned in the DEBUGINFOD_URLS environment variable. This could take some time to resolve. This behaviour can be disabled via the =do-not-use-debuginfod debug option. "N" "=no-follow-links" Disables the following of links to separate debug info files. "D" "=use-debuginfod" Enables contacting debuginfod servers if there is a need to follow debug links. This is the default behaviour. "E" "=do-not-use-debuginfod" Disables contacting debuginfod servers when there is a need to follow debug links. "l" "=rawline" Displays the contents of the .debug_line section in a raw format. "L" "=decodedline" Displays the interpreted contents of the .debug_line section. "m" "=macro" Displays the contents of the .debug_macro and/or .debug_macinfo sections. "o" "=loc" Displays the contents of the .debug_loc and/or .debug_loclists sections. "O" "=str-offsets" Displays the contents of the .debug_str_offsets section. "p" "=pubnames" Displays the contents of the .debug_pubnames and/or .debug_gnu_pubnames sections. "r" "=aranges" Displays the contents of the .debug_aranges section. "R" "=Ranges" Displays the contents of the .debug_ranges and/or .debug_rnglists sections. "s" "=str" Displays the contents of the .debug_str, .debug_line_str and/or .debug_str_offsets sections. "t" "=pubtype" Displays the contents of the .debug_pubtypes and/or .debug_gnu_pubtypes sections. "T" "=trace_aranges" Displays the contents of the .trace_aranges section. "u" "=trace_abbrev" Displays the contents of the .trace_abbrev section. "U" "=trace_info" Displays the contents of the .trace_info section. Note: displaying the contents of .debug_static_funcs, .debug_static_vars and debug_weaknames sections is not currently supported. --dwarf-depth=n Limit the dump of the ".debug_info" section to n children. This is only useful with --debug-dump=info. The default is to print all DIEs; the special value 0 for n will also have this effect. With a non-zero value for n, DIEs at or deeper than n levels will not be printed. The range for n is zero-based. --dwarf-start=n Print only DIEs beginning with the DIE numbered n. This is only useful with --debug-dump=info. If specified, this option will suppress printing of any header information and all DIEs before the DIE numbered n. Only siblings and children of the specified DIE will be printed. This can be used in conjunction with --dwarf-depth. --dwarf-check Enable additional checks for consistency of Dwarf information. --ctf[=section] Display the contents of the specified CTF section. CTF sections themselves contain many subsections, all of which are displayed in order. By default, display the name of the section named .ctf, which is the name emitted by ld. --ctf-parent=member If the CTF section contains ambiguously-defined types, it will consist of an archive of many CTF dictionaries, all inheriting from one dictionary containing unambiguous types. This member is by default named .ctf, like the section containing it, but it is possible to change this name using the "ctf_link_set_memb_name_changer" function at link time. When looking at CTF archives that have been created by a linker that uses the name changer to rename the parent archive member, --ctf-parent can be used to specify the name used for the parent. --sframe[=section] Display the contents of the specified SFrame section. By default, display the name of the section named .sframe, which is the name emitted by ld. -G --stabs Display the full contents of any sections requested. Display the contents of the .stab and .stab.index and .stab.excl sections from an ELF file. This is only useful on systems (such as Solaris 2.0) in which ".stab" debugging symbol-table entries are carried in an ELF section. In most other file formats, debugging symbol-table entries are interleaved with linkage symbols, and are visible in the --syms output. --start-address=address Start displaying data at the specified address. This affects the output of the -d, -r and -s options. --stop-address=address Stop displaying data at the specified address. This affects the output of the -d, -r and -s options. -t --syms Print the symbol table entries of the file. This is similar to the information provided by the nm program, although the display format is different. The format of the output depends upon the format of the file being dumped, but there are two main types. One looks like this: [ 4](sec 3)(fl 0x00)(ty 0)(scl 3) (nx 1) 0x00000000 .bss [ 6](sec 1)(fl 0x00)(ty 0)(scl 2) (nx 0) 0x00000000 fred where the number inside the square brackets is the number of the entry in the symbol table, the sec number is the section number, the fl value are the symbol's flag bits, the ty number is the symbol's type, the scl number is the symbol's storage class and the nx value is the number of auxiliary entries associated with the symbol. The last two fields are the symbol's value and its name. The other common output format, usually seen with ELF based files, looks like this: 00000000 l d .bss 00000000 .bss 00000000 g .text 00000000 fred Here the first number is the symbol's value (sometimes referred to as its address). The next field is actually a set of characters and spaces indicating the flag bits that are set on the symbol. These characters are described below. Next is the section with which the symbol is associated or *ABS* if the section is absolute (ie not connected with any section), or *UND* if the section is referenced in the file being dumped, but not defined there. After the section name comes another field, a number, which for common symbols is the alignment and for other symbol is the size. Finally the symbol's name is displayed. The flag characters are divided into 7 groups as follows: "l" "g" "u" "!" The symbol is a local (l), global (g), unique global (u), neither global nor local (a space) or both global and local (!). A symbol can be neither local or global for a variety of reasons, e.g., because it is used for debugging, but it is probably an indication of a bug if it is ever both local and global. Unique global symbols are a GNU extension to the standard set of ELF symbol bindings. For such a symbol the dynamic linker will make sure that in the entire process there is just one symbol with this name and type in use. "w" The symbol is weak (w) or strong (a space). "C" The symbol denotes a constructor (C) or an ordinary symbol (a space). "W" The symbol is a warning (W) or a normal symbol (a space). A warning symbol's name is a message to be displayed if the symbol following the warning symbol is ever referenced. "I" "i" The symbol is an indirect reference to another symbol (I), a function to be evaluated during reloc processing (i) or a normal symbol (a space). "d" "D" The symbol is a debugging symbol (d) or a dynamic symbol (D) or a normal symbol (a space). "F" "f" "O" The symbol is the name of a function (F) or a file (f) or an object (O) or just a normal symbol (a space). -T --dynamic-syms Print the dynamic symbol table entries of the file. This is only meaningful for dynamic objects, such as certain types of shared libraries. This is similar to the information provided by the nm program when given the -D (--dynamic) option. The output format is similar to that produced by the --syms option, except that an extra field is inserted before the symbol's name, giving the version information associated with the symbol. If the version is the default version to be used when resolving unversioned references to the symbol then it's displayed as is, otherwise it's put into parentheses. --special-syms When displaying symbols include those which the target considers to be special in some way and which would not normally be of interest to the user. -U [d|i|l|e|x|h] --unicode=[default|invalid|locale|escape|hex|highlight] Controls the display of UTF-8 encoded multibyte characters in strings. The default (--unicode=default) is to give them no special treatment. The --unicode=locale option displays the sequence in the current locale, which may or may not support them. The options --unicode=hex and --unicode=invalid display them as hex byte sequences enclosed by either angle brackets or curly braces. The --unicode=escape option displays them as escape sequences (\uxxxx) and the --unicode=highlight option displays them as escape sequences highlighted in red (if supported by the output device). The colouring is intended to draw attention to the presence of unicode sequences where they might not be expected. -V --version Print the version number of objdump and exit. -x --all-headers Display all available header information, including the symbol table and relocation entries. Using -x is equivalent to specifying all of -a -f -h -p -r -t. -w --wide Format some lines for output devices that have more than 80 columns. Also do not truncate symbol names when they are displayed. -z --disassemble-zeroes Normally the disassembly output will skip blocks of zeroes. This option directs the disassembler to disassemble those blocks, just like any other data. -Z --decompress The -Z option is meant to be used in conunction with the -s option. It instructs objdump to decompress any compressed sections before displaying their contents. @file Read command-line options from file. The options read are inserted in place of the original @file option. If file does not exist, or cannot be read, then the option will be treated literally, and not removed. Options in file are separated by whitespace. A whitespace character may be included in an option by surrounding the entire option in either single or double quotes. Any character (including a backslash) may be included by prefixing the character to be included with a backslash. The file may itself contain additional @file options; any such options will be processed recursively. SEE ALSO nm(1), readelf(1), and the Info entries for binutils. COPYRIGHT Copyright (c) 1991-2024 Free Software Foundation, Inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". binutils-2.42 2023-09-02 OBJDUMP(1)

はじめに RiscVのURLをメモ。 URL https://hazm.at/mox/arch/isa/risc-v/the-risc-v-instruction-set-manual/vol1/index.html

はじめに x86のチートシートURLをメモ。 わかりやすいGithubレポジトリがあったので、フォークしたURLをメモします。 (外部の方のURLだと消える可能性があるので、念のためフォークしています。) URL チートシート https://github.com/tetz-akaneya/x86 システムコールと番号対応表 https://github.com/7etsuo/x86/blob/main/x86-linux-syscalls-cheatsheet.md (fork元: https://github.com/7etsuo/x86)

はじめに ネット検索で毎回違うページを探しているので、自分用にまとめる。 man ascii より引用 ascii(7) Miscellaneous Information Manual ascii(7) NAME ascii - ASCII character set encoded in octal, decimal, and hexadecimal DESCRIPTION ASCII is the American Standard Code for Information Interchange. It is a 7-bit code. Many 8-bit codes (e.g., ISO/IEC 8859-1) contain ASCII as their lower half. The international counterpart of ASCII is known as ISO/IEC 646-IRV. The following table contains the 128 ASCII characters. C program '\X' escapes are noted. Oct Dec Hex Char Oct Dec Hex Char ──────────────────────────────────────────────────────────────────────── 000 0 00 NUL '\0' (null character) 100 64 40 @ 001 1 01 SOH (start of heading) 101 65 41 A 002 2 02 STX (start of text) 102 66 42 B 003 3 03 ETX (end of text) 103 67 43 C 004 4 04 EOT (end of transmission) 104 68 44 D 005 5 05 ENQ (enquiry) 105 69 45 E 006 6 06 ACK (acknowledge) 106 70 46 F 007 7 07 BEL '\a' (bell) 107 71 47 G 010 8 08 BS '\b' (backspace) 110 72 48 H 011 9 09 HT '\t' (horizontal tab) 111 73 49 I 012 10 0A LF '\n' (new line) 112 74 4A J 013 11 0B VT '\v' (vertical tab) 113 75 4B K 014 12 0C FF '\f' (form feed) 114 76 4C L 015 13 0D CR '\r' (carriage ret) 115 77 4D M 016 14 0E SO (shift out) 116 78 4E N 017 15 0F SI (shift in) 117 79 4F O 020 16 10 DLE (data link escape) 120 80 50 P 021 17 11 DC1 (device control 1) 121 81 51 Q 022 18 12 DC2 (device control 2) 122 82 52 R 023 19 13 DC3 (device control 3) 123 83 53 S 024 20 14 DC4 (device control 4) 124 84 54 T 025 21 15 NAK (negative ack.) 125 85 55 U 026 22 16 SYN (synchronous idle) 126 86 56 V 027 23 17 ETB (end of trans. blk) 127 87 57 W 030 24 18 CAN (cancel) 130 88 58 X 031 25 19 EM (end of medium) 131 89 59 Y 032 26 1A SUB (substitute) 132 90 5A Z 033 27 1B ESC (escape) 133 91 5B [ 034 28 1C FS (file separator) 134 92 5C \ '\\' 035 29 1D GS (group separator) 135 93 5D ] 036 30 1E RS (record separator) 136 94 5E ^ 037 31 1F US (unit separator) 137 95 5F _ 040 32 20 SPACE 140 96 60 ` 041 33 21 ! 141 97 61 a 042 34 22 " 142 98 62 b 043 35 23 # 143 99 63 c 044 36 24 $ 144 100 64 d 045 37 25 % 145 101 65 e 046 38 26 & 146 102 66 f 047 39 27 ' 147 103 67 g 050 40 28 ( 150 104 68 h 051 41 29 ) 151 105 69 i 052 42 2A * 152 106 6A j 053 43 2B + 153 107 6B k 054 44 2C , 154 108 6C l 055 45 2D - 155 109 6D m 056 46 2E . 156 110 6E n 057 47 2F / 157 111 6F o 060 48 30 0 160 112 70 p 061 49 31 1 161 113 71 q 062 50 32 2 162 114 72 r 063 51 33 3 163 115 73 s 064 52 34 4 164 116 74 t 065 53 35 5 165 117 75 u 066 54 36 6 166 118 76 v 067 55 37 7 167 119 77 w 070 56 38 8 170 120 78 x 071 57 39 9 171 121 79 y 072 58 3A : 172 122 7A z 073 59 3B ; 173 123 7B { 074 60 3C < 174 124 7C | 075 61 3D = 175 125 7D } 076 62 3E > 176 126 7E ~ 077 63 3F ? │ 177 127 7F DEL │ Tables │ For convenience, below are more compact tables in hex and decimal. 2 3 4 5 6 7 30 40 50 60 70 80 90 100 110 120 ------------- --------------------------------- 0: 0 @ P ` p 0: ( 2 < F P Z d n x 1: ! 1 A Q a q 1: ) 3 = G Q [ e o y 2: " 2 B R b r 2: * 4 > H R \ f p z 3: # 3 C S c s 3: ! + 5 ? I S ] g q { 4: $ 4 D T d t 4: " , 6 @ J T ^ h r | 5: % 5 E U e u 5: # - 7 A K U _ i s } 6: & 6 F V f v 6: $ . 8 B L V ` j t ~ 7: ' 7 G W g w 7: % / 9 C M W a k u DEL 8: ( 8 H X h x 8: & 0 : D N X b l v 9: ) 9 I Y i y 9: ' 1 ; E O Y c m w A: * : J Z j z B: + ; K [ k { C: , < L \ l | D: - = M ] m } E: . > N ^ n ~ F: / ? O _ o DEL NOTES History /etc/ascii (VII) appears in the UNIX Programmer's Manual. On older terminals, the underscore code is displayed as a left arrow, called backarrow, the caret is displayed as an up-arrow and the verti‐ cal bar has a hole in the middle. Uppercase and lowercase characters differ by just one bit and the ASCII character 2 differs from the double quote by just one bit, too. That made it much easier to encode characters mechanically or with a non-mi‐ crocontroller-based electronic keyboard and that pairing was found on old teletypes. The ASCII standard was published by the United States of America Stan‐ dards Institute (USASI) in 1968. SEE ALSO charsets(7), iso_8859-1(7), iso_8859-2(7), iso_8859-3(7), iso_8859-4(7), iso_8859-5(7), iso_8859-6(7), iso_8859-7(7), iso_8859-8(7), iso_8859-9(7), iso_8859-10(7), iso_8859-11(7), iso_8859-13(7), iso_8859-14(7), iso_8859-15(7), iso_8859-16(7), utf-8(7) Linux man-pages 6.7 2024-01-28 ascii(7)

はじめに よく忘れるのでメモ man aptより引用 APT(8) APT APT(8) NAME apt - command-line interface SYNOPSIS apt [-h] [-o=config_string] [-c=config_file] [-t=target_release] [-a=architecture] {list | search | show | update | install pkg [{=pkg_version_number | /target_release}]... | remove pkg... | upgrade | full-upgrade | edit-sources | {-v | --version} | {-h | --help}} DESCRIPTION apt provides a high-level commandline interface for the package management system. It is intended as an end user interface and enables some options better suited for interactive usage by default compared to more specialized APT tools like apt-get(8) and apt- cache(8). Much like apt itself, its manpage is intended as an end user interface and as such only mentions the most used commands and options partly to not duplicate information in multiple places and partly to avoid overwhelming readers with a cornucopia of options and details. update (apt-get(8)) update is used to download package information from all configured sources. Other commands operate on this data to e.g. perform package upgrades or search in and display details about all packages available for installation. upgrade (apt-get(8)) upgrade is used to install available upgrades of all packages currently installed on the system from the sources configured via sources.list(5). New packages will be installed if required to satisfy dependencies, but existing packages will never be removed. If an upgrade for a package requires the removal of an installed package the upgrade for this package isn't performed. When a package is supplied as an argument, the package will be installed prior to the upgrade action. full-upgrade (apt-get(8)) full-upgrade performs the function of upgrade but will remove currently installed packages if this is needed to upgrade the system as a whole. When a package is supplied as an argument, the package will be installed prior to the upgrade action. install, reinstall, remove, purge (apt-get(8)) Performs the requested action on one or more packages specified via regex(7), glob(7) or exact match. The requested action can be overridden for specific packages by appending a plus (+) to the package name to install this package or a minus (-) to remove it. A specific version of a package can be selected for installation by following the package name with an equals (=) and the version of the package to select. Alternatively the version from a specific release can be selected by following the package name with a forward slash (/) and codename (bookworm, trixie, sid ...) or suite name (stable, testing, unstable). This will also select versions from this release for dependencies of this package if needed to satisfy the request. Removing a package removes all packaged data, but leaves usually small (modified) user configuration files behind, in case the remove was an accident. Just issuing an installation request for the accidentally removed package will restore its function as before in that case. On the other hand you can get rid of these leftovers by calling purge even on already removed packages. Note that this does not affect any data or configuration stored in your home directory. autoremove (apt-get(8)) autoremove is used to remove packages that were automatically installed to satisfy dependencies for other packages and are now no longer needed as dependencies changed or the package(s) needing them were removed in the meantime. You should check that the list does not include applications you have grown to like even though they were once installed just as a dependency of another package. You can mark such a package as manually installed by using apt-mark(8). Packages which you have installed explicitly via install are also never proposed for automatic removal. satisfy (apt-get(8)) satisfy satisfies dependency strings, as used in Build-Depends. It also handles conflicts, by prefixing an argument with "Conflicts: ". Example: apt satisfy "foo, bar (>= 1.0)" "Conflicts: baz, fuzz" search (apt-cache(8)) search can be used to search for the given regex(7) term(s) in the list of available packages and display matches. This can e.g. be useful if you are looking for packages having a specific feature. If you are looking for a package including a specific file try apt-file(1). show (apt-cache(8)) Show information about the given package(s) including its dependencies, installation and download size, sources the package is available from, the description of the packages content and much more. It can e.g. be helpful to look at this information before allowing apt(8) to remove a package or while searching for new packages to install. list list is somewhat similar to dpkg-query --list in that it can display a list of packages satisfying certain criteria. It supports glob(7) patterns for matching package names, apt-patterns(7), as well as options to list installed (--installed), upgradeable (--upgradeable) or all available (--all-versions) versions. edit-sources (work-in-progress) edit-sources lets you edit your sources.list(5) files in your preferred text editor while also providing basic sanity checks. showsrc, depends, rdepends, policy (summarised in apt-cache(8)) source, build-dep, download, changelog, clean, distclean, autoclean (summarised in apt- get(8)) SCRIPT USAGE AND DIFFERENCES FROM OTHER APT TOOLS The apt(8) commandline is designed as an end-user tool and it may change behavior between versions. While it tries not to break backward compatibility this is not guaranteed either if a change seems beneficial for interactive use. All features of apt(8) are available in dedicated APT tools like apt-get(8) and apt- cache(8) as well. apt(8) just changes the default value of some options (see apt.conf(5) and specifically the Binary scope). So you should prefer using these commands (potentially with some additional options enabled) in your scripts as they keep backward compatibility as much as possible. SEE ALSO apt-get(8), apt-cache(8), sources.list(5), apt.conf(5), apt-config(8), apt-patterns(7), The APT User's guide in /usr/share/doc/apt-doc/, apt_preferences(5), the APT Howto. DIAGNOSTICS apt returns zero on normal operation, decimal 100 on error. BUGS APT bug page[1]. If you wish to report a bug in APT, please see /usr/share/doc/debian/bug-reporting.txt or the reportbug(1) command. AUTHOR APT team NOTES 1. APT bug page https://bugs.debian.org/src:apt APT 2.7.14 12 March 2024 APT(8)

