integer
|===================
-The bitmask type (bitmask) is used for bitmasks.
+The bitmask type (*bitmask*) is used for bitmasks.
STRING TYPE
~~~~~~~~~~~~
-----------
nft is the command line tool used to set up, maintain and inspect packet
filtering and classification rules in the Linux kernel, in the nftables
-framework. The Linux kernel subsystem is known as nf_tables, and `nft' stands
+framework. The Linux kernel subsystem is known as nf_tables, and `nf' stands
for Netfilter.
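Review bot: The correction to `nf' is right, but the sentence now explains only half of the name: it introduces the tool `nft', says the subsystem is nf_tables, and then expands only `nf'. Suggest completing the thought in the same edit, e.g. "`nf' stands for Netfilter and `nft' is short for nf_tables", so the reader is not left wondering what the rest of the abbreviation means.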
OPTIONS
packet processing paths, which invoke nftables if rules for these hooks exist.
[horizontal]
-ip:: IPv4 address family.
-ip6:: IPv6 address family.
-inet:: Internet (IPv4/IPv6) address family.
-arp:: ARP address family, handling IPv4 ARP packets.
-bridge:: Bridge address family, handling packets which traverse a bridge device.
-netdev:: Netdev address family, handling packets from ingress.
+*ip*:: IPv4 address family.
+*ip6*:: IPv6 address family.
+*inet*:: Internet (IPv4/IPv6) address family.
+*arp*:: ARP address family, handling IPv4 ARP packets.
+*bridge*:: Bridge address family, handling packets which traverse a bridge device.
+*netdev*:: Netdev address family, handling packets from ingress.
All nftables objects exist in address family specific namespaces, therefore all
identifiers include an address family. If an identifier is specified without an
it receives.
*export*:: Print the ruleset in machine readable format. The mandatory 'format'
-parameter may be either *xml* or *json*.
+parameter may be either xml or json.
It is possible to limit *list* and *flush* to a specific address family only.
For a list of valid family names, see <<ADDRESS_FAMILIES>> above.
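Review bot: Dropping the bold from xml and json in the *export* description runs against the rest of this patch, which consistently adds bold to keywords (*ip*, *ip6*, *meta l4proto*, *monitor trace*). If the intent is to mark xml and json as values of the 'format' parameter rather than keywords, say so in the commit message; otherwise keep `*xml* or *json*` for consistency.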
replace *rule* ['family'] 'table' 'chain' handle 'handle' 'statement'...
delete *rule* ['family'] 'table' 'chain' handle 'handle'
-Rules are added to chain in the given table. If the family is not specified, the
+Rules are added to chains in the given table. If the family is not specified, the
ip family is used. Rules are constructed from two kinds of components according
to a set of grammatical rules: expressions and statements.
Expressions can be combined using binary, logical, relational and other types of
expressions to form complex or relational (match) expressions. They are also
used as arguments to certain types of operations, like NAT, packet marking etc.
-+
Each expression has a data type, which determines the size, parsing and
representation of symbolic values and type compatibility with other expressions.
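Review bot: The standalone `+` removed before "Each expression has a data type" is the AsciiDoc list-continuation marker. If the preceding paragraph belongs to a list item, removing it detaches the following paragraph from that item and it will render as a top-level paragraph with different indentation; please confirm that rendering is intended, and keep the `+` if not.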
-----------------------------
<cmdline>:0:0-23: Error: Could not process rule: Operation not permitted
filter output oif wlan0
- ^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^
---------------------------------
EXIT STATUS
IPV4 HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
-ip ['IPv4' 'header' 'field']
+*ip* ['IPv4' 'header' 'field']
.IPv4 header expression
[options="header"]
ICMP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
-icmp ['ICMP' 'header' 'field']
+*icmp* ['ICMP' 'header' 'field']
.ICMP header expression
[options="header"]
integer (8 bit)
|checksum|
ICMP checksum field |
-integer (16 nit)
+integer (16 bit)
|id|
ID of echo request/response |
integer (16 bit)
integer (32 bit)
|mtu|
MTU of path MTU discovery|
-integer (32 bit)
+integer (16 bit)
|============================
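Review bot: The mtu type change from 32 bit to 16 bit is correct, since the Next-Hop MTU field of the ICMP Fragmentation Needed message (RFC 1191) is 16 bits wide, but the old value looked plausible enough that the reason should be stated in the commit message rather than left as a silent table edit.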
IPV6 HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
-ip6 ['IPv6' 'header' 'field']
+*ip6* ['IPv6' 'header' 'field']
-This expression refers to the ipv6 header fields. Caution when using ip6
-nexthdr, the value only refers to the next header, i.e. ip6 nexthdr tcp will
+This expression refers to the ipv6 header fields. Caution when using *ip6
+nexthdr*, the value only refers to the next header, i.e. *ip6 nexthdr tcp* will
only match if the ipv6 packet does not contain any extension headers. Packets
that are fragmented or e.g. contain a routing extension headers will not be
-matched. Please use meta l4proto if you wish to match the real transport header
+matched. Please use *meta l4proto* if you wish to match the real transport header
and ignore any additional extension headers instead.
.IPv6 header expression
|=======================
*matching if first extension header indicates a fragment* +
-ip6 nexthdr ipv6-frag counter
+*ip6* nexthdr ipv6-frag counter
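Review bot: The example at the end of the IPv6 section bolds only *ip6* and leaves `nexthdr ipv6-frag counter` plain, while the prose just above bolds the whole phrase *ip6 nexthdr tcp* and *meta l4proto*. Pick one convention for rule fragments (bold the complete fragment, or leave examples unformatted) and apply it to this line.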
ICMPV6 HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~~
[verse]
-icmpv6 ['ICMPv6' 'header' 'field']
+*icmpv6* ['ICMPv6' 'header' 'field']
.ICMPv6 header expression
[options="header"]
TCP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~
[verse]
-tcp ['TCP' 'header' 'field']
+*tcp* ['TCP' 'header' 'field']
.TCP header expression
[options="header"]
|==================
|Keyword| Description| Type
|sport|
-source port|
+Source port|
inet_service
|dport|
Destination port|
integer (4 bit)
|flags|
TCP flags|
-tcp_flags
+tcp_flag
|window|
Window|
integer (16 bit)
|checksum|
-checksum|
+Checksum|
integer (16 bit)
|urgptr|
Urgent pointer|
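Review bot: The tcp_flags to tcp_flag rename matches the singular datatype name used elsewhere, but the same table in the shown context lists dport followed by `integer (4 bit)` with no inet_service type line, unlike sport. If that is the actual table content rather than an artifact of the excerpt, dport should carry inet_service like sport (4 bit fits the data offset field, not a port), and it is worth fixing in this change since the patch already touches the table.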
UDP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~
[verse]
-udp ['UDP' 'header' 'field']
+*udp* ['UDP' 'header' 'field']
.UDP header expression
[options="header"]
|==================
|Keyword| Description| Type
|sport|
-source port|
+Source port|
inet_service
|dport|
Destination port|
|==================
|Keyword| Description| Type
|sport|
-source port|
+Source port|
inet_service
|dport|
Destination port|
|==================
|Keyword| Description| Type
|sport|
-source port|
+Source port|
inet_service
|dport|
Destination port|
|==================
|Keyword| Description| Type
|sport|
-source port|
+Source port|
inet_service
|dport|
Destination port|
byte count seen, see description for *packets* keyword |
integer (64 bit)
|avgpkt|
-average bytes per packet, see description for packets keyword |
+average bytes per packet, see description for *packets* keyword |
integer (64 bit)
|zone|
conntrack zone |
META EXPRESSIONS
~~~~~~~~~~~~~~~~
[verse]
-meta {length | nfproto | l4proto | protocol | priority}
+*meta* {length | nfproto | l4proto | protocol | priority}
[meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype |
skuid | skgid | nftrace | rtclassid | ibrname | obrname | pkttype | cpu
| iifgroup | oifgroup | cgroup | random | secpath}
pkt_type
|cpu|
cpu number processing the packet|
-integer (32 bits)
+integer (32 bit)
|iifgroup|
incoming device group|
devgroup
integer (32 bit)
|random|
pseudo-random number|
-integer (32 bits)
+integer (32 bit)
|secpath|
boolean|
boolean (1 bit)
FIB EXPRESSIONS
~~~~~~~~~~~~~~~
[verse]
-fib {saddr | daddr | {mark | iif | oif}} {oif | oifname | type}
+*fib* {saddr | daddr | {mark | iif | oif}} {oif | oifname | type}
A fib expression queries the fib (forwarding information base) to obtain
information such as the output interface index a particular address would use.
ROUTING EXPRESSIONS
~~~~~~~~~~~~~~~~~~~
[verse]
-rt {classid | nexthop}
+*rt* {classid | nexthop}
A routing expression refers to routing data associated with a packet.
NFLOG group to send messages to|
unsigned integer (16 bit)
|snaplen|
-Length of packet payload to include in netlink messages |
+Length of packet payload to include in netlink message |
unsigned integer (32 bit)
|queue-threshold|
Number of packets to queue inside the kernel before sending them to userspace |
packet type |
pkt_type
|nftrace |
-ruleset packet tracing on/off. Use monitor trace command to watch traces|
+ruleset packet tracing on/off. Use *monitor trace* command to watch traces|
0, 1
|==========================
ipv4_addr, ipv6_addr, e.g. abcd::1234, or you can use a mapping, e.g. meta mark map { 10 : 192.168.1.2, 20 : 192.168.1.3 }
|port|
Specifies that the source/destination address of the packet should be modified. |
-port number (16 bits)
+port number (16 bit)
|===============================
.NAT statement flags
|Expression | Description | Type
|address |
Specifies that the copy of the packet should be sent to a new gateway.|
-ipv4_addr, ipv6_addr, e.g. abcd::1234, or you can use a mapping. e.g. ip saddr map { 192.168.1.2 : 10.1.1.1 }
+ipv4_addr, ipv6_addr, e.g. abcd::1234, or you can use a mapping, e.g. ip saddr map { 192.168.1.2 : 10.1.1.1 }
|device |
Specifies that the copy should be transmitted via device. |
string