はじめに nftコマンドについてメモ。 man nftより引用 NFT(8) NFT(8) NAME nft - Administration tool of the nftables framework for packet filtering and classification SYNOPSIS nft [ -nNscaeSupyjtT ] [ -I directory ] [ -f filename | -i | cmd ...] nft -h nft -v DESCRIPTION nft is the command line tool used to set up, maintain and inspect packet filtering and classification rules in the Linux kernel, in the nftables framework. The Linux kernel subsystem is known as nf_tables, and ‘nf’ stands for Netfilter. OPTIONS The command accepts several different options which are documented here in groups for better understanding of their meaning. You can get information about options by running nft --help. General options: -h, --help Show help message and all options. -v, --version Show version. -V Show long version information, including compile-time configuration. Ruleset input handling options that specify to how to load rulesets: -f, --file filename Read input from filename. If filename is -, read from stdin. -D, --define name=value Define a variable. You can only combine this option with -f. -i, --interactive Read input from an interactive readline CLI. You can use quit to exit, or use the EOF marker, normally this is CTRL-D. -I, --includepath directory Add the directory directory to the list of directories to be searched for included files. This option may be specified multiple times. -c, --check Check commands validity without actually applying the changes. -o, --optimize Optimize your ruleset. You can combine this option with -c to inspect the proposed optimizations. Ruleset list output formatting that modify the output of the list ruleset command: -a, --handle Show object handles in output. -s, --stateless Omit stateful information of rules and stateful objects. -t, --terse Omit contents of sets from output. -S, --service Translate ports to service names as defined by /etc/services. -N, --reversedns Translate IP address to names via reverse DNS lookup. This may slow down your listing since it generates network traffic. -u, --guid Translate numeric UID/GID to names as defined by /etc/passwd and /etc/group. -n, --numeric Print fully numerical output. -y, --numeric-priority Display base chain priority numerically. -p, --numeric-protocol Display layer 4 protocol numerically. -T, --numeric-time Show time, day and hour values in numeric format. Command output formatting: -e, --echo When inserting items into the ruleset using add, insert or replace commands, print notifications just like nft monitor. -j, --json Format output in JSON. See libnftables-json(5) for a schema description. -d, --debug level Enable debugging output. The debug level can be any of scanner, parser, eval, netlink, mnl, proto-ctx, segtree, all. You can combine more than one by separating by the , symbol, for example -d eval,mnl. INPUT FILE FORMATS LEXICAL CONVENTIONS Input is parsed line-wise. When the last character of a line, just before the newline character, is a non-quoted backslash (\), the next line is treated as a continuation. Multiple commands on the same line can be separated using a semicolon (;). A hash sign (#) begins a comment. All following characters on the same line are ignored. Identifiers begin with an alphabetic character (a-z,A-Z), followed by zero or more alphanumeric characters (a-z,A-Z,0-9) and the characters slash (/), backslash (\), underscore (_) and dot (.). Identifiers using different characters or clashing with a keyword need to be enclosed in double quotes ("). INCLUDE FILES include filename Other files can be included by using the include statement. The directories to be searched for include files can be specified using the -I/--includepath option. You can override this behaviour either by prepending ‘./’ to your path to force inclusion of files located in the current working directory (i.e. relative path) or / for file location expressed as an absolute path. If -I/--includepath is not specified, then nft relies on the default directory that is specified at compile time. You can retrieve this default directory via the -h/--help option. Include statements support the usual shell wildcard symbols (,?,[]). Having no matches for an include statement is not an error, if wildcard symbols are used in the include statement. This allows having potentially empty include directories for statements like include "/etc/firewall/rules/". The wildcard matches are loaded in alphabetical order. Files beginning with dot (.) are not matched by include statements. SYMBOLIC VARIABLES define variable = expr undefine variable redefine variable = expr $variable Symbolic variables can be defined using the define statement. Variable references are expressions and can be used to initialize other variables. The scope of a definition is the current block and all blocks contained within. Symbolic variables can be undefined using the undefine statement, and modified using the redefine statement. Using symbolic variables. define int_if1 = eth0 define int_if2 = eth1 define int_ifs = { $int_if1, $int_if2 } redefine int_if2 = wlan0 undefine int_if2 filter input iif $int_ifs accept ADDRESS FAMILIES Address families determine the type of packets which are processed. For each address family, the kernel contains so called hooks at specific stages of the packet processing paths, which invoke nftables if rules for these hooks exist. ip IPv4 address family. ip6 IPv6 address family. inet Internet (IPv4/IPv6) address family. arp ARP address family, handling IPv4 ARP packets. bridge Bridge address family, handling packets which traverse a bridge device. netdev Netdev address family, handling packets on ingress and egress. All nftables objects exist in address family specific namespaces, therefore all identifiers include an address family. If an identifier is specified without an address family, the ip family is used by default. IPV4/IPV6/INET ADDRESS FAMILIES The IPv4/IPv6/Inet address families handle IPv4, IPv6 or both types of packets. They contain five hooks at different packet processing stages in the network stack. Table 1. IPv4/IPv6/Inet address family hooks ┌─────────────┬──────────────────────────────────┐ │ Hook │ Description │ ├─────────────┼──────────────────────────────────┤ │ │ │ │ prerouting │ All packets entering the system │ │ │ are processed by the prerouting │ │ │ hook. It is invoked before the │ │ │ routing process and is used for │ │ │ early filtering or changing │ │ │ packet attributes that affect │ │ │ routing. │ ├─────────────┼──────────────────────────────────┤ │ │ │ │ input │ Packets delivered to the local │ │ │ system are processed by the │ │ │ input hook. │ ├─────────────┼──────────────────────────────────┤ │ │ │ │ forward │ Packets forwarded to a different │ │ │ host are processed by the │ │ │ forward hook. │ ├─────────────┼──────────────────────────────────┤ │ │ │ │ output │ Packets sent by local processes │ │ │ are processed by the output │ │ │ hook. │ ├─────────────┼──────────────────────────────────┤ │ │ │ │ postrouting │ All packets leaving the system │ │ │ are processed by the postrouting │ │ │ hook. │ ├─────────────┼──────────────────────────────────┤ │ │ │ │ ingress │ All packets entering the system │ │ │ are processed by this hook. It │ │ │ is invoked before layer 3 │ │ │ protocol handlers, hence before │ │ │ the prerouting hook, and it can │ │ │ be used for filtering and │ │ │ policing. Ingress is only │ │ │ available for Inet family (since │ │ │ Linux kernel 5.10). │ └─────────────┴──────────────────────────────────┘ ARP ADDRESS FAMILY The ARP address family handles ARP packets received and sent by the system. It is commonly used to mangle ARP packets for clustering. Table 2. ARP address family hooks ┌────────┬──────────────────────────────────┐ │ Hook │ Description │ ├────────┼──────────────────────────────────┤ │ │ │ │ input │ Packets delivered to the local │ │ │ system are processed by the │ │ │ input hook. │ ├────────┼──────────────────────────────────┤ │ │ │ │ output │ Packets send by the local system │ │ │ are processed by the output │ │ │ hook. │ └────────┴──────────────────────────────────┘ BRIDGE ADDRESS FAMILY The bridge address family handles Ethernet packets traversing bridge devices. The list of supported hooks is identical to IPv4/IPv6/Inet address families above. NETDEV ADDRESS FAMILY The Netdev address family handles packets from the device ingress and egress path. This family allows you to filter packets of any ethertype such as ARP, VLAN 802.1q, VLAN 802.1ad (Q-in-Q) as well as IPv4 and IPv6 packets. Table 3. Netdev address family hooks ┌─────────┬─────────────────────────────────┐ │ Hook │ Description │ ├─────────┼─────────────────────────────────┤ │ │ │ │ ingress │ All packets entering the system │ │ │ are processed by this hook. It │ │ │ is invoked after the network │ │ │ taps (ie. tcpdump), right after │ │ │ tc ingress and before layer 3 │ │ │ protocol handlers, it can be │ │ │ used for early filtering and │ │ │ policing. │ ├─────────┼─────────────────────────────────┤ │ │ │ │ egress │ All packets leaving the system │ │ │ are processed by this hook. It │ │ │ is invoked after layer 3 │ │ │ protocol handlers and before tc │ │ │ egress. It can be used for late │ │ │ filtering and policing. │ └─────────┴─────────────────────────────────┘ Tunneled packets (such as vxlan) are processed by netdev family hooks both in decapsulated and encapsulated (tunneled) form. So a packet can be filtered on the overlay network as well as on the underlying network. Note that the order of netfilter and tc is mirrored on ingress versus egress. This ensures symmetry for NAT and other packet mangling. Ingress packets which are redirected out some other interface are only processed by netfilter on egress if they have passed through netfilter ingress processing before. Thus, ingress packets which are redirected by tc are not subjected to netfilter. But they are if they are redirected by netfilter on ingress. Conceptually, tc and netfilter can be thought of as layers, with netfilter layered above tc: If the packet hasn’t been passed up from the tc layer to the netfilter layer, it’s not subjected to netfilter on egress. RULESET {list | flush} ruleset [family] The ruleset keyword is used to identify the whole set of tables, chains, etc. currently in place in kernel. The following ruleset commands exist: list Print the ruleset in human-readable format. flush Clear the whole ruleset. Note that, unlike iptables, this will remove all tables and whatever they contain, effectively leading to an empty ruleset - no packet filtering will happen anymore, so the kernel accepts any valid packet it receives. It is possible to limit list and flush to a specific address family only. For a list of valid family names, see the section called “ADDRESS FAMILIES” above. By design, list ruleset command output may be used as input to nft -f. Effectively, this is the nft-equivalent of iptables-save and iptables-restore. TABLES {add | create} table [family] table [ {comment comment ;} { flags 'flags ; }] {delete | destroy | list | flush} table [family] table list tables [family] delete table [family] handle handle destroy table [family] handle handle Tables are containers for chains, sets and stateful objects. They are identified by their address family and their name. The address family must be one of ip, ip6, inet, arp, bridge, netdev. The inet address family is a dummy family which is used to create hybrid IPv4/IPv6 tables. The meta expression nfproto keyword can be used to test which family (ipv4 or ipv6) context the packet is being processed in. When no address family is specified, ip is used by default. The only difference between add and create is that the former will not return an error if the specified table already exists while create will return an error. Table 4. Table flags ┌─────────┬─────────────────────────────────┐ │ Flag │ Description │ ├─────────┼─────────────────────────────────┤ │ │ │ │ dormant │ table is not evaluated any more │ │ │ (base chains are unregistered). │ └─────────┴─────────────────────────────────┘ Add, change, delete a table. # start nft in interactive mode nft --interactive # create a new table. create table inet mytable # add a new base chain: get input packets add chain inet mytable myin { type filter hook input priority filter; } # add a single counter to the chain add rule inet mytable myin counter # disable the table temporarily -- rules are not evaluated anymore add table inet mytable { flags dormant; } # make table active again: add table inet mytable add Add a new table for the given family with the given name. delete Delete the specified table. destroy Delete the specified table, it does not fail if it does not exist. list List all chains and rules of the specified table. flush Flush all chains and rules of the specified table. CHAINS {add | create} chain [family] table chain [{ type type hook hook [device device] priority priority ; [policy policy ;] [comment comment ;] }] {delete | destroy | list | flush} chain ['family] table chain list chains [family] delete chain [family] table handle handle destroy chain [family] table handle handle rename chain [family] table chain newname Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization. add Add a new chain in the specified table. When a hook and priority value are specified, the chain is created as a base chain and hooked up to the networking stack. create Similar to the add command, but returns an error if the chain already exists. delete Delete the specified chain. The chain must not contain any rules or be used as jump target. destroy Delete the specified chain, it does not fail if it does not exist. The chain must not contain any rules or be used as jump target. rename Rename the specified chain. list List all rules of the specified chain. flush Flush all rules of the specified chain. For base chains, type, hook and priority parameters are mandatory. Table 5. Supported chain types ┌────────┬───────────────┬─────────────────────┬─────────────────────┐ │ Type │ Families │ Hooks │ Description │ ├────────┼───────────────┼─────────────────────┼─────────────────────┤ │ │ │ │ │ │ filter │ all │ all │ Standard chain type │ │ │ │ │ to use in doubt. │ ├────────┼───────────────┼─────────────────────┼─────────────────────┤ │ │ │ │ │ │ nat │ ip, ip6, inet │ prerouting, input, │ Chains of this type │ │ │ │ output, postrouting │ perform Native │ │ │ │ │ Address Translation │ │ │ │ │ based on conntrack │ │ │ │ │ entries. Only the │ │ │ │ │ first packet of a │ │ │ │ │ connection actually │ │ │ │ │ traverses this │ │ │ │ │ chain - its rules │ │ │ │ │ usually define │ │ │ │ │ details of the │ │ │ │ │ created conntrack │ │ │ │ │ entry (NAT │ │ │ │ │ statements for │ │ │ │ │ instance). │ ├────────┼───────────────┼─────────────────────┼─────────────────────┤ │ │ │ │ │ │ route │ ip, ip6 │ output │ If a packet has │ │ │ │ │ traversed a chain │ │ │ │ │ of this type and is │ │ │ │ │ about to be │ │ │ │ │ accepted, a new │ │ │ │ │ route lookup is │ │ │ │ │ performed if │ │ │ │ │ relevant parts of │ │ │ │ │ the IP header have │ │ │ │ │ changed. This │ │ │ │ │ allows one to e.g. │ │ │ │ │ implement policy │ │ │ │ │ routing selectors │ │ │ │ │ in nftables. │ └────────┴───────────────┴─────────────────────┴─────────────────────┘ Apart from the special cases illustrated above (e.g. nat type not supporting forward hook or route type only supporting output hook), there are three further quirks worth noticing: • The netdev family supports merely two combinations, namely filter type with ingress hook and filter type with egress hook. Base chains in this family also require the device parameter to be present since they exist per interface only. • The arp family supports only the input and output hooks, both in chains of type filter. • The inet family also supports the ingress hook (since Linux kernel 5.10), to filter IPv4 and IPv6 packet at the same location as the netdev ingress hook. This inet hook allows you to share sets and maps between the usual prerouting, input, forward, output, postrouting and this ingress hook. The device parameter accepts a network interface name as a string, and is required when adding a base chain that filters traffic on the ingress or egress hooks. Any ingress or egress chains will only filter traffic from the interface specified in the device parameter. The priority parameter accepts a signed integer value or a standard priority name which specifies the order in which chains with the same hook value are traversed. The ordering is ascending, i.e. lower priority values have precedence over higher ones. With nat type chains, there’s a lower excluding limit of -200 for priority values, because conntrack hooks at this priority and NAT requires it. Standard priority values can be replaced with easily memorizable names. Not all names make sense in every family with every hook (see the compatibility matrices below) but their numerical value can still be used for prioritizing chains. These names and values are defined and made available based on what priorities are used by xtables when registering their default chains. Most of the families use the same values, but bridge uses different ones from the others. See the following tables that describe the values and compatibility. Table 6. Standard priority names, family and hook compatibility matrix ┌──────────┬───────┬─────────────────────┬─────────────┐ │ Name │ Value │ Families │ Hooks │ ├──────────┼───────┼─────────────────────┼─────────────┤ │ │ │ │ │ │ raw │ -300 │ ip, ip6, inet │ all │ ├──────────┼───────┼─────────────────────┼─────────────┤ │ │ │ │ │ │ mangle │ -150 │ ip, ip6, inet │ all │ ├──────────┼───────┼─────────────────────┼─────────────┤ │ │ │ │ │ │ dstnat │ -100 │ ip, ip6, inet │ prerouting │ ├──────────┼───────┼─────────────────────┼─────────────┤ │ │ │ │ │ │ filter │ 0 │ ip, ip6, inet, arp, │ all │ │ │ │ netdev │ │ ├──────────┼───────┼─────────────────────┼─────────────┤ │ │ │ │ │ │ security │ 50 │ ip, ip6, inet │ all │ ├──────────┼───────┼─────────────────────┼─────────────┤ │ │ │ │ │ │ srcnat │ 100 │ ip, ip6, inet │ postrouting │ └──────────┴───────┴─────────────────────┴─────────────┘ Table 7. Standard priority names and hook compatibility for the bridge family ┌────────┬───────┬─────────────┐ │ │ │ │ │ Name │ Value │ Hooks │ ├────────┼───────┼─────────────┤ │ │ │ │ │ dstnat │ -300 │ prerouting │ ├────────┼───────┼─────────────┤ │ │ │ │ │ filter │ -200 │ all │ ├────────┼───────┼─────────────┤ │ │ │ │ │ out │ 100 │ output │ ├────────┼───────┼─────────────┤ │ │ │ │ │ srcnat │ 300 │ postrouting │ └────────┴───────┴─────────────┘ Basic arithmetic expressions (addition and subtraction) can also be achieved with these standard names to ease relative prioritizing, e.g. mangle - 5 stands for -155. Values will also be printed like this until the value is not further than 10 from the standard value. Base chains also allow one to set the chain’s policy, i.e. what happens to packets not explicitly accepted or refused in contained rules. Supported policy values are accept (which is the default) or drop. RULES {add | insert} rule [family] table chain [handle handle | index index] statement ... [comment comment] replace rule [family] table chain handle handle statement ... [comment comment] {delete | reset} rule [family] table chain handle handle destroy rule [family] table chain handle handle reset rules [family] [table [chain]] Rules are added to chains in the given table. If the family is not specified, the ip family is used. Rules are constructed from two kinds of components according to a set of grammatical rules: expressions and statements. The add and insert commands support an optional location specifier, which is either a handle or the index (starting at zero) of an existing rule. Internally, rule locations are always identified by handle and the translation from index happens in userspace. This has two potential implications in case a concurrent ruleset change happens after the translation was done: The effective rule index might change if a rule was inserted or deleted before the referred one. If the referred rule was deleted, the command is rejected by the kernel just as if an invalid handle was given. A comment is a single word or a double-quoted (") multi-word string which can be used to make notes regarding the actual rule. Note: If you use bash for adding rules, you have to escape the quotation marks, e.g. \"enable ssh for servers\". add Add a new rule described by the list of statements. The rule is appended to the given chain unless a location is specified, in which case the rule is inserted after the specified rule. insert Same as add except the rule is inserted at the beginning of the chain or before the specified rule. replace Similar to add, but the rule replaces the specified rule. delete Delete the specified rule. destroy Delete the specified rule, it does not fail if it does not exist. reset Reset rule-contained state, e.g. counter and quota statement values. add a rule to ip table output chain. nft add rule filter output ip daddr 192.168.0.0/24 accept # 'ip filter' is assumed # same command, slightly more verbose nft add rule ip filter output ip daddr 192.168.0.0/24 accept delete rule from inet table. # nft -a list ruleset table inet filter { chain input { type filter hook input priority filter; policy accept; ct state established,related accept # handle 4 ip saddr 10.1.1.1 tcp dport ssh accept # handle 5 ... # delete the rule with handle 5 nft delete rule inet filter input handle 5 SETS nftables offers two kinds of set concepts. Anonymous sets are sets that have no specific name. The set members are enclosed in curly braces, with commas to separate elements when creating the rule the set is used in. Once that rule is removed, the set is removed as well. They cannot be updated, i.e. once an anonymous set is declared it cannot be changed anymore except by removing/altering the rule that uses the anonymous set. Using anonymous sets to accept particular subnets and ports. nft add rule filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport { 22, 443 } accept Named sets are sets that need to be defined first before they can be referenced in rules. Unlike anonymous sets, elements can be added to or removed from a named set at any time. Sets are referenced from rules using an @ prefixed to the sets name. Using named sets to accept addresses and ports. nft add rule filter input ip saddr @allowed_hosts tcp dport @allowed_ports accept The sets allowed_hosts and allowed_ports need to be created first. The next section describes nft set syntax in more detail. add set [family] table set { type type | typeof expression ; [flags flags ;] [timeout timeout ;] [gc-interval gc-interval ;] [elements = { element[, ...] } ;] [size size ;] [comment comment ;] [policy 'policy ;] [auto-merge ;] } {delete | destroy | list | flush | reset } set [family] table set list sets [family] delete set [family] table handle handle {add | delete | destroy } element [family] table set { element[, ...] } Sets are element containers of a user-defined data type, they are uniquely identified by a user-defined name and attached to tables. Their behaviour can be tuned with the flags that can be specified at set creation time. add Add a new set in the specified table. See the Set specification table below for more information about how to specify properties of a set. delete Delete the specified set. destroy Delete the specified set, it does not fail if it does not exist. list Display the elements in the specified set. flush Remove all elements from the specified set. reset Reset state in all contained elements, e.g. counter and quota statement values. Table 8. Set specifications ┌─────────────┬──────────────────────────┬──────────────────────────┐ │ Keyword │ Description │ Type │ ├─────────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ type │ data type of set │ string: ipv4_addr, │ │ │ elements │ ipv6_addr, ether_addr, │ │ │ │ inet_proto, │ │ │ │ inet_service, mark │ ├─────────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ typeof │ data type of set element │ expression to derive the │ │ │ │ data type from │ ├─────────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ flags │ set flags │ string: constant, │ │ │ │ dynamic, interval, │ │ │ │ timeout. Used to │ │ │ │ describe the sets │ │ │ │ properties. │ ├─────────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ timeout │ time an element stays in │ string, decimal followed │ │ │ the set, mandatory if │ by unit. Units are: d, │ │ │ set is added to from the │ h, m, s │ │ │ packet path (ruleset) │ │ ├─────────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ gc-interval │ garbage collection │ string, decimal followed │ │ │ interval, only available │ by unit. Units are: d, │ │ │ when timeout or flag │ h, m, s │ │ │ timeout are active │ │ ├─────────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ elements │ elements contained by │ set data type │ │ │ the set │ │ ├─────────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ size │ maximum number of │ unsigned integer (64 │ │ │ elements in the set, │ bit) │ │ │ mandatory if set is │ │ │ │ added to from the packet │ │ │ │ path (ruleset) │ │ ├─────────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ policy │ set policy │ string: performance │ │ │ │ [default], memory │ ├─────────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ auto-merge │ automatic merge of │ │ │ │ adjacent/overlapping set │ │ │ │ elements (only for │ │ │ │ interval sets) │ │ └─────────────┴──────────────────────────┴──────────────────────────┘ MAPS add map [family] table map { type type | typeof expression [flags flags ;] [elements = { element[, ...] } ;] [size size ;] [comment comment ;] [policy 'policy ;] } {delete | destroy | list | flush | reset } map [family] table map list maps [family] Maps store data based on some specific key used as input. They are uniquely identified by a user-defined name and attached to tables. add Add a new map in the specified table. delete Delete the specified map. destroy Delete the specified map, it does not fail if it does not exist. list Display the elements in the specified map. flush Remove all elements from the specified map. reset Reset state in all contained elements, e.g. counter and quota statement values. Table 9. Map specifications ┌──────────┬──────────────────────────┬──────────────────────────┐ │ Keyword │ Description │ Type │ ├──────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ type │ data type of map │ string: ipv4_addr, │ │ │ elements │ ipv6_addr, ether_addr, │ │ │ │ inet_proto, │ │ │ │ inet_service, mark, │ │ │ │ counter, quota. Counter │ │ │ │ and quota can’t be used │ │ │ │ as keys │ ├──────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ typeof │ data type of set element │ expression to derive the │ │ │ │ data type from │ ├──────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ flags │ map flags │ string, same as set │ │ │ │ flags │ ├──────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ elements │ elements contained by │ map data type │ │ │ the map │ │ ├──────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ size │ maximum number of │ unsigned integer (64 │ │ │ elements in the map │ bit) │ ├──────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ policy │ map policy │ string: performance │ │ │ │ [default], memory │ └──────────┴──────────────────────────┴──────────────────────────┘ Users can specifiy the properties/features that the set/map must support. This allows the kernel to pick an optimal internal representation. If a required flag is missing, the ruleset might still work, as nftables will auto-enable features if it can infer this from the ruleset. This may not work for all cases, however, so it is recommended to specify all required features in the set/map definition manually. Table 10. Set and Map flags ┌──────────┬────────────────────────────────┐ │ Flag │ Description │ ├──────────┼────────────────────────────────┤ │ │ │ │ constant │ Set contents will never change │ │ │ after creation │ ├──────────┼────────────────────────────────┤ │ │ │ │ dynamic │ Set must support updates from │ │ │ the packet path with the add, │ │ │ update or delete keywords. │ ├──────────┼────────────────────────────────┤ │ │ │ │ interval │ Set must be able to store │ │ │ intervals (ranges) │ ├──────────┼────────────────────────────────┤ │ │ │ │ timeout │ Set must support element │ │ │ timeouts (auto-removal of │ │ │ elements once they expire). │ └──────────┴────────────────────────────────┘ ELEMENTS {add | create | delete | destroy | get | reset } element [family] table set { ELEMENT[, ...] } ELEMENT := key_expression OPTIONS [: value_expression] OPTIONS := [timeout TIMESPEC] [expires TIMESPEC] [comment string] TIMESPEC := [numd][numh][numm][num[s]] Element-related commands allow one to change contents of named sets and maps. key_expression is typically a value matching the set type. value_expression is not allowed in sets but mandatory when adding to maps, where it matches the data part in its type definition. When deleting from maps, it may be specified but is optional as key_expression uniquely identifies the element. create command is similar to add with the exception that none of the listed elements may already exist. get command is useful to check if an element is contained in a set which may be non-trivial in very large and/or interval sets. In the latter case, the containing interval is returned instead of just the element itself. reset command resets state attached to the given element(s), e.g. counter and quota statement values. Table 11. Element options ┌─────────┬──────────────────────────────────┐ │ Option │ Description │ ├─────────┼──────────────────────────────────┤ │ │ │ │ timeout │ timeout value for sets/maps with │ │ │ flag timeout │ ├─────────┼──────────────────────────────────┤ │ │ │ │ expires │ the time until given element │ │ │ expires, useful for ruleset │ │ │ replication only │ ├─────────┼──────────────────────────────────┤ │ │ │ │ comment │ per element comment field │ └─────────┴──────────────────────────────────┘ FLOWTABLES {add | create} flowtable [family] table flowtable { hook hook priority priority ; devices = { device[, ...] } ; } list flowtables [family] {delete | destroy | list} flowtable [family] table flowtable delete flowtable [family] table handle handle Flowtables allow you to accelerate packet forwarding in software. Flowtables entries are represented through a tuple that is composed of the input interface, source and destination address, source and destination port; and layer 3/4 protocols. Each entry also caches the destination interface and the gateway address - to update the destination link-layer address - to forward packets. The ttl and hoplimit fields are also decremented. Hence, flowtables provides an alternative path that allow packets to bypass the classic forwarding path. Flowtables reside in the ingress hook that is located before the prerouting hook. You can select which flows you want to offload through the flow expression from the forward chain. Flowtables are identified by their address family and their name. The address family must be one of ip, ip6, or inet. The inet address family is a dummy family which is used to create hybrid IPv4/IPv6 tables. When no address family is specified, ip is used by default. The priority can be a signed integer or filter which stands for 0. Addition and subtraction can be used to set relative priority, e.g. filter + 5 equals to 5. add Add a new flowtable for the given family with the given name. delete Delete the specified flowtable. destroy Delete the specified flowtable, it does not fail if it does not exist. list List all flowtables. LISTING list { secmarks | synproxys | flow tables | meters | hooks } [family] list { secmarks | synproxys | flow tables | meters | hooks } table [family] table list ct { timeout | expectation | helper | helpers } table [family] table Inspect configured objects. list hooks shows the full hook pipeline, including those registered by kernel modules, such as nf_conntrack. STATEFUL OBJECTS {add | delete | destroy | list | reset} counter [family] table object {add | delete | destroy | list | reset} quota [family] table object {add | delete | destroy | list} limit [family] table object delete counter [family] table handle handle delete quota [family] table handle handle delete limit [family] table handle handle destroy counter [family] table handle handle destroy quota [family] table handle handle destroy limit [family] table handle handle list counters [family] list quotas [family] list limits [family] reset counters [family] reset quotas [family] reset counters [family] table reset quotas [family] table Stateful objects are attached to tables and are identified by a unique name. They group stateful information from rules, to reference them in rules the keywords "type name" are used e.g. "counter name". add Add a new stateful object in the specified table. delete Delete the specified object. destroy Delete the specified object, it does not fail if it does not exist. list Display stateful information the object holds. reset List-and-reset stateful object. CT HELPER add ct helper [family] table name { type type protocol protocol ; [l3proto family ;] } delete ct helper [family] table name list ct helpers Ct helper is used to define connection tracking helpers that can then be used in combination with the ct helper set statement. type and protocol are mandatory, l3proto is derived from the table family by default, i.e. in the inet table the kernel will try to load both the ipv4 and ipv6 helper backends, if they are supported by the kernel. Table 12. conntrack helper specifications ┌──────────┬─────────────────────────┬──────────────────────────┐ │ Keyword │ Description │ Type │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ type │ name of helper type │ quoted string (e.g. │ │ │ │ "ftp") │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ protocol │ layer 4 protocol of the │ string (e.g. ip) │ │ │ helper │ │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ l3proto │ layer 3 protocol of the │ address family (e.g. ip) │ │ │ helper │ │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ comment │ per ct helper comment │ string │ │ │ field │ │ └──────────┴─────────────────────────┴──────────────────────────┘ defining and assigning ftp helper. Unlike iptables, helper assignment needs to be performed after the conntrack lookup has completed, for example with the default 0 hook priority. table inet myhelpers { ct helper ftp-standard { type "ftp" protocol tcp } chain prerouting { type filter hook prerouting priority filter; tcp dport 21 ct helper set "ftp-standard" } } CT TIMEOUT add ct timeout [family] table name { protocol protocol ; policy = { state: value [, ...] } ; [l3proto family ;] } delete ct timeout [family] table name list ct timeouts Ct timeout is used to update connection tracking timeout values.Timeout policies are assigned with the ct timeout set statement. protocol and policy are mandatory, l3proto is derived from the table family by default. Table 13. conntrack timeout specifications ┌──────────┬─────────────────────────┬──────────────────────────┐ │ Keyword │ Description │ Type │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ protocol │ layer 4 protocol of the │ string (e.g. ip) │ │ │ timeout object │ │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ state │ connection state name │ string (e.g. │ │ │ │ "established") │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ value │ timeout value for │ unsigned integer │ │ │ connection state │ │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ l3proto │ layer 3 protocol of the │ address family (e.g. ip) │ │ │ timeout object │ │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ comment │ per ct timeout comment │ string │ │ │ field │ │ └──────────┴─────────────────────────┴──────────────────────────┘ tcp connection state names that can have a specific timeout value are: close, close_wait, established, fin_wait, last_ack, retrans, syn_recv, syn_sent, time_wait and unack. You can use sysctl -a |grep net.netfilter.nf_conntrack_tcp_timeout_ to view and change the system-wide defaults. ct timeout allows for flow-specific settings, without changing the global timeouts. For example, tcp port 53 could have much lower settings than other traffic. udp state names that can have a specific timeout value are replied and unreplied. defining and assigning ct timeout policy. table ip filter { ct timeout customtimeout { protocol tcp; l3proto ip policy = { established: 2m, close: 20s } } chain output { type filter hook output priority filter; policy accept; ct timeout set "customtimeout" } } testing the updated timeout policy. % conntrack -E It should display: [UPDATE] tcp 6 120 ESTABLISHED src=172.16.19.128 dst=172.16.19.1 sport=22 dport=41360 [UNREPLIED] src=172.16.19.1 dst=172.16.19.128 sport=41360 dport=22 CT EXPECTATION add ct expectation [family] table name { protocol protocol ; dport dport ; timeout timeout ; size size ; [*l3proto family ;] } delete ct expectation [family] table name list ct expectations Ct expectation is used to create connection expectations. Expectations are assigned with the ct expectation set statement. protocol, dport, timeout and size are mandatory, l3proto is derived from the table family by default. Table 14. conntrack expectation specifications ┌──────────┬─────────────────────────┬──────────────────────────┐ │ Keyword │ Description │ Type │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ protocol │ layer 4 protocol of the │ string (e.g. ip) │ │ │ expectation object │ │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ dport │ destination port of │ unsigned integer │ │ │ expected connection │ │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ timeout │ timeout value for │ unsigned integer │ │ │ expectation │ │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ size │ size value for │ unsigned integer │ │ │ expectation │ │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ l3proto │ layer 3 protocol of the │ address family (e.g. ip) │ │ │ expectation object │ │ ├──────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ comment │ per ct expectation │ string │ │ │ comment field │ │ └──────────┴─────────────────────────┴──────────────────────────┘ defining and assigning ct expectation policy. table ip filter { ct expectation expect { protocol udp dport 9876 timeout 2m size 8 l3proto ip } chain input { type filter hook input priority filter; policy accept; ct expectation set "expect" } } COUNTER add counter [family] table name [{ [ packets packets bytes bytes ; ] [ comment comment ; }] delete counter [family] table name list counters Table 15. Counter specifications ┌─────────┬──────────────────────────┬──────────────────────┐ │ Keyword │ Description │ Type │ ├─────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ packets │ initial count of packets │ unsigned integer (64 │ │ │ │ bit) │ ├─────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ bytes │ initial count of bytes │ unsigned integer (64 │ │ │ │ bit) │ ├─────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ comment │ per counter comment │ string │ │ │ field │ │ └─────────┴──────────────────────────┴──────────────────────┘ Using named counters. nft add counter filter http nft add rule filter input tcp dport 80 counter name \"http\" Using named counters with maps. nft add counter filter http nft add counter filter https nft add rule filter input counter name tcp dport map { 80 : \"http\", 443 : \"https\" } QUOTA add quota [family] table name { [over|until] bytes BYTE_UNIT [ used bytes BYTE_UNIT ] ; [ comment comment ; ] } BYTE_UNIT := bytes | kbytes | mbytes delete quota [family] table name list quotas Table 16. Quota specifications ┌─────────┬──────────────────────────┬─────────────────────────┐ │ Keyword │ Description │ Type │ ├─────────┼──────────────────────────┼─────────────────────────┤ │ │ │ │ │ quota │ quota limit, used as the │ Two arguments, unsigned │ │ │ quota name │ integer (64 bit) and │ │ │ │ string: bytes, kbytes, │ │ │ │ mbytes. "over" and │ │ │ │ "until" go before these │ │ │ │ arguments │ ├─────────┼──────────────────────────┼─────────────────────────┤ │ │ │ │ │ used │ initial value of used │ Two arguments, unsigned │ │ │ quota │ integer (64 bit) and │ │ │ │ string: bytes, kbytes, │ │ │ │ mbytes │ ├─────────┼──────────────────────────┼─────────────────────────┤ │ │ │ │ │ comment │ per quota comment field │ string │ └─────────┴──────────────────────────┴─────────────────────────┘ Using named quotas. nft add quota filter user123 { over 20 mbytes } nft add rule filter input ip saddr 192.168.10.123 quota name \"user123\" Using named quotas with maps. nft add quota filter user123 { over 20 mbytes } nft add quota filter user124 { over 20 mbytes } nft add rule filter input quota name ip saddr map { 192.168.10.123 : \"user123\", 192.168.10.124 : \"user124\" } EXPRESSIONS Expressions represent values, either constants like network addresses, port numbers, etc., or data gathered from the packet during ruleset evaluation. Expressions can be combined using binary, logical, relational and other types of expressions to form complex or relational (match) expressions. They are also used as arguments to certain types of operations, like NAT, packet marking etc. Each expression has a data type, which determines the size, parsing and representation of symbolic values and type compatibility with other expressions. DESCRIBE COMMAND describe expression | data type The describe command shows information about the type of an expression and its data type. A data type may also be given, in which nft will display more information about the type. The describe command. $ nft describe tcp flags payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits predefined symbolic constants: fin 0x01 syn 0x02 rst 0x04 psh 0x08 ack 0x10 urg 0x20 ecn 0x40 cwr 0x80 DATA TYPES Data types determine the size, parsing and representation of symbolic values and type compatibility of expressions. A number of global data types exist, in addition some expression types define further data types specific to the expression type. Most data types have a fixed size, some however may have a dynamic size, f.i. the string type. Some types also have predefined symbolic constants. Those can be listed using the nft describe command: $ nft describe ct_state datatype ct_state (conntrack state) (basetype bitmask, integer), 32 bits pre-defined symbolic constants (in hexadecimal): invalid 0x00000001 new ... Types may be derived from lower order types, f.i. the IPv4 address type is derived from the integer type, meaning an IPv4 address can also be specified as an integer value. In certain contexts (set and map definitions), it is necessary to explicitly specify a data type. Each type has a name which is used for this. INTEGER TYPE ┌─────────┬─────────┬──────────┬───────────┐ │ Name │ Keyword │ Size │ Base type │ ├─────────┼─────────┼──────────┼───────────┤ │ │ │ │ │ │ Integer │ integer │ variable │ - │ └─────────┴─────────┴──────────┴───────────┘ The integer type is used for numeric values. It may be specified as a decimal, hexadecimal or octal number. The integer type does not have a fixed size, its size is determined by the expression for which it is used. BITMASK TYPE ┌─────────┬─────────┬──────────┬───────────┐ │ Name │ Keyword │ Size │ Base type │ ├─────────┼─────────┼──────────┼───────────┤ │ │ │ │ │ │ Bitmask │ bitmask │ variable │ integer │ └─────────┴─────────┴──────────┴───────────┘ The bitmask type (bitmask) is used for bitmasks. STRING TYPE ┌────────┬─────────┬──────────┬───────────┐ │ Name │ Keyword │ Size │ Base type │ ├────────┼─────────┼──────────┼───────────┤ │ │ │ │ │ │ String │ string │ variable │ - │ └────────┴─────────┴──────────┴───────────┘ The string type is used for character strings. A string begins with an alphabetic character (a-zA-Z) followed by zero or more alphanumeric characters or the characters /, -, _ and .. In addition, anything enclosed in double quotes (") is recognized as a string. String specification. # Interface name filter input iifname eth0 # Weird interface name filter input iifname "(eth0)" LINK LAYER ADDRESS TYPE ┌────────────────────┬─────────┬──────────┬───────────┐ │ Name │ Keyword │ Size │ Base type │ ├────────────────────┼─────────┼──────────┼───────────┤ │ │ │ │ │ │ Link layer address │ lladdr │ variable │ integer │ └────────────────────┴─────────┴──────────┴───────────┘ The link layer address type is used for link layer addresses. Link layer addresses are specified as a variable amount of groups of two hexadecimal digits separated using colons (:). Link layer address specification. # Ethernet destination MAC address filter input ether daddr 20:c9:d0:43:12:d9 IPV4 ADDRESS TYPE ┌──────────────┬───────────┬────────┬───────────┐ │ Name │ Keyword │ Size │ Base type │ ├──────────────┼───────────┼────────┼───────────┤ │ │ │ │ │ │ IPV4 address │ ipv4_addr │ 32 bit │ integer │ └──────────────┴───────────┴────────┴───────────┘ The IPv4 address type is used for IPv4 addresses. Addresses are specified in either dotted decimal, dotted hexadecimal, dotted octal, decimal, hexadecimal, octal notation or as a host name. A host name will be resolved using the standard system resolver. IPv4 address specification. # dotted decimal notation filter output ip daddr 127.0.0.1 # host name filter output ip daddr localhost IPV6 ADDRESS TYPE ┌──────────────┬───────────┬─────────┬───────────┐ │ Name │ Keyword │ Size │ Base type │ ├──────────────┼───────────┼─────────┼───────────┤ │ │ │ │ │ │ IPv6 address │ ipv6_addr │ 128 bit │ integer │ └──────────────┴───────────┴─────────┴───────────┘ The IPv6 address type is used for IPv6 addresses. Addresses are specified as a host name or as hexadecimal halfwords separated by colons. Addresses might be enclosed in square brackets ("[]") to differentiate them from port numbers. IPv6 address specification. # abbreviated loopback address filter output ip6 daddr ::1 IPv6 address specification with bracket notation. # without [] the port number (22) would be parsed as part of the # ipv6 address ip6 nat prerouting tcp dport 2222 dnat to [1ce::d0]:22 BOOLEAN TYPE ┌─────────┬─────────┬───────┬───────────┐ │ Name │ Keyword │ Size │ Base type │ ├─────────┼─────────┼───────┼───────────┤ │ │ │ │ │ │ Boolean │ boolean │ 1 bit │ integer │ └─────────┴─────────┴───────┴───────────┘ The boolean type is a syntactical helper type in userspace. Its use is in the right-hand side of a (typically implicit) relational expression to change the expression on the left-hand side into a boolean check (usually for existence). Table 17. The following keywords will automatically resolve into a boolean type with given value ┌─────────┬───────┐ │ Keyword │ Value │ ├─────────┼───────┤ │ │ │ │ exists │ 1 │ ├─────────┼───────┤ │ │ │ │ missing │ 0 │ └─────────┴───────┘ Table 18. expressions support a boolean comparison ┌────────────┬─────────────────────────────┐ │ Expression │ Behaviour │ ├────────────┼─────────────────────────────┤ │ │ │ │ fib │ Check route existence. │ ├────────────┼─────────────────────────────┤ │ │ │ │ exthdr │ Check IPv6 extension header │ │ │ existence. │ ├────────────┼─────────────────────────────┤ │ │ │ │ tcp option │ Check TCP option header │ │ │ existence. │ └────────────┴─────────────────────────────┘ Boolean specification. # match if route exists filter input fib daddr . iif oif exists # match only non-fragmented packets in IPv6 traffic filter input exthdr frag missing # match if TCP timestamp option is present filter input tcp option timestamp exists ICMP TYPE TYPE ┌───────────┬───────────┬───────┬───────────┐ │ Name │ Keyword │ Size │ Base type │ ├───────────┼───────────┼───────┼───────────┤ │ │ │ │ │ │ ICMP Type │ icmp_type │ 8 bit │ integer │ └───────────┴───────────┴───────┴───────────┘ The ICMP Type type is used to conveniently specify the ICMP header’s type field. Table 19. Keywords may be used when specifying the ICMP type ┌─────────────────────────┬───────┐ │ Keyword │ Value │ ├─────────────────────────┼───────┤ │ │ │ │ echo-reply │ 0 │ ├─────────────────────────┼───────┤ │ │ │ │ destination-unreachable │ 3 │ ├─────────────────────────┼───────┤ │ │ │ │ source-quench │ 4 │ ├─────────────────────────┼───────┤ │ │ │ │ redirect │ 5 │ ├─────────────────────────┼───────┤ │ │ │ │ echo-request │ 8 │ ├─────────────────────────┼───────┤ │ │ │ │ router-advertisement │ 9 │ ├─────────────────────────┼───────┤ │ │ │ │ router-solicitation │ 10 │ ├─────────────────────────┼───────┤ │ │ │ │ time-exceeded │ 11 │ ├─────────────────────────┼───────┤ │ │ │ │ parameter-problem │ 12 │ ├─────────────────────────┼───────┤ │ │ │ │ timestamp-request │ 13 │ ├─────────────────────────┼───────┤ │ │ │ │ timestamp-reply │ 14 │ ├─────────────────────────┼───────┤ │ │ │ │ info-request │ 15 │ ├─────────────────────────┼───────┤ │ │ │ │ info-reply │ 16 │ ├─────────────────────────┼───────┤ │ │ │ │ address-mask-request │ 17 │ ├─────────────────────────┼───────┤ │ │ │ │ address-mask-reply │ 18 │ └─────────────────────────┴───────┘ ICMP Type specification. # match ping packets filter output icmp type { echo-request, echo-reply } ICMP CODE TYPE ┌───────────┬───────────┬───────┬───────────┐ │ Name │ Keyword │ Size │ Base type │ ├───────────┼───────────┼───────┼───────────┤ │ │ │ │ │ │ ICMP Code │ icmp_code │ 8 bit │ integer │ └───────────┴───────────┴───────┴───────────┘ The ICMP Code type is used to conveniently specify the ICMP header’s code field. Table 20. Keywords may be used when specifying the ICMP code ┌──────────────────┬───────┐ │ Keyword │ Value │ ├──────────────────┼───────┤ │ │ │ │ net-unreachable │ 0 │ ├──────────────────┼───────┤ │ │ │ │ host-unreachable │ 1 │ ├──────────────────┼───────┤ │ │ │ │ prot-unreachable │ 2 │ ├──────────────────┼───────┤ │ │ │ │ port-unreachable │ 3 │ ├──────────────────┼───────┤ │ │ │ │ frag-needed │ 4 │ ├──────────────────┼───────┤ │ │ │ │ net-prohibited │ 9 │ ├──────────────────┼───────┤ │ │ │ │ host-prohibited │ 10 │ ├──────────────────┼───────┤ │ │ │ │ admin-prohibited │ 13 │ └──────────────────┴───────┘ ICMPV6 TYPE TYPE ┌─────────────┬────────────┬───────┬───────────┐ │ Name │ Keyword │ Size │ Base type │ ├─────────────┼────────────┼───────┼───────────┤ │ │ │ │ │ │ ICMPv6 Type │ icmpx_code │ 8 bit │ integer │ └─────────────┴────────────┴───────┴───────────┘ The ICMPv6 Type type is used to conveniently specify the ICMPv6 header’s type field. Table 21. keywords may be used when specifying the ICMPv6 type: ┌─────────────────────────┬───────┐ │ Keyword │ Value │ ├─────────────────────────┼───────┤ │ │ │ │ destination-unreachable │ 1 │ ├─────────────────────────┼───────┤ │ │ │ │ packet-too-big │ 2 │ ├─────────────────────────┼───────┤ │ │ │ │ time-exceeded │ 3 │ ├─────────────────────────┼───────┤ │ │ │ │ parameter-problem │ 4 │ ├─────────────────────────┼───────┤ │ │ │ │ echo-request │ 128 │ ├─────────────────────────┼───────┤ │ │ │ │ echo-reply │ 129 │ ├─────────────────────────┼───────┤ │ │ │ │ mld-listener-query │ 130 │ ├─────────────────────────┼───────┤ │ │ │ │ mld-listener-report │ 131 │ ├─────────────────────────┼───────┤ │ │ │ │ mld-listener-done │ 132 │ ├─────────────────────────┼───────┤ │ │ │ │ mld-listener-reduction │ 132 │ ├─────────────────────────┼───────┤ │ │ │ │ nd-router-solicit │ 133 │ ├─────────────────────────┼───────┤ │ │ │ │ nd-router-advert │ 134 │ ├─────────────────────────┼───────┤ │ │ │ │ nd-neighbor-solicit │ 135 │ ├─────────────────────────┼───────┤ │ │ │ │ nd-neighbor-advert │ 136 │ ├─────────────────────────┼───────┤ │ │ │ │ nd-redirect │ 137 │ ├─────────────────────────┼───────┤ │ │ │ │ router-renumbering │ 138 │ ├─────────────────────────┼───────┤ │ │ │ │ ind-neighbor-solicit │ 141 │ ├─────────────────────────┼───────┤ │ │ │ │ ind-neighbor-advert │ 142 │ ├─────────────────────────┼───────┤ │ │ │ │ mld2-listener-report │ 143 │ └─────────────────────────┴───────┘ ICMPv6 Type specification. # match ICMPv6 ping packets filter output icmpv6 type { echo-request, echo-reply } ICMPV6 CODE TYPE ┌─────────────┬─────────────┬───────┬───────────┐ │ Name │ Keyword │ Size │ Base type │ ├─────────────┼─────────────┼───────┼───────────┤ │ │ │ │ │ │ ICMPv6 Code │ icmpv6_code │ 8 bit │ integer │ └─────────────┴─────────────┴───────┴───────────┘ The ICMPv6 Code type is used to conveniently specify the ICMPv6 header’s code field. Table 22. keywords may be used when specifying the ICMPv6 code ┌──────────────────┬───────┐ │ Keyword │ Value │ ├──────────────────┼───────┤ │ │ │ │ no-route │ 0 │ ├──────────────────┼───────┤ │ │ │ │ admin-prohibited │ 1 │ ├──────────────────┼───────┤ │ │ │ │ addr-unreachable │ 3 │ ├──────────────────┼───────┤ │ │ │ │ port-unreachable │ 4 │ ├──────────────────┼───────┤ │ │ │ │ policy-fail │ 5 │ ├──────────────────┼───────┤ │ │ │ │ reject-route │ 6 │ └──────────────────┴───────┘ ICMPVX CODE TYPE ┌─────────────┬─────────────┬───────┬───────────┐ │ Name │ Keyword │ Size │ Base type │ ├─────────────┼─────────────┼───────┼───────────┤ │ │ │ │ │ │ ICMPvX Code │ icmpv6_type │ 8 bit │ integer │ └─────────────┴─────────────┴───────┴───────────┘ The ICMPvX Code type abstraction is a set of values which overlap between ICMP and ICMPv6 Code types to be used from the inet family. Table 23. keywords may be used when specifying the ICMPvX code ┌──────────────────┬───────┐ │ Keyword │ Value │ ├──────────────────┼───────┤ │ │ │ │ no-route │ 0 │ ├──────────────────┼───────┤ │ │ │ │ port-unreachable │ 1 │ ├──────────────────┼───────┤ │ │ │ │ host-unreachable │ 2 │ ├──────────────────┼───────┤ │ │ │ │ admin-prohibited │ 3 │ └──────────────────┴───────┘ CONNTRACK TYPES Table 24. overview of types used in ct expression and statement ┌─────────────────────┬───────────┬─────────┬───────────┐ │ Name │ Keyword │ Size │ Base type │ ├─────────────────────┼───────────┼─────────┼───────────┤ │ │ │ │ │ │ conntrack state │ ct_state │ 4 byte │ bitmask │ ├─────────────────────┼───────────┼─────────┼───────────┤ │ │ │ │ │ │ conntrack direction │ ct_dir │ 8 bit │ integer │ ├─────────────────────┼───────────┼─────────┼───────────┤ │ │ │ │ │ │ conntrack status │ ct_status │ 4 byte │ bitmask │ ├─────────────────────┼───────────┼─────────┼───────────┤ │ │ │ │ │ │ conntrack event │ ct_event │ 4 byte │ bitmask │ │ bits │ │ │ │ ├─────────────────────┼───────────┼─────────┼───────────┤ │ │ │ │ │ │ conntrack label │ ct_label │ 128 bit │ bitmask │ └─────────────────────┴───────────┴─────────┴───────────┘ For each of the types above, keywords are available for convenience: Table 25. conntrack state (ct_state) ┌─────────────┬───────┐ │ Keyword │ Value │ ├─────────────┼───────┤ │ │ │ │ invalid │ 1 │ ├─────────────┼───────┤ │ │ │ │ established │ 2 │ ├─────────────┼───────┤ │ │ │ │ related │ 4 │ ├─────────────┼───────┤ │ │ │ │ new │ 8 │ ├─────────────┼───────┤ │ │ │ │ untracked │ 64 │ └─────────────┴───────┘ Table 26. conntrack direction (ct_dir) ┌──────────┬───────┐ │ Keyword │ Value │ ├──────────┼───────┤ │ │ │ │ original │ 0 │ ├──────────┼───────┤ │ │ │ │ reply │ 1 │ └──────────┴───────┘ Table 27. conntrack status (ct_status) ┌────────────┬───────┐ │ Keyword │ Value │ ├────────────┼───────┤ │ │ │ │ expected │ 1 │ ├────────────┼───────┤ │ │ │ │ seen-reply │ 2 │ ├────────────┼───────┤ │ │ │ │ assured │ 4 │ ├────────────┼───────┤ │ │ │ │ confirmed │ 8 │ ├────────────┼───────┤ │ │ │ │ snat │ 16 │ ├────────────┼───────┤ │ │ │ │ dnat │ 32 │ ├────────────┼───────┤ │ │ │ │ dying │ 512 │ └────────────┴───────┘ Table 28. conntrack event bits (ct_event) ┌───────────┬───────┐ │ Keyword │ Value │ ├───────────┼───────┤ │ │ │ │ new │ 1 │ ├───────────┼───────┤ │ │ │ │ related │ 2 │ ├───────────┼───────┤ │ │ │ │ destroy │ 4 │ ├───────────┼───────┤ │ │ │ │ reply │ 8 │ ├───────────┼───────┤ │ │ │ │ assured │ 16 │ ├───────────┼───────┤ │ │ │ │ protoinfo │ 32 │ ├───────────┼───────┤ │ │ │ │ helper │ 64 │ ├───────────┼───────┤ │ │ │ │ mark │ 128 │ ├───────────┼───────┤ │ │ │ │ seqadj │ 256 │ ├───────────┼───────┤ │ │ │ │ secmark │ 512 │ ├───────────┼───────┤ │ │ │ │ label │ 1024 │ └───────────┴───────┘ Possible keywords for conntrack label type (ct_label) are read at runtime from /etc/connlabel.conf. DCCP PKTTYPE TYPE ┌──────────────────┬──────────────┬───────┬───────────┐ │ Name │ Keyword │ Size │ Base type │ ├──────────────────┼──────────────┼───────┼───────────┤ │ │ │ │ │ │ DCCP packet type │ dccp_pkttype │ 4 bit │ integer │ └──────────────────┴──────────────┴───────┴───────────┘ The DCCP packet type abstracts the different legal values of the respective four bit field in the DCCP header, as stated by RFC4340. Note that possible values 10-15 are considered reserved and therefore not allowed to be used. In iptables' dccp match, these values are aliased INVALID. With nftables, one may simply match on the numeric value range, i.e. 10-15. Table 29. keywords may be used when specifying the DCCP packet type ┌──────────┬───────┐ │ Keyword │ Value │ ├──────────┼───────┤ │ │ │ │ request │ 0 │ ├──────────┼───────┤ │ │ │ │ response │ 1 │ ├──────────┼───────┤ │ │ │ │ data │ 2 │ ├──────────┼───────┤ │ │ │ │ ack │ 3 │ ├──────────┼───────┤ │ │ │ │ dataack │ 4 │ ├──────────┼───────┤ │ │ │ │ closereq │ 5 │ ├──────────┼───────┤ │ │ │ │ close │ 6 │ ├──────────┼───────┤ │ │ │ │ reset │ 7 │ ├──────────┼───────┤ │ │ │ │ sync │ 8 │ ├──────────┼───────┤ │ │ │ │ syncack │ 9 │ └──────────┴───────┘ PRIMARY EXPRESSIONS The lowest order expression is a primary expression, representing either a constant or a single datum from a packet’s payload, meta data or a stateful module. META EXPRESSIONS meta {length | nfproto | l4proto | protocol | priority} [meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype | skuid | skgid | nftrace | rtclassid | ibrname | obrname | pkttype | cpu | iifgroup | oifgroup | cgroup | random | ipsec | iifkind | oifkind | time | hour | day } A meta expression refers to meta data associated with a packet. There are two types of meta expressions: unqualified and qualified meta expressions. Qualified meta expressions require the meta keyword before the meta key, unqualified meta expressions can be specified by using the meta key directly or as qualified meta expressions. Meta l4proto is useful to match a particular transport protocol that is part of either an IPv4 or IPv6 packet. It will also skip any IPv6 extension headers present in an IPv6 packet. meta iif, oif, iifname and oifname are used to match the interface a packet arrived on or is about to be sent out on. iif and oif are used to match on the interface index, whereas iifname and oifname are used to match on the interface name. This is not the same — assuming the rule filter input meta iif "foo" Then this rule can only be added if the interface "foo" exists. Also, the rule will continue to match even if the interface "foo" is renamed to "bar". This is because internally the interface index is used. In case of dynamically created interfaces, such as tun/tap or dialup interfaces (ppp for example), it might be better to use iifname or oifname instead. In these cases, the name is used so the interface doesn’t have to exist to add such a rule, it will stop matching if the interface gets renamed and it will match again in case interface gets deleted and later a new interface with the same name is created. Like with iptables, wildcard matching on interface name prefixes is available for iifname and oifname matches by appending an asterisk (*) character. Note however that unlike iptables, nftables does not accept interface names consisting of the wildcard character only - users are supposed to just skip those always matching expressions. In order to match on literal asterisk character, one may escape it using backslash (\). Table 30. Meta expression types ┌───────────┬──────────────────────────┬─────────────────────┐ │ Keyword │ Description │ Type │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ length │ Length of the packet in │ integer (32-bit) │ │ │ bytes │ │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ nfproto │ real hook protocol │ integer (32 bit) │ │ │ family, useful only in │ │ │ │ inet table │ │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ l4proto │ layer 4 protocol, skips │ integer (8 bit) │ │ │ ipv6 extension headers │ │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ protocol │ EtherType protocol value │ ether_type │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ priority │ TC packet priority │ tc_handle │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ mark │ Packet mark │ mark │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ iif │ Input interface index │ iface_index │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ iifname │ Input interface name │ ifname │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ iiftype │ Input interface type │ iface_type │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ oif │ Output interface index │ iface_index │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ oifname │ Output interface name │ ifname │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ oiftype │ Output interface │ iface_type │ │ │ hardware type │ │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ sdif │ Slave device input │ iface_index │ │ │ interface index │ │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ sdifname │ Slave device interface │ ifname │ │ │ name │ │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ skuid │ UID associated with │ uid │ │ │ originating socket │ │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ skgid │ GID associated with │ gid │ │ │ originating socket │ │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ rtclassid │ Routing realm │ realm │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ ibrname │ Input bridge interface │ ifname │ │ │ name │ │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ obrname │ Output bridge interface │ ifname │ │ │ name │ │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ pkttype │ packet type │ pkt_type │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ cpu │ cpu number processing │ integer (32 bit) │ │ │ the packet │ │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ iifgroup │ incoming device group │ devgroup │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ oifgroup │ outgoing device group │ devgroup │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ cgroup │ control group id │ integer (32 bit) │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ random │ pseudo-random number │ integer (32 bit) │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ ipsec │ true if packet was ipsec │ boolean (1 bit) │ │ │ encrypted │ │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ iifkind │ Input interface kind │ │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ oifkind │ Output interface kind │ │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ time │ Absolute time of packet │ Integer (32 bit) or │ │ │ reception │ string │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ day │ Day of week │ Integer (8 bit) or │ │ │ │ string │ ├───────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ hour │ Hour of day │ String │ └───────────┴──────────────────────────┴─────────────────────┘ Table 31. Meta expression specific types ┌───────────────┬──────────────────────────────────┐ │ Type │ Description │ ├───────────────┼──────────────────────────────────┤ │ │ │ │ iface_index │ Interface index (32 bit number). │ │ │ Can be specified numerically or │ │ │ as name of an existing │ │ │ interface. │ ├───────────────┼──────────────────────────────────┤ │ │ │ │ ifname │ Interface name (16 byte string). │ │ │ Does not have to exist. │ ├───────────────┼──────────────────────────────────┤ │ │ │ │ iface_type │ Interface type (16 bit number). │ ├───────────────┼──────────────────────────────────┤ │ │ │ │ uid │ User ID (32 bit number). Can be │ │ │ specified numerically or as user │ │ │ name. │ ├───────────────┼──────────────────────────────────┤ │ │ │ │ gid │ Group ID (32 bit number). Can be │ │ │ specified numerically or as │ │ │ group name. │ ├───────────────┼──────────────────────────────────┤ │ │ │ │ realm │ Routing Realm (32 bit number). │ │ │ Can be specified numerically or │ │ │ as symbolic name defined in │ │ │ /etc/iproute2/rt_realms. │ ├───────────────┼──────────────────────────────────┤ │ │ │ │ devgroup_type │ Device group (32 bit number). │ │ │ Can be specified numerically or │ │ │ as symbolic name defined in │ │ │ /etc/iproute2/group. │ ├───────────────┼──────────────────────────────────┤ │ │ │ │ pkt_type │ Packet type: host (addressed to │ │ │ local host), broadcast (to all), │ │ │ multicast (to group), other │ │ │ (addressed to another host). │ ├───────────────┼──────────────────────────────────┤ │ │ │ │ ifkind │ Interface kind (16 byte string). │ │ │ See TYPES in ip-link(8) for a │ │ │ list. │ ├───────────────┼──────────────────────────────────┤ │ │ │ │ time │ Either an integer or a date in │ │ │ ISO format. For example: │ │ │ "2019-06-06 17:00". Hour and │ │ │ seconds are optional and can be │ │ │ omitted if desired. If omitted, │ │ │ midnight will be assumed. The │ │ │ following three would be │ │ │ equivalent: "2019-06-06", │ │ │ "2019-06-06 00:00" and │ │ │ "2019-06-06 00:00:00". When an │ │ │ integer is given, it is assumed │ │ │ to be a UNIX timestamp. │ ├───────────────┼──────────────────────────────────┤ │ │ │ │ day │ Either a day of week ("Monday", │ │ │ "Tuesday", etc.), or an integer │ │ │ between 0 and 6. Strings are │ │ │ matched case-insensitively, and │ │ │ a full match is not expected │ │ │ (e.g. "Mon" would match │ │ │ "Monday"). When an integer is │ │ │ given, 0 is Sunday and 6 is │ │ │ Saturday. │ ├───────────────┼──────────────────────────────────┤ │ │ │ │ hour │ A string representing an hour in │ │ │ 24-hour format. Seconds can │ │ │ optionally be specified. For │ │ │ example, 17:00 and 17:00:00 │ │ │ would be equivalent. │ └───────────────┴──────────────────────────────────┘ Using meta expressions. # qualified meta expression filter output meta oif eth0 filter forward meta iifkind { "tun", "veth" } # unqualified meta expression filter output oif eth0 # incoming packet was subject to ipsec processing raw prerouting meta ipsec exists accept SOCKET EXPRESSION socket {transparent | mark | wildcard} socket cgroupv2 level NUM Socket expression can be used to search for an existing open TCP/UDP socket and its attributes that can be associated with a packet. It looks for an established or non-zero bound listening socket (possibly with a non-local address). You can also use it to match on the socket cgroupv2 at a given ancestor level, e.g. if the socket belongs to cgroupv2 a/b, ancestor level 1 checks for a matching on cgroup a and ancestor level 2 checks for a matching on cgroup b. Table 32. Available socket attributes ┌─────────────┬──────────────────────────┬─────────────────┐ │ Name │ Description │ Type │ ├─────────────┼──────────────────────────┼─────────────────┤ │ │ │ │ │ transparent │ Value of the │ boolean (1 bit) │ │ │ IP_TRANSPARENT socket │ │ │ │ option in the found │ │ │ │ socket. It can be 0 or │ │ │ │ 1. │ │ ├─────────────┼──────────────────────────┼─────────────────┤ │ │ │ │ │ mark │ Value of the socket mark │ mark │ │ │ (SOL_SOCKET, SO_MARK). │ │ ├─────────────┼──────────────────────────┼─────────────────┤ │ │ │ │ │ wildcard │ Indicates whether the │ boolean (1 bit) │ │ │ socket is wildcard-bound │ │ │ │ (e.g. 0.0.0.0 or ::0). │ │ ├─────────────┼──────────────────────────┼─────────────────┤ │ │ │ │ │ cgroupv2 │ cgroup version 2 for │ cgroupv2 │ │ │ this socket (path from │ │ │ │ /sys/fs/cgroup) │ │ └─────────────┴──────────────────────────┴─────────────────┘ Using socket expression. # Mark packets that correspond to a transparent socket. "socket wildcard 0" # means that zero-bound listener sockets are NOT matched (which is usually # exactly what you want). table inet x { chain y { type filter hook prerouting priority mangle; policy accept; socket transparent 1 socket wildcard 0 mark set 0x00000001 accept } } # Trace packets that corresponds to a socket with a mark value of 15 table inet x { chain y { type filter hook prerouting priority mangle; policy accept; socket mark 0x0000000f nftrace set 1 } } # Set packet mark to socket mark table inet x { chain y { type filter hook prerouting priority mangle; policy accept; tcp dport 8080 mark set socket mark } } # Count packets for cgroupv2 "user.slice" at level 1 table inet x { chain y { type filter hook input priority filter; policy accept; socket cgroupv2 level 1 "user.slice" counter } } OSF EXPRESSION osf [ttl {loose | skip}] {name | version} The osf expression does passive operating system fingerprinting. This expression compares some data (Window Size, MSS, options and their order, DF, and others) from packets with the SYN bit set. Table 33. Available osf attributes ┌─────────┬──────────────────────────┬────────┐ │ Name │ Description │ Type │ ├─────────┼──────────────────────────┼────────┤ │ │ │ │ │ ttl │ Do TTL checks on the │ string │ │ │ packet to determine the │ │ │ │ operating system. │ │ ├─────────┼──────────────────────────┼────────┤ │ │ │ │ │ version │ Do OS version checks on │ │ │ │ the packet. │ │ ├─────────┼──────────────────────────┼────────┤ │ │ │ │ │ name │ Name of the OS signature │ string │ │ │ to match. All signatures │ │ │ │ can be found at pf.os │ │ │ │ file. Use "unknown" for │ │ │ │ OS signatures that the │ │ │ │ expression could not │ │ │ │ detect. │ │ └─────────┴──────────────────────────┴────────┘ Available ttl values. If no TTL attribute is passed, make a true IP header and fingerprint TTL true comparison. This generally works for LANs. * loose: Check if the IP header's TTL is less than the fingerprint one. Works for globally-routable addresses. * skip: Do not compare the TTL at all. Using osf expression. # Accept packets that match the "Linux" OS genre signature without comparing TTL. table inet x { chain y { type filter hook input priority filter; policy accept; osf ttl skip name "Linux" } } FIB EXPRESSIONS fib {saddr | daddr | mark | iif | oif} [. ...] {oif | oifname | type} A fib expression queries the fib (forwarding information base) to obtain information such as the output interface index a particular address would use. The input is a tuple of elements that is used as input to the fib lookup functions. Table 34. fib expression specific types ┌─────────┬────────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├─────────┼────────────────────────┼──────────────────┤ │ │ │ │ │ oif │ Output interface index │ integer (32 bit) │ ├─────────┼────────────────────────┼──────────────────┤ │ │ │ │ │ oifname │ Output interface name │ string │ ├─────────┼────────────────────────┼──────────────────┤ │ │ │ │ │ type │ Address type │ fib_addrtype │ └─────────┴────────────────────────┴──────────────────┘ Use nft describe fib_addrtype to get a list of all address types. Using fib expressions. # drop packets without a reverse path filter prerouting fib saddr . iif oif missing drop In this example, 'saddr . iif' looks up routing information based on the source address and the input interface. oif picks the output interface index from the routing information. If no route was found for the source address/input interface combination, the output interface index is zero. In case the input interface is specified as part of the input key, the output interface index is always the same as the input interface index or zero. If only 'saddr oif' is given, then oif can be any interface index or zero. # drop packets to address not configured on incoming interface filter prerouting fib daddr . iif type != { local, broadcast, multicast } drop # perform lookup in a specific 'blackhole' table (0xdead, needs ip appropriate ip rule) filter prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : jump prohibited, unreachable : drop } ROUTING EXPRESSIONS rt [ip | ip6] {classid | nexthop | mtu | ipsec} A routing expression refers to routing data associated with a packet. Table 35. Routing expression types ┌─────────┬──────────────────────────┬─────────────────────┐ │ Keyword │ Description │ Type │ ├─────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ classid │ Routing realm │ realm │ ├─────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ nexthop │ Routing nexthop │ ipv4_addr/ipv6_addr │ ├─────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ mtu │ TCP maximum segment size │ integer (16 bit) │ │ │ of route │ │ ├─────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ ipsec │ route via ipsec tunnel │ boolean │ │ │ or transport │ │ └─────────┴──────────────────────────┴─────────────────────┘ Table 36. Routing expression specific types ┌───────┬─────────────────────────────────┐ │ Type │ Description │ ├───────┼─────────────────────────────────┤ │ │ │ │ realm │ Routing Realm (32 bit number). │ │ │ Can be specified numerically or │ │ │ as symbolic name defined in │ │ │ /etc/iproute2/rt_realms. │ └───────┴─────────────────────────────────┘ Using routing expressions. # IP family independent rt expression filter output rt classid 10 # IP family dependent rt expressions ip filter output rt nexthop 192.168.0.1 ip6 filter output rt nexthop fd00::1 inet filter output rt ip nexthop 192.168.0.1 inet filter output rt ip6 nexthop fd00::1 # outgoing packet will be encapsulated/encrypted by ipsec filter output rt ipsec exists IPSEC EXPRESSIONS ipsec {in | out} [ spnum NUM ] {reqid | spi} ipsec {in | out} [ spnum NUM ] {ip | ip6} {saddr | daddr} An ipsec expression refers to ipsec data associated with a packet. The in or out keyword needs to be used to specify if the expression should examine inbound or outbound policies. The in keyword can be used in the prerouting, input and forward hooks. The out keyword applies to forward, output and postrouting hooks. The optional keyword spnum can be used to match a specific state in a chain, it defaults to 0. Table 37. Ipsec expression types ┌─────────┬──────────────────────────┬─────────────────────┐ │ Keyword │ Description │ Type │ ├─────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ reqid │ Request ID │ integer (32 bit) │ ├─────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ spi │ Security Parameter Index │ integer (32 bit) │ ├─────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ saddr │ Source address of the │ ipv4_addr/ipv6_addr │ │ │ tunnel │ │ ├─────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ daddr │ Destination address of │ ipv4_addr/ipv6_addr │ │ │ the tunnel │ │ └─────────┴──────────────────────────┴─────────────────────┘ Note: When using xfrm_interface, this expression is not useable in output hook as the plain packet does not traverse it with IPsec info attached - use a chain in postrouting hook instead. NUMGEN EXPRESSION numgen {inc | random} mod NUM [ offset NUM ] Create a number generator. The inc or random keywords control its operation mode: In inc mode, the last returned value is simply incremented. In random mode, a new random number is returned. The value after mod keyword specifies an upper boundary (read: modulus) which is not reached by returned numbers. The optional offset allows one to increment the returned value by a fixed offset. A typical use-case for numgen is load-balancing: Using numgen expression. # round-robin between 192.168.10.100 and 192.168.20.200: add rule nat prerouting dnat to numgen inc mod 2 map \ { 0 : 192.168.10.100, 1 : 192.168.20.200 } # probability-based with odd bias using intervals: add rule nat prerouting dnat to numgen random mod 10 map \ { 0-2 : 192.168.10.100, 3-9 : 192.168.20.200 } HASH EXPRESSIONS jhash {ip saddr | ip6 daddr | tcp dport | udp sport | ether saddr} [. ...] mod NUM [ seed NUM ] [ offset NUM ] symhash mod NUM [ offset NUM ] Use a hashing function to generate a number. The functions available are jhash, known as Jenkins Hash, and symhash, for Symmetric Hash. The jhash requires an expression to determine the parameters of the packet header to apply the hashing, concatenations are possible as well. The value after mod keyword specifies an upper boundary (read: modulus) which is not reached by returned numbers. The optional seed is used to specify an init value used as seed in the hashing function. The optional offset allows one to increment the returned value by a fixed offset. A typical use-case for jhash and symhash is load-balancing: Using hash expressions. # load balance based on source ip between 2 ip addresses: add rule nat prerouting dnat to jhash ip saddr mod 2 map \ { 0 : 192.168.10.100, 1 : 192.168.20.200 } # symmetric load balancing between 2 ip addresses: add rule nat prerouting dnat to symhash mod 2 map \ { 0 : 192.168.10.100, 1 : 192.168.20.200 } PAYLOAD EXPRESSIONS Payload expressions refer to data from the packet’s payload. ETHERNET HEADER EXPRESSION ether {daddr | saddr | type} Table 38. Ethernet header expression types ┌─────────┬─────────────────────────┬────────────┐ │ Keyword │ Description │ Type │ ├─────────┼─────────────────────────┼────────────┤ │ │ │ │ │ daddr │ Destination MAC address │ ether_addr │ ├─────────┼─────────────────────────┼────────────┤ │ │ │ │ │ saddr │ Source MAC address │ ether_addr │ ├─────────┼─────────────────────────┼────────────┤ │ │ │ │ │ type │ EtherType │ ether_type │ └─────────┴─────────────────────────┴────────────┘ VLAN HEADER EXPRESSION vlan {id | dei | pcp | type} The vlan expression is used to match on the vlan header fields. This expression will not work in the ip, ip6 and inet families, unless the vlan interface is configured with the reorder_hdr off setting. The default is reorder_hdr on which will automatically remove the vlan tag from the packet. See ip-link(8) for more information. For these families its easier to match the vlan interface name instead, using the meta iif or meta iifname expression. Table 39. VLAN header expression ┌─────────┬─────────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├─────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ id │ VLAN ID (VID) │ integer (12 bit) │ ├─────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ dei │ Drop Eligible Indicator │ integer (1 bit) │ ├─────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ pcp │ Priority code point │ integer (3 bit) │ ├─────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ type │ EtherType │ ether_type │ └─────────┴─────────────────────────┴──────────────────┘ ARP HEADER EXPRESSION arp {htype | ptype | hlen | plen | operation | saddr { ip | ether } | daddr { ip | ether } Table 40. ARP header expression ┌─────────────┬─────────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ htype │ ARP hardware type │ integer (16 bit) │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ ptype │ EtherType │ ether_type │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ hlen │ Hardware address len │ integer (8 bit) │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ plen │ Protocol address len │ integer (8 bit) │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ operation │ Operation │ arp_op │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ saddr ether │ Ethernet sender address │ ether_addr │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ daddr ether │ Ethernet target address │ ether_addr │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ saddr ip │ IPv4 sender address │ ipv4_addr │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ daddr ip │ IPv4 target address │ ipv4_addr │ └─────────────┴─────────────────────────┴──────────────────┘ IPV4 HEADER EXPRESSION ip {version | hdrlength | dscp | ecn | length | id | frag-off | ttl | protocol | checksum | saddr | daddr } Table 41. IPv4 header expression ┌───────────┬─────────────────────────┬───────────────────────┐ │ Keyword │ Description │ Type │ ├───────────┼─────────────────────────┼───────────────────────┤ │ │ │ │ │ version │ IP header version (4) │ integer (4 bit) │ ├───────────┼─────────────────────────┼───────────────────────┤ │ │ │ │ │ hdrlength │ IP header length │ integer (4 bit) FIXME │ │ │ including options │ scaling │ ├───────────┼─────────────────────────┼───────────────────────┤ │ │ │ │ │ dscp │ Differentiated Services │ dscp │ │ │ Code Point │ │ ├───────────┼─────────────────────────┼───────────────────────┤ │ │ │ │ │ ecn │ Explicit Congestion │ ecn │ │ │ Notification │ │ ├───────────┼─────────────────────────┼───────────────────────┤ │ │ │ │ │ length │ Total packet length │ integer (16 bit) │ ├───────────┼─────────────────────────┼───────────────────────┤ │ │ │ │ │ id │ IP ID │ integer (16 bit) │ ├───────────┼─────────────────────────┼───────────────────────┤ │ │ │ │ │ frag-off │ Fragment offset │ integer (16 bit) │ ├───────────┼─────────────────────────┼───────────────────────┤ │ │ │ │ │ ttl │ Time to live │ integer (8 bit) │ ├───────────┼─────────────────────────┼───────────────────────┤ │ │ │ │ │ protocol │ Upper layer protocol │ inet_proto │ ├───────────┼─────────────────────────┼───────────────────────┤ │ │ │ │ │ checksum │ IP header checksum │ integer (16 bit) │ ├───────────┼─────────────────────────┼───────────────────────┤ │ │ │ │ │ saddr │ Source address │ ipv4_addr │ ├───────────┼─────────────────────────┼───────────────────────┤ │ │ │ │ │ daddr │ Destination address │ ipv4_addr │ └───────────┴─────────────────────────┴───────────────────────┘ Careful with matching on ip length: If GRO/GSO is enabled, then the Linux kernel might aggregate several packets into one big packet that is larger than MTU. Moreover, if GRO/GSO maximum size is larger than 65535 (see man ip-link(8), specifically gro_ipv6_max_size and gso_ipv6_max_size), then ip length might be 0 for such jumbo packets. meta length allows you to match on the packet length including the IP header size. If you want to perform heuristics on the ip length field, then disable GRO/GSO. ICMP HEADER EXPRESSION icmp {type | code | checksum | id | sequence | gateway | mtu} This expression refers to ICMP header fields. When using it in inet, bridge or netdev families, it will cause an implicit dependency on IPv4 to be created. To match on unusual cases like ICMP over IPv6, one has to add an explicit meta protocol ip6 match to the rule. Table 42. ICMP header expression ┌──────────┬─────────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├──────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ type │ ICMP type field │ icmp_type │ ├──────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ code │ ICMP code field │ integer (8 bit) │ ├──────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ checksum │ ICMP checksum field │ integer (16 bit) │ ├──────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ id │ ID of echo │ integer (16 bit) │ │ │ request/response │ │ ├──────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ sequence │ sequence number of echo │ integer (16 bit) │ │ │ request/response │ │ ├──────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ gateway │ gateway of redirects │ integer (32 bit) │ ├──────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ mtu │ MTU of path MTU │ integer (16 bit) │ │ │ discovery │ │ └──────────┴─────────────────────────┴──────────────────┘ IGMP HEADER EXPRESSION igmp {type | mrt | checksum | group} This expression refers to IGMP header fields. When using it in inet, bridge or netdev families, it will cause an implicit dependency on IPv4 to be created. To match on unusual cases like IGMP over IPv6, one has to add an explicit meta protocol ip6 match to the rule. Table 43. IGMP header expression ┌──────────┬───────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├──────────┼───────────────────────┼──────────────────┤ │ │ │ │ │ type │ IGMP type field │ igmp_type │ ├──────────┼───────────────────────┼──────────────────┤ │ │ │ │ │ mrt │ IGMP maximum response │ integer (8 bit) │ │ │ time field │ │ ├──────────┼───────────────────────┼──────────────────┤ │ │ │ │ │ checksum │ IGMP checksum field │ integer (16 bit) │ ├──────────┼───────────────────────┼──────────────────┤ │ │ │ │ │ group │ Group address │ integer (32 bit) │ └──────────┴───────────────────────┴──────────────────┘ IPV6 HEADER EXPRESSION ip6 {version | dscp | ecn | flowlabel | length | nexthdr | hoplimit | saddr | daddr} This expression refers to the ipv6 header fields. Caution when using ip6 nexthdr, the value only refers to the next header, i.e. ip6 nexthdr tcp will only match if the ipv6 packet does not contain any extension headers. Packets that are fragmented or e.g. contain a routing extension headers will not be matched. Please use meta l4proto if you wish to match the real transport header and ignore any additional extension headers instead. Table 44. IPv6 header expression ┌───────────┬─────────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├───────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ version │ IP header version (6) │ integer (4 bit) │ ├───────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ dscp │ Differentiated Services │ dscp │ │ │ Code Point │ │ ├───────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ ecn │ Explicit Congestion │ ecn │ │ │ Notification │ │ ├───────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ flowlabel │ Flow label │ integer (20 bit) │ ├───────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ length │ Payload length │ integer (16 bit) │ ├───────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ nexthdr │ Nexthdr protocol │ inet_proto │ ├───────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ hoplimit │ Hop limit │ integer (8 bit) │ ├───────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ saddr │ Source address │ ipv6_addr │ ├───────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ daddr │ Destination address │ ipv6_addr │ └───────────┴─────────────────────────┴──────────────────┘ Careful with matching on ip6 length: If GRO/GSO is enabled, then the Linux kernel might aggregate several packets into one big packet that is larger than MTU. Moreover, if GRO/GSO maximum size is larger than 65535 (see man ip-link(8), specifically gro_ipv6_max_size and gso_ipv6_max_size), then ip6 length might be 0 for such jumbo packets. meta length allows you to match on the packet length including the IP header size. If you want to perform heuristics on the ip6 length field, then disable GRO/GSO. Using ip6 header expressions. # matching if first extension header indicates a fragment ip6 nexthdr ipv6-frag ICMPV6 HEADER EXPRESSION icmpv6 {type | code | checksum | parameter-problem | packet-too-big | id | sequence | max-delay | taddr | daddr} This expression refers to ICMPv6 header fields. When using it in inet, bridge or netdev families, it will cause an implicit dependency on IPv6 to be created. To match on unusual cases like ICMPv6 over IPv4, one has to add an explicit meta protocol ip match to the rule. Table 45. ICMPv6 header expression ┌───────────────────┬──────────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├───────────────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ type │ ICMPv6 type field │ icmpv6_type │ ├───────────────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ code │ ICMPv6 code field │ integer (8 bit) │ ├───────────────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ checksum │ ICMPv6 checksum field │ integer (16 bit) │ ├───────────────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ parameter-problem │ pointer to problem │ integer (32 bit) │ ├───────────────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ packet-too-big │ oversized MTU │ integer (32 bit) │ ├───────────────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ id │ ID of echo │ integer (16 bit) │ │ │ request/response │ │ ├───────────────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ sequence │ sequence number of echo │ integer (16 bit) │ │ │ request/response │ │ ├───────────────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ max-delay │ maximum response delay │ integer (16 bit) │ │ │ of MLD queries │ │ ├───────────────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ taddr │ target address of │ ipv6_addr │ │ │ neighbor solicit/advert, │ │ │ │ redirect or MLD │ │ ├───────────────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ daddr │ destination address of │ ipv6_addr │ │ │ redirect │ │ └───────────────────┴──────────────────────────┴──────────────────┘ TCP HEADER EXPRESSION tcp {sport | dport | sequence | ackseq | doff | reserved | flags | window | checksum | urgptr} Table 46. TCP header expression ┌──────────┬────────────────────────┬───────────────────────┐ │ Keyword │ Description │ Type │ ├──────────┼────────────────────────┼───────────────────────┤ │ │ │ │ │ sport │ Source port │ inet_service │ ├──────────┼────────────────────────┼───────────────────────┤ │ │ │ │ │ dport │ Destination port │ inet_service │ ├──────────┼────────────────────────┼───────────────────────┤ │ │ │ │ │ sequence │ Sequence number │ integer (32 bit) │ ├──────────┼────────────────────────┼───────────────────────┤ │ │ │ │ │ ackseq │ Acknowledgement number │ integer (32 bit) │ ├──────────┼────────────────────────┼───────────────────────┤ │ │ │ │ │ doff │ Data offset │ integer (4 bit) FIXME │ │ │ │ scaling │ ├──────────┼────────────────────────┼───────────────────────┤ │ │ │ │ │ reserved │ Reserved area │ integer (4 bit) │ ├──────────┼────────────────────────┼───────────────────────┤ │ │ │ │ │ flags │ TCP flags │ tcp_flag │ ├──────────┼────────────────────────┼───────────────────────┤ │ │ │ │ │ window │ Window │ integer (16 bit) │ ├──────────┼────────────────────────┼───────────────────────┤ │ │ │ │ │ checksum │ Checksum │ integer (16 bit) │ ├──────────┼────────────────────────┼───────────────────────┤ │ │ │ │ │ urgptr │ Urgent pointer │ integer (16 bit) │ └──────────┴────────────────────────┴───────────────────────┘ UDP HEADER EXPRESSION udp {sport | dport | length | checksum} Table 47. UDP header expression ┌──────────┬─────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├──────────┼─────────────────────┼──────────────────┤ │ │ │ │ │ sport │ Source port │ inet_service │ ├──────────┼─────────────────────┼──────────────────┤ │ │ │ │ │ dport │ Destination port │ inet_service │ ├──────────┼─────────────────────┼──────────────────┤ │ │ │ │ │ length │ Total packet length │ integer (16 bit) │ ├──────────┼─────────────────────┼──────────────────┤ │ │ │ │ │ checksum │ Checksum │ integer (16 bit) │ └──────────┴─────────────────────┴──────────────────┘ UDP-LITE HEADER EXPRESSION udplite {sport | dport | checksum} Table 48. UDP-Lite header expression ┌──────────┬──────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├──────────┼──────────────────┼──────────────────┤ │ │ │ │ │ sport │ Source port │ inet_service │ ├──────────┼──────────────────┼──────────────────┤ │ │ │ │ │ dport │ Destination port │ inet_service │ ├──────────┼──────────────────┼──────────────────┤ │ │ │ │ │ checksum │ Checksum │ integer (16 bit) │ └──────────┴──────────────────┴──────────────────┘ SCTP HEADER EXPRESSION sctp {sport | dport | vtag | checksum} sctp chunk CHUNK [ FIELD ] CHUNK := data | init | init-ack | sack | heartbeat | heartbeat-ack | abort | shutdown | shutdown-ack | error | cookie-echo | cookie-ack | ecne | cwr | shutdown-complete | asconf-ack | forward-tsn | asconf FIELD := COMMON_FIELD | DATA_FIELD | INIT_FIELD | INIT_ACK_FIELD | SACK_FIELD | SHUTDOWN_FIELD | ECNE_FIELD | CWR_FIELD | ASCONF_ACK_FIELD | FORWARD_TSN_FIELD | ASCONF_FIELD COMMON_FIELD := type | flags | length DATA_FIELD := tsn | stream | ssn | ppid INIT_FIELD := init-tag | a-rwnd | num-outbound-streams | num-inbound-streams | initial-tsn INIT_ACK_FIELD := INIT_FIELD SACK_FIELD := cum-tsn-ack | a-rwnd | num-gap-ack-blocks | num-dup-tsns SHUTDOWN_FIELD := cum-tsn-ack ECNE_FIELD := lowest-tsn CWR_FIELD := lowest-tsn ASCONF_ACK_FIELD := seqno FORWARD_TSN_FIELD := new-cum-tsn ASCONF_FIELD := seqno Table 49. SCTP header expression ┌──────────┬────────────────────────┬────────────────────────┐ │ Keyword │ Description │ Type │ ├──────────┼────────────────────────┼────────────────────────┤ │ │ │ │ │ sport │ Source port │ inet_service │ ├──────────┼────────────────────────┼────────────────────────┤ │ │ │ │ │ dport │ Destination port │ inet_service │ ├──────────┼────────────────────────┼────────────────────────┤ │ │ │ │ │ vtag │ Verification Tag │ integer (32 bit) │ ├──────────┼────────────────────────┼────────────────────────┤ │ │ │ │ │ checksum │ Checksum │ integer (32 bit) │ ├──────────┼────────────────────────┼────────────────────────┤ │ │ │ │ │ chunk │ Search chunk in packet │ without FIELD, boolean │ │ │ │ indicating existence │ └──────────┴────────────────────────┴────────────────────────┘ Table 50. SCTP chunk fields ┌──────────────────────┬───────────────┬────────────────────┬─────────────────────┐ │ Name │ Width in bits │ Chunk │ Notes │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ type │ 8 │ all │ not useful, defined │ │ │ │ │ by chunk type │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ flags │ 8 │ all │ semantics defined │ │ │ │ │ on per-chunk basis │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ length │ 16 │ all │ length of this │ │ │ │ │ chunk in bytes │ │ │ │ │ excluding padding │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ tsn │ 32 │ data │ transmission │ │ │ │ │ sequence number │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ stream │ 16 │ data │ stream identifier │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ ssn │ 16 │ data │ stream sequence │ │ │ │ │ number │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ ppid │ 32 │ data │ payload protocol │ │ │ │ │ identifier │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ init-tag │ 32 │ init, init-ack │ initiate tag │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ a-rwnd │ 32 │ init, init-ack, │ advertised receiver │ │ │ │ sack │ window credit │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ num-outbound-streams │ 16 │ init, init-ack │ number of outbound │ │ │ │ │ streams │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ num-inbound-streams │ 16 │ init, init-ack │ number of inbound │ │ │ │ │ streams │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ initial-tsn │ 32 │ init, init-ack │ initial transmit │ │ │ │ │ sequence number │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ cum-tsn-ack │ 32 │ sack, shutdown │ cumulative │ │ │ │ │ transmission │ │ │ │ │ sequence number │ │ │ │ │ acknowledged │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ num-gap-ack-blocks │ 16 │ sack │ number of Gap Ack │ │ │ │ │ Blocks included │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ num-dup-tsns │ 16 │ sack │ number of duplicate │ │ │ │ │ transmission │ │ │ │ │ sequence numbers │ │ │ │ │ received │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ lowest-tsn │ 32 │ ecne, cwr │ lowest transmission │ │ │ │ │ sequence number │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ seqno │ 32 │ asconf-ack, asconf │ sequence number │ ├──────────────────────┼───────────────┼────────────────────┼─────────────────────┤ │ │ │ │ │ │ new-cum-tsn │ 32 │ forward-tsn │ new cumulative │ │ │ │ │ transmission │ │ │ │ │ sequence number │ └──────────────────────┴───────────────┴────────────────────┴─────────────────────┘ DCCP HEADER EXPRESSION dccp {sport | dport | type} Table 51. DCCP header expression ┌─────────┬──────────────────┬──────────────┐ │ Keyword │ Description │ Type │ ├─────────┼──────────────────┼──────────────┤ │ │ │ │ │ sport │ Source port │ inet_service │ ├─────────┼──────────────────┼──────────────┤ │ │ │ │ │ dport │ Destination port │ inet_service │ ├─────────┼──────────────────┼──────────────┤ │ │ │ │ │ type │ Packet type │ dccp_pkttype │ └─────────┴──────────────────┴──────────────┘ AUTHENTICATION HEADER EXPRESSION ah {nexthdr | hdrlength | reserved | spi | sequence} Table 52. AH header expression ┌───────────┬──────────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├───────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ nexthdr │ Next header protocol │ inet_proto │ ├───────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ hdrlength │ AH Header length │ integer (8 bit) │ ├───────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ reserved │ Reserved area │ integer (16 bit) │ ├───────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ spi │ Security Parameter Index │ integer (32 bit) │ ├───────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ sequence │ Sequence number │ integer (32 bit) │ └───────────┴──────────────────────────┴──────────────────┘ ENCRYPTED SECURITY PAYLOAD HEADER EXPRESSION esp {spi | sequence} Table 53. ESP header expression ┌──────────┬──────────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├──────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ spi │ Security Parameter Index │ integer (32 bit) │ ├──────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ sequence │ Sequence number │ integer (32 bit) │ └──────────┴──────────────────────────┴──────────────────┘ IPCOMP HEADER EXPRESSION comp {nexthdr | flags | cpi} Table 54. IPComp header expression ┌─────────┬───────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├─────────┼───────────────────────┼──────────────────┤ │ │ │ │ │ nexthdr │ Next header protocol │ inet_proto │ ├─────────┼───────────────────────┼──────────────────┤ │ │ │ │ │ flags │ Flags │ bitmask │ ├─────────┼───────────────────────┼──────────────────┤ │ │ │ │ │ cpi │ compression Parameter │ integer (16 bit) │ │ │ Index │ │ └─────────┴───────────────────────┴──────────────────┘ GRE HEADER EXPRESSION gre {flags | version | protocol} gre ip {version | hdrlength | dscp | ecn | length | id | frag-off | ttl | protocol | checksum | saddr | daddr } gre ip6 {version | dscp | ecn | flowlabel | length | nexthdr | hoplimit | saddr | daddr} The gre expression is used to match on the gre header fields. This expression also allows to match on the IPv4 or IPv6 packet within the gre header. Table 55. GRE header expression ┌──────────┬──────────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├──────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ flags │ checksum, routing, key, │ integer (5 bit) │ │ │ sequence and strict │ │ │ │ source route flags │ │ ├──────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ version │ gre version field, 0 for │ integer (3 bit) │ │ │ GRE and 1 for PPTP │ │ ├──────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ protocol │ EtherType of │ integer (16 bit) │ │ │ encapsulated packet │ │ └──────────┴──────────────────────────┴──────────────────┘ Matching inner IPv4 destination address encapsulated in gre. netdev filter ingress gre ip daddr 9.9.9.9 counter GENEVE HEADER EXPRESSION geneve {vni | flags} geneve ether {daddr | saddr | type} geneve vlan {id | dei | pcp | type} geneve ip {version | hdrlength | dscp | ecn | length | id | frag-off | ttl | protocol | checksum | saddr | daddr } geneve ip6 {version | dscp | ecn | flowlabel | length | nexthdr | hoplimit | saddr | daddr} geneve tcp {sport | dport | sequence | ackseq | doff | reserved | flags | window | checksum | urgptr} geneve udp {sport | dport | length | checksum} The geneve expression is used to match on the geneve header fields. The geneve header encapsulates a ethernet frame within a udp packet. This expression requires that you restrict the matching to udp packets (usually at port 6081 according to IANA-assigned ports). Table 56. GENEVE header expression ┌──────────┬──────────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├──────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ protocol │ EtherType of │ integer (16 bit) │ │ │ encapsulated packet │ │ ├──────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ vni │ Virtual Network ID (VNI) │ integer (24 bit) │ └──────────┴──────────────────────────┴──────────────────┘ Matching inner TCP destination port encapsulated in geneve. netdev filter ingress udp dport 4789 geneve tcp dport 80 counter GRETAP HEADER EXPRESSION gretap {vni | flags} gretap ether {daddr | saddr | type} gretap vlan {id | dei | pcp | type} gretap ip {version | hdrlength | dscp | ecn | length | id | frag-off | ttl | protocol | checksum | saddr | daddr } gretap ip6 {version | dscp | ecn | flowlabel | length | nexthdr | hoplimit | saddr | daddr} gretap tcp {sport | dport | sequence | ackseq | doff | reserved | flags | window | checksum | urgptr} gretap udp {sport | dport | length | checksum} The gretap expression is used to match on the encapsulated ethernet frame within the gre header. Use the gre expression to match on the gre header fields. Matching inner TCP destination port encapsulated in gretap. netdev filter ingress gretap tcp dport 80 counter VXLAN HEADER EXPRESSION vxlan {vni | flags} vxlan ether {daddr | saddr | type} vxlan vlan {id | dei | pcp | type} vxlan ip {version | hdrlength | dscp | ecn | length | id | frag-off | ttl | protocol | checksum | saddr | daddr } vxlan ip6 {version | dscp | ecn | flowlabel | length | nexthdr | hoplimit | saddr | daddr} vxlan tcp {sport | dport | sequence | ackseq | doff | reserved | flags | window | checksum | urgptr} vxlan udp {sport | dport | length | checksum} The vxlan expression is used to match on the vxlan header fields. The vxlan header encapsulates a ethernet frame within a udp packet. This expression requires that you restrict the matching to udp packets (usually at port 4789 according to IANA-assigned ports). Table 57. VXLAN header expression ┌─────────┬──────────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├─────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ flags │ vxlan flags │ integer (8 bit) │ ├─────────┼──────────────────────────┼──────────────────┤ │ │ │ │ │ vni │ Virtual Network ID (VNI) │ integer (24 bit) │ └─────────┴──────────────────────────┴──────────────────┘ Matching inner TCP destination port encapsulated in vxlan. netdev filter ingress udp dport 4789 vxlan tcp dport 80 counter ARP HEADER EXPRESSION arp {htype | ptype | hlen | plen | operation | saddr { ip | ether } | daddr { ip | ether } Table 58. ARP header expression ┌─────────────┬─────────────────────────┬──────────────────┐ │ Keyword │ Description │ Type │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ htype │ ARP hardware type │ integer (16 bit) │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ ptype │ EtherType │ ether_type │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ hlen │ Hardware address len │ integer (8 bit) │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ plen │ Protocol address len │ integer (8 bit) │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ operation │ Operation │ arp_op │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ saddr ether │ Ethernet sender address │ ether_addr │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ daddr ether │ Ethernet target address │ ether_addr │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ saddr ip │ IPv4 sender address │ ipv4_addr │ ├─────────────┼─────────────────────────┼──────────────────┤ │ │ │ │ │ daddr ip │ IPv4 target address │ ipv4_addr │ └─────────────┴─────────────────────────┴──────────────────┘ RAW PAYLOAD EXPRESSION @base,offset,length The raw payload expression instructs to load length bits starting at offset bits. Bit 0 refers to the very first bit — in the C programming language, this corresponds to the topmost bit, i.e. 0x80 in case of an octet. They are useful to match headers that do not have a human-readable template expression yet. Note that nft will not add dependencies for Raw payload expressions. If you e.g. want to match protocol fields of a transport header with protocol number 5, you need to manually exclude packets that have a different transport header, for instance by using meta l4proto 5 before the raw expression. Table 59. Supported payload protocol bases ┌──────┬──────────────────────────────────┐ │ Base │ Description │ ├──────┼──────────────────────────────────┤ │ │ │ │ ll │ Link layer, for example the │ │ │ Ethernet header │ ├──────┼──────────────────────────────────┤ │ │ │ │ nh │ Network header, for example IPv4 │ │ │ or IPv6 │ ├──────┼──────────────────────────────────┤ │ │ │ │ th │ Transport Header, for example │ │ │ TCP │ ├──────┼──────────────────────────────────┤ │ │ │ │ ih │ Inner Header / Payload, i.e. │ │ │ after the L4 transport level │ │ │ header │ └──────┴──────────────────────────────────┘ Matching destination port of both UDP and TCP. inet filter input meta l4proto {tcp, udp} @th,16,16 { 53, 80 } The above can also be written as inet filter input meta l4proto {tcp, udp} th dport { 53, 80 } it is more convenient, but like the raw expression notation no dependencies are created or checked. It is the users responsibility to restrict matching to those header types that have a notion of ports. Otherwise, rules using raw expressions will errnously match unrelated packets, e.g. mis-interpreting ESP packets SPI field as a port. Rewrite arp packet target hardware address if target protocol address matches a given address. input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept EXTENSION HEADER EXPRESSIONS Extension header expressions refer to data from variable-sized protocol headers, such as IPv6 extension headers, TCP options and IPv4 options. nftables currently supports matching (finding) a given ipv6 extension header, TCP option or IPv4 option. hbh {nexthdr | hdrlength} frag {nexthdr | frag-off | more-fragments | id} rt {nexthdr | hdrlength | type | seg-left} dst {nexthdr | hdrlength} mh {nexthdr | hdrlength | checksum | type} srh {flags | tag | sid | seg-left} tcp option {eol | nop | maxseg | window | sack-perm | sack | sack0 | sack1 | sack2 | sack3 | timestamp} tcp_option_field ip option { lsrr | ra | rr | ssrr } ip_option_field The following syntaxes are valid only in a relational expression with boolean type on right-hand side for checking header existence only: exthdr {hbh | frag | rt | dst | mh} tcp option {eol | nop | maxseg | window | sack-perm | sack | sack0 | sack1 | sack2 | sack3 | timestamp} ip option { lsrr | ra | rr | ssrr } dccp option dccp_option_type Table 60. IPv6 extension headers ┌─────────┬────────────────────────┐ │ Keyword │ Description │ ├─────────┼────────────────────────┤ │ │ │ │ hbh │ Hop by Hop │ ├─────────┼────────────────────────┤ │ │ │ │ rt │ Routing Header │ ├─────────┼────────────────────────┤ │ │ │ │ frag │ Fragmentation header │ ├─────────┼────────────────────────┤ │ │ │ │ dst │ dst options │ ├─────────┼────────────────────────┤ │ │ │ │ mh │ Mobility Header │ ├─────────┼────────────────────────┤ │ │ │ │ srh │ Segment Routing Header │ └─────────┴────────────────────────┘ Table 61. TCP Options ┌───────────┬──────────────────────────┬──────────────────────┐ │ Keyword │ Description │ TCP option fields │ ├───────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ eol │ End if option list │ - │ ├───────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ nop │ 1 Byte TCP Nop padding │ - │ │ │ option │ │ ├───────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ maxseg │ TCP Maximum Segment Size │ length, size │ ├───────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ window │ TCP Window Scaling │ length, count │ ├───────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ sack-perm │ TCP SACK permitted │ length │ ├───────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ sack │ TCP Selective │ length, left, right │ │ │ Acknowledgement (alias │ │ │ │ of block 0) │ │ ├───────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ sack0 │ TCP Selective │ length, left, right │ │ │ Acknowledgement (block │ │ │ │ 0) │ │ ├───────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ sack1 │ TCP Selective │ length, left, right │ │ │ Acknowledgement (block │ │ │ │ 1) │ │ ├───────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ sack2 │ TCP Selective │ length, left, right │ │ │ Acknowledgement (block │ │ │ │ 2) │ │ ├───────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ sack3 │ TCP Selective │ length, left, right │ │ │ Acknowledgement (block │ │ │ │ 3) │ │ ├───────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ timestamp │ TCP Timestamps │ length, tsval, tsecr │ └───────────┴──────────────────────────┴──────────────────────┘ TCP option matching also supports raw expression syntax to access arbitrary options: tcp option tcp option @number,offset,length Table 62. IP Options ┌─────────┬─────────────────────┬─────────────────────────┐ │ Keyword │ Description │ IP option fields │ ├─────────┼─────────────────────┼─────────────────────────┤ │ │ │ │ │ lsrr │ Loose Source Route │ type, length, ptr, addr │ ├─────────┼─────────────────────┼─────────────────────────┤ │ │ │ │ │ ra │ Router Alert │ type, length, value │ ├─────────┼─────────────────────┼─────────────────────────┤ │ │ │ │ │ rr │ Record Route │ type, length, ptr, addr │ ├─────────┼─────────────────────┼─────────────────────────┤ │ │ │ │ │ ssrr │ Strict Source Route │ type, length, ptr, addr │ └─────────┴─────────────────────┴─────────────────────────┘ finding TCP options. filter input tcp option sack-perm exists counter matching TCP options. filter input tcp option maxseg size lt 536 matching IPv6 exthdr. ip6 filter input frag more-fragments 1 counter finding IP option. filter input ip option lsrr exists counter finding DCCP option. filter input dccp option 40 exists counter CONNTRACK EXPRESSIONS Conntrack expressions refer to meta data of the connection tracking entry associated with a packet. There are three types of conntrack expressions. Some conntrack expressions require the flow direction before the conntrack key, others must be used directly because they are direction agnostic. The packets, bytes and avgpkt keywords can be used with or without a direction. If the direction is omitted, the sum of the original and the reply direction is returned. The same is true for the zone, if a direction is given, the zone is only matched if the zone id is tied to the given direction. ct {state | direction | status | mark | expiration | helper | label | count | id} ct [original | reply] {l3proto | protocol | bytes | packets | avgpkt | zone} ct {original | reply} {proto-src | proto-dst} ct {original | reply} {ip | ip6} {saddr | daddr} The conntrack-specific types in this table are described in the sub-section CONNTRACK TYPES above. Table 63. Conntrack expressions ┌────────────┬──────────────────────────┬─────────────────────┐ │ Keyword │ Description │ Type │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ state │ State of the connection │ ct_state │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ direction │ Direction of the packet │ ct_dir │ │ │ relative to the │ │ │ │ connection │ │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ status │ Status of the connection │ ct_status │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ mark │ Connection mark │ mark │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ expiration │ Connection expiration │ time │ │ │ time │ │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ helper │ Helper associated with │ string │ │ │ the connection │ │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ label │ Connection tracking │ ct_label │ │ │ label bit or symbolic │ │ │ │ name defined in │ │ │ │ connlabel.conf in the │ │ │ │ nftables include path │ │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ l3proto │ Layer 3 protocol of the │ nf_proto │ │ │ connection │ │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ saddr │ Source address of the │ ipv4_addr/ipv6_addr │ │ │ connection for the given │ │ │ │ direction │ │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ daddr │ Destination address of │ ipv4_addr/ipv6_addr │ │ │ the connection for the │ │ │ │ given direction │ │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ protocol │ Layer 4 protocol of the │ inet_proto │ │ │ connection for the given │ │ │ │ direction │ │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ proto-src │ Layer 4 protocol source │ integer (16 bit) │ │ │ for the given direction │ │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ proto-dst │ Layer 4 protocol │ integer (16 bit) │ │ │ destination for the │ │ │ │ given direction │ │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ packets │ packet count seen in the │ integer (64 bit) │ │ │ given direction or sum │ │ │ │ of original and reply │ │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ bytes │ byte count seen, see │ integer (64 bit) │ │ │ description for packets │ │ │ │ keyword │ │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ avgpkt │ average bytes per │ integer (64 bit) │ │ │ packet, see description │ │ │ │ for packets keyword │ │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ zone │ conntrack zone │ integer (16 bit) │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ count │ number of current │ integer (32 bit) │ │ │ connections │ │ ├────────────┼──────────────────────────┼─────────────────────┤ │ │ │ │ │ id │ Connection id │ ct_id │ └────────────┴──────────────────────────┴─────────────────────┘ restrict the number of parallel connections to a server. nft add set filter ssh_flood '{ type ipv4_addr; flags dynamic; }' nft add rule filter input tcp dport 22 add @ssh_flood '{ ip saddr ct count over 2 }' reject STATEMENTS Statements represent actions to be performed. They can alter control flow (return, jump to a different chain, accept or drop the packet) or can perform actions, such as logging, rejecting a packet, etc. Statements exist in two kinds. Terminal statements unconditionally terminate evaluation of the current rule, non-terminal statements either only conditionally or never terminate evaluation of the current rule, in other words, they are passive from the ruleset evaluation perspective. There can be an arbitrary amount of non-terminal statements in a rule, but only a single terminal statement as the final statement. VERDICT STATEMENT The verdict statement alters control flow in the ruleset and issues policy decisions for packets. {accept | drop | queue | continue | return} {jump | goto} chain accept and drop are absolute verdicts — they terminate ruleset evaluation immediately. accept Terminate ruleset evaluation and accept the packet. The packet can still be dropped later by another hook, for instance accept in the forward hook still allows one to drop the packet later in the postrouting hook, or another forward base chain that has a higher priority number and is evaluated afterwards in the processing pipeline. drop Terminate ruleset evaluation and drop the packet. The drop occurs instantly, no further chains or hooks are evaluated. It is not possible to accept the packet in a later chain again, as those are not evaluated anymore for the packet. queue Terminate ruleset evaluation and queue the packet to userspace. Userspace must provide a drop or accept verdict. In case of accept, processing resumes with the next base chain hook, not the rule following the queue verdict. continue Continue ruleset evaluation with the next rule. This is the default behaviour in case a rule issues no verdict. return Return from the current chain and continue evaluation at the next rule in the last chain. If issued in a base chain, it is equivalent to the base chain policy. jump chain Continue evaluation at the first rule in chain. The current position in the ruleset is pushed to a call stack and evaluation will continue there when the new chain is entirely evaluated or a return verdict is issued. In case an absolute verdict is issued by a rule in the chain, ruleset evaluation terminates immediately and the specific action is taken. goto chain Similar to jump, but the current position is not pushed to the call stack, meaning that after the new chain evaluation will continue at the last chain instead of the one containing the goto statement. Using verdict statements. # process packets from eth0 and the internal network in from_lan # chain, drop all packets from eth0 with different source addresses. filter input iif eth0 ip saddr 192.168.0.0/24 jump from_lan filter input iif eth0 drop PAYLOAD STATEMENT payload_expression set value The payload statement alters packet content. It can be used for example to set ip DSCP (diffserv) header field or ipv6 flow labels. route some packets instead of bridging. # redirect tcp:http from 192.160.0.0/16 to local machine for routing instead of bridging # assumes 00:11:22:33:44:55 is local MAC address. bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55 Set IPv4 DSCP header field. ip forward ip dscp set 42 EXTENSION HEADER STATEMENT extension_header_expression set value The extension header statement alters packet content in variable-sized headers. This can currently be used to alter the TCP Maximum segment size of packets, similar to the TCPMSS target in iptables. change tcp mss. tcp flags syn tcp option maxseg size set 1360 # set a size based on route information: tcp flags syn tcp option maxseg size set rt mtu You can also remove tcp options via reset keyword. remove tcp option. tcp flags syn reset tcp option sack-perm LOG STATEMENT log [prefix quoted_string] [level syslog-level] [flags log-flags] log group nflog_group [prefix quoted_string] [queue-threshold value] [snaplen size] log level audit The log statement enables logging of matching packets. When this statement is used from a rule, the Linux kernel will print some information on all matching packets, such as header fields, via the kernel log (where it can be read with dmesg(1) or read in the syslog). In the second form of invocation (if nflog_group is specified), the Linux kernel will pass the packet to nfnetlink_log which will send the log through a netlink socket to the specified group. One userspace process may subscribe to the group to receive the logs, see man(8) ulogd for the Netfilter userspace log daemon and libnetfilter_log documentation for details in case you would like to develop a custom program to digest your logs. In the third form of invocation (if level audit is specified), the Linux kernel writes a message into the audit buffer suitably formatted for reading with auditd. Therefore no further formatting options (such as prefix or flags) are allowed in this mode. This is a non-terminating statement, so the rule evaluation continues after the packet is logged. Table 64. log statement options ┌─────────────────┬──────────────────────────┬──────────────────────────┐ │ Keyword │ Description │ Type │ ├─────────────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ prefix │ Log message prefix │ quoted string │ ├─────────────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ level │ Syslog level of logging │ string: emerg, alert, │ │ │ │ crit, err, warn │ │ │ │ [default], notice, info, │ │ │ │ debug, audit │ ├─────────────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ group │ NFLOG group to send │ unsigned integer (16 │ │ │ messages to │ bit) │ ├─────────────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ snaplen │ Length of packet payload │ unsigned integer (32 │ │ │ to include in netlink │ bit) │ │ │ message │ │ ├─────────────────┼──────────────────────────┼──────────────────────────┤ │ │ │ │ │ queue-threshold │ Number of packets to │ unsigned integer (32 │ │ │ queue inside the kernel │ bit) │ │ │ before sending them to │ │ │ │ userspace │ │ └─────────────────┴──────────────────────────┴──────────────────────────┘ Table 65. log-flags ┌──────────────┬─────────────────────────────────┐ │ Flag │ Description │ ├──────────────┼─────────────────────────────────┤ │ │ │ │ tcp sequence │ Log TCP sequence numbers. │ ├──────────────┼─────────────────────────────────┤ │ │ │ │ tcp options │ Log options from the TCP packet │ │ │ header. │ ├──────────────┼─────────────────────────────────┤ │ │ │ │ ip options │ Log options from the IP/IPv6 │ │ │ packet header. │ ├──────────────┼─────────────────────────────────┤ │ │ │ │ skuid │ Log the userid of the process │ │ │ which generated the packet. │ ├──────────────┼─────────────────────────────────┤ │ │ │ │ ether │ Decode MAC addresses and │ │ │ protocol. │ ├──────────────┼─────────────────────────────────┤ │ │ │ │ all │ Enable all log flags listed │ │ │ above. │ └──────────────┴─────────────────────────────────┘ Using log statement. # log the UID which generated the packet and ip options ip filter output log flags skuid flags ip options # log the tcp sequence numbers and tcp options from the TCP packet ip filter output log flags tcp sequence,options # enable all supported log flags ip6 filter output log flags all REJECT STATEMENT reject [ with REJECT_WITH ] REJECT_WITH := icmp icmp_code | icmpv6 icmpv6_code | icmpx icmpx_code | tcp reset A reject statement is used to send back an error packet in response to the matched packet otherwise it is equivalent to drop so it is a terminating statement, ending rule traversal. This statement is only valid in base chains using the input, forward or output hooks, and user-defined chains which are only called from those chains. Table 66. different ICMP reject variants are meant for use in different table families ┌─────────┬────────┬─────────────┐ │ Variant │ Family │ Type │ ├─────────┼────────┼─────────────┤ │ │ │ │ │ icmp │ ip │ icmp_code │ ├─────────┼────────┼─────────────┤ │ │ │ │ │ icmpv6 │ ip6 │ icmpv6_code │ ├─────────┼────────┼─────────────┤ │ │ │ │ │ icmpx │ inet │ icmpx_code │ └─────────┴────────┴─────────────┘ For a description of the different types and a list of supported keywords refer to DATA TYPES section above. The common default reject value is port-unreachable. Note that in bridge family, reject statement is only allowed in base chains which hook into input or prerouting. COUNTER STATEMENT A counter statement sets the hit count of packets along with the number of bytes. counter packets number bytes number counter { packets number | bytes number } CONNTRACK STATEMENT The conntrack statement can be used to set the conntrack mark and conntrack labels. ct {mark | event | label | zone} set value The ct statement sets meta data associated with a connection. The zone id has to be assigned before a conntrack lookup takes place, i.e. this has to be done in prerouting and possibly output (if locally generated packets need to be placed in a distinct zone), with a hook priority of raw (-300). Unlike iptables, where the helper assignment happens in the raw table, the helper needs to be assigned after a conntrack entry has been found, i.e. it will not work when used with hook priorities equal or before -200. Table 67. Conntrack statement types ┌─────────┬──────────────────────────┬──────────────────────┐ │ Keyword │ Description │ Value │ ├─────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ event │ conntrack event bits │ bitmask, integer (32 │ │ │ │ bit) │ ├─────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ helper │ name of ct helper object │ quoted string │ │ │ to assign to the │ │ │ │ connection │ │ ├─────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ mark │ Connection tracking mark │ mark │ ├─────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ label │ Connection tracking │ label │ │ │ label │ │ ├─────────┼──────────────────────────┼──────────────────────┤ │ │ │ │ │ zone │ conntrack zone │ integer (16 bit) │ └─────────┴──────────────────────────┴──────────────────────┘ save packet nfmark in conntrack. ct mark set meta mark set zone mapped via interface. table inet raw { chain prerouting { type filter hook prerouting priority raw; ct zone set iif map { "eth1" : 1, "veth1" : 2 } } chain output { type filter hook output priority raw; ct zone set oif map { "eth1" : 1, "veth1" : 2 } } } restrict events reported by ctnetlink. ct event set new,related,destroy NOTRACK STATEMENT The notrack statement allows one to disable connection tracking for certain packets. notrack Note that for this statement to be effective, it has to be applied to packets before a conntrack lookup happens. Therefore, it needs to sit in a chain with either prerouting or output hook and a hook priority of -300 (raw) or less. See SYNPROXY STATEMENT for an example usage. META STATEMENT A meta statement sets the value of a meta expression. The existing meta fields are: priority, mark, pkttype, nftrace. meta {mark | priority | pkttype | nftrace | broute} set value A meta statement sets meta data associated with a packet. Table 68. Meta statement types ┌──────────┬────────────────────────┬───────────┐ │ Keyword │ Description │ Value │ ├──────────┼────────────────────────┼───────────┤ │ │ │ │ │ priority │ TC packet priority │ tc_handle │ ├──────────┼────────────────────────┼───────────┤ │ │ │ │ │ mark │ Packet mark │ mark │ ├──────────┼────────────────────────┼───────────┤ │ │ │ │ │ pkttype │ packet type │ pkt_type │ ├──────────┼────────────────────────┼───────────┤ │ │ │ │ │ nftrace │ ruleset packet tracing │ 0, 1 │ │ │ on/off. Use monitor │ │ │ │ trace command to watch │ │ │ │ traces │ │ ├──────────┼────────────────────────┼───────────┤ │ │ │ │ │ broute │ broute on/off. packets │ 0, 1 │ │ │ are routed instead of │ │ │ │ being bridged │ │ └──────────┴────────────────────────┴───────────┘ LIMIT STATEMENT limit rate [over] packet_number / TIME_UNIT [burst packet_number packets] limit rate [over] byte_number BYTE_UNIT / TIME_UNIT [burst byte_number BYTE_UNIT] TIME_UNIT := second | minute | hour | day BYTE_UNIT := bytes | kbytes | mbytes A limit statement matches at a limited rate using a token bucket filter. A rule using this statement will match until this limit is reached. It can be used in combination with the log statement to give limited logging. The optional over keyword makes it match over the specified rate. The burst value influences the bucket size, i.e. jitter tolerance. With packet-based limit, the bucket holds exactly burst packets, by default five. If you specify packet burst, it must be a non-zero value. With byte-based limit, the bucket’s minimum size is the given rate’s byte value and the burst value adds to that, by default zero bytes. Table 69. limit statement values ┌───────────────┬───────────────────┬──────────────────────┐ │ Value │ Description │ Type │ ├───────────────┼───────────────────┼──────────────────────┤ │ │ │ │ │ packet_number │ Number of packets │ unsigned integer (32 │ │ │ │ bit) │ ├───────────────┼───────────────────┼──────────────────────┤ │ │ │ │ │ byte_number │ Number of bytes │ unsigned integer (32 │ │ │ │ bit) │ └───────────────┴───────────────────┴──────────────────────┘ NAT STATEMENTS snat [[ip | ip6] [ prefix ] to] ADDR_SPEC [:PORT_SPEC] [FLAGS] dnat [[ip | ip6] [ prefix ] to] ADDR_SPEC [:PORT_SPEC] [FLAGS] masquerade [to :PORT_SPEC] [FLAGS] redirect [to :PORT_SPEC] [FLAGS] ADDR_SPEC := address | address - address PORT_SPEC := port | port - port FLAGS := FLAG [, FLAGS] FLAG := persistent | random | fully-random The nat statements are only valid from nat chain types. The snat and masquerade statements specify that the source address of the packet should be modified. While snat is only valid in the postrouting and input chains, masquerade makes sense only in postrouting. The dnat and redirect statements are only valid in the prerouting and output chains, they specify that the destination address of the packet should be modified. You can use non-base chains which are called from base chains of nat chain type too. All future packets in this connection will also be mangled, and rules should cease being examined. The masquerade statement is a special form of snat which always uses the outgoing interface’s IP address to translate to. It is particularly useful on gateways with dynamic (public) IP addresses. The redirect statement is a special form of dnat which always translates the destination address to the local host’s one. It comes in handy if one only wants to alter the destination port of incoming traffic on different interfaces. When used in the inet family (available with kernel 5.2), the dnat and snat statements require the use of the ip and ip6 keyword in case an address is provided, see the examples below. Before kernel 4.18 nat statements require both prerouting and postrouting base chains to be present since otherwise packets on the return path won’t be seen by netfilter and therefore no reverse translation will take place. The optional prefix keyword allows to map to map n source addresses to n destination addresses. See Advanced NAT examples below. Table 70. NAT statement values ┌────────────┬──────────────────────────┬─────────────────────────┐ │ Expression │ Description │ Type │ ├────────────┼──────────────────────────┼─────────────────────────┤ │ │ │ │ │ address │ Specifies that the │ ipv4_addr, ipv6_addr, │ │ │ source/destination │ e.g. abcd::1234, or you │ │ │ address of the packet │ can use a mapping, e.g. │ │ │ should be modified. You │ meta mark map { 10 : │ │ │ may specify a mapping to │ 192.168.1.2, 20 : │ │ │ relate a list of tuples │ 192.168.1.3 } │ │ │ composed of arbitrary │ │ │ │ expression key with │ │ │ │ address value. │ │ ├────────────┼──────────────────────────┼─────────────────────────┤ │ │ │ │ │ port │ Specifies that the │ port number (16 bit) │ │ │ source/destination port │ │ │ │ of the packet should be │ │ │ │ modified. │ │ └────────────┴──────────────────────────┴─────────────────────────┘ Table 71. NAT statement flags ┌──────────────┬──────────────────────────────────┐ │ Flag │ Description │ ├──────────────┼──────────────────────────────────┤ │ │ │ │ persistent │ Gives a client the same │ │ │ source-/destination-address for │ │ │ each connection. │ ├──────────────┼──────────────────────────────────┤ │ │ │ │ random │ In kernel 5.0 and newer this is │ │ │ the same as fully-random. In │ │ │ earlier kernels the port mapping │ │ │ will be randomized using a │ │ │ seeded MD5 hash mix using source │ │ │ and destination address and │ │ │ destination port. │ ├──────────────┼──────────────────────────────────┤ │ │ │ │ fully-random │ If used then port mapping is │ │ │ generated based on a 32-bit │ │ │ pseudo-random algorithm. │ └──────────────┴──────────────────────────────────┘ Using NAT statements. # create a suitable table/chain setup for all further examples add table nat add chain nat prerouting { type nat hook prerouting priority dstnat; } add chain nat postrouting { type nat hook postrouting priority srcnat; } # translate source addresses of all packets leaving via eth0 to address 1.2.3.4 add rule nat postrouting oif eth0 snat to 1.2.3.4 # redirect all traffic entering via eth0 to destination address 192.168.1.120 add rule nat prerouting iif eth0 dnat to 192.168.1.120 # translate source addresses of all packets leaving via eth0 to whatever # locally generated packets would use as source to reach the same destination add rule nat postrouting oif eth0 masquerade # redirect incoming TCP traffic for port 22 to port 2222 add rule nat prerouting tcp dport 22 redirect to :2222 # inet family: # handle ip dnat: add rule inet nat prerouting dnat ip to 10.0.2.99 # handle ip6 dnat: add rule inet nat prerouting dnat ip6 to fe80::dead # this masquerades both ipv4 and ipv6: add rule inet nat postrouting meta oif ppp0 masquerade Advanced NAT examples. # map prefixes in one network to that of another, e.g. 10.141.11.4 is mangled to 192.168.2.4, # 10.141.11.5 is mangled to 192.168.2.5 and so on. add rule nat postrouting snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 } # map a source address, source port combination to a pool of destination addresses and ports: add rule nat postrouting dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 } # The above example generates the following NAT expression: # # [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ] # # which expects to obtain the following tuple: # IP address (min), source port (min), IP address (max), source port (max) # to be obtained from the map. The given addresses and ports are inclusive. # This also works with named maps and in combination with both concatenations and ranges: table ip nat { map ipportmap { typeof ip saddr : interval ip daddr . tcp dport flags interval elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999, 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 } } chain prerouting { type nat hook prerouting priority dstnat; policy accept; ip protocol tcp dnat ip to ip saddr map @ipportmap } } @ipportmap maps network prefixes to a range of hosts and ports. The new destination is taken from the range provided by the map element. Same for the destination port. Note the use of the "interval" keyword in the typeof description. This is required so nftables knows that it has to ask for twice the amount of storage for each key-value pair in the map. ": ipv4_addr . inet_service" would allow associating one address and one port with each key. But for this case, for each key, two addresses and two ports (The minimum and maximum values for both) have to be stored. TPROXY STATEMENT Tproxy redirects the packet to a local socket without changing the packet header in any way. If any of the arguments is missing the data of the incoming packet is used as parameter. Tproxy matching requires another rule that ensures the presence of transport protocol header is specified. tproxy to address:port tproxy to {address | :port} This syntax can be used in ip/ip6 tables where network layer protocol is obvious. Either IP address or port can be specified, but at least one of them is necessary. tproxy {ip | ip6} to address[:port] tproxy to :port This syntax can be used in inet tables. The ip/ip6 parameter defines the family the rule will match. The address parameter must be of this family. When only port is defined, the address family should not be specified. In this case the rule will match for both families. Table 72. tproxy attributes ┌─────────┬─────────────────────────────────┐ │ Name │ Description │ ├─────────┼─────────────────────────────────┤ │ │ │ │ address │ IP address the listening socket │ │ │ with IP_TRANSPARENT option is │ │ │ bound to. │ ├─────────┼─────────────────────────────────┤ │ │ │ │ port │ Port the listening socket with │ │ │ IP_TRANSPARENT option is bound │ │ │ to. │ └─────────┴─────────────────────────────────┘ Example ruleset for tproxy statement. table ip x { chain y { type filter hook prerouting priority mangle; policy accept; tcp dport ntp tproxy to 1.1.1.1 udp dport ssh tproxy to :2222 } } table ip6 x { chain y { type filter hook prerouting priority mangle; policy accept; tcp dport ntp tproxy to [dead::beef] udp dport ssh tproxy to :2222 } } table inet x { chain y { type filter hook prerouting priority mangle; policy accept; tcp dport 321 tproxy to :ssh tcp dport 99 tproxy ip to 1.1.1.1:999 udp dport 155 tproxy ip6 to [dead::beef]:smux } } SYNPROXY STATEMENT This statement will process TCP three-way-handshake parallel in netfilter context to protect either local or backend system. This statement requires connection tracking because sequence numbers need to be translated. synproxy [mss mss_value] [wscale wscale_value] [SYNPROXY_FLAGS] Table 73. synproxy statement attributes ┌────────┬─────────────────────────────────┐ │ Name │ Description │ ├────────┼─────────────────────────────────┤ │ │ │ │ mss │ Maximum segment size announced │ │ │ to clients. This must match the │ │ │ backend. │ ├────────┼─────────────────────────────────┤ │ │ │ │ wscale │ Window scale announced to │ │ │ clients. This must match the │ │ │ backend. │ └────────┴─────────────────────────────────┘ Table 74. synproxy statement flags ┌───────────┬──────────────────────────────────┐ │ Flag │ Description │ ├───────────┼──────────────────────────────────┤ │ │ │ │ sack-perm │ Pass client selective │ │ │ acknowledgement option to │ │ │ backend (will be disabled if not │ │ │ present). │ ├───────────┼──────────────────────────────────┤ │ │ │ │ timestamp │ Pass client timestamp option to │ │ │ backend (will be disabled if not │ │ │ present, also needed for │ │ │ selective acknowledgement and │ │ │ window scaling). │ └───────────┴──────────────────────────────────┘ Example ruleset for synproxy statement. Determine tcp options used by backend, from an external system tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)' port 80 & telnet 192.0.2.42 80 18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757: Flags [S.], seq 360414582, ack 788841994, win 14480, options [mss 1460,sackOK, TS val 1409056151 ecr 9690221, nop,wscale 9], length 0 Switch tcp_loose mode off, so conntrack will mark out-of-flow packets as state INVALID. echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose Make SYN packets untracked. table ip x { chain y { type filter hook prerouting priority raw; policy accept; tcp flags syn notrack } } Catch UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states and send them to SYNPROXY. This rule will respond to SYN packets with SYN+ACK syncookies, create ESTABLISHED for valid client response (3WHS ACK packets) and drop incorrect cookies. Flags combinations not expected during 3WHS will not match and continue (e.g. SYN+FIN, SYN+ACK). Finally, drop invalid packets, this will be out-of-flow packets that were not matched by SYNPROXY. table ip x { chain z { type filter hook input priority filter; policy accept; ct state invalid, untracked synproxy mss 1460 wscale 9 timestamp sack-perm ct state invalid drop } } FLOW STATEMENT A flow statement allows us to select what flows you want to accelerate forwarding through layer 3 network stack bypass. You have to specify the flowtable name where you want to offload this flow. flow add @flowtable QUEUE STATEMENT This statement passes the packet to userspace using the nfnetlink_queue handler. The packet is put into the queue identified by its 16-bit queue number. Userspace can inspect and modify the packet if desired. Userspace must then drop or re-inject the packet into the kernel. See libnetfilter_queue documentation for details. queue [flags QUEUE_FLAGS] [to queue_number] queue [flags QUEUE_FLAGS] [to queue_number_from - queue_number_to] queue [flags QUEUE_FLAGS] [to QUEUE_EXPRESSION ] QUEUE_FLAGS := QUEUE_FLAG [, QUEUE_FLAGS] QUEUE_FLAG := bypass | fanout QUEUE_EXPRESSION := numgen | hash | symhash | MAP STATEMENT QUEUE_EXPRESSION can be used to compute a queue number at run-time with the hash or numgen expressions. It also allows one to use the map statement to assign fixed queue numbers based on external inputs such as the source ip address or interface names. Table 75. queue statement values ┌───────────────────┬─────────────────────────┬──────────────────────┐ │ Value │ Description │ Type │ ├───────────────────┼─────────────────────────┼──────────────────────┤ │ │ │ │ │ queue_number │ Sets queue number, │ unsigned integer (16 │ │ │ default is 0. │ bit) │ ├───────────────────┼─────────────────────────┼──────────────────────┤ │ │ │ │ │ queue_number_from │ Sets initial queue in │ unsigned integer (16 │ │ │ the range, if fanout is │ bit) │ │ │ used. │ │ ├───────────────────┼─────────────────────────┼──────────────────────┤ │ │ │ │ │ queue_number_to │ Sets closing queue in │ unsigned integer (16 │ │ │ the range, if fanout is │ bit) │ │ │ used. │ │ └───────────────────┴─────────────────────────┴──────────────────────┘ Table 76. queue statement flags ┌────────┬───────────────────────────────┐ │ Flag │ Description │ ├────────┼───────────────────────────────┤ │ │ │ │ bypass │ Let packets go through if │ │ │ userspace application cannot │ │ │ back off. Before using this │ │ │ flag, read libnetfilter_queue │ │ │ documentation for performance │ │ │ tuning recommendations. │ ├────────┼───────────────────────────────┤ │ │ │ │ fanout │ Distribute packets between │ │ │ several queues. │ └────────┴───────────────────────────────┘ DUP STATEMENT The dup statement is used to duplicate a packet and send the copy to a different destination. dup to device dup to address device device Table 77. Dup statement values ┌────────────┬─────────────────────────┬──────────────────────────┐ │ Expression │ Description │ Type │ ├────────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ address │ Specifies that the copy │ ipv4_addr, ipv6_addr, │ │ │ of the packet should be │ e.g. abcd::1234, or you │ │ │ sent to a new gateway. │ can use a mapping, e.g. │ │ │ │ ip saddr map { │ │ │ │ 192.168.1.2 : 10.1.1.1 } │ ├────────────┼─────────────────────────┼──────────────────────────┤ │ │ │ │ │ device │ Specifies that the copy │ string │ │ │ should be transmitted │ │ │ │ via device. │ │ └────────────┴─────────────────────────┴──────────────────────────┘ Using the dup statement. # send to machine with ip address 10.2.3.4 on eth0 ip filter forward dup to 10.2.3.4 device "eth0" # copy raw frame to another interface netdev ingress dup to "eth0" dup to "eth0" # combine with map dst addr to gateways dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" } FWD STATEMENT The fwd statement is used to redirect a raw packet to another interface. It is only available in the netdev family ingress and egress hooks. It is similar to the dup statement except that no copy is made. You can also specify the address of the next hop and the device to forward the packet to. This updates the source and destination MAC address of the packet by transmitting it through the neighboring layer. This also decrements the ttl field of the IP packet. This provides a way to effectively bypass the classical forwarding path, thus skipping the fib (forwarding information base) lookup. fwd to device fwd [ip | ip6] to address device device Using the fwd statement. # redirect raw packet to device netdev ingress fwd to "eth0" # forward packet to next hop 192.168.200.1 via eth0 device netdev ingress ether saddr set fwd ip to 192.168.200.1 device "eth0" SET STATEMENT The set statement is used to dynamically add or update elements in a set from the packet path. The set setname must already exist in the given table and must have been created with one or both of the dynamic and the timeout flags. The dynamic flag is required if the set statement expression includes a stateful object. The timeout flag is implied if the set is created with a timeout, and is required if the set statement updates elements, rather than adding them. Furthermore, these sets should specify both a maximum set size (to prevent memory exhaustion), and their elements should have a timeout (so their number will not grow indefinitely) either from the set definition or from the statement that adds or updates them. The set statement can be used to e.g. create dynamic blacklists. Dynamic updates are also supported with maps. In this case, the add or update rule needs to provide both the key and the data element (value), separated via :. {add | update} @setname { expression [timeout timeout] [comment string] } Example for simple blacklist. # declare a set, bound to table "filter", in family "ip". # Timeout and size are mandatory because we will add elements from packet path. # Entries will timeout after one minute, after which they might be # re-added if limit condition persists. nft add set ip filter blackhole \ "{ type ipv4_addr; flags dynamic; timeout 1m; size 65536; }" # declare a set to store the limit per saddr. # This must be separate from blackhole since the timeout is different nft add set ip filter flood \ "{ type ipv4_addr; flags dynamic; timeout 10s; size 128000; }" # whitelist internal interface. nft add rule ip filter input meta iifname "internal" accept # drop packets coming from blacklisted ip addresses. nft add rule ip filter input ip saddr @blackhole counter drop # add source ip addresses to the blacklist if more than 10 tcp connection # requests occurred per second and ip address. nft add rule ip filter input tcp flags syn tcp dport ssh \ add @flood { ip saddr limit rate over 10/second } \ add @blackhole { ip saddr } \ drop # inspect state of the sets. nft list set ip filter flood nft list set ip filter blackhole # manually add two addresses to the blackhole. nft add element filter blackhole { 10.2.3.4, 10.23.1.42 } MAP STATEMENT The map statement is used to lookup data based on some specific input key. expression map { MAP_ELEMENTS } MAP_ELEMENTS := MAP_ELEMENT [, MAP_ELEMENTS] MAP_ELEMENT := key : value The key is a value returned by expression. Using the map statement. # select DNAT target based on TCP dport: # connections to port 80 are redirected to 192.168.1.100, # connections to port 8888 are redirected to 192.168.1.101 nft add rule ip nat prerouting dnat tcp dport map { 80 : 192.168.1.100, 8888 : 192.168.1.101 } # source address based SNAT: # packets from net 192.168.1.0/24 will appear as originating from 10.0.0.1, # packets from net 192.168.2.0/24 will appear as originating from 10.0.0.2 nft add rule ip nat postrouting snat to ip saddr map { 192.168.1.0/24 : 10.0.0.1, 192.168.2.0/24 : 10.0.0.2 } VMAP STATEMENT The verdict map (vmap) statement works analogous to the map statement, but contains verdicts as values. expression vmap { VMAP_ELEMENTS } VMAP_ELEMENTS := VMAP_ELEMENT [, VMAP_ELEMENTS] VMAP_ELEMENT := key : verdict Using the vmap statement. # jump to different chains depending on layer 4 protocol type: nft add rule ip filter input ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain , icmp : jump icmp-chain } XT STATEMENT This represents an xt statement from xtables compat interface. It is a fallback if translation is not available or not complete. xt TYPE NAME TYPE := match | target | watcher Seeing this means the ruleset (or parts of it) were created by iptables-nft and one should use that to manage it. BEWARE: nftables won’t restore these statements. ADDITIONAL COMMANDS These are some additional commands included in nft. MONITOR The monitor command allows you to listen to Netlink events produced by the nf_tables subsystem. These are either related to creation and deletion of objects or to packets for which meta nftrace was enabled. When they occur, nft will print to stdout the monitored events in either JSON or native nft format. monitor [new | destroy] MONITOR_OBJECT monitor trace MONITOR_OBJECT := tables | chains | sets | rules | elements | ruleset To filter events related to a concrete object, use one of the keywords in MONITOR_OBJECT. To filter events related to a concrete action, use keyword new or destroy. The second form of invocation takes no further options and exclusively prints events generated for packets with nftrace enabled. Hit ^C to finish the monitor operation. Listen to all events, report in native nft format. % nft monitor Listen to deleted rules, report in JSON format. % nft -j monitor destroy rules Listen to both new and destroyed chains, in native nft format. % nft monitor chains Listen to ruleset events such as table, chain, rule, set, counters and quotas, in native nft format. % nft monitor ruleset Trace incoming packets from host 10.0.0.1. % nft add rule filter input ip saddr 10.0.0.1 meta nftrace set 1 % nft monitor trace ERROR REPORTING When an error is detected, nft shows the line(s) containing the error, the position of the erroneous parts in the input stream and marks up the erroneous parts using carets (^). If the error results from the combination of two expressions or statements, the part imposing the constraints which are violated is marked using tildes (~). For errors returned by the kernel, nft cannot detect which parts of the input caused the error and the entire command is marked. Error caused by single incorrect expression. <cmdline>:1:19-22: Error: Interface does not exist filter output oif eth0 ^^^^ Error caused by invalid combination of two expressions. <cmdline>:1:28-36: Error: Right hand side of relational expression (==) must be constant filter output tcp dport == tcp dport ~~ ^^^^^^^^^ Error returned by the kernel. <cmdline>:0:0-23: Error: Could not process rule: Operation not permitted filter output oif wlan0 ^^^^^^^^^^^^^^^^^^^^^^^ EXIT STATUS On success, nft exits with a status of 0. Unspecified errors cause it to exit with a status of 1, memory allocation errors with a status of 2, unable to open Netlink socket with 3. SEE ALSO libnftables(3), libnftables-json(5), iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8) There is an official wiki at: https://wiki.nftables.org AUTHORS nftables was written by Patrick McHardy and Pablo Neira Ayuso, among many other contributors from the Netfilter community. COPYRIGHT Copyright © 2008-2014 Patrick McHardy <kaber@trash.net> Copyright © 2013-2018 Pablo Neira Ayuso <pablo@netfilter.org> nftables is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. This documentation is licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0 license, CC BY-SA 4.0 http://creativecommons.org/licenses/by-sa/4.0/. 10/11/2023 NFT(8)